<h2 style="margin-bottom:4px;text-indent:-0.5pt;">Role summary</h2>We are seeking a remote Senior DevSecOps Engineer to own and evolve the platform — Terraform, EKS, GitLab CI/CD security gates, GitOps delivery, observability, and FISMA controls — and set the engineering standard for the team. You are the person who catches a backend block in the wrong module before it merges, and who makes the security gate something developers trust rather than route around.<h2 style="text-indent:-0.5pt;">What you’ll do</h2><ul><li style="margin-bottom:2px;margin-left:7px;">Own the Terraform estate across the three repos and the 2-stack-perenv layout — directory-per-env roots, semver-pinned module consumption, a provider-pinning contract (version ranges in modules, locked in roots), S3 state with native locking, and OIDC (no static keys).</li><li style="margin-left:7px;margin-bottom:2px;">Lead state-safe refactors — split the monolith, fold sandbox stacks into the data stack using moved blocks / state mv, with backed-up state and zero-destroy plans on stateful resources (Aurora, Redis).</li><li style="margin-left:7px;margin-bottom:2px;">Build and operate EKS (toward Auto Mode), GitLab CI (runner-onEKS), and Argo CD GitOps — Helm, image signing, Kyverno admission, OPA policy decisions.</li><li style="margin-left:7px;margin-bottom:2px;">Harden the CI/CD security gate: container/filesystem scanning (Trivy), secret detection (Gitleaks), SBOM + signing, policy-as-code deny-gates, and ECR scan-on-push — wired so a failing gate blocks the merge.</li><li style="margin-left:7px;">Stand up the AWS-native observability stack (CloudWatch / </li></ul>Container Insights, AMP, X-Ray/ADOT, Managed Grafana, Application Signals) with SLOs, alarms-as-code, and a dead-man’s-switch on the alerting path itself. Drive the private-network migration (TGW egress, VPC endpoints, no NAT/IGW) and close FISMA gaps (CloudTrail/Config, Security Hub NIST 800-53, KMS where required, audit-account separation).<ul style="margin-bottom:13px;"><li style="margin-bottom:13px;margin-left:7px;">Review teammates’ IaC and set the standards.</li></ul><h2 style="text-indent:-0.5pt;">Must-haves</h2><ul><li style="margin-left:7px;margin-bottom:2px;">Terraform at scale — root vs. child modules, state isolation, for_each/count/dynamic, drift, provider-pin conflicts, and state migration (moved/state mv) without destroying data. Writes modules others reuse. Can explain why workspaces ≠ directory-per-env.</li><li style="margin-bottom:2px;margin-left:7px;">Strong AWS cloud engineering — VPC/networking (private subnets, endpoints, TGW), IAM/OIDC, EKS, ECR, ALB/API-GW, and when SSE-S3 vs. KMS-CMK is actually required.</li><li style="margin-left:7px;margin-bottom:2px;">EKS you have operated, not just used — node/pod networking, IRSA, admission control, upgrades, troubleshooting a broken rollout.</li><li style="margin-left:7px;">CI/CD security (the “Sec” in DevSecOps) — </li></ul>SAST/dependency/container scanning, secret scanning, supply-chain (SBOM, signing), policy-as-code, secrets hygiene. You have made a pipeline block on a finding.<ul style="margin-bottom:13px;"><li style="margin-left:7px;margin-bottom:2px;">Federal compliance fluency — NIST 800-53 / FISMA-Moderate; can map a control family (AU, CM, SC) to an actual implementation.</li><li style="margin-bottom:13px;margin-left:7px;">Writes clear PRs and reviews others’ code constructively.</li></ul><h2 style="text-indent:-0.5pt;">Strongly preferred</h2><ul style="margin-bottom:15px;"><li style="margin-left:7px;margin-bottom:2px;">Observability depth (OpenTelemetry, Prometheus/Grafana, SLO/errorbudget design).</li><li style="margin-left:7px;margin-bottom:2px;">Prior regulated/federal environment (NOAA/DoD/civilian agency, ATO process), clearance or Public-Trust history.</li><li style="margin-bottom:15px;margin-left:7px;">GitLab CI specifically, Argo CD, and Kubernetes runners.</li></ul>GAMA-1 also offers a variety of benefits, including health insurance coverage, life and disability insurance, 401(k) savings plan, training and career development opportunities, paid holidays and paid time off (PTO - to cover vacation, illness or disability, appointments, emergencies or other situations that require time off from work). For more information click <a href=\"https://www.gama1tech.com/gama-benefits/\">here.</a> ABOUT GAMA-1 GAMA-1 is a rapidly growing technology business that is based in Greenbelt, Maryland. GAMA-1 Technologies provides strategic information assurance, information security, and business enterprise and networking solutions to the Federal Government. Our success is based on the utilization of industry and agency standards, establishment of standardized processes, and IT Services expertise. At GAMA-1, we believe employees should grow, achieve, and develop just as the company grows, achieves, and develops. GAMA-1 is committed to providing our employees with opportunities for career advancement throughout their employment. For more information, visit www.gama1tech.com GAMA-1 is an Equal Opportunity Employer and all qualified applicants will receive consideration for employment without regard to: veteran status, uniformed servicemember status, race, color, religion, sex, sexual orientation, gender identity, age, pregnancy (including childbirth, lactation and related medical conditions), national origin or ancestry, citizenship or immigration status, physical or mental disability, genetic information (including testing and characteristics), domestic violence victims, political orientation, status as a smoker or tobacco user, hairstyle, use of a service animal, education status, familial status, HIV/AIDS status, height, weight, reproductive healthcare decisions or any other category protected by federal, state or local law.

Senior DevSecOps / AWS Cloud Engineer