
Senior GRC Analyst – NIST, GovRAMP, FedRAMP
Posted Jun 12
This is a fully remote position, open to applicants in Philippines.
• Oversee the ongoing development and enhancement of the System Security Plan (SSP), along with policies, procedures, and standards in accordance with NIST 800-53 and SOC 2.
• Take responsibility for the lifecycle of the Plan of Action and Milestones (POA&M): monitoring, aging, evidence of remediation, and monthly continuous monitoring deliverables.
• Manage the catalog of control evidence—tracking what evidence is available, its location, the date it was last updated, and what is due for renewal.
• Collaborate with the U.S. security team and Third-Party Assessment Organizations (3PAOs) to support GovRAMP, FedRAMP, and state-level (TX-RAMP) authorization and monitoring efforts.
• Oversee our comprehensive third-party risk management program, including security questionnaires, due diligence, contract evaluations, and periodic reassessments.
• Maintain the enterprise risk register, aid in making risk acceptance decisions, and convert technical risks into business terms for executive comprehension.
• Manage subcontractor flow-down obligations and ensure PII safeguarding certifications are upheld throughout all pertinent agreements.
• Monitor contractual security obligations across state customer contracts, ensuring all commitments are fulfilled on time.
• Maintain and control versions of our policy library—crafted in clear language rather than generic templates.
• Administer our security awareness training program, conduct phishing simulations, and manage Rules of Behavior enforcement.
• Develop tabletop exercise scenarios, facilitate the exercises, and create after-action reports with clearly assigned remediation responsibilities.
• Collaborate with HR and IT on security checklists for onboarding and offboarding, access reviews, and enforcement of acceptable use policies.

• Residing in the Philippines with night shift availability (to align with the U.S. team).
• More than 7 years of practical GRC experience, including at least 3 years focused on FedRAMP, GovRAMP, StateRAMP, TX-RAMP, or CMMC programs at a SaaS organization.
• Proven experience in authoring SSPs, POA&Ms, and continuous monitoring deliverables for successful authorizations—rather than merely contributing to others' projects.
• Profound knowledge of NIST 800-53, NIST 800-171, FIPS 199/200, SOC 2 (Type II), and the realistic aspects of gathering audit evidence.
• A proactive individual who can join an existing program, pinpoint areas for maturation, and execute tasks independently. If "figure it out and make it better" resonates with you, you’ll likely excel here.
• Outstanding written English skills—your documentation will be scrutinized by state auditors, executives, and 3PAOs.
• Experience managing a third-party risk management program and conducting vendor security reviews at scale.
• A bachelor's degree in Cybersecurity, Information Systems, or a related discipline; relevant certifications (CISSP, CISA, CRISC, CGRC/CAP, ISO 27001 Lead Implementer) are highly desirable.
• Bonus: familiarity with GRC tools (Drata, Vanta, Hyperproof, ServiceNow GRC) and prior experience working with U.S. state government clients.

• A senior individual contributor role with significant ownership over a specific segment of our GRC program.
• Enhancing the documentation framework (SSPs, policies, POA&Ms, risk register, vendor program) that supports our GovRAMP, FedRAMP, and state authorization initiatives.
• Contributing to a product that directly enables thousands of individuals to access workforce and educational services.
• Collaborating directly with security leadership, engineering, and executive stakeholders—minimal hierarchy, no excessive oversight.
• Promoting continuous enhancements of policies, controls, and evidence gathering throughout the organization.
• Enjoying a fully remote work environment.