Security Engineer - Governance, Risk & Compliance
Nominal
Legal
Washington, DC, USA
Posted on Nov 7, 2024
About Nominal
Nominal is a venture-backed company with offices in Washington DC, Los Angeles, Austin, and New York City. We’re focused on building software and data solutions for organizations that test and validate complex systems—think drones, rocket engines, satellites, and nuclear reactors. Supported by leading investors like General Catalyst, Founders Fund, Lux Capital, and more, we’re gaining strong traction in the commercial and government aerospace and defense industrial base, including direct work with the U.S. Department of Defense (DoD).
Our team includes engineers and operators from SpaceX, Palantir, Anduril, Lockheed Martin, and NASA, all working toward a common goal: making it faster and easier for hardware engineers to push the boundaries of advanced technology safely and efficiently. Our platform helps engineering teams accelerate test data review and analysis, scaling testing campaigns to save time and cut costs.
Nominal’s defense and commercial customers operate in some of the most sensitive data environments in the country. We built the Nominal platform to protect the sensitivity of this data and to prioritize its security above all else. Our internal systems must meet a commensurate standard of security.
As our first technical hire fully dedicated to information security (infosec) and governance, risk, and compliance (GRC), you’ll be responsible for developing and maturing various infosec and GRC controls, and authority to operate (ATO) initiatives, to meet the high bar described above. This includes hardening Nominal’s software platform (both security and availability/reliability), deploying into secure environments, assisting with incident response, managing Nominal’s network, ensuring endpoint security, establishing baseline device configuration, guaranteeing technical compliance with information security standards, and more.
🚀 About the role
- Own the Posture: Technical excellence in product hardening and information security is table-stakes for Nominal’s success due to our product and industry. You’ll need to internalize this and fully own it in a first-class way. Set Nominal up for success in serving large DoD and enterprise customers in a secure manner.
- Plan & Execute: Translate GRC requirements (e.g., CMMC, NIST 800-171, Impact Level (IL) 4/5, FedRAMP) into proposed technical actions and policies, and lead their rollout to meet the stringent standard of government- and enterprise-defined information security. Oversee our Risk Management Framework (RMF) lifecycle management. Apply technology standards to classified, air-gapped environments.
- Coach Our Team: Create and deliver approachable, relevant training to ensure all employees are equipped to maintain high technical standards for infosec and GRC. Provide guidance regarding procurement or download of secure, vetted third-party software, applications, and libraries.
- Communicate the Standard: Prepare communications for government partners, auditors, and customers that satisfactorily explain Nominal’s technical security posture, both for our software platform and for our IT systems/endpoints, and that inspire confidence in our secure product and business practices.
🔍 We're looking for someone with
- 4+ years of experience working with U.S. Department of Defense contracting and data requirements (whether in the government or industry), including CMMC, NIST 800-171, IL4/5, FedRAMP, SOC 2, and the Risk Management Framework (RMF).
- General knowledge of DevSecOps and infrastructure, information security, cybersecurity, incident management, and root cause analysis.
- Experience with systems administration, including network setup (VPN, SSIDs, firewalls), endpoint device protection, attack monitoring & logging (EDR & SIEM), software allowlisting / blocklisting, encryption & secure protocols, and more.
- Experience with AWS / Cloud, Microsoft Azure, and Microsoft Government Community Cloud (GCC).
- Familiarity with a variety of deployment styles, including cloud, on-prem, air-gapped, and hybrid.
- Knowledge of modern software development techniques and processes and their security (CI pipelines, microservice architectures, cloud and container-based deployments).
- Organization, attention to detail, and strong writing skills to build out associated documentation that would stand up to questioning and scrutiny by customers, government officials, and auditors.
- Process management and relational skills to work with cross-functional stakeholders from across Nominal to ensure ongoing delivery of our infosec and GRC posture.
✨ Benefits/Perks
- Medical, dental, and vision insurance with 100% of premiums covered
- Unlimited PTO / sick leave
- Free lunch, snacks, and coffee
- Professional development stipend
- Quarterly company retreats
Please note that Nominal is unable to sponsor employment visas (H-1B, F-1 OPT, etc.) for this position. Applicants must be authorized to work in the U.S. without the need for visa sponsorship now or in the future. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, or national origin.