Position Title: Information Security Engineer
Location: Herndon Virginia - Hybrid (in office 3x/week)
Position Overview:
This senior-level Information Security Engineer will serve as a member of the Exostar Information Security Office. This role primarily serves as the lead auditor and audit engineer for Identity Access Management (IAM) assurance activities, including the Federal PKI (FPKI) Annual Review and Kantara certification audits, as well as Exostar's broader internal and external audit programs (e.g. ISO/IEC 27001, SOC 2 Type 2, Cyber Essentials).
The role blends audit program development with hands-on technical depth. A successful candidate can translate complex architectures and operational processes into defensible audit evidence, engineer repeatable evidence pipelines and control validation, and drive remediation to closure across business and technical teams. This position enhances the Exostar Security Office's ability to integrate risk assessments and threat modeling into audit and assurance activities, ensuring alignment between enterprise risk management and audit outcomes.
Responsibilities: Your day if you join us:
PKI & Identity Assurance Auditing
- Plan and execute the PKI internal audit program, including scoping, test procedures, evidence requests, control validation, and reporting.
- Lead Annual Review readiness and submission support for FPKI-related requirements, including coordination with engineering, operations, policy, and external stakeholders.
- Support Federal Bridge cross-certification activities and ongoing compliance obligations; translate CP/CPS and operational practices into audit-ready evidence.
- Lead and support Kantara assessments (e.g. Classic / Rev.3 as applicable), including criteria mapping, evidence compilation, and auditor coordination.
- Track PKI and identity audit findings, document corrective actions, and drive remediation through verification and closure.
Enterprise Audit Development
- Lead and manage the calendar of internal and external audits and assessments (e.g. ISO 27001, SOC 2 Type 2, Cyber Essentials, firewall audit, user account management audit, customer/security validation processes).
- Own audit lifecycle management: scope definition, evidence request lists, control walkthroughs, sampling, issue management, and final report coordination.
- Develop and maintain audit control narratives that accurately reflect current architecture and operations.
- Partner with control owners across infrastructure, development, and business functions to ensure consistent evidence quality and timely delivery.
Audit Engineering, Automation, and Technical Control Validation
- Design and implement audit-support tooling and automation to reduce evidence collection burden and increase repeatability (e.g. system baselines, access reviews, configuration and logging attestations).
- Provide hands-on engineering support to validate technical controls for identity, access, network security, and platform services across on-prem and cloud environments.
- Create and maintain control test scripts, runbooks, and evidence pipelines aligned to audit criteria and internal standards.
- Support secure SDLC/DevSecOps practices by enabling auditable change management, traceability, and control verification.
- Perform security risk assessments and threat modeling for identity and high-impact systems to inform control design and audit priorities.
Governance, Policy & Documentation
- Maintain and evolve PKI governance documentation, including the Certificate Policy (CP) and Certification Practice Statement (CPS), ensuring alignment between policy and operations.
- Lead or support the Policy Management Authority (PMA) process, including change reviews, approvals, and documented decisions impacting IAM/PKI/OTP programs.
- Author and maintain information security policies, standards, and procedures supporting enterprise audits (e.g. access control, logging/monitoring, vulnerability management, incident response).
- Monitor relevant standards and regulatory drivers (e.g. NIST, FICAM/FPKI, FedRAMP Moderate, CMMC Level 2) and assess impact to security controls and audit obligations.
Physical Security & Training
- Support physical security and badging program oversight, including reporting and audit evidence for facilities controls as applicable.
- Maintain and deliver targeted security and privacy awareness training relevant to trusted roles and audit obligations.
Qualifications:
You are a great fit for this role if you:
- 7 years of information security engineering, audit engineering, or security assurance experience in complex technical environments.
- Demonstrated experience auditing or assuring PKI and identity systems (e.g. Microsoft CA/AD CS, HSM-backed key management, certificate lifecycle, CRL/OCSP).
- Experience leading internal/external audits and interacting directly with auditors and customers; strong capability to produce defensible evidence and narratives.
- Hands-on understanding of identity and access management and authentication systems across on-prem and cloud environments.
- Ability to assess secure architectures and validate technical controls spanning network, systems, and platform services.
- Strong written and verbal communication skills; ability to drive cross-functional remediation to closure.
- Ability to pass a background investigation and attain/maintain Trusted Role access to company systems.
- U.S. Citizens only.
- Due to customer requirements, U.S. Citizenship is required. Ability to gain and maintain Trusted Role is required.
Preferred Qualifications:
You are exactly who we are looking for if you:
- Experience with Federal PKI (FPKI) Annual Review processes and/or Federal Bridge cross-certification audits.
- Experience with Kantara Initiative assessments (including NIST SP 800-63A/63B-aligned service criteria).
- Experience with ISO/IEC 27001, SOC 2 Type 2, Cyber Essentials, and customer security assessments.
- Experience building evidence automation (e.g. scripts, API-based data pulls, GRC workflow enablement, CI/CD-integrated evidence capture).
- Working knowledge of SIEM/logging architectures and File Integrity Monitoring (FIM) technologies; familiarity with tools such as Splunk and CrowdStrike.
- Experience with Jira/Confluence (or equivalent) for audit tracking, evidence management, and remediation workflows.
- Relevant certifications (one or more): CISSP, CISA, CISM, CMMC CCP/CCA, FedRAMP auditor/implementer (or equivalent).
Education:
- Bachelor's degree from an accredited university in an IT-related discipline (or equivalent experience).
- Security and/or engineering certifications are a plus.
Exostar - The Company:
Exostar's cloud-based platforms create exclusive communities within the Aerospace and Defense, Life Sciences, and other highly regulated industries, where members securely collaborate, share information, and operate compliantly. Within these communities we build trust. By analyzing community data we provide insights and intelligence, enabling organizations to make better, timelier decisions to mitigate risk and operate more efficiently.
We believe in employee development: we promote internally and provide training and educational assistance.
We provide a fun, engaged workplace with social and community-building events.
We offer comprehensive benefits and flexible time off plans.
Exostar is an Equal Opportunity Employer. The company provides equal employment opportunities to all applicants without regard to race, color, religion, sex, national origin, age, marital status, disability status, or genetic information. Exostar is committed to providing equal employment opportunities for all persons in all facets of employment, including recruiting, hiring, compensation, promotion, training, benefits, transfers, and working conditions.
Required Experience:
IC