Mighty Acorn

Software Engineer V - Security Engineer

Posted One Month Ago
Remote
Hiring Remotely in United States
150K-200K Annually
Senior level
The Software Engineer V - Security Engineer will lead security measures, translate compliance requirements into actionable guidance, and proactively secure sensitive data across product teams.
The summary above was generated by AI

About Mighty Acorn

At Mighty Acorn, we make it easier for governments to deliver world-class digital services. From renewing a fishing license to applying for unemployment benefits, we build digital services that enhance public trust and satisfaction.

Our vision is a world where “good enough for government work” returns to its pedestal: fast, reliable, and frustration-free. We achieve this by empowering people, increasing transparency, breaking down silos, and moving together toward a shared goal.

Specializing in modern software development, DevSecOps, and scalable infrastructure, we focus on leveraging automation to manage complexity, accelerate transformation, shorten feedback loops, and reduce risk to build a world where government programs run reliably, smoothly, and efficiently.

While our team averages 10+ years of experience in the industry, we are a relatively new (formed in 2023) professional services company. Our government clients engage us to improve their digital products and services in a way that ensures better outcomes for their users and stakeholders. That means our clients hire us for our expertise, which we bill our time for.

Software Engineer V - Security Engineer at Mighty Acorn

At Mighty Acorn, we build digital services that real people depend on to access government benefits and programs. The data flowing through those services — health records, social security numbers, income information — demands a higher standard of security than most software environments. We're not looking for someone to run periodic audits; we're looking for someone to embed directly with our product teams, build a culture of security-by-default, and ensure we can handle sensitive data with confidence.

As a Software Engineer V - Security Engineer, you'll work as an embedded security expert across one or more product teams, translating complex government compliance requirements into practical, actionable engineering guidance. You'll combine hands-on implementation work — hardening infrastructure, integrating security into CI/CD pipelines, reviewing code — with the strategic work of developing security roadmaps, leading gap remediation efforts, and working directly with government stakeholders and client security teams. At this level, you own the security posture for the engagements you're on. That means earning trust with engineers and government program staff alike.

This is a fully remote position. Candidates must be based in and work from the contiguous United States, with at least a 5-hour overlap with 9am–5pm ET, Monday through Friday.

On a day-to-day basis, you will be responsible for:

  • Acting as the embedded security lead for product teams handling sensitive data, including PII, health information, and other regulated data — providing guidance on architecture decisions, data handling, and storage in real time.
  • Proactively implementing security hardening measures across AWS infrastructure, CI/CD pipelines, and application code — not waiting for a compliance process to tell you what needs to change.
  • Translating government compliance frameworks (NIST, HIPAA, FedRAMP, CMS ARC-AMPE, and others) into practical, prioritized guidance the engineering team can act on.
  • Developing and maintaining a security roadmap from compliance gap findings — writing concrete implementation tickets and helping teams understand the threshold at which different types of production data can be safely handled.
  • Participating in code review of infrastructure, DevOps, and security-relevant pull requests, and pairing with engineers on implementation.
  • Establishing automated and manual processes for ongoing compliance: security gates in CI/CD pipelines, secrets management, automated repository scanning, deployment checklists, and similar.
  • Documenting current data handling practices to support legal review, ATO processes, and security assessment reporting (SAR and similar).
  • Working closely with client agency security teams to align practices, share context, and support compliance across organizational boundaries.
  • Facilitating threat modeling sessions with product teams to establish a shared understanding of actual risk — helping the team distinguish high-impact changes from nice-to-haves.

Must have technical skills:

  • 10+ years of engineering experience, with significant depth in application security and/or DevSecOps practices.
  • Cloud security expertise on AWS — securing compute, storage, networking, and identity at the infrastructure level.
  • Hands-on experience with DevSecOps tooling: CI/CD security integration, secrets management, container security, and automated scanning (SAST, DAST, dependency scanning).
  • Experience with government compliance frameworks (NIST, FISMA, FedRAMP, HIPAA, or similar) and a demonstrated ability to translate regulatory language into concrete technical requirements.
  • Scripting and automation skills sufficient to build and maintain security tooling — Python, TypeScript/JavaScript, or shell.
  • Experience operating systems that process PII, SSNs, health data, or other sensitive information — with sound judgment about what that entails.

Must have nontechnical skills:

  • Demonstrated ability to read dense regulatory documents and translate them into clear, prioritized, actionable guidance for an engineering team.
  • Experience with formal security assessment processes — ATOs, SARs, or comparable frameworks — and the documentation they require.
  • Strong written and verbal communication skills, including the ability to explain risk and security posture to non-technical program staff and government stakeholders.
  • Experience developing security roadmaps and leading gap remediation efforts from initial assessment through implementation.
  • Comfort operating in ambiguous environments, building programs from scratch without a predefined playbook.
  • Sound judgment about prioritization — the ability to differentiate high-impact security changes from improvements that can wait.
  • A Bachelor's degree (or equivalent experience) is contractually required for this role.

Nice to haves:

  • Experience with healthcare data security, CMS compliance requirements (including ARC-AMPE), or state health IT systems.
  • Familiarity with OWASP SAMM or similar software assurance maturity models.
  • Experience working in or alongside government agencies, with an understanding of their organizational constraints and stakeholder dynamics.
  • Experience working in professional services or government digital services consulting.

This Position Is Contingent, Pending Contract Award.

Other requirements:

  • An ability to work efficiently, sometimes under tight deadlines.
  • A preference for transparency and an ability to be direct and transparent in your own communication.
  • An ability to adapt quickly and cope with temporarily ambiguous situations as requirements change.
  • This role requires work be performed from within the contiguous United States.
  • Candidates must either hold active US citizenship or a green card, and should possess work authorization that does not require any present or future visa sponsorship by Mighty Acorn Digital.
  • Candidates selected for the role must pass a criminal background check prior to their start date.
  • Candidates must have a fast (>100Mbps) and reliable internet connection and have a dedicated workspace with background noise at an appropriate level for audio calls.

If you don’t meet every requirement but believe you’d be great in this role, we’d love to hear from you! We’re committed to building diverse teams, and research shows that women and underrepresented groups often hesitate to apply unless they meet every qualification. Don't let that hold you back—let’s talk!
