Senior GRC Analyst

Job Title: Senior GRC Analyst – DoD / CMMC / FISMAEngagement Type: Contract-to-Hire (6+ months) | Full-Time | Remote (U.S.-based)Hourly Range of $65/hour 1099 or C2CMUST BE US CITIZENRole SummaryOur Client is seeking a Senior GRC Analyst with deep, hands-on experience supporting DoD and federal compliance programs, specifically CMMC 2.0 Level 2 and FISMA within environments handling Controlled Unclassified Information (CUI).This role is responsible for executing and sustaining NIST SP 800-171 and NIST SP 800-53 control implementation, maintaining audit and certification readiness, and supporting authorization and assessment activities. The position requires close collaboration with Engineering, DevOps, Cloud, and Security teams to ensure controls are implemented, validated, and supported by audit-ready evidence.Core Skill Categories & ResponsibilitiesGovernance, Risk & Compliance (GRC)Execute and maintain CMMC 2.0 Level 2 compliance programsSupport FISMA compliance aligned to NIST SP 800-53 (Moderate baseline)Maintain System Security Plans (SSPs), POA&Ms, and control traceabilityDrive continuous monitoring (ConMon) and audit readiness initiativesSupport DoD and federal audit preparation, assessments, and certification readinessSecurity Frameworks & StandardsImplement and validate controls aligned to:NIST SP 800-171NIST SP 800-53CMMC 2.0FISMAMap controls to compliance requirements and maintain alignment across systems handling CUITechnical Security Controls (Validation & Implementation)Validate implementation of security controls across:Identity & Access Management (IAM)Logging, Monitoring, and AuditabilityEncryption (at rest and in transit)Vulnerability ManagementConfiguration ManagementIncident Response & Contingency PlanningReview and assess technical artifacts (architecture diagrams, configurations, logs)Ensure controls are properly implemented in AWS cloud environmentsCloud & DevOps CollaborationPartner with Engineering, CloudOps, and DevOps teams to implement and remediate controlsSupport cloud-native architectures and CI/CD pipeline security considerationsTranslate compliance requirements into technical solutions and configurationsRisk Management & AssessmentConduct risk assessments for systems, services, and architectural changesManage risk registers, findings, and remediation trackingPerform third-party and supply chain risk assessments aligned with DoD requirementsAudit, Authorization & Evidence ManagementProduce and maintain audit-ready documentation and evidenceSupport Authority to Operate (ATO) and federal authorization processesValidate and present evidence artifacts during audits and assessmentsCollaborate with stakeholders to remediate findings prior to government reviewRequired QualificationsExperience6+ years in GRC, cybersecurity compliance, or federal security programsHands-on experience with:CMMC 2.0 Level 2DoD environments handling CUIProven experience working directly with engineering and DevOps teamsTechnical & Compliance KnowledgeStrong knowledge of:NIST SP 800-171NIST SP 800-53FISMACMMC 2.0Experience validating technical security controls in AWSAbility to translate compliance requirements into implemented controls and evidenceTools & TechnologiesCloud platforms: AWSGRC artifacts: SSPs, POA&Ms, Risk RegistersSecurity domains: IAM, logging, encryption, vulnerability managementPreferred QualificationsCertificationsCMMC Registered Practitioner (RP)CISSP, CISM, or CISACloud Security Certifications (e.g., AWS Security, CCSP)Additional ExperienceExperience supporting CMMC assessments or readiness programsExperience with federal ATO / authorization processesFamiliarity with CI/CD pipelines and cloud-native architecturesBackground in defense, government contracting, or regulated environments