Governance, Risk & Compliance (GRC) Manager

About The Position

Requirements

• 5+ years in a governance, risk, and compliance role with demonstrated ownership of enterprise compliance programs in a regulated environment.
• Deep working knowledge of CMMC Level 2 and NIST SP 800-171, including SSP development, POA&M management, and C3PAO assessment preparation.
• Experience managing FedRAMP authorization processes, including boundary definition, control implementation documentation, and 3PAO coordination.
• Hands-on experience with SOC 2 Type II audits, including control mapping, evidence collection, and auditor engagement.
• Familiarity with ITAR compliance requirements, including technology control plans, export authorization processes, and CUI program management.
• Demonstrated ability to translate technical security controls into compliance documentation and audit evidence across multiple overlapping frameworks.
• Experience conducting risk assessments and maintaining enterprise risk registers with executive-level reporting.
• Strong technical fluency — this role works directly with security engineering and infrastructure teams and requires the ability to evaluate technical control implementations against compliance requirements.
• Ability to obtain and maintain a TS/SCI clearance.
• U.S. citizenship or status as a lawful permanent resident required to conform with ITAR export regulations.

Nice To Haves

• Active TS clearance or higher.
• Experience working within the Defense Industrial Base, including prime or subcontractor compliance environments with DFARS flow-down obligations.
• Familiarity with eMASS or similar government assessment and authorization management tools.
• Experience with GRC platforms for control tracking, evidence management, and audit workflow automation.
• Knowledge of Northwood's core infrastructure environment, including AWS GovCloud, Microsoft GCC, and on-premises security tooling, and how these map to FedRAMP and CMMC control boundaries.
• Experience developing and delivering security awareness and CUI handling training programs.
• Familiarity with DFARS 252.204-7012 incident reporting obligations and coordination with DIBCAC or DCSA.
• Professional certifications such as CISSP, CISM, CISA, CCSK, or equivalent GRC credentials.
• CMMC Registered Practitioner (RP) or Certified Professional (CP) designation.

Responsibilities

• Own Northwood's compliance program across CMMC Level 2, FedRAMP, SOC 2 Type II, and ITAR, including control mapping, gap assessment, remediation tracking, and audit preparation.
• Maintain Northwood's System Security Plan (SSP), Plan of Action and Milestones (POA&M), and associated compliance documentation in alignment with NIST 800-171 and applicable frameworks.
• Coordinate and manage third-party assessments, including C3PAO engagements for CMMC, FedRAMP 3PAO assessments, and SOC 2 audits, serving as the primary assessor liaison.
• Monitor the regulatory environment for changes to CMMC, FedRAMP, DFARS, and ITAR requirements and assess impact on Northwood's compliance posture.
• Build and maintain Northwood's enterprise risk management program, including risk register development, risk scoring methodology, and executive-level risk reporting.
• Conduct and facilitate periodic risk assessments across security domains, incorporating input from security engineering, network, product, and operations teams.
• Identify, track, and drive remediation of compliance gaps and security control deficiencies, working directly with technical teams to ensure timely closure.
• Develop and maintain risk acceptance processes, exception management workflows, and compensating control documentation.
• Develop, maintain, and enforce Northwood's security policy library, including acceptable use, access control, incident response, data classification, and CUI handling policies.
• Map Northwood's control environment across overlapping frameworks — NIST 800-171, NIST 800-53, SOC 2 Trust Services Criteria, and FedRAMP — to reduce duplicative compliance effort and maximize control reuse.
• Define and maintain the control evidence collection program, ensuring audit artifacts are continuously gathered, organized, and accessible for assessment cycles.
• Partner with the Security Engineering Lead, Security Operations Lead, and Product Security Lead to validate that technical controls are implemented in alignment with documented policies and compliance requirements.
• Own Northwood's CUI program, including data classification guidance, CUI handling procedures, marking standards, and employee training.
• Maintain ITAR compliance program documentation, including technology control plans, export authorization tracking, and coordination with Northwood's legal counsel on regulatory obligations.
• Ensure network segmentation, access controls, and data handling practices across Northwood's infrastructure appropriately enforce CUI and ITAR boundaries in coordination with security and network engineering teams.
• Serve as the primary compliance point of contact for government customers, prime contractors, and subcontractors, including responding to security questionnaires, flow-down requirement reviews, and customer audit requests.
• Build and maintain audit readiness posture year-round, ensuring evidence collection, control testing, and documentation currency do not become point-in-time exercises.
• Brief executive leadership and the Head of Security on compliance status, upcoming assessment milestones, and material risk items requiring business-level decisions.
• Develop and deliver security awareness and compliance training programs for Northwood employees, with targeted content for personnel handling CUI or operating in ITAR-controlled environments.

Benefits

• To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR) you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.
• Northwood is an Equal Opportunity Employer; employment with Northwood is governed on the basis of merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.