Senior GRC Engineer

Remote • Posted 18 hours ago • Updated 18 hours ago
Full Time
No Travel Required
Able to Sponsor
Remote
$140000 - $155000/yr

Job Details

Skills

  • GRC
  • ATO
  • DevSecops

Summary

Job Title: Senior GRC Engineer

Location: Remote (U.S.)
Job Summary

STAFFXPERT LLC is seeking a Senior GRC Engineer on behalf of our client in a fully remote U.S.-based opportunity. The selected candidate will play a critical role in strengthening the cybersecurity posture of federal systems by ensuring security and privacy controls are effectively implemented, continuously monitored, and aligned with federal standards.

This role is ideal for a seasoned cybersecurity professional who can operate at the intersection of governance, risk, compliance, and engineering. The Senior GRC Engineer will act as a trusted advisor to system owners and stakeholders, driving modernization initiatives that move beyond traditional compliance toward an engineering-driven, automation-first security model.

The ideal candidate will bring deep expertise in federal security frameworks, cloud and hybrid environments, and modern security practices such as DevSecOps, Zero Trust, continuous monitoring, and automated control validation.
Key Responsibilities

  • Serve as a subject matter expert and advisor on GRC practices, security controls, and risk management across federal systems.
  • Define system boundaries, support system categorization, and document security requirements in alignment with federal guidelines.
  • Conduct ongoing risk assessments and maintain awareness of evolving threats to stakeholder assets.
  • Develop and implement continuous monitoring strategies with automated data collection, dashboards, and real-time risk visibility.
  • Support the selection, implementation, and documentation of security and privacy controls aligned with established frameworks (e.g., NIST RMF).
  • Maintain and update key security artifacts including System Security Plans (SSPs), Security Assessment Reports (SARs), and POA&Ms.
  • Support Authorization to Operate (ATO) activities and lifecycle security management for federal systems.
  • Drive adoption of DevSecOps practices including CI/CD security integration, automated testing, and secure development pipelines.
  • Promote automation through policy-as-code, automated evidence collection, and integrated risk scoring.
  • Collaborate with engineering teams and stakeholders to implement Zero Trust principles and modern security architectures.
  • Support cloud and hybrid environments across IaaS, PaaS, and SaaS platforms.
  • Provide guidance on identity and access management, encryption, and secure authentication protocols.
  • Communicate risk posture, findings, and remediation status to stakeholders and leadership.

Required Qualifications

  • Bachelor’s degree in Computer Science, Information Systems, or related field (or equivalent experience).
  • 7+ years of cybersecurity experience.
  • 3+ years of experience as an Information System Security Officer (ISSO) or in a federal security role.
  • Strong knowledge of federal cybersecurity frameworks such as NIST RMF and NIST 800-53.
  • Experience supporting system Authorization to Operate (ATO) processes.
  • Strong understanding of DevSecOps principles and secure software development lifecycle (SDLC).
  • Experience with security tools and methodologies including SAST, DAST, and SCA.
  • Familiarity with cloud security concepts across IaaS, PaaS, and SaaS environments.
  • Knowledge of identity and access management protocols (SAML, OAuth, OpenID Connect).
  • Experience with vulnerability management concepts (CVE, CWE, CVSS).
  • Strong technical writing skills with experience producing security documentation and reports.

Preferred Qualifications

  • Professional certifications such as CISSP, CISM, CISA, CCSP, CAP, CASP+, or equivalent.
  • Experience with FedRAMP environments and federal cloud authorization processes.
  • Familiarity with Policy-as-Code (PaC) and security automation frameworks.
  • Experience with Zero Trust architecture and Supply Chain Risk Management (SCRM).
  • Knowledge of OSCAL or machine-readable compliance documentation formats.
  • Experience working with enterprise platforms such as Azure, Microsoft 365, ServiceNow, Salesforce, or similar.
  • Exposure to AI/ML-driven security analytics and modern risk detection approaches.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 91172109
  • Position Id: 1939-39010-
  • Posted 18 hours ago