Job Description

Job Title: Senior GRC Analyst

Role Summary
We are seeking a Senior GRC Analyst with deep, hands-on expertise in DoD and federal compliance programs, particularly CMMC 2.0 Level 2 and FISMA, in environments handling Controlled Unclassified Information (CUI). This role focuses on implementing, validating, and sustaining NIST SP 800-171 and NIST SP 800-53 controls; maintaining audit and authorization readiness; and collaborating cross-functionally with Engineering, DevOps, Cloud, and Security teams to ensure controls are effectively implemented, evidenced, and continuously monitored. Key Responsibilities

• CMMC & DoD Compliance
  Drive CMMC 2.0 Level 2 implementation and readiness for CUI-processing systems.
  Implement, validate, track, and remediate NIST SP 800-171 controls, including evidence gathering and POA&M management.
  Prepare for DoD assessments and third-party audits by ensuring full control implementation and traceability.
• FISMA & Federal Security Requirements
  Execute FISMA-aligned activities using NIST SP 800-53 (Moderate baseline).
  Support federal authorization efforts, including System Security Plan (SSP) updates, control narratives, evidence validation, and continuous monitoring (ConMon).
  Address audit findings and remediate gaps in collaboration with internal stakeholders.
• Technical Control Validation
  Partner with Engineering, CloudOps, and Security teams to validate technical controls in AWS-regulated environments, covering:
  • Identity and Access Management (IAM)
  • Logging, monitoring, and auditability
  • Encryption (at rest and in transit)
  • Vulnerability and configuration management
  • Incident response and contingency planning
    Review technical artifacts (e.g., architecture diagrams, configurations, logs) to confirm audit-ready evidence.
• Risk & Supply Chain Security
  Perform security and risk assessments for systems, services, and changes involving CUI.
  Conduct third-party/supply chain risk evaluations per DoD and federal standards.
  Maintain risk registers, track findings, and manage remediation via POA&Ms.

Required Qualifications
Core Experience

• 6+ years in GRC, cybersecurity compliance, or federal security programs.
• Direct, hands-on experience with CMMC 2.0 Level 2 and/or DoD environments managing CUI.
• Proven collaboration with engineering/DevOps teams on control implementation (beyond advisory roles).

Technical & Framework Expertise

• Strong proficiency in:
  • NIST SP 800-171 (protecting CUI)
  • NIST SP 800-53 (FISMA Moderate baseline)
  • FISMA requirements
  • CMMC 2.0 framework
• Demonstrated ability to validate technical security controls in AWS cloud environments.

Documentation & Communication Skills

• Expertise in producing audit-ready documentation, evidence packages, control narratives, and reports tailored to regulated/government audiences.
• Excellent written and verbal communication for cross-functional and executive/government interactions.

Preferred Qualifications

• Prior involvement in CMMC assessments or readiness programs.
• Experience supporting federal Authority to Operate (ATO) or authorization processes.
• Familiarity with CI/CD pipelines and cloud-native architectures.
• Background in defense, government contracting, or highly regulated federal environments.
• Relevant certifications (preferred):
  • CMMC Registered Practitioner (RP)
  • CISSP, CISM, or CISA
  • Cloud security certifications (e.g., AWS Security Specialty)

Job Tags

Similar Jobs