Benefits:
- 401(k)
- Dental insurance
- Health insurance
- Paid time off
- Training & development
- Vision insurance
POSITION SUMMARY
Celestial Innovations Group (CIG) is seeking a Mid Zero Trust Engineer to support federal agency clients in the design, implementation, and sustainment of Zero Trust Architecture (ZTA) programs. This role is framework-agnostic and vendor-informed: the ideal candidate understands that Zero Trust is a security philosophy and architectural strategy, not a single product or platform. The engineer will apply that expertise across one or more leading vendor ecosystems to deliver compliant, mission-ready ZTA solutions aligned with federal mandates including EO 14028, OMB M-22-09, NIST SP 800-207, and the CISA Zero Trust Maturity Model.
Must be located in the DC Metro Area as this role requires onsite and remote support.
KEY RESPONSIBILITIES
Architecture and Strategy
- Lead Zero Trust Architecture assessments, gap analyses, and roadmap development for federal clients
- Design and document ZTA solutions spanning all five pillars: Identity, Device, Network, Application/Workload, and Data
- Translate federal ZTA mandates (EO 14028, OMB M-22-09, CISA ZT Maturity Model) into actionable implementation plans
- Develop architecture artifacts including conceptual, logical, and physical ZTA diagrams using DODAF, TOGAF, or equivalent frameworks
- Support integration of ZTA principles into existing enterprise architectures, hybrid cloud environments, and multi-tenant federal networks
Implementation and Engineering
- Deploy and configure Zero Trust solutions across one or more vendor platforms (see Vendor Ecosystem section below)
- Implement Identity and Access Management controls including CAC/PIV authentication, MFA, role-based access control (RBAC), and Just-in-Time (JIT) Privileged Access Management
- Configure microsegmentation, Zero Trust Network Access (ZTNA), software-defined perimeters, and DNS security controls
- Deploy Endpoint Detection and Response (EDR) tooling and enforce device compliance policies at enterprise scale
- Integrate data protection controls including classification, labeling, DLP, and encryption aligned to ZTA data pillar requirements
Compliance and Authorization
- Align ZTA implementations with NIST SP 800-53 Rev 5, NIST SP 800-207, DISA STIGs, and DHS CDM program requirements
- Support the Risk Management Framework (RMF) lifecycle, including SSP authoring, continuous monitoring, and ATO maintenance
- Document ZTA controls for system security packages, POA&Ms, and security assessment reports
Client Engagement and Collaboration
- Serve as a trusted ZTA advisor to federal agency stakeholders, program managers, and ISSO/ISSM counterparts
- Produce executive-level briefings, technical white papers, and implementation status reports
- Collaborate cross-functionally with cloud, networking, data analytics, and infrastructure teams to ensure cohesive ZTA integration
VENDOR ECOSYSTEM EXPERIENCE
CIG's ZTA practice is solution-agnostic at the architectural level. Engineers are expected to bring deep expertise in at least one of the following vendor platforms, with cross-platform fluency strongly preferred:
Vendor / Framework & Relevant Capabilities
Palo Alto Networks (Prisma): Prisma Access (ZTNA 2.0), Prisma Cloud, Cortex XDR/XSIAM, NGFW policy, SD-WAN integration, threat prevention across all ZTA pillars
Zscaler: Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), Zscaler Digital Experience (ZDX), cloud proxy architecture, VPN replacement, SSL inspection
Microsoft Zero Trust: Microsoft Entra ID (Azure AD), Conditional Access, Intune/MEM, Microsoft Defender suite, Sentinel SIEM/SOAR, Purview data governance, M365 compliance center
CISA ZT Maturity Model: Five-pillar maturity assessment (Traditional, Initial, Advanced, Optimal), cross-cutting capability mapping, agency self-assessment support, roadmap alignment to federal reporting requirements
REQUIRED QUALIFICATIONS
Experience
- 5+ years of experience in cybersecurity engineering, network security, or IT infrastructure roles
- 2+ years of hands-on experience designing or implementing Zero Trust Architecture in an enterprise or federal environment
- Demonstrated understanding of ZTA concepts across all five pillars per NIST SP 800-207 and the CISA Zero Trust Maturity Model
- Experience supporting federal government clients or DoD/civilian agency environments
Technical Skills
- Proficiency in at least one of the following: Palo Alto Prisma, Zscaler, or Microsoft Zero Trust stack
- Identity and access management: Entra ID, Active Directory, LDAP, PKI, MFA, PAM tooling
- Network security: microsegmentation, ZTNA, DNS security, SD-WAN, next-generation firewall policy
- Endpoint security: EDR/XDR deployment and management, device compliance policy enforcement
- Cloud environments: Azure, AWS, or hybrid cloud architectures with ZTA overlay
- Familiarity with SIEM/SOAR platforms (Microsoft Sentinel, SumoLogic, Google SecOps, or equivalent)
PREFERRED QUALIFICATIONS
- Active certifications in one or more ZTA vendor platforms: PCCSE, PCNSE, Zscaler ZCCA-IA or ZCCA-PA, Microsoft SC-100 (Cybersecurity Architect Expert)
- Additional certifications: CISSP, CISM, CompTIA Security+, Cloud+ or relevant AWS/Azure security certifications
- Familiarity with RMF processes: NIST SP 800-37, SSP authoring, ATO package preparation
- Experience with ServiceNow, Salesforce, or IT service management tooling in a federal context
- Multi-vendor ZTA integration experience (e.g., combining Palo Alto and Zscaler capabilities within a single architecture)
- Familiarity with post-quantum cryptography standards (FIPS 203/204/205) and their ZTA implications
Flexible work from home options available.
Compensation: $135,000.00 - $155,000.00 per year
Our Philosophy
Long-Term Customer Relationships: We believe in growing with our clients. Our approach is to understand your unique business challenges and aspirations, providing personalized solutions and ongoing support designed to evolve with your needs.
Strong Employee Culture: At CIG, we are more than just a team; we are a community. We foster a culture of innovation, inclusion, and mutual respect, where every member is empowered to contribute and excel.
Work-Life Balance: We prioritize the well-being of our team members, ensuring a healthy work-life balance through flexible working conditions, continuous learning opportunities, and a supportive work environment.
