PSDC - TAS1 A4 SC3 (Senior DevSecOps Engineer)
Cumberland County
Submission Requirements
- •Resume must use the agency PA ITSA template. Other formats will not be considered.
- •RTR must be fully completed and physically signed. Unsigned forms will not be considered.
- •Skills assessment must be completed in VectorVMS format. All required skills must be addressed.
- •All information provided must be accurate. Misrepresentation may result in disqualification.
Job Description
***This requisition's PO is funded through 6/30/26, so use that date in the RTR. Contract end date is dependent on the final schedule and projected needs. Additional funding would then last a year and occur from 7/1/26-6/30/27.***
***Do not resubmit candidates from previously released req # 777897.***
Work Location: Hybrid with two days onsite (1920 Technology Parkway, Mechanicsburg, PA
17050). Schedule can be discussed during interview.
Work hours: 8AM to 5PM (hourlong lunch)
Start date can be ID'd upon after compliant PATCH and PSDC-related clearance has been processed and approved.
This req is available to candidates nationwide, but candidate must be ready to relocate for this hybrid position (60% remote vs. 40% onsite). Candidate must go onsite on their first day to pick up commonwealth-issued equipment, badging, etc.. Role contingent on compliant PATCH and passing PSDC/CJIS background checks.
PSDC (Public Safety Delivery Center)
requires the services of a Senior DevSecOps Engineer to act as consultant with the PSDC Solutions Management group.
Role summary
Hands-on security
automation for AWS delivery. Build secure-by-default CDK constructs and CloudFormation templates, wire them into CI/CD, and enforce compliance checks that map to CJIS and NIST. Azure support is a future consideration, not a core
day-one duty.
Scope boundaries
- Does not own enterprise AWS Organizations or SCP operations.
- Designs and builds reference guardrails and enforcement patterns that can be deployed by enterprise teams.
- Focuses on preventive controls and compliance automation, not incident response.
What you will deliver
First 90 days
- Pipeline security templates in GitHub Actions and Azure DevOps with SAST, SCA, IaC, container, and secret scanning gates.
- Compliance as code in reference accounts: AWS Config rules and Security Hub standards aligned to CJIS and NIST 800-53, with exceptions workflow documented.
- IaC reference modules using AWS CDK and CloudFormation for IAM least privilege, KMS, Secrets Manager, logging,
and network baselines; Terraform equivalents provided where teams require them.
- Evidence exports tying checks to control IDs and producing auditor-ready artifacts.
Ongoing
- Harden CDK/CFT modules and pipeline templates as compliance needs evolve.
- Coach pilot teams to adopt templates.
- Raise gaps to enterprise teams for org-level enforcement.
Day-to-day responsibilities
- Author and maintain AWS CDK constructs and CloudFormation templates; provide Terraform versions as secondary.
- Implement AWS Config conformance, Security Hub standards, and GuardDuty routing in reference accounts.
- Wire scanning in CI/CD for app code, containers, and IaC.
- Create reusable GitHub/Azure DevOps templates with enforcement gates and exception handling.
- Generate posture and evidence reports mapped to CJIS and NIST controls.
Required skills
- 5+ years AWS security automation and DevOps.
- Strong with AWS CDK and CloudFormation; working proficiency in Terraform.
- CI/CD authoring in GitHub Actions and Azure DevOps.
- Proficient in Python and Bash, with PowerShell for Windows automation.
- Able to read Java and C# to integrate and tune SAST/SCA.
- Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidence.
Nice to have
- EKS/ECS/Lambda hardening patterns.
- OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent.
- Basic Azure security automation for future phases.
Decision rights
Independent on design and build within standards; proposes guardrails and reference patterns;
escalates enterprise-wide changes.
Skills Assessment
Required skills must be completed during application.
| Skill | Required / Desired | Experience |
|---|---|---|
| 5+ years AWS security automation and DevOps | Required | 5 Years |
| Strong with AWS CDK and CloudFormation; working proficiency in Terraform | Required | — |
| CI/CD authoring in GitHub Actions and Azure DevOps | Required | — |
| Proficient in Python and Bash, with PowerShell for Windows automation | Required | — |
| Able to read Java and C# to integrate and tune SAST/SCA | Required | — |
| Practical knowledge of CJIS and NIST 800-53 control families and how to automate checks and evidence | Required | — |
| EKS/ECS/Lambda hardening patterns | Desired | — |
| OPA/Conftest, Checkov, Trivy, Inspector, CodeQL or equivalent | Desired | — |
| Basic Azure security automation for future phases | Desired | — |