Director of Technology - Governance, Risk, and Compliance

About The Position

Requirements

• 8 plus years of experience in Technical Governance, Risk, and Compliance, Risk Management, Audit, or Information Security, with a minimum of 3 years in a director or senior manager role leading a GRC function or compliance program.
• Expert-level understanding of NIST CSF, SP 800-171, and CMMC Level 2 frameworks, including the ability to develop SSPs, conduct gap assessments, and design control architecture.
• Hands-on experience managing NIST CSF, 800-171 compliance programs or leading CMMC Level 2 assessments and certification initiatives.
• Strong knowledge of SOX Section 404 requirements, particularly IT General Controls (ITGC), and ability to design controls that satisfy auditor expectations.
• Deep understanding of ITAR and EAR export control regulations as they apply to IT systems and data classification.
• Proficiency in risk management methodologies, including risk identification, quantification, prioritization, and remediation tracking using qualitative and quantitative approaches.
• Experience designing and operating control frameworks (ISO 27001, NIST CSF, SOC 2 Type II) and translating framework requirements into operational controls and audit evidence.
• Strong communication skills to present complex compliance and risk concepts to technical teams, executive leadership, boards of directors, and external auditors.
• Demonstrated ability to lead and mentor teams, manage budgets, and drive cross-functional initiatives.

Nice To Haves

• Experience with Aerospace, Defense, or Federal Contractor industries, including familiarity with CMMC enforcement, DoD contract requirements, and federal compliance culture.
• Hands-on experience conducting or participating in CMMC Level 2 assessments or FedRAMP authorizations.
• Experience as a Security Control Assessor (SCA) or CMMC Professional (CISSP with CMMC focus).
• Background in public company SOX compliance, including experience with Audit Committee interactions and SEC reporting requirements.
• Knowledge of GRC platforms and tools (Archer GRC, Audit Board, ServiceNow) for evidence management, risk tracking, and audit automation.
• Professional certifications such as CISSP, CISM, CRISC, Certified Regulatory Compliance Manager (CRCM), or Certified Compliance and Ethics Professional (CCEP).
• Advanced degree in Cybersecurity, Business Administration, Law, or Engineering.
• Experience with third-party risk management and vendor security assessment frameworks.
• Direct experience building compliance automation and audit evidence collection processes to scale compliance operations.

Responsibilities

• Develop and execute a comprehensive Cyber-focused Governance, Risk, and Compliance (GRC) strategy aligned with Archer's business objectives and regulatory obligations, including NIST SP 800-171, CMMC Level 2, SOX 404, and ITAR/EAR requirements.
• Lead the design and implementation of System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) to achieve and maintain NIST 800-171 and CMMC Level 2 compliance across enterprise infrastructure and systems.
• Establish and manage an enterprise-wide risk management program that identifies, assesses, prioritizes, and tracks cybersecurity, operational, and compliance risks, communicating risk exposure clearly to the board and executive leadership.
• Design and enforce a control framework (based on NIST SP 800-171, CMMC practices, SOX ITGC, and ISO 27001) that defines roles, responsibilities, and audit expectations across the organization.
• Conduct or coordinate regular compliance assessments and internal audits to ensure adherence to regulatory frameworks, identifying gaps and designing remediation strategies with clear timelines and accountability.
• Manage relationships with external auditors, assessors, and regulators, including Security Control Assessors (SCAs) for CMMC certification and SOX auditors, to ensure timely evidence collection and audit readiness.
• Develop and maintain comprehensive compliance documentation, including policies, procedures, risk registers, control matrices, and audit evidence repositories.
• Lead the design of third-party and vendor risk management processes, including technical security assessments, contractual compliance requirements, and ongoing monitoring of vendor compliance posture.
• Drive compliance training and awareness programs across the organization, ensuring all employees understand their roles in maintaining security and compliance standards.
• Stay current with emerging regulatory changes, evolving industry standards, and evolving threat landscapes relevant to aerospace, defense, and public companies.
• Provide executive-level reporting to the Board, Audit Committee, and C-suite, translating technical compliance metrics into business risk language and strategic recommendations.