Senior Compliance Automation Engineer

Senior Compliance Automation Engineer

Denver, CO or Long Beach, CA or SF Bay area, CA or Washington, DC

Space is a warfighting domain. True Anomaly seeks those with the talent and ambition to build the technology that secures it.

True Anomaly delivers decisive capabilities for space superiority. We build autonomous spacecraft, advanced payloads, mission software, and space-based interceptors — enabling the U.S. and its Allies to secure the space environment and counter threats from the ultimate high ground.

Our Values

• Be the offset. We create asymmetric advantages with creativity and ingenuity.
• What would it take? We challenge assumptions to deliver ambitious results.
• It's the people. Our team is our competitive advantage and we are better together.

Your Mission

We are seeking a Senior Compliance Automation Engineer to join our Governance, Risk, and Compliance (GRC) team and design and build True Anomaly's compliance automation platform from the ground up. This is a greenfield engineering role, not a configuration or administration position. You will not be deploying off-the-shelf GRC tools and calling it done. Instead, you will architect and engineer a purpose-built, continuous compliance monitoring platform capable of spanning a hybrid environment of on-premises classified systems and multi-cloud infrastructure (AWS GovCloud, Azure Government).

This role sits at the intersection of software engineering, DevSecOps, and compliance, and demands someone who can write production-quality code, design robust API and webhook integration frameworks, and translate NIST SP 800-53 Rev. 5 and NIST SP 800-171 Rev. 3 control requirements into automated, evidence-generating technical workflows. You will own the architecture, build the pipelines, and integrate data from across the enterprise to produce a real-time, auditable, and scalable compliance posture built on infrastructure you design, not a vendor's dashboard.

This position requires the ability to obtain and maintain a security clearance.

Responsibilities

Compliance Automation Platform Engineering

• Architect and build a greenfield Continuous Compliance Monitoring (CCM) platform from first principles, designed to aggregate, correlate, and report on security control status across hybrid on-premises and cloud environments in near real time.
• Design and implement a modular, API-first platform architecture with well-documented internal APIs and extensible data models that support rapid onboarding of new control families, systems, and data sources.
• Develop webhook-driven integration pipelines that ingest telemetry and compliance signals from diverse source systems, including cloud-native security services, SIEM platforms, vulnerability scanners, configuration management tools, and identity providers, without reliance on manual data collection or polling.
• Build control validation microservices that programmatically test the implementation state of NIST SP 800-53 and 800-171 controls, generate machine-readable evidence artifacts, and surface control gaps with contextual remediation guidance.
• Implement an evidence collection and artifact management framework that automatically captures, timestamps, and indexes compliance evidence mapped to specific control requirements, enabling audit-ready artifact packages to be assembled on demand.
• Develop platform capabilities to support continuous authorization workflows, replacing point-in-time assessment cycles with living, automated control validation that feeds directly into ATO decision support.

DevSecOps and Pipeline Integration

• Embed compliance enforcement gates into CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) to intercept non-compliant infrastructure-as-code (IaC) changes, insecure configurations, and policy violations before they reach production.
• Develop and maintain policy-as-code libraries using tools such as Open Policy Agent (OPA), Terraform Sentinel, AWS Config Rules, and Azure Policy, translating control requirements into machine-enforceable rulesets.
• Integrate compliance telemetry with infrastructure provisioning workflows using Terraform, Ansible, and Pulumi, ensuring that system authorization boundaries are maintained as infrastructure evolves.
• Build automated STIG validation workflows that apply and verify DISA STIG benchmarks across Linux, Windows, container, and cloud resource configurations using tools such as InSpec, OpenSCAP, and custom-built validation scripts.
• Partner with DevOps and platform engineering teams to implement secure baseline enforcement automation, including automated drift detection and remediation triggering for configuration deviations.

Hybrid Architecture and On-Premises Integration

• Design integration patterns and secure data collection agents for on-premises and air-gapped or limited-connectivity environments, enabling compliance telemetry to flow into the central platform without violating network segmentation or classification boundaries.
• Build bidirectional sync mechanisms between on-premises systems and cloud compliance services where permitted by authorization boundaries, ensuring hybrid posture visibility without creating unauthorized data flows.
• Develop solutions for classified environment compliance monitoring that operate within applicable network and data handling constraints, including support for IL5 and IL6 system boundaries.
• Architect the platform's data pipeline and storage layer with an explicit understanding of CUI, ITAR-controlled data, and classified data handling requirements, ensuring the platform itself does not become a compliance liability.

NIST Framework Implementation and Control Automation

• Serve as the technical authority on programmatic implementation of NIST SP 800-53 Rev. 5 control families, translating AC, AU, CM, IA, IR, RA, SC, SI, and other control families into automatable checks, evidence generators, and remediation workflows.
• Build automation coverage for NIST SP 800-171 Rev. 3 requirements across the full 110-control set, with particular depth in Access Control, Audit and Accountability, Configuration Management, and System and Communications Protection.
• Develop automated SSP population and maintenance workflows, enabling system security plans to be updated dynamically as control implementations change rather than through manual quarterly refresh cycles.
• Implement POA&M lifecycle automation, including automated finding ingestion from scan results and audit outputs, deduplication, severity scoring, and status tracking integrated with ticketing systems such as Jira or ServiceNow.
• Build CMMC Level 3 readiness automation tooling that maps assessment objectives to automated test cases, evidence artifacts, and gap reporting outputs.

Platform Observability and Reporting

• Design and implement a compliance posture dashboard and reporting layer, built in-house, that provides real-time visibility into control implementation status, open findings, POA&M health, and assessment readiness across all scoped systems.
• Build automated compliance scoring and trend analysis capabilities, surfacing control degradation, coverage gaps, and risk concentration patterns to GRC leadership and system owners.
• Develop alerting and escalation workflows that notify responsible parties of control failures, configuration drift, scan findings, or expiring artifacts with appropriate urgency and context.
• Implement structured audit log generation across all platform components, ensuring the compliance platform itself is fully auditable and operates within the control boundaries it enforces.

Qualifications

• 7+ years of experience in security engineering, compliance engineering, DevSecOps, or a closely related discipline, with a demonstrated emphasis on building automation rather than operating tools.
• Proven ability to design and build production-quality software systems, including APIs, data pipelines, and integration services. Proficiency in one or more of: Python, Go, TypeScript/Node.js, or equivalent.
• Deep, hands-on expertise with NIST SP 800-53 Rev. 5 and NIST SP 800-171 Rev. 2/Rev. 3, including the ability to translate control language into specific, automatable technical implementations rather than policy documents alone.
• Demonstrated experience designing and implementing webhook-driven and API-based integrations across heterogeneous security and IT toolsets, including cloud-native services, SIEMs, vulnerability management platforms, and ITSM systems.
• Hands-on experience with policy-as-code frameworks including Open Policy Agent (OPA), Terraform Sentinel, AWS Config, or Azure Policy.
• Proficiency with infrastructure-as-code tools including Terraform, Ansible, Pulumi, or equivalent, with experience enforcing compliance controls through IaC templates and pipelines.
• Experience with CI/CD platforms (GitHub Actions, GitLab CI, Jenkins) and the ability to build and maintain compliance gates as native pipeline components.
• Working experience with STIG validation tooling including InSpec, OpenSCAP, SCC, or equivalent, including custom profile development.
• Familiarity with cloud security services across AWS GovCloud and/or Azure Government, including AWS Security Hub, AWS Config, Azure Security Center, Microsoft Defender for Cloud, and related services.