Information Systems Security Engineer
Boston, MA, USA
About you:
You have spent years working inside the DoD ecosystem and you know what program security actually looks like. You have sat in customer meetings where security requirements get argued over, built authorization packages that survived an assessor, and spent enough time with systems developers and government security reps to know that the best security engineers are the ones who show up before the design is finalized. You approach security as a systems problem and you bring the technical depth to back it up.
Merlin Labs builds autonomous aviation systems for demanding defense customers, and we are looking for a security engineer who wants to help us do that correctly. You will be working alongside engineers who care about getting this right, interfacing with government customers directly, and shaping how security engineering gets done at a company that is growing fast and taking on more complex programs. If that is the kind of ownership you are looking for, this is the role.
Responsibilities:
Apply systems security engineering methods across the architecture, design, evaluation, and integration of Merlin's defense programs and products, working alongside engineering teams to embed security requirements early rather than retrofitting them once a system is built.
Support RMF accreditation and authorization activities for supported programs, including categorization, controls selection and implementation, security assessment, and body of evidence package development through all required RMF steps.
Engage with government customers and their security representatives to define, document, and implement security protection requirements with the technical rigor and fidelity that DoD authorization demands.
Apply and verify DISA SRGs and STIGs across program environments, and maintain the configuration management processes that keep systems compliant as they evolve through their operational lifecycle.
Conduct vulnerability assessments using tools such as Tenable NESSUS and ACAS, coordinate remediation with engineering teams, and manage the ongoing security posture of supported systems.
Evaluate and advise on the selection of COTS, GOTS, and open-source tools entering the program environment, following DoD-approved software approval processes and ensuring security implications are understood before adoption.
Support DevSecOps security integration by bringing defense-grade practices into our CI/CD pipeline, including static application security testing and security-gated build processes for government-facing deliverables.
Qualifications:
Bachelor's degree with 5 years of cybersecurity experience on DoD or government programs.
Direct experience with RMF accreditation and authorization, including body of evidence package development and working with government ISSOs, SCAs, or authorizing official representatives through the authorization lifecycle.
Hands-on experience applying DISA SRGs and STIGs and conducting vulnerability assessments with tools such as Tenable NESSUS, ACAS, or SCC.
Active clearance. TS preferred.
Nice to Have:
Experience with government and commercial security tooling and security integration in a DevSecOps environment, or equivalent tools used in a defense or government program context.
Familiarity with SIEM platforms and development of detection rulesets and dashboards in a defense program or enterprise security context.
Background in aerospace, aviation, autonomous systems, or another safety-critical engineering domain where security and reliability requirements intersect.