GRC Analyst 0426

nexus IT group
Washington, CO Full Time
POSTED ON 6/25/2026
AVAILABLE BEFORE 8/25/2026

The Governance, Risk, and Compliance (GRC) Analyst supporting federal and customer programs is responsible for evaluating, documenting, and operationalizing cybersecurity and compliance requirements across the organization. This position works across contractual obligations, regulatory standards, and internal security controls—translating external requirements into clear internal actions and assessing how effectively those obligations are being met.

This individual plays a central role in reviewing contractual security language, aligning requirements to applicable frameworks and existing controls, and identifying gaps. The role also supports risk management processes, policy and governance activities, and audit or customer-facing security inquiries.

A significant portion of the work involves analyzing contract terms as new business is awarded and existing programs evolve. This person will act as a key reviewer of cybersecurity-related contract language and partner closely with legal and procurement teams during negotiations and revisions. The role is well suited for someone who enjoys detailed analysis of regulatory and contractual text as a core part of their responsibilities.

This is a highly detail-oriented and writing-heavy role that requires strong analytical thinking, familiarity with multiple compliance standards, and the ability to collaborate across technical and non-technical teams.


Key Responsibilities

Contract & Requirements Analysis

  • Review contracts, statements of work, and related documents to identify cybersecurity, privacy, and data protection requirements.
  • Translate contractual obligations into structured, actionable requirements that can be tracked and validated.
  • Assess alignment between requirements and current security controls, identifying areas of full, partial, or non-compliance.
  • Develop artifacts such as gap analyses, compliance matrices, and traceability documentation.
  • Partner with legal and procurement teams on contract language, including negotiations and supplier flow-down requirements.

Framework Alignment & Interpretation

  • Maintain working knowledge of relevant standards such as NIST frameworks, ISO 27001, FedRAMP, CMMC, and applicable international regulations.
  • Map controls across frameworks to streamline compliance efforts and reduce redundancy.
  • Interpret regulatory guidance and apply it to business systems and scenarios, escalating uncertainties when needed.

Governance & Policy Support

  • Help maintain documentation within the organization’s information security management system (ISMS), ensuring accuracy and audit readiness.
  • Support policy lifecycle activities including updates, version control, and exception handling.
  • Contribute to reporting on compliance posture, including metrics and remediation progress.

Documentation & Deliverables

  • Create and maintain compliance documentation such as security plans, remediation trackers, policies, and audit materials.
  • Respond to customer, auditor, or regulator inquiries with clear and tailored written communication.

Risk Management

  • Lead the risk assessment process, maintaining a risk register and documenting findings and mitigation strategies.
  • Support risk acceptance and exception workflows, ensuring proper documentation and follow-through.
  • Track and report on remediation activities and escalate high-risk or overdue items.

Third-Party Risk

  • Participate in vendor and supplier security reviews, including assessment of questionnaires and control attestations.
  • Support evaluation of supplier compliance with contractual security requirements.

Audit & Assessment Support

  • Assist with internal and external audits, certifications, and assessments.
  • Coordinate evidence collection and validation with internal stakeholders.
  • Participate in audit discussions as a subject matter contributor when needed.

Cross-Functional Collaboration

  • Work closely with legal, procurement, engineering, IT, and security teams to interpret and implement requirements.
  • Act as a resource for internal stakeholders on regulatory and contractual compliance expectations.

What Success Looks Like (First Year)

  • Establish a consistent intake and review process for contract-related security requirements.
  • Deliver traceability documentation linking contract requirements to controls and evidence.
  • Implement and maintain a formal risk management process and reporting cadence.
  • Ensure security documentation remains audit-ready through at least one assessment cycle.

Required Qualifications

  • 5 years of experience in GRC, IT audit, or a related cybersecurity discipline.
  • Strong familiarity with NIST-based frameworks and control implementation practices.
  • Experience developing compliance documentation such as security plans or control matrices.
  • Hands-on involvement in audits or certification processes (e.g., ISO 27001, SOC 2, FedRAMP, or similar).
  • Excellent writing and documentation skills.
  • Ability to interpret contractual and regulatory language in detail, and an interest in doing so.
  • Experience collaborating across technical and business teams.
  • Bachelor’s degree in a relevant field or equivalent experience.

Preferred Qualifications

  • Experience with government or defense-related compliance requirements.
  • Familiarity with international data protection and security regulations.
  • Background working with sensitive or regulated data environments.
  • Exposure to highly regulated industries such as aerospace, defense, or advanced technology.
  • Experience reviewing or negotiating contract security terms.
  • Familiarity with GRC platforms (e.g., enterprise risk or compliance tools).
  • Relevant certifications (e.g., CISA, CISSP, CRISC, ISO 27001, or similar).
  • Active security clearance or eligibility to obtain one.

Salary.com Estimation for GRC Analyst 0426 in Washington, CO
$93,508 to $115,110


