ARCHIVED
This job listing has been archived and is no longer accepting applications.

Field CISO

Knox Systems

New York, New York, United States | Remote | Permanent

Posted: February 17, 2026


Quick Summary

As a Field CISO, you will lead technical architecture reviews to partner with and support customer engineering teams deploying into Knox's FedRAMP boundary, focusing on ensuring the security and reliability of these cloud and AI environments.

Job Description

Field CISO

Department: Sales

Reports To: CEO

Location: New York, NY or Washington, D.C. Metro Area

Classification: Full-Time, Exempt

Estimated Compensation Range: $195k-230k

Focus: Lead technical architecture reviews to partner with and support customer engineering teams deploying into Knox's FedRAMP boundary.

About Knox

Knox runs the largest Federal managed cloud, building and operating secure cloud and AI environments that support the U.S. government’s most critical missions — from national security and public safety to essential public services. Our customers rely on Knox to deploy production systems that meet the highest standards for security, reliability, and compliance.

Work at Knox is high-impact and purpose-driven. The problems we solve are high-stakes, the expectations are high, and the results are visible. Speed, rigor, and trust matter here - because the environments we secure cannot fail. Your contributions are visible, your expertise is relied upon, and the impact of your work is immediate and measurable. We operate at federal scale, securing some of the most sensitive government environments in the country - because the systems we build must perform without fail.

The Role

You are the technical expert on every customer call. When a prospect asks whether their Istio service mesh needs FIPS-hardened images, whether they can keep their Auth0 integration, or how to handle encryption in transit between pods in an EKS cluster, you are the person with the answer.

This is a technical pre-sales and post-sales architecture role, not a sales role. You will conduct architecture reviews, walk customers through gap analysis findings, guide remediation efforts, and help engineering teams deploy into Knox's FedRAMP boundary. You work with cloud architects, DevOps leads, and CISOs at companies ranging from Series B startups to Fortune 500 enterprises who are bringing their SaaS products to federal and DoD markets.

Responsibilities

• Architecture Reviews — Evaluate customer infrastructure diagrams, data flows, and network topologies against FedRAMP requirements. Identify red flags.

• Gap Analysis Walkthroughs — Present scanning results (NIST 800-53 gaps, vulnerability scans, DAST/pen test, IaC scans) to customer engineering teams. Translate findings into actionable remediation steps.

• Remediation Guidance — Help customers work through all findings: replacing non-authorized third-party services, hardening container images, enabling encryption in transit, configuring identity federation, and tightening policies.

• Sub-Processor Assessment — Evaluate whether a customer's third-party tools (monitoring, logging, CDN, auth, ITSM) are FedRAMP authorized or not.

• Deployment Planning — Guide customers through deploying into Knox's cloud: CI/CD pipeline configuration, secrets management, service mesh configuration, and database migration.

• Compliance Translation — Bridge the gap between FedRAMP control language and engineering implementation. Explain what NIST 800-53 controls mean in terms of Terraform configs, Kubernetes manifests, CI/CD pipelines, and cloud configuration across AWS, Azure, and GCP.

• Ongoing Technical Support — Help customers interpret scan results, develop deviation rationales for findings that can't be directly remediated, and plan architecture changes that maintain compliance.

Required Qualifications

• Cloud Infrastructure (AWS / Azure / GCP) — Deep understanding of cloud service authorization scoping. You must know which AWS services are FedRAMP authorized in commercial regions vs. GovCloud, when GovCloud is required (High/IL4) vs. when commercial regions suffice (Moderate), and how GCP Assured Workloads differs from the standard GCP model. You should intelligently guide customers on topics related to network architecture, subnet design, cross-account connectivity, and multi-region strategies.

• FedRAMP & NIST 800-53 Compliance Architecture — Working knowledge of FedRAMP Moderate, High, and DoD IL4/IL5 control baselines. You need to explain the difference between impact levels, map customer architectures to control families, understand ATO inheritance models, and speak fluently about the SSP and authorization package, POA&Ms, deviation rationales, and continuous monitoring requirements. You should understand FedRAMP Rev 5 and be tracking FedRAMP 20x developments.

• Container Security & Software Supply Chain — FIPS-compliant container images: You will field questions about hardened base images from supply chain vendors, explain how software bill of materials (SBOM) scanning works, guide customers through CVE remediation workflows, and assist with image provenance and signing.

• Kubernetes & Service Mesh — Working knowledge of EKS, AKS and GKE. You need hands-on experience with Kubernetes networking, pod security policies, and service mesh architectures (Istio, Linkerd, AWS App Mesh). The most common deep-dive question: how to achieve FIPS-validated mTLS for all pod-to-pod communication. You should understand sidecar injection, Helm chart management, and the security implications of different ingress controllers.

• Infrastructure as Code & CI/CD — You must be comfortable reviewing Terraform, Pulumi, CloudFormation, or Ansible configurations and identifying NIST compliance gaps. You need to explain CI/CD best practices and compliant configurations, and help customers architect their deployment pipelines.

• Identity & Access Management — Technical understanding of SAML and OIDC implementations. You will assist customers with integrating Okta, Azure AD, or agency-specific identity providers. You should understand CAC/PIV smartcard authentication for DoD customers, MFA enforcement, session management requirements, and how PAM solutions function.

• Cryptography & Data Protection — You need practical knowledge of FIPS 140-2/3 validation, encryption in transit (TLS configuration, mTLS between services), encryption at rest (KMS key management, key rotation), and data isolation strategies for multi-tenant architectures (per-tenant encryption keys, crypto-shred on customer departure).

Bonus / Preferred

• Third-party ecosystem knowledge — Which security, monitoring, and DevOps tools are FedRAMP authorized and at what levels. Knowing the authorized alternatives for common tools.

• FedRAMP 20x awareness — The program is in pilot and evolving. Understanding real-time automated compliance reporting and how it differs from traditional annual audits positions you to advise customers on future-proofing.

• Multi-cloud architecture — Some customers operate across AWS and GCP, or Azure and AWS. Experience architecting cross-cloud connectivity while maintaining FedRAMP boundary integrity.

• 3PAO assessment experience — Familiarity with the audit process from a 3PAO. Understanding what auditors expect helps you prepare customers proactively.

• DoD IL4/IL5 specific requirements — Understanding the additional data isolation and access restrictions that apply at impact levels beyond FedRAMP High and DISA IL-4.

• Federal go-to-market context — Not selling, but understanding how agencies evaluate and procure software, how the FedRAMP Marketplace works, and what agency risk acceptance processes look like.

Tools You'll Work With

• Security scanning — CrowdStrike Falcon (SIEM, EDR/MDR/CSPM), Wiz, DAST Scanners

• Cloud platforms — AWS (commercial + GovCloud), Azure, GCP Assured Workloads

• Container supply chain — Chainguard, RapidFort, Minimus, etc.

• Orchestration — Kubernetes (EKS, AKS), Helm, Istio, Linkerd, AWS App Mesh

• IaC & CI/CD — Terraform, Pulumi, CloudFormation, GitHub Actions, ArgoCD, Jenkins, Ansible

• Identity & Access — Okta, EntraID, PAM solutions

• Compliance & Audit — 3PAOs, GRC tools like Vanta, Drata, Regscale

• Monitoring — Datadog, Grafana/Prometheus, CloudWatch, CrowdStrike LogScale

• ITSM — ServiceNow

Hiring Requirement: Due to the nature of our work with federal government clients and compliance with applicable regulations, this position requires U.S. citizenship. Candidates must be able to provide documentation verifying U.S. citizenship status as part of the background check process.

Any offer of employment is contingent upon the successful completion of all required pre-employment screenings, including a background check, in accordance with applicable laws and government contract requirements.

Benefits & Perks

Knox offers a competitive employee benefits package including Medical, Dental, Vision, Life & Disability, unlimited PEO, and an employee-funded 401k plan. Please note, benefits are subject to change.

We are an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. Employment decisions are made without regard to race, color, religion, sex, sexual orientation, gender identity or expression, national origin, age, disability, veteran status, or any other legally protected status.
