GRC Analyst at Impulse Space
Redondo Beach, CA 90278, USA
Full Time


Start Date

Immediate

Expiry Date

07 Nov, 25

Salary

90000.0

Posted On

08 Aug, 25

Experience

3 year(s) or above

Remote Job

Yes

Telecommute

Yes

Sponsor Visa

No

Skills

CAP, CISA, Information Security, ITAR, Communication Skills, Security+, Documentation, Archer, NIST

Industry

Information Technology/IT

Description

We are seeking a Governance, Risk, and Compliance (GRC) Analyst to help build, manage, and scale our information security compliance programs. You will play a hands-on role in maintaining and operationalizing controls for frameworks like CMMC, NIST 800-171, NIST 800-53, and ITAR, while supporting internal risk assessments, customer security reviews, and policy lifecycle management.
This role is ideal for someone who thrives on structured thinking, translating security requirements into business-aligned controls, and keeping fast-moving teams inspection-ready. You’ll work closely with the InfoSec, IT, legal, and engineering teams while supporting both internal leadership and external customer compliance engagements.

Responsibilities

  • Maintain and track compliance with NIST 800-171, 800-53, CMMC, and ITAR obligations across systems, personnel, and vendors
  • Own and manage security documentation, including System Security Plans (SSPs), POA&Ms, RA/RM, and associated audit artifacts
  • Leverage Onspring to manage control mappings, evidence collection, policy lifecycle tracking, and compliance reporting
  • Assist in the development, revision, and review of security policies, standards, and procedures to ensure alignment with current frameworks
  • Collaborate with IT, Security, and Engineering teams to monitor and verify the implementation of technical and administrative controls
  • Coordinate and support internal risk assessments, gap analyses, and customer security reviews
  • Track and report on compliance status, risk findings, and remediation activities to InfoSec leadership and executive stakeholders
  • Support risk-based decision making by conducting internal control reviews and supplier/vendor compliance assessments
  • Facilitate end-user security training, compliance briefings, and evidence collection workflows
  • Participate in continuous improvement of compliance processes, playbooks, and tooling as the company scales

Minimum Qualifications

  • 3+ years in a GRC, information security, compliance, or audit support role
  • Experience working with NIST 800-171 and 800-53, CMMC Level 2 or 3, and ITAR and/or export control regimes
  • Experience with POA&M management, SSP development, risk assessments, and control mapping
  • Experience interfacing with customer security teams or supporting customer-driven compliance reviews
  • Demonstrated experience with Onspring or similar GRC platforms (ServiceNow GRC, Archer, etc.)

Preferred Skills and Experience

  • Experience supporting defense contractors, aerospace manufacturers, or similar regulated industries
  • Demonstrated knowledge of insider threat program requirements, third-party risk programs, or DFARS compliance
  • Familiarity with vulnerability management workflows and secure system baselining
  • Security certifications such as CAP, CISA, Security+, or Certified CMMC Professional (CCP)
  • Strong writing, documentation, and communication skills

