Security GRC Engineer

Atropos, San Diego, CA
5d · $140,000 - $180,000

About The Position

We’re looking for someone to take ownership of compliance and certification efforts this year and beyond. The most imminent need is CMMC L2, where work is already underway. In the future, you’ll own and maintain the certification process and expand into commercial frameworks like ISO27001. This role requires operating independently and moving fast in ambiguous environments, but we know that compliance is not simple and has lengthy timelines. Compliance frameworks bring requirements; your job is to bring streamlined approaches to those requirements that enable developers and users to do their jobs in ways that protect the company and their sanity.

Requirements

  • 5+ years of experience in GRC, security compliance, or a directly relevant information security role.
  • Demonstrated track record of strong written and verbal communication skills, adaptable to multi-disciplinary teams and seniorities.
  • Hands-on CMMC or NIST SP 800-171 experience - you have done the work, not just consulted on it.
  • Strong understanding of CUI handling, boundary scoping, and evidence collection in a defense contractor environment.
  • Experience automating compliance workflows using GRC platforms (e.g., Drata, Vanta, IntelliGRC) and/or scripting.
  • Demonstrated ability to work without a compliance team around you (yet): self-directed, organized, and clear with stakeholders.
  • Familiarity with commercial compliance frameworks like ISO27001 and SOC 2 Type 2 and how CMMC can be used to jump start those processes.

Nice To Haves

  • Strong experience with Microsoft cloud environments and tooling
  • Prior leadership of a compliance team or ownership of a compliance program
  • Prior scripting/coding experience to aid in automation
  • CCP/CCA training or certification
  • Current clearance (Secret or Top Secret) is nice but not required
  • Startup experience is a plus

Responsibilities

  • Define and build a GRC function alongside the Head of Security. This is primarily an IC role with significant latitude to define the program's direction and scope.
  • Own and drive CMMC Level 2 certification end-to-end with support from leadership. This work is underway; you won’t be starting from zero.
  • Identify and close gaps across the 110 NIST SP 800-171 practices; coordinate remediation with engineering, IT, and operations teams.
  • Take ownership over and maintain necessary compliance evidence, to include a System Security Plan and related policies and procedures
  • Manage relationships with C3PAOs, external auditors, and DoD program offices
  • Alongside the greater security team, partner with engineering and program teams to embed compliance requirements early in development and procurement cycles.
  • Keep leadership informed with clear, honest reporting on compliance posture and timeline risk.
  • Automate evidence collection, control monitoring, and audit readiness workflows across cloud and SaaS environments
  • Stand up the compliance program infrastructure (policies, procedures, control mappings) for SOC 2 Type 2 and ISO 27001 in the future, using efficiencies from CMMC efforts to kick start the process.

Benefits

  • Platinum Healthcare Benefits: Atropos offers comprehensive medical, dental, and vision plans with 100% employer-paid premiums and little to no cost to you
  • Basic Life/AD&D and long-term disability insurance 100% covered by Atropos, plus the option to purchase additional life insurance for you and your dependents
  • Unlimited PTO, with minimum of 15 days enforced
  • 20 weeks of paid Caregiver & Wellness Leave to care for a family member, bond with your baby, or tend to your own medical condition
  • Family Planning & Parenting Support: Fertility (e.g., IVF, preservation), adoption, and gestational carrier coverage with additional benefits and resources to provide support from planning to parenting
  • Mental Health Resources: We provide free mental health resources 24/7 including therapy, life coaching, and more. Additional work-life services, such as free legal and financial support, available to you as well
  • Tuition and professional development reimbursement for STEM, MBA, and licenses
  • In-Office Daily Lunch catered
  • Company-funded child care stipend
  • Company-funded commuter benefits available based on your region.
  • Relocation assistance (depending on role eligibility).
  • 401(k) retirement savings plan - both a traditional and Roth 401(k). 6% employer matching contribution
© 2024 Teal Labs, Inc