3am Business Solutions3am Business Solutions

PSDC - TAS1 A4 SC3 (Senior DevSecOps Engineer)

Cumberland County

Submission Requirements

  • Resume must use the agency PA ITSA template. Other formats will not be considered.
  • RTR must be fully completed and physically signed. Unsigned forms will not be considered.
  • Skills assessment must be completed in VectorVMS format. All required skills must be addressed.
  • All information provided must be accurate. Misrepresentation may result in disqualification.

Job Description

***This requisition's PO is funded through 6/30/26, so use that date in the RTR. Contract end date is dependent on the final schedule and projected needs. Additional funding would then last a year and occur from 7/1/26-6/30/27.*** ***Do not resubmit candidates from previously released req # 777897.*** Work Location: Hybrid with two days onsite (1920 Technology Parkway, Mechanicsburg, PA 17050). Schedule can be discussed during interview. Work hours: 8AM to 5PM (hourlong lunch) Start date can be ID'd upon after compliant PATCH and PSDC-related clearance has been processed and approved. This req is available to candidates nationwide, but candidate must be ready to relocate for this hybrid position (60% remote vs. 40% onsite). Candidate must go onsite on their first day to pick up commonwealth-issued equipment, badging, etc.. Role contingent on compliant PATCH and passing PSDC/CJIS background checks. PSDC (Public Safety Delivery Center) requires the services of a Senior DevSecOps Engineer to act as consultant with the PSDC Solutions Management group. Role summary Hands-on security automation for AWS delivery. Build secure-by-default CDK constructs and CloudFormation templates, wire them into CI/CD, and enforce compliance checks that map to CJIS and NIST. Azure support is a future consideration, not a core day-one duty. Scope boundaries - Does not own enterprise AWS Organizations or SCP operations. - Designs and builds reference guardrails and enforcement patterns that can be deployed by enterprise teams. - Focuses on preventive controls and compliance automation, not incident response. What you will deliver First 90 days - Pipeline security templates in GitHub Actions and Azure DevOps with SAST, SCA, IaC, container, and secret scanning gates. - Compliance as code in reference accounts: AWS Config rules and Security Hub standards aligned to CJIS and NIST 800-53, with exceptions workflow documented. - IaC reference modules using AWS CDK and CloudFormation for IAM least privilege, KMS, Secrets Manager, logging, and network baselines; Terraform equivalents provided where teams require them. - Evidence exports tying checks to control IDs and producing auditor-ready artifacts. Ongoing - Harden CDK/CFT modules and pipeline templates as compliance needs evolve. - Coach pilot teams to adopt templates. - Raise gaps to enterprise teams for org-level enforcement. Day-to-day responsibilities - Author and maintain AWS CDK constructs and CloudFormation templates; provide Terraform versions as secondary. - Implement AWS Config conformance, Security Hub standards, and GuardDuty routing in reference accounts. - Wire scanning in CI/CD for app code, containers, and IaC. - Create reusable GitHub/Azure DevOps templates with enforcement gates and exception handling. - Generate posture and evidence reports mapped to CJIS and NIST controls. Required skills - 5+ years AWS security automation and DevOps. - Strong with AWS CDK and CloudFormation; working proficiency in Terraform. - CI/CD authoring in GitHub Actions and Azure DevOps. - Proficient in Python and Bash, with PowerShell for Windows automation. - Able to read Java and C# to integrate and tune SAST/SCA. - Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidence. Nice to have - EKS/ECS/Lambda hardening patterns. - OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent. - Basic Azure security automation for future phases. Decision rights Independent on design and build within standards; proposes guardrails and reference patterns; escalates enterprise-wide changes.

Skills Assessment

Required skills must be completed during application.

SkillRequired / DesiredExperience
5+ years AWS security automation and DevOpsRequired5 Years
Strong with AWS CDK and CloudFormation; working proficiency in TerraformRequired
CI/CD authoring in GitHub Actions and Azure DevOpsRequired
Proficient in Python and Bash, with PowerShell for Windows automationRequired
Able to read Java and C# to integrate and tune SAST/SCARequired
Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidenceRequired
EKS/ECS/Lambda hardening patternsDesired
OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalentDesired
Basic Azure security automation for future phasesDesired