About the Role:
The candidate will serve as a highly skilled Sr. GRC Engineer responsible for maintaining the cybersecurity posture of a federal program, system, or enclave. They will ensure that security and privacy requirements are effectively implemented, continuously monitored, and aligned with Federal standards. They will work in close collaboration with the client system owner and act as the principal advisor on all matters related to security and privacy controls, bringing deep expertise in managing the security lifecycle of complex organizational systems.
The ideal candidate will champion the organization’s transition to GRC Engineering. They will promote a dynamic, risk-informed posture that moves beyond static compliance and integrates modernization initiatives such as supply chain risk management, DevSecOps practices, zero trust architectures, AI- and machine-learning-enabled security, and support for responsible citizen development. Their approach will span both IT and OT environments and will adapt to evolving cyber threats, mission needs, and operational constraints.
They will guide stakeholders and engineering teams in adopting continuous assurance, automated control evidence, integrated risk scoring, and scalable control inheritance. Through this leadership, they will strengthen system resiliency, improve decision quality, and accelerate secure mission delivery while advancing the organization toward a modern, engineering-driven security model.
Role Responsibilities:
• Serve as an advocate for innovation within the GRC program by identifying opportunities to modernize processes, reduce manual effort, and introduce engineering-driven practices.
• Promote and support migration to cloud and hybrid architectures by aligning security planning, controls, and monitoring activities with cloud-native capabilities and shared responsibility models.
• Drive adoption of continuous monitoring practices that emphasize automated data collection, real-time visibility, and rapid detection of risk indicators.
• Implement and support automated alerting mechanisms, dashboards, and analytics that enhance situational awareness and support operational decision-making.
• Work closely with client stakeholders, engineering teams, and system owners to educate, demonstrate, and introduce new capabilities such as policy as code, automated evidence generation, and integrated risk scoring.
• Encourage the integration of DevSecOps practices, supply chain risk management, zero trust principles, and AI- or ML-enabled analysis into GRC workflows to improve agility and resilience.
• Facilitate collaboration across IT and OT environments to ensure modernization initiatives support mission needs while maintaining consistent security and privacy protections.
• Identify the security and privacy requirements allocated to a system and to the organization.
• Identify the characteristics of a system and contribute to determining the boundary of a system.
• Collaborate with the System Owner to categorize the system and document the security categorization results as part of system requirements.
• Identify stakeholders who have a security and/or privacy interest in the development, implementation, operation, or sustainment of a system.
• Identify the stakeholder protection needs and stakeholder security and privacy requirements.
• Identify the types of information to be processed, stored, or transmitted by a system.
• Identify stakeholder assets that require protection.
• Conduct an initial risk assessment of stakeholder assets and update the risk assessment on an ongoing basis.
• Select the security and privacy controls for a system and document the functional description of the planned control implementations in a security/privacy plan.
• Develop a strategy for monitoring security and privacy control effectiveness; coordinate the system-level strategy with the organization and mission/business process-level monitoring strategy.
• Develop, review, and approve a plan to assess the security and privacy controls in a system and the organization.
• Document changes to planned security and privacy control implementation and establish the configuration baseline for a system.
• Respond to system risk posture based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in a plan of action and milestones (POA&M).
• Prepare a plan of action and milestones based on the findings and recommendations of a security assessment report excluding any remediation actions taken.
• Update a security plan, security assessment report, and plan of action and milestones based on the results of a continuous monitoring process.
• Review the security and privacy status of a system (including the effectiveness of security and privacy controls) on an ongoing basis to determine whether the risk remains acceptable.
• Report the security status of a system (including the effectiveness of security and privacy controls) to an authorizing official on an ongoing basis in accordance with the monitoring strategy.
• Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
• Ensure that security improvement actions are evaluated, validated, and implemented as required.
Required Education & Qualifications:
• Bachelor's degree in Computer Science, Information Systems, or a related field, or an additional three (3) years of relevant experience.
• 7+ years of relevant cyber security experience.
• 3+ years of ISSO experience.
• Requires subject matter expertise at the intersection of technology and security to effectively guide system teams in designing, developing, implementing, and maintaining secure solutions for the agency.
• Experience leading a team, coordinating work, and driving performance through effective communication and coaching.
• Must be a seasoned security professional with the ability to develop high-quality, responsive technical security artifacts.
• Experienced practitioner who can create technically sound, actionable security deliverables, not a technical writer focused solely on compliance documentation.
• Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
• Strong foundational and operational knowledge of DevSecOps and CI/CD pipelines, Zero Trust (ZT) implementations, Supply Chain Risk Management (SCRM), security considerations for citizen development, Artificial Intelligence (AI), and Operational Technology.
• Expertise in FedRAMP standards and processes; strong understanding of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) cloud services and common platforms such as Azure, Microsoft 365, Salesforce, ServiceNow, Appian, MuleSoft, etc.
• Solid understanding of DevSecOps principles (continuous integration, continuous delivery, and continuous security) to rapidly deliver applications while reducing security vulnerabilities.
• Familiar with Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA), secrets management, and popular code repositories to include GitHub. Operational knowledge of Infrastructure as Code (IaC), virtualization and containerization technologies and implementations.
• Experience with endpoint protection, integrity monitoring and Security Information and Event Management (SIEM) tools.
• Expertise in authentication, authorization, and identity federation principles and corresponding protocols/standards, including Security Assertion Markup Language (SAML), Open Authorization (OAuth), and OpenID Connect (OIDC).
• Well versed in Public Key Infrastructure (PKI) and encryption technology implementations, and in Federal Information Processing Standards (FIPS) and their corresponding requirements.
• Possess foundational knowledge of network technologies, topologies and architectures, and corresponding protection mechanisms.
• Familiar with Open Security Control Assessment Language (OSCAL) to provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results.
• Must have expertise in analyzing and interpreting software vulnerabilities to include Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE) and Common Vulnerability Scoring System (CVSS) formats.
• Prior experience serving as an ISSO and managing a portfolio of Federal information systems, including achieving system ATOs, managing POA&Ms, and briefing senior leadership; deep functional and technical knowledge of the NIST RMF and CSF steps.
• Experience with creating policies that reflect system security and privacy objectives.
• Experience in applying confidentiality, integrity, and availability principles.
• Experience in assessing security and privacy controls based on cybersecurity- and privacy-related principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
• Experience applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, and non-repudiation).
• Experience in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect the security and privacy of the system.
• Experience in technical writing.
• Experience in writing about facts and ideas in a clear, convincing, and organized manner.
• Experience in evaluating the trustworthiness of the supplier and/or product.
Desired Skills:
• One of the following certifications is preferred: CASP, GPEN, GMON, GISP, GSEC, GSLC, CISM, CISA, CAP, CCSP, SSCP, CISSP, CISSP-ISSMP.
• Demonstrated practical experience managing cloud and hybrid systems, including configuration, monitoring, security operations, and lifecycle sustainment.
• Experience supporting the successful achievement of Authorizations to Operate (ATOs) for cloud and hybrid environments using NIST RMF, FedRAMP baselines, and agency-specific requirements.
• Experience implementing policy as code (PaC) to automate control enforcement, compliance validation, and security evidence collection.
• Ability to introduce automation, engineering practices, and innovation into GRC programs to improve efficiency, reduce manual work, and enhance continuous monitoring.
Clearance and Location Requirements:
• Ability to obtain a Public Trust clearance is required.
• This position is currently fully remote.