GRC Analyst (FedRAMP) - CGC - Remote Position

Merlin International Inc, McLean, VA
Remote

About The Position

Merlin Group operates at the intersection of cyber innovation, national security, and technology-driven transformation. With a mission to accelerate the adoption of high-impact technologies across the U.S. public sector and regulated commercial markets, Merlin is uniquely structured around three core tenets – Invest, Enable, and Scale – each designed to address a specific stage of the technology lifecycle. Together, our affiliates – Merlin Ventures, CGC, and Merlin Cyber – form a flywheel that builds enduring capability for customers, partners, and the broader cyber ecosystem, operationalizing technological advancement into mission-ready, enterprise-grade solutions. At Merlin, we believe our strength lies in our people. Team members are encouraged to be creative, collaborative, and nimble, pursuing paths to deliver the cutting-edge cybersecurity solutions that our customers rely on. From next-generation cyber defense to secure cloud and AI, we are united by one purpose – transforming innovation into mission impact.

CGC is seeking a mid-career GRC Analyst with hands-on FedRAMP experience to support SaaS/ISV customers through onboarding, authorization, continuous monitoring, and assessment cycles. This role focuses on gathering and maintaining evidence, assisting with customer onboarding, contributing to FedRAMP documentation development, and supporting change control, audits, and Significant Change assessments. This is a remote position.

Requirements

  • 3–7 years of experience in GRC, cybersecurity, cloud security, or FedRAMP program support.
  • Working knowledge of FedRAMP Moderate/High requirements and NIST 800-53 Rev 5 controls.
  • Experience gathering and organizing audit-ready evidence for framework-based assessments.
  • Strong technical writing and documentation skills.
  • Working familiarity with AWS, Azure, or GCP architectures.

Responsibilities

  • Coordinate, collect, and validate evidence for annual and Significant Change assessments.
  • Prepare supporting materials such as updated boundary diagrams, impact analyses, control deltas, and architectural descriptions.
  • Work directly with engineering, security, and operations teams to ensure evidence accurately reflects current system state.
  • Respond to 3PAO requests and clarifications, and help manage timelines, deliverables, and assessment readiness.
  • Assist with post-assessment activities, including findings responses, POA&M updates, and remediation tracking.
  • Guide new SaaS/ISV customers through CGC’s structured onboarding process.
  • Assist with initial requirements gathering, access provisioning, evidence intake, and orientation to FedRAMP documentation expectations.
  • Help customers understand boundary scope, control responsibilities, and ongoing evidence obligations.
  • Draft, update, and maintain FedRAMP artifacts including:
      • System Security Plans (SSPs)
      • Configuration Management, Incident Response, and Contingency Plans
      • Control implementation narratives
      • Boundary diagrams and inventories
  • Ensure documents remain accurate and aligned with FedRAMP Rev 5 and related 20x guidance.
  • Review customer change requests for compliance impact and identify changes that may require assessment.
  • Support continuous monitoring activities such as:
      • Vulnerability scan review
      • POA&M updates
      • Asset inventory maintenance
      • Monthly/quarterly reporting
  • Maintain evidence repositories to support repeatable, audit-ready workflows.

Benefits

  • Our wellness package provides access to an on-site gym and includes medical, dental, and vision insurance along with options for FSA and EAP.
  • We offer 401(k) with employer match, unlimited PTO, and a culture respectful of the reality that not everything in one’s personal life is guaranteed to happen only after hours.