Senior Network Security Engineer

The Senior Network Security Engineer supports our program with the U.S. Census Bureau by designing, implementing, operating, troubleshooting, and improving enterprise network security services across on-premises, hybrid-cloud, and cloud-connected environments. The role focuses on firewall engineering, VPN and remote access services, RSA SecurID or equivalent MFA/token services, content filtering, network access control, edge security services, monitoring and logging integration, vulnerability remediation, security documentation, and policy compliance for TCO-managed systems.

The engineer serves as a senior technical resource for secure network architecture, operations support, incident response coordination, and compliance support. This position works closely with TCO leadership, Network Infrastructure, Identity and Domain Services, cloud teams, SOC/NOC/Operations Center personnel, the Office of Information Security (OIS), Information System Security Officers (ISSOs), System Owners, and application teams.

Scope and Technology Ownership

• Primary scope: Cisco and Palo Alto firewall platforms; firewall policy lifecycle; NAT; segmentation; remote access and site-to-site VPN; RSA SecurID or equivalent MFA/two-factor authentication server and token services; Cloudflare or equivalent DNS/DDoS/WAF/Zero Trust edge security services; content filtering; network access control; monitoring, logging, and SIEM integration; vulnerability remediation; POA&M support; and audit evidence for TCO-managed systems.
• Coordination scope: SOC/NOC/Operations Center support, cloud and hybrid connectivity, IAM/DDI integrations, wireless/LAN dependencies, security architecture, change management, application access troubleshooting, and cross-team incident response.
• Role boundary: This is not a primary F5 BIG-IP/LTM/GTM/ASM/Advanced WAF or load-balancer administration role. The engineer will coordinate with the dedicated F5/application delivery team when firewall, VPN, DNS, WAF, certificate, routing, or application-traffic issues require cross-team support.
• RSA/MFA boundary: This role includes operational support for RSA SecurID or equivalent two-factor authentication services used by VPN and remote access, including server operations, software updates, token support, and troubleshooting. Broader enterprise IAM, directory services, and PKI functions remain coordinated with the Identity Management and Domain Services (IMDS) team.

Key Responsibilities

Firewall Engineering and Operations

• Design, configure, administer, maintain, and troubleshoot enterprise firewall solutions, including Cisco and Palo Alto platforms, firewall policy rule bases, NAT, segmentation, threat prevention, logging, high availability, and secure configuration baselines.
• Install, configure, maintain, and upgrade firewall hardware and software into new and existing network infrastructure, including cloud-connected environments.
• Administer firewall policies and services in accordance with Census IT security policy, secure configuration standards, and change control processes.
• Perform recurring firewall rule base reviews, rule recertification, policy cleanup, decommissioning of obsolete rules, and optimization to reduce risk and complexity.
• Identify, diagnose, and resolve firewall issues involving connectivity, rule behavior, utilization, performance, routing, VPNs, DNS, TLS/certificates, application flows, and log/packet analysis.

VPN, Remote Access, and Secure Connectivity

• Install, configure, maintain, monitor, and troubleshoot VPN services, including remote access VPN, site-to-site VPN, client/clientless access, partner connectivity, mobile device access, and cloud connectivity.
• Support RSA SecurID or equivalent MFA/two-factor authentication and directory service integrations for VPN and remote access services where applicable.
• Maintain, operate, administer, patch, upgrade, and troubleshoot RSA SecurID or equivalent MFA/two-factor authentication infrastructure supporting VPN and remote access, including authentication servers/appliances, middleware/agents, certificates, high availability, backups, logs, monitoring, and directory service integration.
• Support RSA/MFA token lifecycle operations, including hardware and software token provisioning, assignment, activation, replacement, resynchronization, deactivation, inventory tracking, end-user/tiered support, and emergency access processes.
• Monitor and report on VPN availability, utilization, and performance, and resolve connectivity issues affecting users, business partners, cloud networks, and mission systems.

Edge Security, Content Filtering, and Network Access Control

• Administer or support Cloudflare and related edge security capabilities, including DNS, DDoS protection, WAF policies, CDN, Access/Gateway, Zero Trust/ZTNA, tunneling, access controls, and logging.
• Design, implement, maintain, and troubleshoot content filtering services, including web security gateways, email security gateways, URL filtering, Data Loss Prevention (DLP) integrations, Advanced Persistent Threat (APT) integrations, malware defense integrations, and related cloud services.
• Support network access control services, including NAC policy administration, endpoint posture or 802.1X controls, identity-aware access policies, and integrations with firewalls, wireless, LAN, and identity management systems.
• Perform policy reviews for content filtering and NAC services as threats, requirements, and enterprise standards change.

Cloud, Hybrid Architecture, and Zero Trust

• Implement and manage network security controls across AWS, Azure, and hybrid environments, including VPCs/VNets, security groups, NACLs/NSGs, route tables, cloud firewalls, Transit Gateway, ExpressRoute, Direct Connect, VPN, DNS, monitoring, and logging.
• Provide technical guidance on Zero Trust principles, network segmentation, microsegmentation, least-privilege access, secure data transmission, threat detection, and compliance monitoring across on-premises and cloud environments.
• Evaluate proposed network and cloud changes for security impact, operational risk, compliance impact, and maintainability.

Monitoring, Logging, Incident Support, and Operations

• Ensure core network security capabilities are integrated into enterprise monitoring, alerting, logging, and SIEM platforms for availability, diagnostics, traceability, operational insight, and incident response.
• Review logs, alerts, vulnerability notices, vendor advisories, and threat information; recommend and implement improvements to reduce risk and improve network security posture.
• Support Operations Center, SOC/NOC, and incident response teams during maintenance, outages, investigations, security events, and incident resolution.
• Provide Tier II-IV troubleshooting support for complex network security incidents and service-impacting issues.
• Participate in after-hours upgrades, approved maintenance windows, emergency troubleshooting, and on-call availability as needed.

Compliance, Documentation, Change Management, and Continuous Improvement

• Support IT Security, ISSO, System Owner, and OIS activities by addressing findings and POA&Ms, supporting control implementation and validation, evaluating vulnerability scan results, and preparing evidence/artifacts for review.
• Create and maintain comprehensive documentation for firewall, VPN, RSA/MFA token services, content filtering, NAC, and edge security services, including topology diagrams, equipment inventories, token lifecycle procedures, configurations, SOPs, runbooks, code/IaC repositories, implementation plans, rollback plans, and build/upgrade procedures.
• Follow and document configuration management, change management, and release management policies, methods, and procedures.
• Use automation and Infrastructure as Code (IaC) where practical for repeatable provisioning, configuration, deployment, documentation, monitoring, and operational efficiencies.
• Provide status input, technical briefings, metrics, root-cause analysis, knowledge transfer, and mentoring to government staff and other contractor personnel.

Key Work Products and Deliverables

• Firewall, VPN, RSA/MFA token services, content filtering, NAC, Cloudflare/edge security, and cloud security configurations implemented through approved change processes.
• RSA/MFA server operations documentation, patch/upgrade records, token inventory/lifecycle procedures, troubleshooting notes, and user-support coordination artifacts.
• Firewall rule reviews, recertification results, policy cleanup recommendations, and decommissioning plans.
• Technical diagrams, SOPs, runbooks, configuration documentation, build/upgrade procedures, implementation plans, rollback plans, and knowledge articles.
• Monitoring and logging integration updates, alert tuning recommendations, operational metrics, and incident support artifacts.
• Vulnerability remediation documentation, POA&M support, control evidence, audit artifacts, and risk/impact analysis for TCO-managed systems.
• Status updates, ticket updates, JIRA/task updates, and input to weekly, bi-weekly, or monthly reporting as required.

Requirements

• 7+ years of experience in network security engineering, network infrastructure, cybersecurity infrastructure, or a closely related role.
• 5+ years of hands-on experience designing, implementing, administering, and troubleshooting enterprise firewall platforms in production environments.
• Hands-on experience with Cisco firewall technologies such as Cisco FTD/FMC, ASA, AnyConnect/Secure Client, or equivalent Cisco security platforms.
• Hands-on experience with Palo Alto Networks technologies such as NGFW, Panorama, GlobalProtect, App-ID/User-ID, security profiles, and policy optimization.
• Experience with firewall policy design, NAT, segmentation, remote access VPN, site-to-site VPN, IDS/IPS integrations, high availability, logging, and operational troubleshooting.
• Working knowledge of Cloudflare or equivalent DNS, DDoS, WAF, CDN, Zero Trust, or edge security platforms.
• Experience with VPN services, secure remote access, RSA SecurID or equivalent MFA/two-factor authentication services, hardware and software token support, directory integration, partner tunnels, cloud tunnels, and cloud connectivity troubleshooting.
• Experience supporting MFA server operations, including software updates, patching, certificate/configuration changes, backups, log review, monitoring, vulnerability remediation, and vendor/support escalation.
• Working knowledge of TCP/IP, DNS, DHCP, IPAM, BGP, routing, subnetting, TLS/certificates, VPN protocols, packet capture, NetFlow/traffic analysis, and common network diagnostic tools.
• Experience supporting network security in AWS and/or Azure environments.
• Experience integrating network security controls with enterprise monitoring, logging, SIEM, SOC/NOC, or incident response workflows.
• Experience working within formal change management, configuration management, release management, incident management, and vulnerability remediation processes.
• Ability to develop clear technical documentation, diagrams, SOPs, runbooks, implementation plans, rollback plans, status updates, and audit evidence.
• Strong communication and collaboration skills, including the ability to explain technical risk, operational impact, and recommended actions to technical and non-technical stakeholders.
• Ability to obtain and maintain a Public Trust / Background Investigation and complete required DOC/Census security processing, security/privacy training, and non-disclosure requirements.

Preferred Qualifications

• Deep experience administering Cloudflare DNS, DDoS protection, WAF, CDN, Access, Gateway, Tunnel, Magic Transit, or Zero Trust services.
• Experience with content filtering platforms, secure web gateways, email security gateways, URL filtering, DLP integrations, APT/malware defense integrations, and related cloud security services.
• Deep experience with RSA SecurID/RSA Authentication Manager or equivalent MFA platforms, including token administration, agent/middleware upgrades, high availability, disaster recovery, reporting, and integration with VPN and directory services.
• Experience with Network Access Control technologies such as Cisco ISE, 802.1X, endpoint posture, wireless/LAN access controls, and identity-aware access policies.
• Experience with AWS security and networking services such as VPC, Transit Gateway, Security Groups, NACLs, Route 53, Network Firewall, Direct Connect, VPN, GuardDuty, Security Hub, IAM, and CloudWatch.
• Experience with Azure security and networking services such as VNets, NSGs, Azure Firewall, Application Gateway/WAF, VPN Gateway, ExpressRoute, Private Link, Defender for Cloud, Entra ID, and Azure Monitor.
• Experience supporting federal cybersecurity and compliance requirements such as NIST, FISMA, FedRAMP, ATO support, POA&M remediation, continuous monitoring, audit evidence packages, and security control validation.
• Experience with automation and IaC tools such as Terraform, Ansible, Python, PowerShell, Git, APIs, CI/CD pipelines, or vendor automation frameworks.
• Experience with Zero Trust architecture, SASE/SSE, ZTNA, secure segmentation, policy-as-code, microsegmentation, or identity-aware network access.
• Familiarity with F5/load-balancing/application-delivery concepts for cross-team coordination; hands-on F5 administration is not required for this role.
• Experience leading technical projects, coordinating across matrixed teams, mentoring junior engineers, and supporting Agile/Scrum or JIRA-based task tracking.

Desired Certifications

Relevant certifications are helpful but should not replace demonstrated hands-on experience. Examples include CCNP Security, CCIE Security, PCNSE, PCCSE, CISSP, CCSP, AWS Certified Security - Specialty, AWS Advanced Networking - Specialty, Microsoft Certified: Azure Security Engineer Associate, Microsoft Certified: Azure Network Engineer Associate, CompTIA Security+, CompTIA CySA+, GIAC certifications, or equivalent vendor/cloud certifications.

Benefits

• 401(k)
• 401(k) matching
• Dental insurance
• Flexible schedule
• Flexible spending account
• Health insurance
• Health savings account
• Life insurance
• Paid time off
• Professional development assistance
• Referral program
• Retirement plan
• Tuition reimbursement
• Vision insurance