About this role
Role Overview
Maintain and continuously improve the System Security Plan (SSP), policies, procedures, and standards aligned to NIST 800-53 and SOC 2.
Own the Plan of Action and Milestones (POA&M) lifecycle: tracking, aging, remediation evidence, and monthly continuous monitoring deliverables.
Manage the control evidence catalog—what evidence exists, where it lives, when it was last refreshed, and what's coming up for renewal.
Coordinate with the U.S. security team and 3PAOs to support GovRAMP, FedRAMP, and state-level (e.g., TX-RAMP) authorization and continuous monitoring activities.
Run our third-party risk management program end-to-end: security questionnaires, due diligence, contract review, recurring reassessments.
Maintain the enterprise risk register, facilitate risk acceptance decisions, and translate technical risk into business language for executives.
Administer subcontractor flow-down obligations and PII safeguarding certifications across all relevant agreements.
Track contractual security obligations across state customer contracts and ensure we meet every commitment on schedule.
Maintain and version-control our policy library—written in plain English, not boilerplate.
Run our security awareness training program, phishing simulations, and Rules of Behavior administration.
Author tabletop exercise scenarios, facilitate exercises, and produce after-action reports with concrete remediation owners.
Partner with HR and IT on onboarding and offboarding security checklists, access reviews, and acceptable use enforcement.
Requirements
Located in the Philippines with night shift work hours (to overlap with U.S. team).
7+ years of hands-on GRC experience, with at least 3 years dedicated to FedRAMP, GovRAMP, StateRAMP, TX-RAMP, or CMMC programs at a SaaS company.
Demonstrated track record authoring SSPs, POA&Ms, and continuous monitoring deliverables for a successful authorization—not just contributing to someone else's work.
Deep working knowledge of NIST 800-53, NIST 800-171, FIPS 199/200, SOC 2 (Type II), and the practical realities of audit evidence collection.
Self-starter who can walk into an existing program, identify what needs to mature, and deliver without daily direction. You'll know you're a fit if "figure it out and make it better" sounds like a feature, not a bug.
Exceptional written English—your documents will be read by state auditors, executives, and 3PAOs.
Experience running a third-party risk management program and managing vendor security reviews at volume.
Bachelor's degree in Cybersecurity, Information Systems, or a related field; relevant certifications (CISSP, CISA, CRISC, CGRC/CAP, ISO 27001 Lead Implementer) are a strong plus.
Bonus: experience with GRC tooling (Drata, Vanta, Hyperproof, ServiceNow GRC) and prior work with U.S. state government customers.
Tech Stack
Cyber Security
ServiceNow
Benefits
A senior individual contributor with real ownership over a defined portion of our GRC program.
Maturing the documentation backbone (SSPs, policies, POA&Ms, risk register, vendor program) that powers our GovRAMP, FedRAMP, and state authorization efforts.
Working on a product that directly helps thousands of individuals access workforce and educational services.
Partnering directly with security leadership, engineering, and executive stakeholders—no layers, no hand-holding.
Driving continuous improvement of policies, controls, and evidence collection across the organization.