Information Security GRC Analyst

Waters Corporation, Milford, MA

About The Position

We are seeking a GRC Analyst with CMMC experience to support CMMC 2.0 Level 2 readiness, certification, and ongoing compliance efforts. This role is ideal for a cybersecurity or compliance professional with hands-on exposure to CMMC or NIST SP 800-171 who is ready to deepen their expertise while working alongside senior assessors and advisors. You will contribute to CMMC readiness and assessment activities for government contractors and commercial organizations, while gaining exposure to broader cybersecurity risk and compliance engagements such as cyber risk assessments, compliance program development, and information security support. This role emphasizes execution, documentation quality, and learning, with increasing responsibility for Waters' broader GRC information security program over time.

Requirements

  • Associate's degree or higher in Information Security, Information Systems, Cybersecurity, Computer Science, or a related field
  • 2–4 years of experience in one or more of the following: cybersecurity, GRC, or IT risk roles; compliance or audit support; SSP development or security documentation; internal controls or policy implementation
  • Foundational knowledge of CMMC 2.0 and NIST SP 800-171
  • Experience supporting compliance documentation (SSPs, POA&Ms, policies, procedures, evidence)
  • Strong written communication skills with attention to detail
  • Ability to follow structured methodologies and accept feedback

Nice To Haves

  • CMMC Certified Professional (CCP) or progress toward CCA
  • Familiarity with frameworks such as NIST SP 800-53, NIST CSF 2.0, ISO 27001, SOC 2, or FedRAMP
  • Exposure to DoD contractors / DIB environments
  • Experience with GRC or evidence management tools (e.g., Vanta, ServiceNow GRC, Archer, OneTrust, ZenGRC)
  • Security certifications in progress or completed (e.g., Security+, CGRC, CISSP Associate)
  • Interest in growing as a CMMC and GRC specialist
  • Comfortable working in a structured, assessment-driven environment
  • Organized, dependable, and detail-oriented
  • Willingness to learn new standards and take on increasing responsibility
  • Professional, collaborative, and receptive to coaching

Responsibilities

  • Support CMMC 2.0 Level 2 readiness and assessment activities under the guidance of Information Security and Business Leadership.
  • Assist with interpreting NIST SP 800-171 and CMMC requirements and mapping them to client or internal controls.
  • Help develop, update, and maintain System Security Plans (SSPs), Plans of Action & Milestones (POA&Ms), and policies, procedures, and evidence artifacts
  • Participate in gap assessments and risk reviews; help track remediation activities and evidence collection
  • Support mock assessments, internal audits, and formal C3PAO assessments by preparing documentation and responding to evidence requests
  • Assist with CUI scoping, boundary definitions, and DFARS 252.204-7012 documentation activities
  • Contribute to cybersecurity and risk engagements such as CMMC readiness and assessments, cyber risk and controls assessments, compliance program implementation, and information security program support
  • Prepare workpapers, evidence mappings, and draft assessment documentation in accordance with firm methodology
  • Translate technical and compliance requirements into clear, well-organized documentation.
  • Maintain a strong service mindset while operating in a complex business environment.
  • Participate in Waters' risk management program, including vendor assessments, reviews, remediation follow-up, and monitoring.
  • Participate in reporting security risk to IT senior leadership and other key organizational stakeholders.
  • Maintain and improve the organization’s risk register and compliance documentation.
  • Conduct risk assessments and control gap analyses; develop mitigation strategies and track remediation efforts.
  • Prepare and support internal and external audits, including evidence collection and response coordination.
  • Support responding to security questionnaires and demonstrating IT compliance with security frameworks.
  • Draft and maintain clear, consistent, and audit-ready documentation, including policies, control responses, program updates and reports.
  • Work closely with senior analysts, managers, and assessors to learn assessment techniques and best practices
  • Participate in internal training on CMMC, NIST, ISO, SOC, and emerging cyber standards
  • Contribute to improving templates, checklists, and documentation standards
  • Share lessons learned and ask questions—this role is designed to grow technical and professional maturity