Sr. DevSecOps Engineer (US)

About Craft: Craft is the leader in supplier risk intelligence, enabling enterprises to discover, evaluate, and continuously monitor their suppliers at scale. Our AI research and monitoring agents deliver real, actionable intelligence, by operating on top of our unique, proprietary data platform - this helps our customers make better, more informed decisions for their business, faster and strategically secure critical supply chains from risk. Our customers include Fortune 500 companies, government agencies, and global service platforms. We’ve developed distribution partnerships with some of the largest integrators and software platforms globally. We are a post-Series B high-growth technology company backed by top-tier investors in Silicon Valley and Europe, headquartered in San Francisco with hubs in Seattle and Warsaw. We support remote and hybrid work, with team members across North America and Europe. We are looking for innovative and driven people passionate about building the future of Enterprise Intelligence to join our growing team! About the Role: Craft is growing — and we’re looking for a senior engineer to lead one of our most strategically important initiatives: establishing a FedRAMP-authorized cloud environment by defining a secure boundary and hardening our existing cloud platform. This is an initiative with direct impact on Craft’s ability to serve the 40+ federal government agencies we already work with, and to unlock new opportunities across the public sector. You’ll own and lead the implementation of security controls, compliance automation, and secure architecture patterns required to achieve and maintain FedRAMP authorization at both Moderate and High impact levels, with alignment to DoW IL2 and IL5 requirements. Working cross-functionally with infrastructure, engineering, and security, you’ll translate NIST 800-53 Rev. 5 requirements into scalable, auditable technical controls across our platform. This role reports to and partners closely with Jose M., our Manager of DevSecOps. You’ll lead the FedRAMP readiness effort day-to-day — driving the ATO timeline, shaping the program’s architecture, and upleveling team expertise in FedRAMP and NIST controls. If you want to own something consequential at a company that already has a sponsor and active federal relationships, this is it. What You’ll Do: Lead Craft’s FedRAMP readiness program — defining the roadmap, owning the ATO timeline, and driving execution across engineering and security stakeholders. Design and implement AWS GovCloud architecture that meets FedRAMP Moderate and High requirements. Translate NIST 800-53 Rev. 5 controls into concrete, auditable, and continuously enforced technical implementations — not just documentation. Build and maintain compliance automation tooling to continuously validate control adherence across the environment, reducing manual audit burden. Develop and manage secure CI/CD pipelines with integrated security gates, secrets management, and deployment controls appropriate for FedRAMP environments. Author and maintain System Security Plans (SSPs), control implementation statements, and audit evidence packages; work directly with auditors and 3PAOs through assessment cycles. Perform threat modeling, risk assessments, and security architecture reviews across the platform. Define and drive how FedRAMP controls are embedded across the engineering lifecycle, partnering with full-stack, data, and machine learning teams to ensure consistent, scalable adoption. Serve as the internal subject matter expert on FedRAMP, NIST 800-53, and federal compliance — upleveling the broader team’s knowledge as the program matures. Who You Are: Required You have direct, hands-on FedRAMP ATO experience — you’ve been through the process, not just observed it. You have strong working knowledge of NIST 800-53 Rev. 5 controls and how to implement them technically, not just document them. You have deep hands-on experience securing AWS environments. You have direct experience with AWS GovCloud, including its constraints and operational differences from commercial AWS. You write advanced Terraform — modules, policy enforcement, and infrastructure that’s auditable by design. You’ve built or hardened CI/CD pipelines for secure, compliant deployments — integrating security scanning, secrets management, and access controls. You’ve worked directly with auditors and 3PAOs: preparing evidence packages, responding to findings, and supporting assessment activities. Nice to Haves SOC 2 Type II experience, particularly in environments where mapped or extended to support FedRAMP or NIST frameworks. Experience securing data platforms such as Databricks, including data isolation and access control patterns. Familiarity with AI and LLM security concepts: prompt injection risks, model data isolation, inference boundary controls. Experience working in a startup or lean DevSecOps environment where you’ve had to build programs pragmatically with limited resources. What We Offer: Competitive salary starting at $170,000 USD/ year. This starting number can be increased based on levels of expertise, location, cost of living, taxes, market experience, etc. Equity at a well-funded, fast-growing startup Unlimited vacation time so you can take what you need, when you need it 99% covered Health + Dental + Vision insurance for employees and dependents 401K through Empower with options to invest how you want it A Note to Candidates: We are an equal opportunity employer who values and encourages diversity, equity and belonging at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, caste, or disability status. Don’t meet every requirement? Studies have shown that women, communities of color and historically underrepresented talent are less likely to apply to jobs unless they meet every single qualification. At Craft, we are dedicated to building a diverse, inclusive and authentic workplace, so if you’re excited about this role but your past experience doesn’t align perfectly with every qualification in the job description, we strongly encourage you to apply. You may be just the right candidate for this or other roles! #J-18808-Ljbffr