Chief Security Architect, Developer Experience
"Wanted: The architect who sees that the ATO process isn't a compliance problem—it's an engineering problem—and knows how to build the solution."
Large-scale software delivery in regulated, defense-focused environments runs into the same wall everywhere you look. The compliance process was designed to create an audit trail. It wasn't designed to enforce security. SSPs capture intent. ATOs authorize environments at a point in time. And by the time the ink is dry, the system has already moved.
The developers building mission-critical software know this pattern. The security organizations know it too. The question has never been whether this model needs to change—it's whether anyone has the engineering depth and the security credibility to build something that actually replaces it.
That's why this role exists.
We're building the platform that is transforming how thousands of Leidos engineers build and deliver software. At the center of that platform is a fundamental re-architecture of how compliance works: not as a gate you pass through, but as code woven into the infrastructure itself. Policy-as-code. Continuous compliance evidence. A platform ATO that programs inherit rather than pursue on their own.
The goal is a platform that the enterprise security organization looks at and says: this is the thing we've been trying to build for years. These people aren't going around us. They're handing us superpowers.
You're the person who builds it. And you're the person who makes that realization inevitable.
Why This Role Matters
Security and compliance in defense-sector software delivery have long lived in a structural paradox: the processes designed to protect mission software are the same processes that slow it down. Manual authorization cycles. Point-in-time snapshots. Documentation that proves intent but not execution. Every program team re-solves the same compliance problems. Every platform that wants to help them has to run the gauntlet first.
What you'll build isn't a workaround. It's a better architecture: policy-as-code that enforces compliance at the moment of deployment, continuous evidence that gives auditors real-time proof instead of point-in-time packages, and a platform-level ATO that program teams can inherit rather than pursue. The result is a security posture that's demonstrably stronger than manual review—stricter, more consistent, and infinitely more scalable.
Leidos is one of the largest engineering organizations supporting national security, with thousands of developers building mission-critical software across hundreds of programs. What you build here will shape how that software is delivered—and whether the security guaranteeing it is a paper promise or an enforced fact.
If you've spent your career knowing this was possible and waiting for an organization big enough to matter and willing enough to move—this is it.
What You'll Do
Architect the compliance engine. Design and build the policy-as-code infrastructure that sits at the heart of the platform: the enforcement points, evidence pipeline, continuous compliance dashboards, and attestation framework that make "approved to deploy" a machine-verifiable fact, not a permission you wait on. You know this toolchain—the policy engines, the evidence frameworks, the supply chain attestation standards—and you've put it to work in production.
Own the platform ATO strategy. Chart the path from where we are to a platform-level ATO that programs can inherit. Navigate RMF, NIST 800-53, NIST 800-171, NIST 800-160, and DoD IL4/IL5 requirements alongside the realities of working with internal security reviewers and external auditors (3PAOs, DCMA). You've done this before. You know which shortcuts are real and which are traps.
Be the enterprise security team's most important technical partner. Attend the meetings. Build the trust. Co-author the policies. Make the case—technically, patiently, relentlessly—that policy-as-code is more rigorous than manual reviews, not less. You can speak the language of ISSOs and ISSMs, help them see their role shifting from gatekeepers to policy authors, and make that shift feel like a promotion rather than a loss.
Build the agentic AI security model. Claude Code, Codex, MCP servers, agentic development pipelines—all of these require a new security architecture that doesn't exist yet at enterprise scale. You'll design the controls that let developers use these tools at full power while enterprise security leadership can look at the posture and say "yes, we can see what's happening, and we're comfortable with it."
Own security architecture across the developer platform. Threat model the full stack—CI/CD pipelines, developer portal, container runtimes, workstation environments, inner and outer developer loop. Design the controls. Keep the security posture visible and auditable—not as an afterthought, but as a first-class platform capability.
Lead the supply chain security effort. SBOM generation, dependency management, container image provenance, vulnerability scanning—you design the enterprise pattern, build the tooling, and make it automatic. Every artifact that comes out of our pipelines has a provenance story you can tell.
Drive ATO process re-architecture. The current ATO process needs structural change—not circumvention, but a fundamentally better model. You'll have the technical depth to speak credibly about what the current process gets right, the honesty to name what it's not designed for, and the credibility to propose something that security teams will actually embrace.
Who You Are
A builder, not a reviewer. You've designed security systems. You've implemented them. You've seen them work in production under real conditions. You don't just know what good looks like on a whiteboard—you know how to build it.
Fluent in compliance, but not captured by it. You understand RMF, NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, and DoD IL4/IL5 deeply enough to know which requirements the current manual process actually satisfies—and which ones it only claims to satisfy. You can make the argument that automated enforcement is a better answer to the underlying security requirement, not a workaround.
A translator. You can walk into a room with the CISO, explain a Kubernetes admission controller policy in terms of the RA-5 control it satisfies, get heads nodding, and leave with a commitment. You can then turn around and work shoulder-to-shoulder with a platform engineer to implement it. You move fluidly between executive conversations and implementation details.
Patient and persistent with organizational change. You know that the security and IT organizations you're working with are not obstacles. They're stakeholders with legitimate concerns who need to be brought along, not pushed aside. You've done this before. You know it takes time. And you know how to make progress anyway.
Clear-eyed about the mission. You know that the point of all of this isn't compliance for its own sake. It's software that powers national security delivered faster, more reliably, and with a security posture that can be proven—not just promised. That understanding shapes how you make decisions.
What You'll Face
A compliance process built for steady-state operations being applied to a build phase that requires a fundamentally different engagement model.
A corporate security organization that understands the problem and wants velocity—and needs a technical partner who can help turn that stated value into structural change.
Agentic AI tooling that is arriving faster than enterprise security controls can be designed for it. You'll be building the plane while flying it.
The bootstrapping paradox: you're using the manual compliance process to build the tool that automates the manual compliance process. Every week in review is a week you're not building what eliminates the need for review.
Programs that need platform ATOs now and a platform that isn't mature enough yet to grant them.
And still—you'll make progress. Because you've navigated this before. You know what's possible, you know what takes time, and you know how to keep moving when both are true simultaneously.
Your Technical Impact
Design and deliver the policy-as-code infrastructure that enforces compliance at deployment—making it impossible to ship non-compliant code rather than hoping it doesn't happen.
Establish continuous compliance evidence generation: every deployment auto-produces artifacts mapped to NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, and DoD SRG controls. Auditors query dashboards, not document packages.
Build the agentic AI security architecture that covers agentic development tools, MCP server governance, and AI-assisted development pipelines at enterprise scale—so security leadership sees a mature security posture, not an uncontrolled threat surface.
Architect the path to a platform-level ATO that programs can inherit—reducing what once took months or years to a matter of seconds for teams building on the platform.
Lead the software supply chain security effort: SBOM generation, image provenance, dependency management, vulnerability scanning—automated, continuous, and integrated into the developer workflow.
Be the technical voice that turns the security team–DevEx relationship into a genuine partnership: co-authored policies, shared security posture ownership, and a security organization that sees the platform as an asset they helped build rather than a risk they were asked to accept.
Required Qualifications
Master's degree in Computer Science, Information Security, Software Engineering, or a related technical field.
15+ years of experience in security architecture, DevSecOps, platform security, or related disciplines—with significant hands-on work, not just advisory roles.
Deep expertise in policy-as-code tooling: Open Policy Agent (OPA), Kyverno, Rego, Sentinel, or equivalent. You've written policies in production, not just evaluated the category.
Strong working knowledge of compliance frameworks: NIST 800-53, NIST 800-171, NIST 800-160, FedRAMP, DoD IL4/IL5/6, RMF, CMMC. You understand the controls, what satisfies them, and how to build automated evidence.
Hands-on experience with container and Kubernetes security: admission controllers, image scanning, network policies, runtime security, and hardened base images.
Experience with CI/CD pipeline security: SAST/DAST, SCA, container scanning, IaC scanning, secrets management, hardened images/libraries, and how to integrate these into developer workflows without crushing velocity.
Familiarity with software supply chain security: supply chain integrity frameworks (SLSA, in-toto), SBOM standards (CycloneDX, SPDX), signed commits, and provenance tooling.
Experience designing security for AI-assisted development environments, including agent tooling, MCP server governance, LLM-integrated development pipelines, or equivalent emerging threat surfaces (or demonstrated ability to reason credibly about novel security architectures).
Proven ability to engage effectively with security and compliance stakeholders—not just technically, but organizationally. You've worked with ISSOs/ISSMs, auditors, and compliance teams. You know how to move them.
Excellent communication skills—you can explain a Kubernetes admission webhook to a CISO and a FedRAMP control to a platform engineer, and make both conversations productive.
U.S. citizenship required; ability to obtain and maintain a security clearance.
Preferred Qualifications
Direct experience with USAF Platform One, DISA Repo One, or equivalent DoD DevSecOps programs—you've seen what continuous ATO looks like in practice.
Background working with 3PAOs, DCMA, or other external auditors in the context of FedRAMP, DoD IL authorization, or RMF.
Hands-on experience with Wiz, Prisma Cloud, Orca, or equivalent cloud security posture management platforms.
Familiarity with RegScale, Telos Xacta, or equivalent GRC tooling and how to automate evidence flows into them.
Experience building or operating an Internal Developer Portal (Backstage, Cortex, or custom) with security capabilities integrated.
CISSP, CCSP, or equivalent security certifications (valued, but not required when the work speaks for itself).
If you're looking for comfort, keep scrolling. At Leidos, we outthink, outbuild, and outpace the status quo—because the mission demands it. We're not hiring followers. We're recruiting the ones who disrupt, provoke, and refuse to fail. Step 10 is ancient history. We're already at step 30—and moving faster than anyone else dares.
For U.S. Positions: While subject to change based on business needs, Leidos reasonably anticipates that this job requisition will remain open for at least 3 days with an anticipated close date of no earlier than 3 days after the original posting date as listed above.
The Leidos pay range for this job level is a general guideline only and not a guarantee of compensation or salary. Additional factors considered in extending an offer include (but are not limited to) responsibilities of the job, education, experience, knowledge, skills, and abilities, as well as internal equity, alignment with market data, applicable bargaining agreement (if any), or other law.