Senior Cybersecurity · GRC Engineering

Jose Rodriguez

Senior Cybersecurity / ISSO and USMC veteran with 9+ years securing DoD and federal systems — from full RMF lifecycle execution in eMASS to compliance-as-code engineering on AWS.

9+ Years Experience
8 Certifications
18+ Team Supervised
ATO Approvals
Top Secret — Eligible for Reactivation

Profile

About Me

Status: Open to Opportunities
Location: Sanford, FL 32771
Clearance: Top Secret — Eligible for Reactivation
Education: B.S. IT & Security — Campbell University
Military: U.S. Marine Corps Veteran

I'm a Senior Cybersecurity / ISSO professional and bilingual U.S. Marine Corps veteran with over 9 years of hands-on experience securing mission-critical DoD, federal civilian, and healthcare systems from threat assessment through authorization.

My specialty is the full RMF lifecycle in eMASS — I've led control selection through ATO and continuous monitoring across Army, Navy, and federal civilian environments, achieving consecutive Authorization to Operate approvals on mission-critical systems.

What makes me different: I don't just execute compliance checklists — I build GRC as code. My portfolio implements NIST 800-53 controls as Terraform, AWS infrastructure, and machine-readable OSCAL — bridging traditional GRC documentation with modern DevSecOps engineering.

Most recently, I supervised a team of 18+ ISSOs, Security Control Assessors, and Information Security Managers delivering consecutive ATO approvals — operating with the precision of a technical analyst and the leadership of a senior advisor.

Capabilities

Core Skills

Cloud & Infrastructure
  • AWS (EC2, S3, IAM, Lambda)
  • AWS Bedrock & EventBridge
  • AWS Security Hub
  • Terraform & CloudFormation
  • Checkov Policy-as-Code
  • Docker & GitHub Actions CI/CD
  • Windows Server & Active Directory
  • Linux Administration
Frameworks & Compliance
  • RMF (NIST 800-37)
  • NIST 800-53 Rev 4 & 5
  • NIST 800-171
  • FISMA & FedRAMP
  • CNSSI 1253
  • DISA STIG / SRG
  • OSCAL 1.1.2
  • SSP / POA&M / SAR / RAR
GRC & Security Tools
  • eMASS / eMASSter
  • ACAS / Tenable Nessus
  • SCAP Compliance Checker
  • STIG Viewer / Evaluate-STIG
  • Vulnerator
  • HBSS / VRAM
  • Continuous Monitoring
  • FISMA Reporting
Credentials

Certifications

GRC Engineering Portfolio

Project Highlights

OffboardIQ — AI-Powered RMF Offboarding Agent

An AWS Bedrock agent (Claude Haiku 4.5) automating full IAM employee offboarding in under 60 seconds via 4 Lambda action groups. Implements NIST SP 800-53 controls AC-2, AC-3, AC-6, PS-4, IA-4, AU-2/9/11/12, IR-6, SC-28, SI-12 with S3 evidence archival and DynamoDB audit logging. Solves orphaned-account audit findings in seconds, not weeks.

AWS Bedrock · Claude Haiku 4.5 · NIST 800-53 · Lambda · DynamoDB

NIST RMF Automated POA&M System

AWS-native automated POA&M pipeline using Security Hub + GuardDuty + EventBridge + Lambda + DynamoDB. Maps findings to NIST 800-53 control families with risk-based milestone scheduling (HIGH 30 / MED 90 / LOW 180 days). Implements CA-7 continuous monitoring with REST API and dashboard — directly addressing the most common ATO bottleneck.

Security Hub · GuardDuty · EventBridge · CA-7 · ConMon

GRC Infrastructure as Code — AWS

Secure AWS EC2 deployment using CloudFormation with embedded GRC controls. Demonstrates compliance-as-code — infrastructure provisioned with security guardrails, least-privilege IAM policies, and audit logging baked in from day one.

CloudFormation · EC2 · IaC · IAM

RMF System Tracker

A JavaScript-based tracker for managing systems through the NIST Risk Management Framework lifecycle. Tracks authorization status, control implementation states, and assessment milestones across multiple systems — bringing visibility to what's usually a manual, spreadsheet-driven process.

JavaScript · NIST 800-37 · ATO Tracking

GRC AWS EC2 Monitor

Python-based monitoring tool targeting AWS EC2 environments for GRC compliance visibility. Surfaces configuration states and security posture data relevant to continuous monitoring requirements under RMF — bridging cloud infrastructure and compliance reporting.

Python · AWS EC2 · ConMon

AI Security Training Platform

Interactive JavaScript-based platform for cybersecurity awareness and security training. Reflects security awareness program development work from real-world DoD healthcare environments — translating enterprise training program design into a deployable web tool.

JavaScript · Security Awareness · AI-Assisted

History

Experience

Cybersecurity Supervisor
COLSA Corporation — Orlando, FL
Jul 2021 — Sep 2025
  • Supervised 18 personnel — 5 Security Control Assessors, 2 Information Security Managers, and 11 ISSOs — across multiple programs supporting Army and DoD systems.
  • Directed RMF lifecycle execution and compliance reviews for enclaves and mission-critical applications; conducted pre/post-assessment teleconferences leading to consecutive ATO approvals.
  • Led end-to-end QA reviews of all RMF artifacts within eMASS prior to AO review, ensuring compliance, accuracy, and audit readiness across multiple DoD authorization packages.
  • Annotated assessment procedure (AP) test results in eMASS and produced final SARs and RARs supporting ATO decisions.
Senior Cybersecurity Analyst
ECS — Orlando, FL
Feb 2021 — Apr 2021
  • Conducted Security Control Assessments leading to a 3-year ATO; drafted POA&Ms with technical mitigation strategies and milestones.
  • Ran and analyzed ACAS scans, uploaded test results into eMASS, and coordinated remediation with engineers; provided STIG and SDLC security guidance.
  • Authored Information Security Plans, Configuration Management Plans, Incident Response Plans, and Contingency Plans; supported penetration testing.
Information System Security Officer (ISSO)
Naval Air Warfare Training Systems Division (NAWCTSD)
Jul 2020 — Feb 2021
  • Developed and maintained RMF A&A packages for IDEA program systems, ensuring authorization readiness and continuous compliance.
  • Managed continuous monitoring strategies, vulnerability reporting in VRAM, and authorization status tracking across multiple training systems.
  • Utilized ACAS, SCAP Compliance Checker, and Vulnerator for system scans and security posture reporting; oversaw eMASS documentation and artifact integrity.
ISSO / IT Specialist (INFOSEC)
Naval Medical Center Camp Lejeune — NC
Jul 2018 — Jul 2020
  • Led cybersecurity governance, risk management, and compliance for classified and unclassified defense programs; served as primary cybersecurity advisor to program managers, system owners, and senior leadership.
  • Oversaw development of SSPs, SARs, POA&Ms, and executive cybersecurity briefings; coordinated incident response and corrective action planning; assisted RMF Program Manager in maintaining network C&A.
  • Operated ACAS for enterprise vulnerability management; managed HBSS product outages and STIG-aligned patching across the network.
Information Security Analyst & Sys Admin
Naval Medical Center Camp Lejeune — NC
Jul 2016 — Jul 2018
  • Implemented cybersecurity controls protecting 2,000+ end users across clinical and administrative systems handling sensitive healthcare data; administered Windows servers, workstations, and networked systems.
  • Managed account provisioning, RBAC, and deactivation to enforce least privilege; reported and tracked NTDs, CTOs, and IAVAs in OCRS while maintaining HIPAA compliance.
Aircraft Maintenance Admin Specialist
U.S. Marine Corps — New River, NC
Apr 2007 — Apr 2011
  • Maintained OOMA NALCOMIS accounts, privileges, and security for 100+ maintenance personnel; managed backup/recovery and equipment inventory.
  • Earliest hands-on experience with access management, system administration, and information security in a high-tempo operational environment.
Now

Currently Building

AWS Cloud Security

Building cloud-native security automation on AWS — IAM policy governance, Security Hub integrations, and compliance-as-code pipelines for FedRAMP workloads.

OSCAL & FedRAMP

Deepening FedRAMP High and Moderate authorization expertise — OSCAL document family generation, 3PAO assessment processes, and continuous monitoring at scale.

AI Governance & NIST AI RMF

Exploring AI/ML security governance under NIST AI RMF 1.0 — mapping traditional cybersecurity controls to emerging AI system threat models and compliance requirements.

Get In Touch

Let's Connect

Open to cybersecurity roles in GRC engineering, cloud security, and federal or defense environments. TS clearance — eligible for reactivation. Available for immediate consideration.

Whether you're looking for a senior GRC engineer, a cloud security architect with federal experience, or a cybersecurity program lead — let's talk.