Senior GRC Analyst – DoD / CMMC / FISMA
• *Engagement Type**
Contract to Hire (6+ Months) | Full-Time Conversion Opportunity
Remote (U.S. Based)
• *Compensation**
$55–$65/hr W2
• *Overview**
We are seeking a Senior GRC Analyst with hands-on experience supporting DoD and federal compliance programs, specifically CMMC 2.0 Level 2 and FISMA requirements within environments handling Controlled Unclassified Information (CUI).
This role is responsible for executing and sustaining NIST SP 800-171 and NIST SP 800-53 control frameworks, maintaining audit and certification readiness, and supporting authorization and assessment activities for government and defense-related systems.
The ideal candidate brings a strong blend of compliance expertise and technical validation experience, working directly with Engineering, DevOps, Cloud, and Security teams to ensure controls are not only documented, but effectively implemented, tested, and evidenced.
• *Key Responsibilities
• *CMMC & DoD Compliance
• Support CMMC 2.0 Level 2 implementation and readiness efforts for systems processing or storing CUI
• Implement, validate, and track NIST SP 800-171 controls, including evidence collection and remediation
• Prepare for DoD assessments and third-party audits, ensuring controls are fully implemented prior to review
• Maintain control traceability, POA&Ms, and remediation plans aligned with CMMC and DoD expectations
• *FISMA & Federal Security Compliance
• Execute FISMA compliance activities aligned to NIST SP 800-53 (Moderate baseline)
• Support federal authorization efforts, including SSP updates, control narratives, and evidence validation
• Drive continuous monitoring (ConMon) and ongoing audit readiness activities
• Partner with internal teams to remediate findings and close compliance gaps prior to government review
• *Technical Control Validation
• Collaborate with Engineering, CloudOps, and Security teams to validate implementation of technical controls, including:
• Identity and Access Management (IAM)
• Logging and monitoring
• Encryption (at rest and in transit)
• Vulnerability management
• Configuration management
• Incident response and contingency planning
• Validate control implementation within AWS environments supporting regulated workloads
• Review technical artifacts (architecture diagrams, system configurations, logs) to ensure audit-ready evidence
• *Risk & Supply Chain Security
• Conduct risk assessments for systems, services, and architectural changes involving CUI
• Support third-party and supply chain risk assessments aligned with DoD and federal requirements
• Track risks, findings, and remediation activities through POA&Ms and risk registers
• *Required Qualifications
• 6+ years of experience in GRC, cybersecurity compliance, or federal security programs
• Hands-on experience supporting CMMC 2.0 Level 2 and/or DoD environments handling CUI
• Strong working knowledge of:
• NIST SP 800-171
• NIST SP 800-53
• FISMA
• CMMC 2.0
• Experience validating technical security controls within AWS environments
• Experience working directly with Engineering and DevOps teams (not strictly advisory)
• Proven ability to produce audit-ready documentation and supporting evidence
• Strong communication skills with the ability to interface with technical and government stakeholders
• *Preferred Qualifications**
• Experience supporting CMMC assessments or readiness programs
• Experience supporting federal ATO / authorization processes
• Familiarity with CI/CD pipelines and cloud-native architectures
• Background in defense, government contracting, or regulated federal environments
• Relevant certifications (preferred, not required):
• CMMC Registered Practitioner (RP)
• CISSP, CISM, or CISA
• Cloud security certifications