Cybersecurity GRC Manager

Excelitas Technologies, Pittsburgh, PA
Onsite

About The Position

Excelitas is a global technology leader with more than 7,500 employees, focused on delivering market-driven solutions to fulfill the illumination, optical, detection and imaging needs of OEMs and end-users across the biomedical, semiconductor, industrial, consumer products, scientific, security, defense and aerospace sectors. We are presently seeking a Cybersecurity GRC Manager who will work out of our corporate headquarters in Pittsburgh, PA, and who is committed to ensuring overall business success and corporate governance. In addition to a vast portfolio of high-performance photonic products and technologies, Excelitas offers single-source convenience and reliability for integrated end-to-end photonic solutions… from light source to sensor, and everything in between. We excel at delivering innovative and customized components, sub-assemblies and fully integrated photonic systems to meet the unique illumination, optronic, sensing and optical technology needs of global OEM customers.

Requirements

  • 5+ years of progressive experience in IT Security Governance, Risk & Compliance (GRC) or related disciplines.
  • Strong working knowledge of CMMC and NIST SP 800-171 requirements, SOX IT General Controls (ITGCs), Third-Party Risk Management (TPRM), and IT security risk management frameworks.
  • Demonstrated ability to develop and maintain security policies, procedures, and standards that are clear, enforceable, and audit-ready.
  • Hands-on experience supporting internal and external audits, including evidence preparation, walkthrough facilitation, and remediation of findings.
  • Strong analytical, organizational, documentation, and communication skills.
  • Proven ability to manage multiple concurrent workstreams and drive activities to timely completion with minimal supervision.
  • U.S. Person status as defined under ITAR (22 CFR §120.62), required due to access to export-controlled information and Controlled Unclassified Information (CUI).

Nice To Haves

  • Experience in regulated environments such as a public company, defense, aerospace, manufacturing, or other highly regulated industries.
  • Familiarity with frameworks such as NIST SP 800-171, NIST SP 800-53, ISO/IEC 27001/27002, NIST CSF, COSO, COBIT.
  • Experience with GRC tools (e.g., AuditBoard/Optro, Archer, ZenGRC, or similar).
  • Working knowledge of safeguarding CUI and export control requirements (ITAR, EAR, DFARS 252.204-7012).
  • Experience with cloud security compliance in Microsoft 365 / Azure environments, including GCC-High.
  • Experience developing or maintaining System Security Plans (SSPs) and POA&Ms.
  • Professional certifications such as CISA, CISM, CRISC, CISSP, RP, CCP.

Responsibilities

  • Develop, maintain, and govern information security policies, standards, and procedures, ensuring alignment with regulatory, contractual, and customer requirements.
  • Ensure policies and related documentation are clear, practical, enforceable, and reviewed on a defined, documented cadence.
  • Translate external regulatory, contractual, and customer security requirements into internal control expectations and actionable guidance.
  • Monitor changes in regulatory requirements and industry frameworks, assessing organizational impact and driving updates to policies and controls as needed.
  • Manage the policy exception and waiver process, ensuring risk assessment, appropriate approval, time-bound tracking, and resolution.
  • Support and manage compliance with CMMC Level 2, SOX, and other regulatory or customer-driven security requirements.
  • Develop and maintain CMMC program documentation, including system boundaries, data flows, interconnections, and control implementations.
  • Maintain the organization’s SPRS score in coordination with Cybersecurity, Infrastructure, and control owners, ensuring alignment with the current security assessment posture.
  • Support SOX IT General Controls (ITGCs), including access reviews, change management, and IT operations controls.
  • Manage remediation activities across audit findings, control gaps, and POA&Ms, ensuring clear ownership, validated closure evidence, and timely resolution.
  • Serve as the primary point of contact for internal and external audits, coordinating walkthroughs, evidence collection, control testing, and ensuring timely, high-quality responses.
  • Conduct IT security risk assessments, documenting risks, impacts, likelihood, and mitigation plans.
  • Maintain the enterprise IT security risk register and track risks through remediation or formal risk acceptance.
  • Provide risk-based guidance to stakeholders on control design, security architecture decisions, and risk acceptance.
  • Develop and maintain GRC dashboards, metrics, and reporting to provide visibility into risk posture, control effectiveness, and program health.
  • Prepare and deliver risk briefings and GRC program updates to senior leadership, ensuring informed decision-making and documented risk acceptance.
  • Support and mature the Third-Party Risk Management (TPRM) program, including risk assessments and ongoing monitoring.
  • Support the development and delivery of security awareness and compliance training programs aligned with organizational and regulatory requirements.
  • Identify opportunities for process improvement and automation within GRC workflows, including evaluation and implementation of GRC tooling.
  • Manage day-to-day activities of GRC analysts.
  • Conduct performance reviews and annual goal setting.
  • Drive team development, capability building, and professional growth.

Benefits

  • No relocation offered for this position
  • No sponsorship offered for this position