GRC Analyst, Federal Programs

Sword Health
$101,500 - $159,500Remote
Match Resume

About The Position

This position sits within Sword's GRC team, which is responsible for security compliance across all of Sword's products and services. The team operates across multiple frameworks and serves a broad set of internal stakeholders. Within that team, this role's primary focus is federal programs: owning Sword's CMMC certification effort and driving FedRAMP readiness as a co-equal priority. Beyond those two programs, this person will be expected to contribute to the broader GRC function as needs arise. This is not a checkbox compliance role. The person in this position will own the end-to-end CMMC journey — from scoping and gap analysis through cross-functional remediation and assessment readiness — while building toward the same depth of ownership on FedRAMP. You will work closely with teams across infrastructure, product engineering, security operations, clinical systems, and marketing, translating complex regulatory requirements into actionable, prioritized work that these teams can understand and execute. You will also serve as Sword's primary point of contact with external auditors and assessors during assessment cycles. This role requires someone who can move fluidly between deep technical detail and clear stakeholder communication — someone who is just as comfortable reviewing a system security plan as they are presenting a remediation roadmap to a non-technical business leader. AI fluency is a core expectation at Sword Health. Every candidate is assessed against our three-level framework — be ready to share real examples of how AI is already part of how you work. Explorer (Level 1) – Uses AI daily to boost personal productivity. Builder (Level 2) – Creates workflows and tools that elevate the whole team. Integrator (Level 3) – Embeds AI into products and processes at scale. Every hire must demonstrate at least Level 1. The expected level will vary depending on the seniority of the role.

Requirements

  • 5+ years of hands-on experience in GRC, compliance, or security, with at least 3 of those years focused on federal compliance frameworks such as CMMC or FedRAMP
  • Demonstrated experience owning deliverables and driving remediation through a CMMC, FedRAMP, or equivalent federal compliance effort
  • Strong working knowledge of CMMC Level 2 practices, scoping methodology, and CUI handling requirements
  • Ability to produce compliance documentation – SSPs, POA&Ms, gap analyses, control narratives – without heavy supervision
  • Proven ability to communicate technical compliance requirements to non-technical stakeholders across engineering, operations, and business teams
  • Experience engaging directly with external auditors and assessors, including evidence packaging and real-time response during assessments
  • US citizenship required
  • Ability to obtain a federal Public Trust designation if required by a sponsoring agency

Nice To Haves

  • CMMC Certified Professional (CCP) credential, or active pursuit of it
  • CMMC Certified Assessor (CCA) credential
  • Hands-on experience with FedRAMP authorization packages, continuous monitoring, and agency ATO processes
  • Background in defense contracting or regulated health tech environments
  • Experience working across multiple compliance frameworks simultaneously (HITRUST, SOC 2, ISO 27001)
  • Familiarity with GRC platforms such as Hyperproof, Drata, or Vanta

Responsibilities

  • Serve as a member of Sword's GRC team, contributing to security compliance across all products and services, with primary ownership of federal programs
  • Define and maintain the CMMC assessment boundary, working across infrastructure, engineering, and business teams to ensure the scope is accurate and defensible
  • Map NIST SP 800-171 practices to Sword's current environment and produce a clear, evidence-based gap analysis
  • Translate identified gaps into prioritized remediation tasks with clear ownership, for audiences ranging from DevOps engineers to clinical operations managers
  • Build and maintain the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and all artifacts required for assessment
  • Serve as Sword's primary interface with the C3PAO and assessment team during formal CMMC assessments
  • Drive FedRAMP readiness in parallel, including control documentation, evidence collection, and continuous monitoring
  • Contribute to audits and compliance activities across other active frameworks, including SOC 2 and HITRUST, as part of Sword's broader GRC program

Benefits

  • Comprehensive health, dental and vision insurance
  • Life and AD&D Insurance
  • Financial advisory services
  • Supplemental Insurance Benefits (Accident, Hospital and Critical Illness)
  • Health Savings Account
  • Equity shares
  • Discretionary PTO plan
  • Parental leave
  • 401(k)
  • Flexible working hours
  • Remote-first company
  • Paid company holidays
  • Free digital therapist for you and your family

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume

What This Job Offers

Job Type

Full-time

Career Level

Senior

Education Level

No Education Listed

Job Search Resources

Similar GRC Analyst, Federal Programs job opportunities

GRC Analyst
Benevity
Benevity • Toronto, ON10d • Hybrid
GRC Analyst
Benevity
Benevity • Calgary, AB10d • Hybrid
GRC Analyst
Benevity
Benevity10d • Hybrid
GRC Analyst
Benevity
Benevity • Vancouver, BC10d • Hybrid
GRC Analyst
Spire
Spire • Boulder, CO12d • Hybrid
GRC Analyst
Spire
Spire • Boulder, CO13d • Hybrid

Tools

Templates & Examples

Resources

Comparisons

Company

Over 4 Million Users
Free AI tools and resources to help you land your next job, faster
© 2026 Teal Labs, Inc
Privacy PolicyTerms of Service