About the Role:

This role requires deep subject matter expertise at the intersection of technology and cybersecurity to effectively guide system teams in designing, developing, implementing, and maintaining secure solutions for the agency. The individual must be a seasoned security professional capable of producing high quality, technically sound, and actionable security artifacts. While the individual will generate significant documentation in support of Risk Management Framework activities, this position requires an experienced practitioner who can apply engineering rigor and develop meaningful security deliverables, not a technical writer focused solely on compliance documentation.

The candidate will serve as a highly skilled Sr. GRC Engineer responsible for maintaining the cybersecurity posture of a federal program, system, or enclave. The individual will champion the organization’s transition to GRC Engineering and promote a dynamic, risk informed posture that extends beyond static compliance. This includes integrating modernization initiatives such as supply chain risk management, DevSecOps practices, Zero Trust architectures, AI and machine learning enabled security, and support for responsible citizen development. Their work will span both IT and OT environments and will adapt to evolving cyber threats, mission needs, and operational constraints.

This position will guide stakeholders and engineering teams in adopting continuous assurance, automated control evidence, integrated risk scoring, and scalable control inheritance. Through this leadership, they will strengthen system resiliency, improve decision quality, and accelerate secure mission delivery while advancing the organization toward a modern, engineering driven security model.

Required Qualifications:

• Bachelor's degree in Computer Science, Information Systems, or a related field, or an additional three years of relevant experience.

• Seven or more years of relevant cybersecurity experience.

• Three or more years of experience serving as an ISSO for a Federal agency.

• Knowledge of the organization’s enterprise IT goals and objectives.

• Strong foundational and operational knowledge of DevSecOps and CI/CD pipelines, Zero Trust implementations, Supply Chain Risk Management, citizen development considerations, Artificial Intelligence, and Operational Technology.

• Expertise in FedRAMP standards and processes and strong understanding of IaaS, PaaS, and SaaS cloud service models including Azure, Microsoft 365, Salesforce, ServiceNow, Appian, and MuleSoft.

• Solid understanding of continuous integration, continuous delivery, and continuous security principles.

• Familiarity with SAST, DAST, Software Composition Analysis, secrets management, and GitHub.

• Operational knowledge of Infrastructure as Code, virtualization, and containerization.

• Proficiency with endpoint protection, integrity monitoring, and SIEM tools.

• Expertise in authentication, authorization, and identity federation including SAML, OAuth, and OIDC.

• Familiarity with PKI, encryption technologies, and applicable FIPS implementation requirements.

• Foundational understanding of network technologies, topologies, architectures, and protection mechanisms.

• Familiarity with OSCAL for machine-readable control catalogs, baselines, SSPs, and assessment documentation.

• Ability to analyze and interpret software vulnerabilities using CVE, CWE, and CVSS.

• Prior experience serving as an ISSO for a portfolio of Federal systems.

• Experience achieving ATOs, managing POA&Ms, and briefing senior leadership.

• Deep functional and technical knowledge of NIST RMF and CSF processes and documentation.

• Experience with creating policies that reflect system security and privacy objectives.

• Experience in applying confidentiality, integrity, and availability principles.

• Experience in assessing security and privacy controls based on cybersecurity and privacy related principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework).

• Experience applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, and non-repudiation).

• Experience in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect the security and privacy of the system.

• Experience in technical writing.

• Experience in writing about facts and ideas in a clear, convincing, and organized manner.

• Experience in evaluating the trustworthiness of the supplier and/or product.

Preferred Qualifications:

• One or more preferred certifications: CASP, GPEN, GMON, GISP, GSEC, GSLC, CISM, CISA, CAP, CCSP, SSCP, CISSP, or CISSP-ISSMP.

• Experience implementing policy as code to automate control enforcement, compliance validation, and evidence collection.

• Ability to introduce automation, engineering practices, and innovation into GRC programs to improve efficiency and enhance continuous monitoring.

Clearance and Location Requirements:

• Ability to obtain a Public Trust clearance is required.

• This position is currently fully remote.

Washington, DC

Fully Remote
