
GRC Analyst, Federal Programs
Posted 2 days ago

• Act as a member of Sword's GRC team, playing a key role in ensuring security compliance across all products and services, with a focus on federal programs;
• Define and uphold the CMMC assessment boundary, collaborating with infrastructure, engineering, and business teams to guarantee the accuracy and defensibility of the scope;
• Align NIST SP 800-171 practices with Sword's current environment and generate a clear, evidence-based gap analysis;
• Convert identified gaps into prioritized remediation actions with defined ownership, catering to audiences ranging from DevOps engineers to clinical operations managers;
• Develop and sustain the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and all necessary artifacts for assessment;
• Act as Sword's main point of contact with the C3PAO and assessment team during formal CMMC assessments;
• Drive FedRAMP readiness in parallel, including control documentation, evidence gathering, and continuous monitoring;
• Contribute to audits and compliance initiatives across other active frameworks, such as SOC 2 and HITRUST, as part of Sword's comprehensive GRC program;
• A minimum of 5 years of practical experience in GRC, compliance, or security, with at least 3 of those years concentrated on federal compliance frameworks like CMMC or FedRAMP;
• Proven track record of owning deliverables and driving remediation efforts through a CMMC, FedRAMP, or similar federal compliance initiative;
• Robust understanding of CMMC Level 2 practices, scoping methodology, and CUI handling requirements;
• Capability to generate compliance documentation — SSPs, POA&Ms, gap analyses, control narratives — with minimal supervision;
• Demonstrated ability to convey technical compliance requirements to non-technical stakeholders across engineering, operations, and business teams;
• Experience engaging directly with external auditors and assessors, including evidence organization and real-time responses during assessments;
• US citizenship is mandatory;
• Ability to obtain a federal Public Trust designation if required by a sponsoring agency;
**Preferred Qualifications**
• CMMC Certified Professional (CCP) credential, or active pursuit of such;
• CMMC Certified Assessor (CCA) credential;
• Hands-on experience with FedRAMP authorization packages, continuous monitoring, and agency ATO processes;
• Background in defense contracting or regulated health tech sectors;
• Experience working across multiple compliance frameworks at the same time (HITRUST, SOC 2, ISO 27001);
• Familiarity with GRC platforms such as Hyperproof, Drata, or Vanta;
• Comprehensive health, dental, and vision insurance*
• Life and AD&D Insurance*
• Financial advisory services*
• Supplemental Insurance Benefits (Accident, Hospital and Critical Illness)*
• Health Savings Account*
• Equity shares*
• Discretionary PTO plan*
• Parental leave*
• 401(k)
• Flexible working hours
• Remote-first company
• Paid company holidays
• Free digital therapist services for you and your family