Governance, Risk, and Compliance Engineer

IonQ

1d•$83,430 - $109,232•Hybrid

About The Position

We are looking for a Governance, Risk, and Compliance (GRC) Engineer to join our Security team. As a GRC Engineer, you’ll be part of a cross-functional team whose mission is to lead IonQ on its journey to build the world’s best quantum computers to solve the world’s most complex problems. Quantum computing and national security are inseparable. IonQ operates at the intersection of cutting-edge research and the defense industrial base, making rigorous cybersecurity compliance a core business imperative. In this role, you will own and drive IonQ’s Cybersecurity Maturity Model Certification (CMMC) posture, from implementing technical controls and maintaining System Security Plans to guiding internal teams through audit readiness. The ideal candidate is a detail-oriented practitioner who can translate complex regulatory requirements into practical, operational controls. In your first 90 days you will conduct a gap assessment of our current CMMC posture, map CUI data flows across our environments, and begin building or maturing our SSP and associated artifacts.

Requirements

2–4 years of professional experience in cybersecurity, compliance, or IT security, with direct exposure to NIST SP 800-171 or CMMC compliance programs.
Experience developing or contributing to SSPs, POA&Ms, and assessment artifacts, and participating in CUI environment scoping.
Working knowledge of DFARS cybersecurity clauses (7012, 7019, 7020) and the CMMC 2.0 framework.
A technical background in systems administration, cloud security, or security engineering sufficient to engage with IT and engineering teams on control implementation.
Bachelor’s degree in Computer Science, Information Security, or equivalent practical experience.

Nice To Haves

Familiarity with ITAR and EAR and how export control obligations intersect with CUI handling in a defense-adjacent research environment.
Hands-on experience with GRC platforms (e.g., Hyperproof, Drata, Anecdotes AI) and security tooling such as CSPM or vulnerability scanners.
Prior experience in a defense contractor, national laboratory, government, or high-security research environment.
CMMC certifications (CCP or CCA) are a strong plus, as are CISSP, CISM, CISA, or CRISC.

Responsibilities

Own end-to-end CMMC implementation and audit readiness, including scoping, control mapping, SSP and POA&M development, evidence collection, and remediation tracking.
Interpret and apply DFARS clause requirements, including DFARS 252.204-7012, 252.204-7019, and 252.204-7020, translating contractual obligations into operational controls and maintaining accurate SPRS submissions.
Conduct recurring internal audits of NIST 800-171 security controls on a defined cadence to validate continued compliance, and support preparation for C3PAO assessments including evidence packages and assessment logistics.
Assess CUI environments to meet CMMC boundary requirements, including network segmentation, access control, media protection, and FIPS-validated encryption, and evaluate cloud environments against CMMC scoping guidance.
Implement technical controls across NIST 800-171 practice families, including MFA, audit logging, configuration management, incident response, and vulnerability management.
Serve as a CMMC subject matter resource, contributing to compliance roadmaps, facilitating readiness workshops, and advising on DFARS flow-down requirements for subcontractors.
Collaborate with legal and contracts teams to review FAR/DFARS clauses in new and existing contracts, flagging CUI obligations and CMMC level requirements, and coordinate on ITAR and EAR obligations as they intersect with CUI handling.
Support the organization’s GRC platform for evidence management, POA&M tracking, and risk register maintenance, and contribute to compliance dashboards for leadership.