US Public Sector Continuous Monitoring Analyst

Rapid7•Arlington, VA

22h

About The Position

Are you interested in helping strengthen how cybersecurity risk is managed across the US public sector while building hands-on experience in Trust, Risk, and Compliance (TRC)? This role offers the opportunity to grow your career while contributing directly to Rapid7’s mission of making the digital world safer. As a Trust, Risk, and Compliance Analyst – Continuous Monitoring & POA&M, you will support Rapid7’s expanding US Public Sector compliance programs, including FedRAMP, GovRAMP, TX-RAMP, and COV-RAMP, with a strong focus on continuous monitoring, POA&M management, and technical risk tracking. As part of the Trust, Risk, and Compliance team within the broader Information Security organization, you will help ensure security risks are identified, tracked, and remediated in a way that scales with Rapid7’s cloud-based products and services. This role is based in Boston and/or Arlington and is part of a team that values collaboration, curiosity, balance, and continuous learning. Rapid7’s Trust, Risk & Compliance team sits within Information Security and plays a critical role in building customer trust. We design and operate governance programs, manage security risk, and help teams across Rapid7 understand and meet regulatory and security expectations. Our work spans Engineering, Product, Platform, Legal, Procurement, Sales, and Customer Success — and we do it with a mindset that security should enable the business, not slow it down.

Requirements

2-5 years of experience (or equivalent academic/internship experience) in cybersecurity, cloud security, compliance, or risk management
Foundational knowledge of NIST 800-53 and/or NIST 800-171
Interest in vulnerability management, risk remediation, and continuous monitoring
Experience or familiarity with ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, or RegScale
Ability to understand and document technical security issues and risks
Strong analytical skills and attention to detail
Clear written and verbal communication skills
A curious, collaborative mindset and eagerness to learn

Nice To Haves

Exposure to AWS or cloud-based environments
Familiarity with vulnerability management tools or security scanning concepts
Experience or interest in POA&M workflows, risk tracking, or control remediation
Interest in compliance automation, OSCAL, or data-driven compliance approaches
Early-career certifications or coursework in cybersecurity, cloud security, or information assurance

Responsibilities

Support continuous monitoring (ConMon) activities for Rapid7’s US Public Sector compliance programs, with a primary focus on FedRAMP and GovRAMP
Assist in managing Plans of Action & Milestones (POA&Ms), including tracking remediation progress, timelines, and risk ownership
Help analyze security findings, vulnerability results, and control deficiencies in partnership with Engineering and Security teams
Support technical evidence collection aligned to NIST 800-53 rev. 5 and NIST 800-171
Use ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, RegScale, and DefectDojo to track findings, risks, and compliance status
Participate in discussions with engineers to understand control implementations, technical risks, and remediation approaches
Assist with preparation of ConMon deliverables (POA&M, deviation requests, inventory workbook)
Help improve POA&M and ConMon processes through standardization, automation, and improved data quality
Gain hands-on exposure to evolving requirements such as CMMC, new Executive Orders, and other US public sector cybersecurity initiatives

Stand Out From the Crowd

Upload your resume and get instant feedback on how well it matches this job.

Upload and Match Resume