Senior GRC Analyst

Summit 7 Systems

1d•$110,000•Remote

About The Position

Summit 7 is here to rise above the ordinary. The work we do here goes far beyond day-to-day projects - it further protects the US defense industrial base from cyber threats, fosters thought leadership and creates growth opportunities. Our support staff, sales team and technicians are all coming together to make a difference. We also recognize that you're a person with life beyond work, that's why we invest in meaningful health and welfare benefits such as: We do cool work here, defying expectations by simply being who we are - each of us makes an impact. We are seeking a detail-oriented GRC Analyst to join our compliance and risk management team supporting critical defense industrial base (DIB) requirements. This role is essential to our expanding compliance program portfolio, including CMMC Level 2/3, NIST 800-171 R2/R3, ISO 27001:2022, GDPR, and SOC 2 Type II certifications. As a GRC Analyst, you will be responsible for the operational execution of our compliance programs, ensuring continuous monitoring, evidence management, and risk remediation tracking across multiple frameworks. You will work closely with the VP Cybersecurity Compliance and cross-functional teams to maintain audit readiness and support the implementation of new compliance programs. This position is ideal for a compliance professional who thrives in operational roles, values process discipline, and wants to contribute to protecting national security through robust cybersecurity governance.

Requirements

Bachelor's degree in Information Security, Computer Science, Risk Management, or related field; or equivalent practical experience
2-4 years of experience in GRC, compliance, information security, or IT audit roles
Demonstrated practitioner experience with at least one major compliance framework (NIST 800-171, ISO 27001, SOC 2, CMMC, or similar)
Working knowledge of NIST 800-171 R2/R3, CMMC Levels 1-3, and/or ISO 27001:2022 requirements
Experience with GRC platforms (ServiceNow GRC, Future Feed, or similar)
Proficiency with Microsoft Office 365 and collaboration tools
Understanding of information security concepts, controls, and risk management principles
Exceptional Attention to Detail: Ability to manage complex evidence matrices and ensure accuracy across multiple frameworks
Process Discipline: Strong adherence to established procedures and documentation standards
Organizational Skills: Ability to manage multiple deadlines, priorities, and stakeholder requests simultaneously
Communication: Clear written and verbal communication skills for stakeholder coordination and documentation
Analytical Thinking: Capability to understand control requirements and translate them into operational evidence collection activities

Nice To Haves

Certifications: One or more of the following:
Certified CMMC Professional (CCP) or Certified CMMC Assessor (CCA)
Certified Information Systems Security Professional (CISSP)
Certified Information Security Manager (CISM)
ISO 27001 Lead Implementer or Lead Auditor
CRISC (Certified in Risk and Information Systems Control)
Experience working in defense industrial base (DIB) organizations or cleared environments
Hands-on implementation or assessment familiarity with NIST 800-171 r2/r3, NIST 800-53, NIST 800-172, or FedRAMP requirements
Background in IT operations, systems administration, or cybersecurity engineering

Responsibilities

Continuous Compliance Operations (55%)
Evidence Management: Collect, organize, and maintain compliance evidence on weekly, monthly, quarterly, and semi-annual schedules across all active frameworks
ServiceNow GRC Administration: Update and maintain GRC modules including control implementations, risk registers, POA&Ms, and compliance artifacts
Risk & POA&M Management: Distribute notifications to risk and POA&M owners, track remediation activities, escalate overdue items, and maintain accurate status reporting
Supplier Risk Management: Coordinate supplier risk assessments including onboarding, offboarding, and annual reviews; maintain vendor risk documentation
Cross-Framework Reconciliation: Map and reconcile evidence requirements across multiple standards as new versions are released
Program Implementation Support (30%)
New Program Standup: Assist with implementation of new compliance frameworks including document gathering, gap analysis support, and stakeholder coordination
Control Implementation Tracking: Monitor and document control implementation progress, identify blockers, and support remediation efforts
Assessment Preparation: Prepare evidence packages and coordinate with assessors for C3PAO, ISO certification, and other third-party audits
Documentation Development: Support development and maintenance of System Security Plans (SSPs), policies, procedures, and compliance documentation
Collaboration & Continuous Improvement (15%)
Cross-Functional Coordination: Work with IT, Engineering, HR, Legal, and other departments to gather evidence and implement controls
Process Improvement: Identify opportunities to streamline evidence collection and automate compliance workflows
Training Support: Participate in compliance training initiatives and security awareness programs
Audit Support: Serve as primary liaison for evidence requests during audits and assessments