
Job Information

Red Cat Holdings Senior DevSecOps Engineer, Government Systems Security & Compliance in United States

Description

Position Summary

Apium Swarm Robotics (ASR) is revolutionizing swarm autonomy software for air, surface, undersea, and ground vehicles operating across dual-use commercial and defense environments. Our systems are deployed on real platforms, tested in the field, and delivered to customers operating in complex, uncertain, and safety-critical conditions.

We do not build research prototypes or slideware. Our software is integrated into real vehicles, tested in the field, and delivered to customers who depend on operational reliability, speed of execution, and mission relevance. We prioritize performance over hype.

ASR systems represent the next phase in autonomy: collaborative swarming. These are not like pre-programmed drones for light shows. We are creating real-time cooperative management that lets one operator control dozens to hundreds of vehicles with the ease of controlling a single vehicle. As such, this role requires comfort with responsibility, ambiguity, and operational accountability.

ASR seeks a Senior DevSecOps Engineer to build the company’s government-grade security and compliance engineering practice from the ground up. You will architect the CI/CD security pipeline, own our CMMC compliance posture, and deliver software artifacts that are accreditable under applicable NIST frameworks for operational technology.

This is not a traditional IT security role. ASR builds embedded, safety-critical systems for unmanned platforms. You must understand OT security requirements and apply them appropriately to firmware, autopilot-layer software, and ground control systems — not just enterprise IT frameworks.

Unlike almost any other robotics company, ASR’s advanced SITL suite allows developers to work from home. Travel for testing and demonstrations will allow you to witness firsthand your contributions as dozens of drones take flight.

Essential Duties and Responsibilities

  • Design and implement CI/CD security gates (SAST, dependency scanning, secrets detection, SBOM generation) across ASR’s version control organization (GitHub, GitLab, or equivalent)

  • Establish structured artifact management with semantic versioning, signed releases, and audit-traceable build provenance; manage release pipelines across incrementally constrained compliance tiers (commercial, CMMC-controlled, SIPRNet-classified)

  • Own CMMC Level 2 compliance posture; develop and maintain SSP, POA&M, and ATO/IATT support documentation for government program deliveries

  • Apply NIST SP 800-82 OT security controls to embedded flight software, GCS services, and swarm communications protocols

  • Implement technical controls for CUI handling, export-controlled repository access, and ITAR/EAR compliance in development workflows

  • Define threat modeling and SSDF (NIST SP 800-218) practices; maintain SBOM generation per EO 14028 and DoD supply chain requirements

  • Ensure source control organization meets required security standards: MFA applied as required, least-privilege access controls maintained, audit logging confirmed, and third-party application permissions managed

  • Support corporate IT integration: align ASR’s development environment with broader CMMC and CUI enclave requirements as the company scales

Required Qualifications

  • Must be a US Citizen

  • Active Secret clearance or demonstrated ability and willingness to obtain one

  • 5+ years of DevSecOps, security engineering, or information assurance experience, with at least 2 years in a DoD or defense contractor environment

  • Working knowledge of CMMC 2.0 Level 2 requirements and assessment processes

  • Practical experience with GitHub Actions, GitLab CI, or equivalent CI/CD platforms, including writing custom pipeline configurations for security automation

  • Ability to read and reason about C++ and Python codebases for threat modeling, SAST triage, and vulnerability assessment.

  • Understanding of OT/embedded system security distinctions from enterprise IT; ability to apply NIST 800-82 to firmware and autopilot-layer software

  • Experience with SBOM generation tooling (e.g., Syft, CycloneDX, SPDX) and DoD supply chain security requirements

  • Familiarity with ITAR/EAR technical controls: CUI handling, export-controlled repository access, and developer access management

  • Comfort working independently with limited oversight; ability to remain calm and effective under operational pressure

Additional Desired Qualifications

  • BS in Computer Science or related field preferred

  • Experience authoring NIST SP 800-171 SSP and POA&M documentation in a DoD or defense contractor environment

  • Experience managing release pipelines across incrementally constrained compliance environments (e.g., commercial release, CMMC-controlled distribution, SIPRNet-classified behaviors)

  • CMMC Registered Practitioner (RP) or Certified Professional (CP); DoD 8570/8140 compliant certification (CISSP, Security+, or equivalent)

  • Familiarity with RMF and DISA STIG applicability for Linux-based embedded systems

  • Experience with Android application security including APK signing and MDM for government tablet deployments

  • Prior work on UAS, robotics, or autonomous systems; familiarity with PX4/ArduPilot is a differentiator

  • Experience with ATAK/WinTAK plugin security and TAK server CUI handling

  • Active TS/SCI clearance

Physical Requirements and Working Conditions

  • Must be able to walk, stand, and navigate large indoor and outdoor facilities for extended periods of time.

  • Ability to lift, carry, and move materials and equipment weighing up to 25 lbs on a regular basis.

  • Use of personal protective equipment (PPE) may be required in designated areas or when performing specific tasks, in accordance with safety protocols and company policy.

  • May be required to climb ladders, stoop, kneel, or crouch during inspections, maintenance walk-throughs, or emergency response situations.

  • Regular exposure to facility operations including noise, dust, temperature fluctuations, and industrial equipment.

  • Occasional off-hours or weekend work required for emergency facility responses or projects as needed

  • Requires frequent use of a computer and other standard office equipment for documentation, communication, and coordination tasks.

Background Check

This position will require successfully completing a post-offer background check. Qualified candidates with a criminal history will be considered and are not automatically disqualified, consistent with federal and state law.

EEO and ITAR/EAR Work Authorization Disclosure

Red Cat Holdings provides equal employment opportunities (EEO) to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws. This position requires direct or indirect access to hardware, software, technology or technical data controlled under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). Successful candidates for positions subject to ITAR/EAR restrictions must provide proof of U.S. Citizenship or Permanent Residence and must not require sponsorship for export-restricted work authorization.

E-Verify

The company participates in E-Verify (https://www.e-verify.gov/sites/default/files/everify/posters/EVerifyParticipationPoster.pdf) to ensure eligibility for employment and compliance with Right to Work (https://www.e-verify.gov/sites/default/files/everify/posters/IER_RightToWorkPoster%20Eng_Es.pdf) rules.

Compensation: Base pay, plus generous annual equity package and potential bonuses.
