Senior GRC Analyst
Job Description
Job Title: Senior GRC Analyst – DoD / CMMC / FISMA
Engagement Type: Contract-to-Hire (6+ months) | Full-Time | Remote (U.S.-based)
Hourly Rate: $65/hour (1099 or C2C)
Role Summary
Our Client is seeking a Senior GRC Analyst with deep, hands-on experience supporting DoD and federal compliance programs, specifically CMMC 2.0 Level 2 and FISMA within environments handling Controlled Unclassified Information (CUI).
This role is responsible for executing and sustaining NIST SP 800-171 and NIST SP 800-53 control implementation, maintaining audit and certification readiness, and supporting authorization and assessment activities. The position requires close collaboration with Engineering, DevOps, Cloud, and Security teams to ensure controls are implemented, validated, and supported by audit-ready evidence.
Core Skill Categories & Responsibilities
Governance, Risk & Compliance (GRC)
- Execute and maintain CMMC 2.0 Level 2 compliance programs
- Support FISMA compliance aligned to NIST SP 800-53 (Moderate baseline)
- Maintain System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), and control traceability
- Drive continuous monitoring (ConMon) and audit readiness initiatives
- Support DoD and federal audit preparation, assessments, and certification readiness
Security Frameworks & Standards
- Implement and validate controls aligned to:
  - NIST SP 800-171
  - NIST SP 800-53
  - CMMC 2.0
  - FISMA
- Map controls to compliance requirements and maintain alignment across systems handling CUI
Technical Security Controls (Validation & Implementation)
- Validate implementation of security controls across:
  - Identity & Access Management (IAM)
  - Logging, Monitoring, and Auditability
  - Encryption (at rest and in transit)
  - Vulnerability Management
  - Configuration Management
  - Incident Response & Contingency Planning
- Review and assess technical artifacts (architecture diagrams, configurations, logs)
- Ensure controls are properly implemented in AWS cloud environments
Cloud & DevOps Collaboration
- Partner with Engineering, CloudOps, and DevOps teams to implement and remediate controls
- Support cloud-native architectures and CI/CD pipeline security considerations
- Translate compliance requirements into technical solutions and configurations
Risk Management & Assessment
- Conduct risk assessments for systems, services, and architectural changes
- Manage risk registers, findings, and remediation tracking
- Perform third-party and supply chain risk assessments aligned with DoD requirements
Audit, Authorization & Evidence Management
- Produce and maintain audit-ready documentation and evidence
- Support Authorization to Operate (ATO) and federal authorization processes
- Validate and present evidence artifacts during audits and assessments
- Collaborate with stakeholders to remediate findings prior to government review
Required Qualifications
Experience
- 6+ years in GRC, cybersecurity compliance, or federal security programs
- Hands-on experience with:
  - CMMC 2.0 Level 2
  - DoD environments handling CUI
- Proven experience working directly with engineering and DevOps teams
Technical & Compliance Knowledge
- Strong knowledge of:
  - NIST SP 800-171
  - NIST SP 800-53
  - FISMA
  - CMMC 2.0
- Experience validating technical security controls in AWS
- Ability to translate compliance requirements into implemented controls and evidence
Tools & Technologies
- Cloud platforms: AWS
- GRC artifacts: SSPs, POA&Ms, Risk Registers
- Security domains: IAM, logging, encryption, vulnerability management
Preferred Qualifications
Certifications
- CMMC Registered Practitioner (RP)
- CISSP, CISM, or CISA
- Cloud security certifications (e.g., AWS Certified Security - Specialty, CCSP)
Additional Experience
- Experience supporting CMMC assessments or readiness programs
- Experience with federal ATO / authorization processes
- Familiarity with CI/CD pipelines and cloud-native architectures
- Background in defense, government contracting, or regulated environments