About The Position

Jeppesen ForeFlight builds industry-leading aviation software used by pilots, aircraft operators, and major airlines worldwide. As a high-growth, private equity-backed company, we are focused on scaling our operations, strengthening our financial infrastructure, and driving operational excellence across the business. Our team combines deep domain expertise with a collaborative, high-performance culture to solve complex challenges and support continued growth.

Jeppesen ForeFlight is seeking a Governance, Risk, and Compliance (GRC) Specialist to drive the operational execution of our risk and control program. This is a multifaceted role performing a range of compliance duties across our software business. The GRC Specialist will work across a variety of national and international frameworks, including NIST 800-53, ISO 27001, and others, ensuring Jeppesen ForeFlight meets or exceeds the security controls those frameworks require. The role will analyze security controls across our framework set, assess current state against required state, identify deficiencies, plan and track corrective actions, and conduct internal reviews of both process and technical control implementation.

We have a defined risk and control methodology in place; this role exists to close the gap between that methodology and consistent day-to-day execution at scale, while translating control requirements across frameworks into a unified control model that reduces duplication and improves traceability.

We’re hiring this role with a GRC engineering mindset. We want someone who treats compliance as an engineering problem: automating evidence collection, instrumenting controls to produce continuous signals, and partnering with engineering and security to make compliance a byproduct of how we already operate rather than a separate manual track. This role works across the organization and is expected to communicate effectively with leadership, operations, security, and engineering.

100% remote, US-based. Limited travel may be required to support audit and compliance efforts; not expected to exceed 10% of the employee’s time.

Requirements

  • Bachelor’s degree or equivalent experience in a technical field (e.g., military experience qualifies)
  • 5+ years in GRC, risk management, IT audit, or security compliance, with hands-on operational ownership of a control program
  • Demonstrated experience applying NIST 800-53 or equivalent DoD cybersecurity requirements (STIGs, RMF, etc.), including control selection, tailoring, assessment, and evidence generation
  • Working knowledge of additional frameworks (ISO 27001, SOC 2, NIS2, COBIT, or similar) and experience harmonizing them into a unified control set
  • Hands-on experience administering a GRC or compliance automation platform, including configuring workflows and building integrations
  • Comfort with scripting or API integrations for evidence automation, control monitoring, and reporting
  • Familiarity with cloud environments (AWS, GCP, or Azure) and how IAM, logging, and configuration management map to compliance requirements
  • Experience with vulnerability management, patch management, or system hardening
  • Strong written communication, able to translate control language for engineers and engineering language for auditors
  • Demonstrated bias toward automation and repeatable systems over manual, periodic effort
  • Problem solver with a desire to see problems as challenges to be resolved

Nice To Haves

  • Military or federal background (military cybersecurity, DoD compliance, or government cloud environments)
  • Ability to learn and support workloads at DoD Impact Level 5 (IL5) or Impact Level 6 (IL6)
  • Experience supporting a CMMC certification, FedRAMP authorization, or RMF accreditation package
  • Compliance-as-code or policy-as-code experience (OPA, Terraform Sentinel, AWS Config rules, OSCAL)
  • CI/CD-integrated control testing or automated evidence pipelines
  • Security or compliance certification such as CISM, CRISC, CCSP, or an ISO 27001 lead auditor/implementer credential
  • Experience working with Change Control Boards (CCBs) or other oversight groups
  • Experience with regulations such as FISMA, ITAR, HIPAA, or GDPR
  • Background in technical roles such as security operations, boundary defense, vulnerability management, or systems administration

Responsibilities

  • Drive day-to-day execution of the risk lifecycle (intake, assessment, control validation, remediation, tracking) and oversee the information security management system (ISMS), including the risk register, Statement of Applicability (SoA), and corrective actions
  • Lead audit cycles end-to-end across multiple frameworks (NIST 800-53, ISO 27001, CMMC, SOC 2, etc.), including scoping, evidence collection, and control testing
  • Translate control requirements across frameworks into a unified control model with crosswalks so a single piece of evidence satisfies multiple obligations; identify and remediate deficiencies between control expectations and current implementation
  • Administer and extend our compliance automation platform, improving control mapping, evidence workflows, and integrations with cloud infrastructure, identity systems, ticketing, and CI/CD pipelines; translate written policies into enforceable, testable controls to move us toward continuous compliance
  • Define, write, and maintain corporate security policies, standards, procedures, and baselines
  • Assist with the vendor security risk program, due diligence, technical reviews, and ongoing monitoring
  • Communicate effectively with audiences ranging from C-level executives to operations and engineering; be willing to speak plainly about security compliance and state deficiencies clearly when they exist
  • Produce executive reporting on compliance metrics, audit readiness, and risk trends

Benefits

  • Medical, dental, and vision insurance with employer-paid health premiums
  • Open PTO Policy
  • 401(k) with up to 10% company matching and immediate vesting
  • 12 Weeks Paid Maternity Leave
  • 4 Weeks Paid Paternity Leave
  • Flight Training Rewards
© 2026 Teal Labs, Inc