ZERO TRUST (ZT) IDENTITY & CREDENTIAL MANAGEMENT SME

ZERO TRUST (ZT) IDENTITY & CREDENTIAL MAnagement SME

POSITION OVERVIEW

The Zero Trust Identity Management Technical SME exists to serve as the agency's primary technical advisor for the CISA ZTMM v2.0 identity pillar. This role directly advances TSA's compliance with OMB M-22-09 phishing-resistant MFA requirements and EO 14028 identity modernization mandates by providing senior-level ICAM advisory that translates federal policy into concrete identity architecture recommendations. The expected outcome is a continuously advancing identity pillar maturity posture, with phishing-resistant authentication enforced, privileged access controlled, and identity posture signals integrated into cross-pillar ZT enforcement decisions. This is a senior technical advisory role requiring hands-on ICAM implementation experience, not policy familiarity alone.

DUTIES & RESPONSIBILITIES

General duties

• Serve as the primary technical advisor for the CISA ZTMM v2.0 identity pillar across identity architecture, authentication, and access management domains.
• Continuously assess the agency's IAM posture against CISA ZTMM v2.0 identity pillar criteria, OMB M-22-09, and NIST SP 800-63. Proactively surface emerging identity risk indicators and deliver real-time advisory recommendations.
• Provide technical advisory guidance on phishing-resistant MFA strategies, PIV/CAC enforcement, FIDO2 deployment, and enterprise IdP integration - recommending solutions and implementation pathways for agency decision-making.
• Evaluate enterprise IAM/IdP platforms (e.g., Entra ID, Okta, Ping Identity) and provide configuration and enhancement recommendations aligned to ZT principles for agency adoption.
• Advise PAM strategies, RBAC/ABAC models, and least-privilege enforcement aligned to NIST SP 800-207; develop recommended solutions for agency review.
• Provide advisory support for the development and maturation of identity-related entries in the Common Control Catalog (CCC), ensuring traceability to NIST SP 800-53 rev. 5 control families.
• Develop recommended identity pillar inputs to the ZT roadmap, IG FISMA maturity reporting, and enterprise performance reporting for agency review and approval.
• Collaborate with device, network, and application SMEs to ensure identity-based enforcement integrates coherently across all ZTMM pillars.
• Review identity-related policy documents and SOPs; identify gaps relative to ZT mandates and develop recommended updates for agency concurrence.
• Support all identity-related ZT data calls, audits, and compliance reporting by providing advisory analysis and recommended responses.
• Prepare and present technical findings, maturity assessments, and advisory recommendations to senior leadership and the CISO.
• Leverage AI-assisted analysis tools, automation platforms, and prompt engineering techniques to enhance advisory productivity, accelerate gap analysis and documentation tasks, and enable focus on higher-value technical advisory work; apply all AI capabilities in accordance with agency acceptable use policies and Zermount's ethical AI use guidelines.

SUBJECT MATTER EXPERTISE

SME Area #1 - Identity & Access Management Architecture, ICAM advisory

• Expert-level mastery of ICAM architecture and authentication engineering including enterprise IAM/PAM/IdP design, phishing-resistant MFA implementation (PIV/CAC enforcement, FIDO2) deployment, and federated identity frameworks demonstrated through operational implementation experience, not framework study.
• Authoritative knowledge of NIST SP 800-63, NIST SP 800-207 identity tenets, CISA ZTMM v2.0 identity pillar criteria, OMB M-22-09, and federal ICAM policy requirements; ability to independently interpret and apply evolving guidance.
• Expert-level proficiency in enterprise IAM platforms including Entra ID (Azure AD), Okta, or equivalent architecture and configuration design depth, not administrative use.
• Expert-level knowledge of RBAC, ABAC, and PAM architectures to support Just Enough, Just In Time (JEJIT) access principles in federal environments; demonstrated ability to advise on least-privilege policy design and privileged account governance.
• Independent decision-making authority on identity pillar advisory scope, maturity assessment methodology, and recommended advancement approach.
• Problem-solving at the intersection of identity enforcement and cross-pillar ZT integration. Able to identify how identity posture deficiencies create downstream risk in devices, networks, data, and application pillar enforcement.

SME area #2 - Cloud Identity Platforms, Enterprise Infrastructure & Protocol-Level Expertise

• Strong foundational knowledge of directory services (Active Directory, LDAP, Entra ID), cloud identity platforms, and enterprise authentication infrastructure at an architecture or engineering level.
• Hands-on experience with cloud platforms, particularly Azure/Entra ID, AWS IAM, or GCP identity, including conditional access policy design, cross-tenant federation, and hybrid identity architecture.
• Working knowledge of core identity and network access protocols including OAUTH 2.0, SAML, OIDC, RADIUS, and TACACS+, and their role in enforcing ZT identity-based access decisions.
• Foundational understanding of network architecture, database access controls, and systems administration concepts sufficient to assess identity enforcement implications across the enterprise stack.
• Supports identity pillar advisory by enabling technically credible engagement with agency engineers, platform administrators, and cross-pillar SMEs on authentication architecture, access control design, and protocol-level enforcement.
• Interact directly with other ZT SMEs to support access requirements across pillars.

QUALIFICATIONS

Minimum requirements

• A minimum of 10 years of experience supporting identity management, governance, or security, with demonstrated Zero Trust scope.
• Hands-on experience implementing phishing-resistant MFA solutions including PIV/CAC enforcement and FIDO2/WEBAUTHN deployment in a federal or large enterprise environment.
• Hands-on experience with federal IAM platforms including Entra ID (Azure AD) or Okta; must extend beyond administration to include ZT-aligned architecture and configuration design.
• Expert knowledge of NIST SP 800-63, NIST SP 800-207, CISA ZTMM v2.0 identity pillar criteria, and OMB M-22-09.
• Experience with RBAC, ABAC, and PAM architectures in a federal environment.
• Demonstrated experience developing and implementing Zero Trust Identity solutions operationally, to include JEJIT access principles.
• Experience integrating identity posture signals into ZT access enforcement policy decisions.
• Experience supporting ZT-related IG FISMA metrics reporting pertaining to identity and access management.
• Strong written and oral communication skills; ability to translate complex technical findings into CISO-ready recommendations.
• Demonstrated familiarity with ai-assisted analysis tools or prompt engineering; ability to apply AI capabilities ethically to accelerate advisory work and surface higher-value technical insights.

Preferred qualifications

• Five years of IT cybersecurity experience, including direct support to the U.S. Government. This experience can be concurrent with the minimum 10 years of identity management, governance, or security
• Prior direct involvement in implementing access and authorization automations.
• Prior direct involvement in a ZT Identity Pillar implementation or enterprise ZT deployment in a technical design or advisory capacity.
• Experience architecting or evaluating ZT-aligned IAM solutions including enterprise IdP integration, federation, and phishing-resistant authentication enforcement.
• Cloud vendor IAM certification (e.g., Microsoft certified: Identity and Access Administrator SC-300, AWS security specialty).
• Experience with ICAM roadmap implementation or federal ICAM architecture design.

Competencies

• Technical: CISA ZTMM v2.0 identity pillar, NIST SP 800-63, NIST SP 800-207, OMB M-22-09, Entra ID/Azure AD, Okta, PIV/CAC, FIDO2, PAM, RBAC/ABAC, OAUTH 2.0, SAML, OIDC, NIST SP 800-53 control families, AI-assisted analysis.
• Leadership: Technical advisory leadership for Identity Pillar; cross-pillar SME collaboration and integration; CISO-facing technical briefing and recommendations; advisory engagement with federal engineers and platform administrators.
• Behavioral: Proactive continuous assessment of posture rather than point-in-time reporting; rigorous technical precision in architecture recommendations; continuous learning orientation toward evolving federal identity standards and platform capabilities.

Education & Certifications

• Minimum of a Bachelor of Science (or higher) in Information Technology, Computer Science, Cybersecurity, or related field.
• Required: Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) or equivalent certification.
• Strongly preferred: Certified Identity and Access Manager (CIAM) or Microsoft certified: Identity and Access Administrator (SC-300).
• Strongly preferred: cloud vendor IAM certification (e.g., Microsoft Azure Security Engineer Associate AZ-500, AWS security specialty).

Clearance Level

• Active Secret clearance is required.

WORK LOCATION

• Hybrid - primarily remote. Occasional onsite work required at the client location in Springfield, VA and Zermount HQ in Arlington, VA.

HOURS OF OPERATION

• Business hours: 8:00 AM EST - 4:30 PM EST
• Core hours: 9:00 AM EST - 3:00 PM EST

REPORTING STRUCTURE

• Reports to: ZT SME Team Lead
• Direct reports: None