By Light Professional IT Services LLC readies warfighters and federal agencies with technology and systems engineered to connect, protect, and prepare individuals and teams for whatever comes next. Headquartered in McLean, VA, By Light supports defense, civilian, and commercial IT customers worldwide.

Cole Engineering Services (CESI), a By Light company, is recognized as a premier provider of modeling and simulation (M&S) training solutions to the Federal Government and industry. Since 2004, CESI has been at the forefront of developing, maintaining, and integrating simulation-based training, serious gaming, technical services, training and other support in live, virtual, constructive, and gaming (LVCG) domains.  CESI also designs, builds and runs infrastructure, platforms, applications and processes that enable cyber training for the integrated multi-domain force. Our vision is to become a worldwide full spectrum LVCG and cyber training/analysis developer, integrator and services provider.

Cole Engineering Services, Inc. is seeking a highly qualified Senior Cloud Infrastructure Engineer to lead implementation, security, and operations of mission-critical cloud environments that power DoD cyber training capabilities and applications. You will manage and develop resilient, compliant, and cost-optimized cloud platforms supporting cyber ranges, training orchestration, and multi-tenant applications in FedRamp approved cloud environments. You will partner closely with cybersecurity, DevSecOps, networking, and training operations teams to deliver secure, scalable capabilities aligned to DoD RMF, DISA STIGs, and the DoD Cloud Computing SRG (Impact Levels IL2–IL6).

In this role, you will be a key technical leader ensuring the DoD’s cyber training enterprise platforms are secure, resilient, and efficient, enabling cyber operators to execute complex cyber exercises at scale while meeting stringent compliance and mission requirements.

Primary Position Functions:

• Support the design and maintain landing zones using cloud applications such as AWS Organizations, Control Tower, SCP guardrails, Identity and Access Management (IAM) multi-account patterns, and VPC architectures (Transit Gateway, PrivateLink, NAT, IGW) for enclave isolation and cross-domain needs.
• Engineer high-availability, multi-Region solutions leveraging cloud tools such as EC2, EKS/ECS Fargate, RDS/Aurora, DynamoDB, S3/EFS/FSx, Load Balancers, Route 53, and API Gateway.
• Implement Zero Trust-aligned patterns (micro-segmentation, strong identity, continuous verification) consistent with DoD Zero Trust guidance.
• Implement security controls and evidence generation for RMF ATO packages (SSP, SAR, POA&M) in coordination with cybersecurity teams.
• Apply DISA STIGs (OS, DB, Kubernetes, Container) and SRG requirements for workloads at IL2–IL6
• Tailor and automate STIG application using IaC and configuration management.
• Integrate encryption and key management with cloud tools such as AWS KMS/HSM; enforce IAM least privilege, SCPs, permission boundaries, ABAC, and robust secrets management.
• Implement cloud logging and metrics tools such as  CloudTrail/CloudWatch/GuardDuty/Config for comprehensive audit and detection.
• Align architectures with FedRAMP Moderate/High baselines when required and ensure boundary compliance for controlled workloads.

Networking and Connectivity

• Develop secure connectivity (AWS Direct Connect/VPN), hybrid routing, and segmentation; implement TLS mutual auth, certificate management, and private service endpoints.
• Design logging and telemetry pipelines (CloudWatch, OpenTelemetry, Kinesis, S3, SIEM integration such as Splunk/ELK) with retention, metadata/tagging, and data lifecycle policies.
• Own SLOs/SLAs for platform services.
• Implement autoscaling, health checks, and proactive capacity management.
• Lead cost management and alerting practices of cloud environments in coordination with project leads.
• Provide Tier 3 support, on-call rotations during exercises, and incident response coordination with cybersecurity and training operations.

Program and Stakeholder Engagement

• Collaborate with agile teams and product owners to translate training requirements into platform capabilities.
• Provide mentorship for junior engineers.
• Establish standards, design reviews, and repeatable processes.
• Present cloud solutions to project leadership and accreditation authorities.

• 8–12+ years of experience in cloud/platform engineering with at least 5 years focused on Amazon Web Services (AWS) with a demonstrated leadership delivering secure, scalable, production-grade cloud-based systems.
• DoD 8570/8140 compliance: IAT II (Security+) required; IAT III/CISSP or CASP+ preferred
• Associate or bachelor’s degree in a related technical discipline such as computer science or information technology from an accredited college or university.

• AWS Certifications: Certified Solutions Architect – Professional, Security – Specialty, and/or DevOps Engineer – Professional.

Please note that pursuant to a government contract, this specific position requires U. S. Citizenship status with ability to obtain a SECRET to TOP SECRET security clearance.  Security Clearance requirements will be specified in the Government's Task Order.

Active DoD Secret clearance preferred; If not already cleared, candidate will be required to obtain and maintain a Top Secret/SCI clearance as a condition of employment.

This job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee. The above is intended to describe the general contents of and requirements for the performance of this job.

CESI recognizes that our strength is our people. We support every employee as an individual to build strong teams across the enterprise.  Our benefit package includes:

• Medical, Dental & Vision Coverage
• Wellness Program
• 401(k) Matching
• Disability (Short Term & Long Term)
• Employee Assistance Program
• Life Insurance
• Education & Training
• Generous Leave Policy (11 Federal Holidays, PTO, Military Leave, Bereavement and Jury Duty)

CESI is committed to principles of inclusion and equal employment opportunity.  We foster a non-discriminatory, professional work environment for all our teams.  We do not discriminate based on race, color, religion, sex, pregnancy, sexual orientation, gender identity, genetic information, national origin, age, marital status, disability, or veteran status.