
Salesforce Security Officer

eSimplicity
Posted a month ago, valid for a month
Location

Dhs, MD 20588, US

Salary

$112,800 - $165,400 per year

Contract type

Full Time


Sonic Summary

  • eSimplicity is seeking a Salesforce Security Engineer and System Security Officer (SSO) with a minimum of 8 years of experience in implementing security controls and monitoring compliance for systems.
  • The role involves working within a DevSecOps/SAFe Agile framework, focusing on integrating security into the Agile delivery process.
  • Candidates must possess deep knowledge of Salesforce security architecture and be able to manage end-to-end security processes, including incident response and compliance documentation.
  • A Bachelor's degree in a related field is required, or alternatively, 10 years of general IT experience with at least 8 years of specialized experience may be acceptable.
  • The position offers a competitive salary and full healthcare benefits, with a hybrid working environment and occasional travel for training and project meetings.

Description

About Us:

eSimplicity is a modern digital services company that works across government, partnering with our clients to improve the lives and ensure the security of all Americans, from soldiers and veterans to kids and the elderly, and to defend national interests on the battlefield. Our engineers, designers and strategists cut through complexity to create intuitive products and services that equip Federal agencies with solutions to courageously transform today for a better tomorrow for all Americans.


Purpose of Scope:

We are seeking a Salesforce Security Engineer and System Security Officer (SSO) with a proven balance of technical security engineering and governance/compliance expertise who will be responsible for providing security support services while meeting security compliance requirements for a portfolio of systems at various stages of maturity and modernization. The SSO is expected to work inside a DevSecOps / SAFe Agile delivery framework and must operate inside an Agile Release Train (ART) alongside DevSecOps engineers, Product Owners, and Engineers. The SSO role is embedded, constantly aligning security with Agile delivery rather than sitting in a detached compliance silo. In this role, the SSO is ultimately a happy mix of DevSecOps engineer, Security Governance Guru and Security Product Owner/Scrum Master who is responsible and accountable for end-to-end ownership of security processes, from design through continuous operation and improvement, across Salesforce GovCloud and AWS environments, including but not limited to the following capabilities:


· Embrace the SSO's SAFe Agile responsibilities, acting as a Security Product Owner/Scrum Master within Agile ceremonies and ensuring security backlog items are identified, refined, and prioritized alongside feature delivery.

· Act as the Technical Salesforce Security SME for Federal Government programs, responsible for designing, implementing, and enforcing security controls across Salesforce Government Cloud (Experience Cloud, Health Cloud) environments.

· Act as a hands-on security team engineering/technical lead and a governance champion and subject matter expert, directing technical remediation while actively responding to and maintaining all Authorization to Operate (ATO) requirements.

· Serve as the primary liaison for incident response, security inquiries, and compliance reporting to the agency and stakeholders.

· Create various communication channels to provide timely and accurate responses to security-related data calls (System Security & Compliance Status, Vulnerability and Compliance scanning issues).

· Manage coordination and response to agency security-related inquiries, compliance with agency policies, implementation of security controls, and maintenance of security documentation and artifacts.

· Provide subject matter expertise throughout the system development lifecycle and interface with multiple stakeholders through multiple touchpoints weekly.

· Lead Security Impact Analyses (SIAs), integrate automated security validation into CI/CD pipelines, and ensure tools are configured and tuned for maximum effectiveness.

· Drive continuous improvement and automation of security processes, including access control, vulnerability management, and compliance validation; continuously monitor the cybersecurity posture of systems to secure them against cyber threats; and provide security governance, architectural guidance, and enforcement of security controls across the Salesforce and AWS ecosystem.

· Direct how security tools, cloud services, and guardrails are implemented by our DevSecOps engineering teams, and take ownership of communicating and visualizing security issues, especially where coordination between product teams, information owners, engineering and infrastructure staff is necessary for remediation.

· Manage end-to-end onboarding/offboarding lifecycle processes, ensuring timely provisioning, least-privilege access enforcement, privileged account management, and periodic reviews.

· Build and maintain dashboards and reporting solutions that give leadership and teams visibility into risk, vulnerabilities, and compliance status.


Responsibilities:

· Lead Salesforce security reviews for new features and integrations, validating object-level, field-level, and record-level access, sharing behaviors, and APIs before production releases.

· Design and govern Salesforce access models using Profiles, Permission Sets, Permission Set Groups, Roles, Sharing Rules, and Delegated Administration, ensuring least privilege and separation of duties.

· Manage the end-to-end vulnerability management lifecycle from detection to remediation and reporting. Drive identification of new attack vectors and implement automation-driven improvements; configure and operate security tools (Snyk, AppOmni, Tenable, Invicti, Splunk, SecurityHub) to ensure findings are triaged, prioritized, and remediated.

· Champion the integration of automated security testing into the CI/CD pipeline to align with continuous delivery practices. Integrate security controls into CI/CD pipelines (GitHub Actions, Jenkins, Copado, Terraform, Kubernetes).

· Build and maintain dashboards in Splunk, Jira, or equivalent tools to report on vulnerabilities, compliance, access reviews, and system posture.

· Lead Security Impact Analyses (SIAs) for proposed changes and facilitate the SIA process within the Agile cadence, ensuring change reviews don't block delivery but still meet compliance.

· Lead incident response activities, from detection through remediation and post-mortem review; conduct log reviews (Splunk) to monitor systems for breaches, and ensure tuning of detection and alerting rules.

· Define, enforce, and lead least-privilege access models for Salesforce, CI/CD pipelines, AWS and infrastructure.

· Manage the end-to-end user lifecycle: onboarding, offboarding, least-privilege enforcement, privileged access reviews, and IAM guardrail enforcement.

· Automate identity and access workflows wherever possible and integrate continuous access reviews with reporting dashboards.

· Develop automation (Python, Bash, PowerShell, APIs) for onboarding, compliance validation, and recurring security tasks.

· Lead compliance interactions as the primary liaison for agency data calls, reviews, and audits; maintain and update all ATO documentation (SSPs, POA&Ms, IRPs, CMPs, PIAs, contingency plans); facilitate tabletop exercises and ensure lessons learned are implemented.

· Participate in SAFe Agile Program Increment (PI) Planning, architecture reviews, sprint planning, and backlog refinement to embed security throughout the SDLC, providing input on security guardrails, dependencies, and risks that may impact delivery commitments. Clearly communicate security requirements to technical and non-technical audiences.

· Drive the reengineering of processes for efficiency and visibility, ensuring leaders and engineers have actionable data. Define and manage security enablers in the program backlog to ensure that the architectural runway includes continuous security improvements.

· Collaborate with Release Train Engineers (RTEs) to track security risks, impediments, and dependencies across teams; work directly with Scrum Masters and Product Owners to ensure user stories include clear security acceptance criteria; ensure security features and enablers are represented in the Definition of Done (DoD) across all product teams.

· Mentor product and engineering teams on secure development practices and continuous security; translate and tailor NIST 800-53 Rev 5 and CMS security controls into actionable tasks for DevSecOps teams. Educate Agile teams on secure development practices and evolving threat models, ensuring security becomes part of the team culture.

· Review and validate completed user stories and features to confirm security controls have been implemented as designed; continuously measure and report security-related metrics (e.g., backlog burn-down of vulnerabilities, compliance closure rates) during Inspect & Adapt workshops.

Requirements

Required Qualifications:

· All candidates must pass a public trust clearance through the U.S. Federal Government. This requires candidates to either be U.S. citizens or pass clearance through the Foreign National Government System, which will require that candidates have lived within the United States for at least 3 out of the previous 5 years and have a valid, non-expired passport from their country of birth and appropriate visa/work permit documentation.

· A Bachelor's degree in Computer Science, Information Systems, Engineering, Business, or another related scientific or technical discipline, OR

· In lieu of a degree, 10 years of general information technology experience and at least 8 years of specialized experience may be substituted.

· Deep, practical knowledge of Salesforce security architecture, including Profiles vs. Permission Sets, Permission Set Groups, Sharing Rules, Role Hierarchies, Record-Level Security, and Delegated Administration.

· Experience performing security reviews of Salesforce metadata and application logic, including Apex, Flows, and Experience Cloud configurations.

· Minimum of 8 years' experience implementing security controls and monitoring compliance for systems, in accordance with federal system security and privacy regulations.

· Strong understanding of continuous automated security practices applied to data and application engineering teams.

· Demonstrated ability to manage end-to-end security processes, from requirements and configuration through monitoring, reporting, and closure.

· Proven hands-on management of user onboarding and offboarding processes, including provisioning, deprovisioning, least-privilege enforcement, privileged account management, and periodic reviews.

· Experience designing security "baked in" to any architecture: Cloud and IaC, Applications, Web applications, Data Processing, Data-Centric Applications, AI/ML, CI/CD Pipelines; seeks automation-driven designs.

· Demonstrated work experience with computer networking, cryptography, security engineering and architecture, vulnerability assessments, or operating systems as required.

· Experience automating onboarding/offboarding workflows and building dashboards (Splunk, Jira, or equivalent) for visibility into access control, vulnerabilities, and compliance posture.

· Hands-on configuration and operation of security tools (Snyk, AppOmni, Tenable, Invicti, Splunk, AWS SecurityHub), including integration into CI/CD pipelines.

· Strong technical knowledge of Salesforce security best practices (roles, profiles, permission sets, OAuth/MFA, AppOmni).

· Practical experience embedding security into CI/CD pipelines (Copado, GitHub Actions, Jenkins, Terraform, Kubernetes).

· Demonstrated ability to lead and document Security Impact Analyses (SIAs) for proposed system and architecture changes.

· Experience with CI/CD, defining security decision gates, and DevSecOps, including AWS, GitHub Actions, and Copado CI/CD.

· Ability to assist customers and stakeholders with defining appropriate management processes (responsible for documenting application criticality, privacy, and security impact analysis).

· Strong working knowledge of secure SDLC and SAST/DAST/IAST/OAST tools, with the ability to both configure them and interpret results.

· Strong understanding of business security practices and procedures; knowledge of current security tools available; hardware/software security implementation; different communication protocols; encryption techniques/tools; familiarity with commercial products; and current Internet technology.

· Hands-on scripting and automation skills (Python, Bash, PowerShell, APIs).

· Excellent organizational, analytical, and problem-solving skills in a fast-paced DevSecOps environment.

· Strong communication skills to brief leadership and collaborate with technical/non-technical teams.

· Must possess strong analytical and problem-solving abilities, and strong critical-thinking skills in complex communication environments.

· Strong attention to detail. Required to manage and follow through on multiple independent tasks and dependencies across intra/inter-project teams.

· Demonstrated ability to work independently and as part of a cross-functional team.

· Demonstrated ability employing SAFe Agile responsibilities as an SSO and/or DevSecOps Engineer.

· Experience with Atlassian Jira & Confluence.

· Excellent command of written and spoken English.


Desired Qualifications:

· Federal Government contracting work experience.

· Highly preferred: industry certifications such as the CISSP, CISM, CRISC, CEH, GIAC, etc.

· Cloud Security & Automation certifications such as AWS Certified Security Specialty, AWS Solutions Architect, GIAC Cloud Security (GCSA), and CCSK/CCSP.

· Highly preferred: Salesforce or Developer certifications such as Administrator, Security & Privacy, Platform Developer.

· Technical / Offensive Security certifications such as OSCP, GPEN, CEH, and GWAPT.

· Experience with Security Information and Event Management (SIEM) systems (e.g., Splunk); DevSecOps & CI/CD: Kubernetes Security (CKS), GitHub Advanced Security, or equivalent.

· Demonstrated experience facilitating tabletop exercises and embedding lessons learned into continuous improvement cycles.

· Experience developing or customizing security automation scripts and compliance dashboards for ongoing reporting to leadership.

· Prior experience managing systems in AWS cloud environments, and familiarity with AWS tools and services.

· Strong technical knowledge of AWS cloud security (IAM, GuardDuty, CloudTrail, Security Hub).

· Strong working knowledge of DISA STIGs, CIS Benchmarks, and other hardening standards, and strong working knowledge of NIST RMF, NIST 800-53 Rev 5, and FedRAMP requirements.

· Experience maintaining and updating ATO documentation (SSPs, POA&Ms, IRPs, CMPs, PIAs, contingency plans).

· Experience with the Government Agency Security Assessment Process in support of maintaining and/or establishing an ATO and the appropriate security boundary.


Working Environment:
eSimplicity supports a hybrid work environment operating within the Eastern time zone so we can work with and respond to our government clients. Expected hours are 9:00 AM to 5:00 PM Eastern unless otherwise directed by your manager.

Occasional travel for training and project meetings. It is estimated to be less than 25% per year.


Benefits:
We offer highly competitive salaries and full healthcare benefits.


Equal Employment Opportunity:
eSimplicity is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to race, religion, color, national origin, gender, age, status as a protected veteran, sexual orientation, gender identity, or status as a qualified individual with a disability.



