GRCAnalyst

About the Role: The GRC Analyst, Federal contribute to a shared control inventory used by compliance, security, and program teams. Interpret framework language and authoritative guidance (NIST publications, DoD guidance, regulator FAQs) in the context of specific company systems and business scenarios and escalate ambiguity for formal risk decisions when appropriate. Governance, Policy track decisions and ensure follow-through on conditions or expirations. Track open compliance findings and remediation activities, prepare status updates, and flag aging or high-severity items for escalation. Third-Party validate that evidence is accurate, complete, and appropriately scoped before submission. Participate in assessor and auditor interviews as a subject matter contributor on specific controls and artifacts. Cross-Functional Collaboration Partner with legal and sourcing on contract review, redlines, and flow-down language; with security program management on milestones, schedules, and audit coordination; and with security engineering and IT on evidence, control implementation detail, and remediation planning. Serve as a knowledgeable point of contact for internal teams seeking to understand what a given regulatory or contractual requirement means in practice. What Success Looks Like in Year One Established a repeatable contract review intake process with legal and sourcing, including a maintained library of standard cybersecurity flow-down clauses and review turnaround expectations. Produced an end-to-end Requirements Traceability Matrix for at least one active federal program, traceable from contract clauses through framework controls to evidence sources. Stood up the operational risk register and routine risk reporting cadence, with at least one full assessment cycle completed and risk treatment decisions documented. Maintained the ISMS documentation set in audit-ready condition through at least one external assessment or surveillance cycle. Required Qualifications: Fi