ZERO TRUST (ZT) APPLICATION DEVELOPMENT SECURITY SME (VIRTUALIZATION AND APPLICATION DEVELOPMENT SME)

ZERO TRUST (ZT) APPLICATION DEVELOPMENT SECURITY SME

POSITION OVERVIEW

The Zero Trust Virtualization / Application Development Technical SME exists to serve as the agency's primary technical advisor for the CISA ZTMM v2.0 Applications & Workloads pillar - the pillar responsible for extending ZT enforcement to the application layer across the agency's enterprise software portfolio. This role advances TSA's application access control posture, API security maturity, and DevSecOps adoption by providing senior-level advisory on application security architecture, cloud workload protection, and secure software delivery in alignment with EO 14028 and OMB M-22-09. The expected outcome is a continuously advancing Applications & Workloads pillar maturity posture - with application access enforced at the authorization layer, API security posture assessed and advised, and DevSecOps practices integrated into the software delivery lifecycle. This is a senior technical advisory role requiring hands-on application security and cloud architecture experience.

DUTIES & RESPONSIBILITIES

General Duties

• Serve as the primary technical advisor for the CISA ZTMM v2.0 Applications & Workloads pillar across application security, cloud security, and secure software delivery domains.
• Continuously assess the agency's application portfolio posture against CISA ZTMM v2.0 Applications & Workloads criteria and NIST SP 800-207; proactively identify emerging application risk indicators, including access control drift, API exposure, and supply chain vulnerabilities, and deliver real-time advisory recommendations.
• Provide technical advisory guidance on application access control design options, API security strategies, and authorization gateway approaches, recommending solutions and implementation pathways for agency decision-making.
• Evaluate cloud-hosted and on-premises application environments for ZT compliance; develop recommended approaches for secure configuration, workload isolation, and least-privilege access enforcement for agency adoption.
• Advise on DevSecOps integration strategies, secure CI/CD pipeline practices, and software supply chain security aligned to OMB M-23-16 and EO 14028; develop recommended solutions for agency review.
• Assess container and virtualization environments for workload segmentation, access control, and ZT enforcement alignment; develop findings and recommended remediation approaches for agency concurrence.
• Provide advisory support for the development and maturation of Applications & Workloads pillar entries in the ZT Common Control Catalog (CCC), ensuring traceability to NIST SP 800-53 Rev. 5 control families.
• Develop recommended Applications & Workloads pillar inputs to the ZT Roadmap, IG CIGIE maturity reporting, and enterprise performance reporting for agency review and approval.
• Collaborate with Identity, Network, and Data SMEs to ensure application access control approaches integrate coherently across all ZTMM pillars.
• Review application-related policy documents and technical standards; identify gaps relative to ZT mandates and develop recommended updates for agency concurrence.
• Support all application and workload-related ZT data calls, audits, and compliance reporting by providing advisory analysis and recommended responses.
• Prepare and present application security findings, maturity assessments, and advisory recommendations to senior leadership and the CISO.
• Leverage AI-assisted analysis tools, automation platforms, and prompt engineering techniques to enhance advisory productivity, accelerate gap analysis and documentation tasks, and enable focus on higher-value technical advisory work; apply all AI capabilities in accordance with agency acceptable use policies and Zermount's ethical AI use guidelines.

SUBJECT MATTER EXPERTISE

SME Area #1 – Application Security, Cloud Workload Protection & DevSecOps Advisory

• Expert-level mastery of application security architecture including ZT application access control design, API security strategy, authorization gateway architecture, and DevSecOps integration demonstrated through operational implementation or senior advisory engagement in a federal or large enterprise environment.
• Authoritative knowledge of CISA ZTMM v2.0 Applications & Workloads pillar criteria, NIST SP 800-207 application access tenets, NIST SP 800-218 SSDF, EO 14028 software security requirements, OMB M-23-16, and NIST SP 800-53 Rev. 5 SA, SI, and CM control families.
• Expert-level proficiency with cloud platforms (Azure, AWS, or GCP) at a security architecture or engineering level, including IaaS, PaaS, and SaaS security constructs, cloud-native access control, and cloud workload protection.
• Expert-level knowledge of API security frameworks, authorization gateway design, and application-layer access control enforcement in a ZT context.
• Independent decision-making authority on Applications & Workloads pillar advisory scope, application portfolio assessment methodology, and recommended ZT enforcement approach. Bring solutions for concurrence.
• Problem-solving at the intersection of application security and cross-pillar ZT integration. Able to identify how application access control gaps create risk in Identity enforcement and Data pillar protection requirements.

SME Area #2 – Container, Virtualization & Software Supply Chain Security

• Strong foundational knowledge of application development concepts, software architectures (microservices, monolithic, serverless), and API design patterns sufficient to assess application security controls and advise on ZT enforcement at the application layer.
• Working knowledge of container orchestration (Kubernetes, Docker) and virtualization platforms, including container runtime security, image scanning, and workload isolation, as they relate to ZT Applications & Workloads pillar requirements.
• Hands-on experience with CI/CD pipeline security integration, software supply chain risk management, and SSDF practice alignment in a federal or large enterprise environment.
• Foundational understanding of database security, data access patterns, and application-to-database authentication mechanisms as they relate to ZT workload protection and least-privilege enforcement.
• Supports Applications & Workloads pillar advisory by enabling technically credible engagement with agency application developers, cloud architects, DevSecOps engineers, and software delivery teams.
• Interacts directly with Identity SME on application-layer identity assertion and authorization, Network SME on application traffic segmentation, and the ZT Process Re-Engineering SME on DevSecOps process change advisory.

QUALIFICATIONS

Minimum Requirements

• A minimum of 10 years in application security, cloud security architecture, or DevSecOps with demonstrated Zero Trust scope.
• Hands-on experience implementing ZT-aligned application access control in cloud environments (Azure, AWS, or GCP); must extend beyond administration to include ZT policy design and enforcement architecture.
• Expert knowledge of NIST SP 800-207, CISA ZTMM v2.0 Applications & Workloads pillar criteria, NIST SP 800-218, and federal secure software development standards.
• Experience with API security frameworks, authorization gateway design, and application-layer access control enforcement in a ZT context.
• Demonstrated familiarity with DevSecOps practices, CI/CD security integration, and software supply chain security under EO 14028 and OMB M-23-16.
• Experience assessing application security controls against NIST SP 800-53 Rev. 5 SA, SI, and CM control families.
• Demonstrated experience developing and implementing Zero Trust application security solutions operationally, not limited to framework mapping or documentation.
• Experience supporting ZT-related IG FISMA metrics reporting pertaining to applications and workloads.
• Strong written and oral communication skills; ability to translate complex application security concepts into CISO-ready recommendations.
• Demonstrated familiarity with AI-assisted analysis tools or prompt engineering; ability to apply AI capabilities ethically to accelerate advisory work and surface higher-value technical insights.

Preferred Qualifications

• Five years of IT cybersecurity experience, including direct support to the U.S. Government. This experience can be concurrent with the minimum 10 years of application security experience.
• Prior direct involvement in a ZT Applications & Workloads pillar implementation or enterprise ZT-aligned deployment in a technical design or advisory capacity.
• Cloud security certification: AWS Security Specialty, Microsoft Azure Security Engineer Associate (AZ-500), or GCP Professional Cloud Security Engineer.
• Experience with Kubernetes security, container runtime protection, and image vulnerability management in a federal or enterprise environment.
• Experience with legacy application ZT advisory extending ZT controls to applications that cannot natively support modern authentication or authorization.
• Prior CISO-facing experience.

Competencies

• Technical: CISA ZTMM v2.0 Applications & Workloads pillar, NIST SP 800-207, NIST SP 800-218, EO 14028, OMB M-23-16, Azure/AWS/GCP cloud security, API security, authorization gateways, DevSecOps, CI/CD pipeline security, Kubernetes, Docker, NIST SP 800-53 SA/SI/CM, AI-assisted analysis.
• Leadership: Technical advisory leadership for Applications & Workloads pillar; cross-pillar SME coordination with Identity, Network, and Data teams; engagement with agency developers, cloud architects, and DevSecOps engineers.
• Behavioral: Proactive continuous application posture monitoring; precision in application security architecture assessment; continuous learning toward evolving cloud security capabilities, DevSecOps practices, and federal software security mandates.

Education & Certifications

• Minimum of a Bachelor of Science (or higher) in Information Technology, Computer Science, Software Engineering, Cybersecurity, or a related field.
• Required: Certified Information Systems Security Professional (CISSP) or Certified Cloud Security Professional (CCSP), or equivalent certification.
• Strongly preferred: Certified Information Security Manager (CISM) or equivalent senior security management certification.
• Strongly preferred: Cloud security certification. AWS Security Specialty, Microsoft Azure Security Engineer Associate (AZ-500), or GCP Professional Cloud Security Engineer.

Clearance Level

• Active Secret Clearance required.

WORK LOCATION

• Hybrid – Primarily Remote. Occasional onsite work required at the client location in Springfield, VA and Zermount HQ in Arlington, VA.

HOURS OF OPERATION

• Business Hours: 8:00 AM EST – 4:30 PM EST
• Core Hours: 9:00 AM EST – 3:00 PM EST

REPORTING STRUCTURE

• Reports To: ZT SME Team Leader
• Direct Reports: None