
Stefan James
Security Consultant & Cloud Security Engineer
Enterprise Security, Cloud Scale
I'm a Security Consultant and Cloud Security Engineer with 16+ years of hands-on experience protecting federal agencies, healthcare systems, and enterprise environments. My work spans cloud security architecture, NIST RMF compliance, vulnerability management, and DevSecOps — with a focus on building security programs that actually scale.
With a deep background in AWS Cloud Security, NIST RMF, and NIST 800-53 assessments, I bring an enterprise-grade mindset to every engagement. I don't just check compliance boxes — I look at the system as a whole and build controls that reduce real risk.
Outside of enterprise security, I'm expanding into Web3 security — applying vulnerability assessment methodology to smart contract auditing and decentralized applications.
Cloud Security
AWS & Infrastructure Protection
NIST Compliance
RMF & 800-53 Standards
DevSecOps
CI/CD Security Integration
Threat Models
STRIDE & DREAD Analysis
Things I've Built
Security assessments, cloud automation, DevSecOps tooling, and Web3 security research.
AWS Cloud Security Assessment
End-to-end AWS cloud security assessment aligned with NIST 800-53, HIPAA, and IRS Pub 1075 frameworks. Includes audit checklist, remediation roadmap, and sample security report deliverable.
AWS Lambda Inactive IAM Users
Automated Lambda function that detects and optionally disables IAM users inactive for 90+ days. Enforces least-privilege hygiene across AWS accounts.
Pharma Chain — Blockchain Supply Chain DApp
Web3-enabled pharmaceutical supply chain tracking application. Conducted a comprehensive security audit of Solidity contracts, identifying access control vulnerabilities and publishing a structured audit report aligned with SWC Registry standards.
Smart Contract Security Audit Portfolio
Public portfolio documenting smart contract security assessments and vulnerability findings. Combines manual code review with automated analysis using Hardhat, Foundry, and Slither.
SonarQube CI/CD Integration
Jenkins pipeline integration with SonarQube SAST/DAST tooling. Blocked 600+ critical security defects pre-production and enforced DevSecOps compliance across build pipelines.
Tools & Technologies
The stack I use to secure, assess, and automate across cloud and enterprise environments.
Compliance & Frameworks
Security Tools
Cloud & Infrastructure
DevSecOps & CI/CD
Collaboration & ITSM
Web3 & Blockchain
Certifications
Career Timeline
16+ years delivering measurable security impact across federal agencies, healthcare, and private sector.
Security Consultant & Cloud Security Engineer
James Consulting Group, LLC
Clients: IRS, USDA, HHS, NIH, SEC, VA, USPTO, USCIS, DHCF, Prince George's County, State of Maryland
- Directed security control assessments for IRS and NIH systems, validating compliance with NIST 800-53, FedRAMP, HIPAA, and IRS Pub 1075, securing multiple ATOs across hybrid AWS/on-prem environments.
- Performed AWS cloud security assessments, reviewing IAM, encryption, logging, and networking; authored SSPs, POA&Ms, SARs, and CAPs supporting ATO packages.
- Administered AWS Security Hub and GuardDuty, maintaining 90%+ compliance and prioritizing remediation timelines (critical <14 days).
- Automated POA&M creation, evidence reviews, and audit reporting using Generative AI (OpenAI, Claude), cutting audit prep time by 50%.
- Integrated Jenkins with SonarQube (SAST/DAST) in CI/CD pipelines, blocking 600+ vulnerabilities pre-production.
Sr. Cyber Security Engineer
Infor, Inc
Infor Government Solutions (IGS)
- Conducted vulnerability assessments using Nessus, Qualys, DBProtect, and AquaSec across government customer systems, networks, and applications.
- Executed a cost-optimization initiative implementing Nessus Manager instead of DBProtect, achieving $204K in savings.
- Performed security control assessments, conducted interviews, reviewed documentation, and validated compliance with NIST controls.
- Generated Security Assessment Reports (SARs) documenting findings, vulnerabilities, and residual risks in compliance with NIST guidelines.
DevSecOps Engineer
Infor, Inc
Learning Management Systems (LMS)
- Integrated SonarQube SAST in Jenkins CI/CD pipelines, blocking 600+ critical security defects pre-production.
- Developed automated CI/CD build/deployment pipelines using Jenkins, Terraform, and GitLab.
- Collaborated with development teams to remediate security issues identified by SonarQube, ensuring secure software delivery.
- Conducted security training and awareness programs for development and operations teams.
- Assisted in GitLab setup, installation, and migration projects; managed users, groups, projects, upgrades, and patches.
Security Control Assessor (FedRAMP, NIST SP)
Veterinarian Electronic Assistant (VEA)
Clients: NIH (OLAW)
- Supported security control assessments for information systems using NIST SP 800-53 Rev. 4 security controls.
- Developed security authorization documents including SSPs, POA&Ms, Risk Assessments, and security control baselines.
- Collaborated with ISSOs to create and manage POA&M items for system vulnerabilities and track remediation to closure.
Sr. Cyber Security Specialist
Grove Research Solutions, Inc
Clients: NIH (NHLBI)
- Analyzed log files from host, network, firewall, and IDS sources to identify threats to network security.
- Performed vulnerability scans and continuous monitoring using NIST 800-137 with Nessus across Windows and Linux environments.
- Conducted risk and vulnerability assessments of planned and installed information systems to identify protection needs.
Sr. Cyber Security Specialist
Medical Science & Computing, LLC
Clients: NIH (NHLBI)
- Ran ACAS scans, monitored the environment for abnormalities, and submitted hardening/patching reports to the senior admin.
- Implemented firewall blocks on malicious domains, emails, URLs, hashes, and IOCs to prevent enterprise compromise.
- Collaborated with the ISSO on cybersecurity analysis of organizational policies and procedures for compliance.
Information Security Specialist
Collabera, Inc
Clients: USPTO
- Monitored SIEM and logging environments with Splunk for security events, threats, and intrusions.
- Performed security evaluations, audits, and server logging reviews to verify secure operations.
- Conducted security assessments to determine effectiveness and compliance of implemented security controls.
IT Specialist
U.S. Department of Agriculture
- Implemented a custom web application converting hard-copy personnel folders to electronic personnel folders (e-OPF).
- Managed user accounts, permissions, and access rights; enforced security policies and authentication controls.
- Deployed server and OS patching, maintained the IT asset inventory, and ensured compliance with licensing agreements.