Cyber PKI Administrator

SHR - Software Hardware Re-engineered

About SHR Consulting Group


SHR is a premier technology integrator solving our nation's most complex modernization and readiness challenges across the defense, federal civilian, and intelligence markets. Our robust portfolio of offerings includes high-end solutions in systems engineering and integration; enterprise IT, including cloud services; cyber; software; advanced analytics and AI. With an intimate understanding of our customers' challenges and deep expertise in existing and emerging technologies, we integrate the best components from our own portfolio and our partner ecosystem to deliver innovative, effective, and efficient solutions.

We are a rapidly growing organization seeking a Cyber PKI Administrator to provide specialized IT expertise for supporting a DISA environment. This position is responsible for the installation, configuration, operation, and maintenance of Public Key Infrastructure (PKI) services and Hardware Security Module (HSM) appliances that protect DoD identity, authentication, and encryption capabilities. The Cyber PKI Administrator ensures that HSM devices, Certificate Authorities, and supporting services are properly configured, maintained, and updated, and that the cryptographic environment adheres to DoD security standards, organizational values, and contractual performance requirements.

This role supports Government customers across one or more classification domains and may require work across standard business hours or on a shift/rotational schedule, depending on task order requirements. Because HSMs are designated mission-critical assets, the role demands strict adherence to two-person integrity, separation of duties, and disciplined audit and access controls. The Cyber PKI Administrator serves as the primary administrator of the cryptographic environment and works alongside designated backup administrators in the broader operations team who hold equivalent privileged credentials and emergency access.


Duties will vary based on position and area of focus:

HSM Operations and Administration

• Install, configure, and maintain enterprise-class Hardware Security Module (HSM) appliances in accordance with vendor best practices, DoD security configuration baselines, and approved standard operating procedures (SOPs).
• Monitor HSM health, performance, and availability; identify, troubleshoot, and resolve hardware, firmware, and client-side issues in a timely manner.
• Perform HSM firmware updates, software patches, and supporting client software upgrades in compliance with DoD Information Assurance Vulnerability Management (IAVM) requirements and Government-directed maintenance windows.
• Maintain HSM configuration documentation, baseline records, and change logs in accordance with configuration management processes.
• Partition and Role Management : Create and manage HSM partitions, assign cryptographic officer and user roles, and enforce quorum (M of N) authentication controls so that no single individual can perform sensitive operations.
• Key Lifecycle Management : Oversee the full lifecycle of cryptographic key material - generation, distribution, rotation, backup, escrow, restoration, and destruction - and maintain chain-of-custody documentation for all key operations.
• Key Ceremony Execution : Plan and execute formal key ceremonies for Root and Issuing Certificate Authority events; develop and maintain ceremony scripts and witness logs.
• Tamper Integrity : Maintain tamper-evident packaging, seal logs, and physical inspection records consistent with FIPS 140-2/140-3 operational guidance.

Public Key Infrastructure (PKI) and Certificate Management

• Operate and maintain enterprise Certificate Authorities, Online Certificate Status Protocol (OCSP) responders, and Certificate Revocation List (CRL) distribution services across multiple classification domains.
• Issue, renew, revoke, and replace DoD and National Security System (NSS) PKI certificates for web servers, domain controllers, Domain Name System (DNS) servers, and other infrastructure components.
• Expiration Tracking : Build and maintain a comprehensive certificate expiration tracker; coordinate proactive renewal with affected system owners to prevent service disruption and report status to Government leadership on a recurring cadence.
• Root and Policy CA Operations : Support Root and Policy Certificate Authority lifecycle events, including offline operations, approved key ceremonies, and Government-directed updates.
• Smart Card and CAC Integration : Manage Common Access Card (CAC) and PKI integration for Government and contractor personnel, including user authentication, certificate mapping, and smart-card-based access controls.
• PKI Consumer Coordination : Partner with Domain Services, application, database, and platform teams to ensure dependent systems consume PKI services correctly and remain compliant with cryptographic standards.

Physical and Logical Access Control

• Enforce physical and logical access controls to HSM appliances; maintain access rosters and coordinate facility access with Government POCs.
• Execute two-person rule procedures for sensitive cryptographic operations in partnership with designated backup administrators.
• Train and qualify designated backup administrators from the broader operations team to maintain emergency access to the cryptographic environment, ensuring continuity of operations without compromising separation of duties.
• Audit privileged access to the cryptographic environment on a recurring basis and report findings to Government leadership.

Cybersecurity and Compliance

• Ensure all PKI and HSM systems maintain compliance with DoD Security Technical Implementation Guides (STIGs), Information Assurance Vulnerability Alerts (IAVAs), and applicable Command Cyber Tasking Orders (CCTOs).
• Conduct and analyze vulnerability scans (e.g., ACAS/Nessus) of HSM management interfaces and PKI infrastructure; apply remediations including security patches, configuration changes, and STIG settings within Government-required timelines.
• Support Risk Management Framework (RMF) activities including the development and maintenance of system security documentation, Plan of Action and Milestones (POA&Ms), and Assessment and Authorization (A&A) artifacts for the cryptographic environment.
• Log Auditing : Review HSM and Certificate Authority audit logs on a recurring schedule, investigate anomalies, and coordinate with the defensive cyber operations team on any indicators of compromise.
• Adhere to DoD 8570.01-M / DoD 8140 Information Assurance workforce requirements applicable to the assigned role.

Documentation and Communication

• Develop, update, and maintain SOPs, Work Instructions (WIs), key ceremony scripts, and technical documentation for all supported cryptographic services.
• Provide status updates, incident reports, and After Action Reports (AARs) as required by Government leadership.
• Participate in configuration change control board (CCB) processes; coordinate all PKI and HSM changes through approved change management procedures.
• Collaborate with network, cybersecurity, server operations, and application teams to resolve cross-functional issues.
• Provide technical support and training to end users and junior staff as needed.

Security Clearance Requirement

U.S. Citizenship and a minimum active Secret security clearance are required for this position. Certain task orders or work locations may require a Top Secret (TS) or TS/SCI clearance. All personnel must be able to obtain and maintain the required clearance level and must possess a valid DoD Common Access Card (CAC). Personnel may be required to access systems across multiple classification domains, including Unclassified (NIPR), Secret (SIPR), and Top Secret/Collateral networks.

Education Requirements

One of the following is required:

• Bachelor's degree in Computer Science, Computer Engineering, Information Technology, Information Systems, Cybersecurity, or a closely related technical field; OR
• Associate's degree in a related technical field plus additional qualifying experience; OR
• Equivalent combination of education, training, and directly relevant DoD IT experience as defined by labor category level below.
  • Junior (0-2 years) - Works under supervision; executes defined tasks; learns SOPs and tools
  • Mid (3-5 years - Works independently on most tasks; supports complex troubleshooting; mentors juniors
  • Senior (6+ years) - SME-level expertise; leads technical efforts; guides architecture and compliance decisions

Minimum Qualifications

• Hands-on experience administering enterprise PKI in a Windows Active Directory environment, including Certificate Authorities, OCSP, and CRL distribution.
• Working knowledge of Hardware Security Modules (HSMs) and FIPS 140-2/140-3 operational requirements.
• Experience with cryptographic key lifecycle management: generation, backup, cloning, restoration, escrow, and destruction.
• Working knowledge of Windows Server operating systems (2016/2019/2022), Active Directory, Group Policy, and PowerShell scripting.
• Understanding of cryptographic concepts: asymmetric and symmetric algorithms, hashing, digital signatures, X.509 certificate structure, and certificate chain validation.
• Ability to apply DoD STIGs and IAVAs to maintain system compliance.
• Ability to operate under strict two-person integrity, separation-of-duties, and audit controls.
• Ability to create and maintain technical documentation, SOPs, and key ceremony scripts.
• Ability to work shift hours, weekends, or on-call rotations as required by task order.
• Strong oral and written communication skills; ability to brief technical topics to non-technical stakeholders.

Preferred Qualifications

• Experience in a DoD, Intelligence Community, or Federal Government IT environment.
• Direct hands-on experience with Thales Luna Network HSM or Luna PCIe HSM appliances and associated administrative tooling.
• Experience operating Microsoft Active Directory Certificate Services (AD CS) at enterprise scale.
• Experience with OCSP responders, CRL signing, and Certificate Transparency.
• Experience supporting DoD PKI, NSS PKI, or External Certification Authority (ECA) programs.
• Familiarity with HSM integration with VMware, Microsoft IIS, F5, and other PKI-consuming platforms.
• Familiarity with DoD RMF processes, eMASS, and A&A documentation.
• Knowledge of DoD Identity, Credential, and Access Management (ICAM) frameworks.
• PowerShell, Python, or Bash scripting for PKI and HSM automation.

Required Certifications

DoD Directive 8570.01-M / DoD 8140 baseline certification requirements applicable to their assigned Cyber IT/Cybersecurity role. The following certifications satisfy the minimum IAT Level II requirement:

• CompTIA Security+ CE
• Cisco CCNA Security
• CySA+ (CompTIA Cybersecurity Analyst)
• GIAC Security Essentials (GSEC)
• Systems Security Certified Practitioner (SSCP)

Additional computing environment (CE) certifications may be required depending on the specific technologies managed (e.g., Microsoft, VMware, Red Hat, Cisco). Certifications must be current and maintained throughout the period of performance.

Desired Vendor Certification

In addition to the IAT Level II baseline above, the Thales Luna HSM Professional Engineer certification is strongly desired for this position. As an alternative pathway, a candidate who possesses the credentials and demonstrated experience to be granted Domain Administrator privileges may be considered, provided the candidate commits to achieving the Thales Luna HSM Professional Engineer certification within six (6) months of hire. Failure to obtain the certification within the agreed window may result in reassignment from the primary cryptographic administrator role.

Work Environment and Physical Requirements

• Work is performed in a Government facility or contractor site supporting classified and/or unclassified IT environments.
• Personnel may be required to work in data centers or consolidated server rooms with associated environmental conditions (temperature, noise, and physical equipment).
• Occasional lifting of IT equipment up to 50 lbs may be required.
• Personnel may be required to support 24x7 operations via scheduled shifts or on-call arrangements.
• Travel to alternate Government sites may be required on an as-needed basis.

Benefits:

• Competitive salary based on experience
• Comprehensive benefits package including health, dental, vision, and retirement plans
• Paid time off and holidays

We are an Equal Opportunity Employer and consider all qualified applicants without regard to protected characteristics under applicable law. EEO/AA Employer/Veteran/Disabled.