Cloud Security Architect - Federal / DoD Programs - Remote

Optum Tech is a global leader in health care innovation. Our teams develop cutting-edge solutions that help people live healthier lives and help make the health system work better for everyone. From advanced data analytics and AI to cybersecurity, we use innovative approaches to solve some of health care's most complex challenges. Your contributions here have the potential to change lives. Ready to build the next breakthrough? Join us to start Caring. Connecting. Growing together.

Optum Serve is seeking a highly experienced Security Architect to lead security architecture strategy, solution design, and technical governance for regulated on-prem, cloud, and hybrid environments supporting federal and DoD healthcare missions. This role serves as a trusted advisor to engineering, platform, compliance, operations, and program teams, translating mission and regulatory requirements into secure, scalable architecture patterns.

The architect will define and guide secure multi-cloud and hybrid solutions aligned with DoD IL4/IL5, FedRAMP Moderate/High, NIST SP 800-53 Rev. 5, and DoD RMF (DoDI 8510.01), while partnering closely with delivery teams responsible for implementation and ongoing operations. This role will also help define target-state architectures and transition strategies for modernizing legacy on-prem systems into compliant cloud and hybrid environments.

The ideal candidate brings deep expertise in Zero Trust Architecture (ZTA), DevSecOps, federal ATO processes, cloud modernization, and emerging technologies such as AI/ML, with a proven ability to balance mission delivery, compliance, and security in complex, highly regulated environments. To support this mission, OSIT has initiated a multi year modernization program aimed at updating and enhancing enterprise technology systems in accordance with modern design standards.

You'll enjoy the flexibility to work remotely * from anywhere within the U.S. as you take on some tough challenges.For all hires in the Minneapolis or Washington, D.C. area, you will be required to work in the office a minimum of four days per week.

Primary Responsibilities:

• Security Architecture Strategy & Collaboration
  • Define and maintain security reference architectures, design patterns, and technical guardrails for cloud and hybrid environments supporting federal and DoD healthcare workloads
  • Partner with cloud engineering, infrastructure, IAM, networking, application, data, compliance, and operations teams to embed security requirements into solution designs and modernization initiatives
  • Serve as the security architecture lead for new capabilities, major enhancements, and platform changes by conducting architecture reviews and providing risk-based design guidance
  • Translate regulatory, mission, and business requirements into practical security architectures that enable delivery while maintaining compliance
  • Collaborate with enterprise architecture, program leadership, and customer stakeholders to align security strategy with platform roadmaps and system lifecycle planning
• Cloud & Hybrid Security Architecture
  • Lead the design of secure cloud and hybrid architectures aligned with DoD IL4/IL5, FedRAMP Moderate/High, NIST SP 800-53 Rev. 5, and DoD RMF (DoDI 8510.01) requirements
  • Establish architectural standards for network segmentation, encryption, key management, logging, resiliency, boundary protection, and secure service integration across Azure, AWS, and hybrid environments
  • Define hardening and configuration expectations using DISA STIGs, DoD SRGs, and CIS Benchmarks, in collaboration with platform and operations teams responsible for implementation and sustainment
  • Guide secure architecture decisions for systems handling PHI, PII, and CUI
• Cloud Modernization & Legacy Transformation
  • Define secure target-state architectures and transition roadmaps for migrating legacy on-prem applications, infrastructure, and data platforms to Azure, AWS, and hybrid environments
  • Lead or advise on cloud readiness assessments, application rationalization, dependency mapping, and migration wave planning to determine appropriate modernization strategies such as rehost, replatform, refactor, replace, retain, or retire
  • Partner with application, infrastructure, IAM, network, and data teams to design secure migration patterns for legacy workloads, hybrid connectivity, identity federation, segmentation, data migration, resiliency, and observability
  • Establish security and compliance guardrails for interim hybrid states, including compensating controls for systems that cannot be fully modernized immediately
  • Guide modernization approaches such as containerization, API enablement, service decomposition, managed service adoption, and legacy platform decommissioning
  • Evaluate modernization impacts on authorization boundaries, control inheritance, shared services, and continuous monitoring to support ATO and compliance objectives
  • Advise teams on reducing legacy technical debt while preserving mission continuity, operational stability, and regulatory compliance
• Zero Trust & Identity Architecture
  • Lead adoption of security architectures aligned with the DoD Zero Trust Reference Architecture and OMB M-22-09, driving maturity across identity, device, network, workload, application, and data pillars
  • Partner with IAM and platform teams to define authentication, authorization, federation, privileged access, and service-to-service trust models aligned with NIST SP 800-63
  • Develop architecture patterns that support continuous verification, least privilege, micro-segmentation, and conditional access, while balancing security, usability, and mission needs
• DevSecOps & Secure Platform Enablement
  • Define architectural requirements and secure design patterns for DevSecOps pipelines, including Infrastructure as Code (IaC), policy as code, SAST/DAST, software composition analysis, container security, secrets management, and software supply chain controls
  • Partner with engineering and platform teams to ensure security controls are integrated by design and validated through automation and continuous compliance mechanisms
  • Advise on the selection, integration, and architectural use of security tooling supporting vulnerability management, CSPM, DLP/DRM, configuration compliance, and monitoring, in collaboration with teams responsible for day-to-day operations.
• AI & Emerging Technology Security
  • Define security architecture and governance guardrails for the adoption of AI/ML and generative AI capabilities within regulated cloud environments
  • Partner with engineering, data, privacy, and compliance teams to design secure patterns for data ingestion, model hosting, inference APIs, retrieval integrations, and mission system connectivity
  • Evaluate and mitigate AI-specific risks including model poisoning, prompt injection, data leakage, hallucinations, model abuse, and third-party/model supply chain risk
  • Ensure AI-enabled solutions appropriately protect PHI, PII, and CUI and align with NIST SP 800-53 Rev. 5, NIST SP 800-171, and healthcare-specific compliance requirements
  • Incorporate AI security considerations into Security Impact Analyses (SIAs), Significant Change Requests (SCRs), and ATO documentation when AI capabilities materially affect system risk posture
  • Define logging, monitoring, and explainability expectations for AI components to support auditability, incident response, and continuous monitoring
  • Advise leadership and engineering teams on compliant and responsible use of generative AI, ensuring sensitive data is not exposed to non-authorized or non-FedRAMP AI services where prohibited
  • Apply emerging principles such as NIST AI Risk Management Framework (AI RMF 1.0) to support secure, responsible, and defensible AI adoption
• Compliance, Authorization & Governance
  • Provide architecture leadership in support of ATO lifecycles, including control strategy, system boundary design, inheritance models, implementation approaches, and continuous monitoring alignment
  • Partner with ISSOs, compliance teams, system owners, PMOs, customer stakeholders, and assessors to develop defensible architectures that support FedRAMP and customer authorization objectives
  • Support Change Control Boards (CCB), architecture reviews, SIAs, and SCRs to ensure system changes are evaluated for security and compliance impact
  • Advise teams on evolving federal requirements, including FedRAMP Rev. 5, NIST SP 800-53 Rev. 5, FIPS 140-3, EO 14028, and software supply chain security expectations
  • Support FedRAMP package strategy and marketplace readiness activities in partnership with compliance, PMO, and agency stakeholders
• Risk, Incident & Program Support
  • Provide architectural guidance during security incidents, post-incident reviews, and root cause analyses to improve resilience and reduce future risk
  • Identify systemic security gaps and recommend roadmap improvements across platforms, applications, and shared services
  • Develop and maintain architecture artifacts, standards, decision records, and technical security documentation
  • Mentor teams on cloud security, Zero Trust, modernization, and AI security best practices

You'll be rewarded and recognized for your performance in an environment that will challenge you and give you clear direction on what it takes to succeed in your role as well as provide development for other roles you may be interested in.

Required Qualifications:

• One or more active certifications such as CISSP, CCSP, CISM, Azure Security Engineer, or AWS Security, meeting DoD 8570/8140 expectations
• 7+ years of experience in cloud security architecture within regulated environments
• 5+ years of experience supporting FedRAMP-authorized systems, federal ATOs, or DoD authorization efforts
• 5+ years of experience designing secure solutions across Azure, AWS, and hybrid cloud environments
• Experience leading or advising on the secure modernization of legacy on-prem systems into cloud and hybrid environments
• Experience with application rationalization, cloud readiness assessments, dependency mapping, migration planning, and transition architecture
• Experience with modernization strategies including rehost, replatform, refactor, replace, retain, and retire
• Experience partnering across engineering, infrastructure, IAM, networking, application, data, compliance, and operations teams to drive secure architectural outcomes
• Solid knowledge of DoD IL4/IL5, FedRAMP Moderate/High, NIST RMF, DoD RMF (DoDI 8510.01), NIST SP 800-53 Rev. 5, and Zero Trust principles
• Demonstrated ability to balance security, compliance, mission delivery, and technical feasibility in complex environments
• Solid written and verbal communication skills, including experience presenting to technical leaders, program stakeholders, and customer/government audiences
• Ability to obtain and maintain a favorable federal suitability determination and/or security clearance
• If you are offered this position, you will be required to provide extensive personal information to obtain and maintain a suitability or determination of eligibility for a Confidential/Secret or Top Secret security clearance as a condition of your employment
• United States Citizenship

Preferred Qualifications:

• Bachelor's or Master's degree in Computer Science, Cybersecurity, or a related field, or equivalent experience
• 5+ years of experience supporting DoD or civilian federal agencies
• 2+ years of experience supporting healthcare or life sciences environments
• Experience modernizing monolithic, COTS, or highly integrated legacy enterprise applications in regulated environments
• Experience with legacy platforms such as VMware, Windows/Linux server estates, enterprise databases, middleware, and on-prem identity services during cloud transformation
• Experience designing or governing AI/ML security architectures in regulated environments
• Experience participating in architecture review boards, technical governance forums, or enterprise architecture functions
• Additional certifications such as CISSP-ISSEP, CySA+, GSLC, GCSA, FITSP-A, or equivalent

*All employees working remotely will be required to adhere to UnitedHealth Group's Telecommuter Policy.

Pay is based on several factors including but not limited to local labor markets, education, work experience, certifications, etc. In addition to your salary, we offer benefits such as, a comprehensive benefits package, incentive and recognition programs, equity stock purchase and 401k contribution (all benefits are subject to eligibility requirements). No matter where or when you begin a career with us, you'll find a far-reaching choice of benefits and incentives. The salary for this role will range from $112,700 to $193,200 annually based on full-time employment. We comply with all minimum wage laws as applicable.

Application Deadline : This will be posted for a minimum of 2 business days or until a sufficient candidate pool has been collected. Job posting may come down early due to volume of applicants.

At UnitedHealth Group, our mission is to help people live healthier lives and make the health system work better for everyone. We believe everyone-of every race, gender, sexuality, age, location and income-deserves the opportunity to live their healthiest life. Today, however, there are still far too many barriers to good health which are disproportionately experienced by people of color, historically marginalized groups and those with lower incomes. We are committed to mitigating our impact on the environment and enabling and delivering equitable care that addresses health disparities and improves health outcomes - an enterprise priority reflected in our mission.

UnitedHealth Group is an Equal Employment Opportunity employer under applicable law and qualified applicants will receive consideration for employment without regard to race, national origin, religion, age, color, sex, sexual orientation, gender identity, disability, or protected veteran status, or any other characteristic protected by local, state, or federal laws, rules, or regulations.

UnitedHealth Group is a drug - free workplace. Candidates are required to pass a drug test before beginning employment.