GRC Analyst, Federal Programs

Job Description:

• Serve as a member of Sword's GRC team, contributing to security compliance across all products and services, with primary ownership of federal programs;
• Define and maintain the CMMC assessment boundary, working across infrastructure, engineering, and business teams to ensure the scope is accurate and defensible;
• Map NIST SP 800-171 practices to Sword's current environment and produce a clear, evidence-based gap analysis;
• Translate identified gaps into prioritized remediation tasks with clear ownership, for audiences ranging from DevOps engineers to clinical operations managers;
• Build and maintain the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and all artifacts required for assessment;
• Serve as Sword's primary interface with the C3PAO and assessment team during formal CMMC assessments;
• Drive FedRAMP readiness in parallel, including control documentation, evidence collection, and continuous monitoring;
• Contribute to audits and compliance activities across other active frameworks, including SOC 2 and HITRUST, as part of Sword's broader GRC program.

Requirements:

• 5+ years of hands-on experience in GRC, compliance, or security, with at least 3 of those years focused on federal compliance frameworks such as CMMC or FedRAMP;
• Demonstrated experience owning deliverables and driving remediation through a CMMC, FedRAMP, or equivalent federal compliance effort;
• Strong working knowledge of CMMC Level 2 practices, scoping methodology, and CUI handling requirements;
• Ability to produce compliance documentation — SSPs, POA&Ms, gap analyses, control narratives — without heavy supervision;
• Proven ability to communicate technical compliance requirements to non-technical stakeholders across engineering, operations, and business teams;
• Experience engaging directly with external auditors and assessors, including evidence packaging and real-time response during assessments;
• US citizenship required;
• Ability to obtain a federal Public Trust designation if required by a sponsoring agency.

What we would love to see

• CMMC Certified Professional (CCP) credential, or active pursuit of it;

• CMMC Certified Assessor (CCA) credential;
• Hands-on experience with FedRAMP authorization packages, continuous monitoring, and agency ATO processes;
• Background in defense contracting or regulated health tech environments;
• Experience working across multiple compliance frameworks simultaneously (HITRUST, SOC 2, ISO 27001);
• Familiarity with GRC platforms such as Hyperproof, Drata, or Vanta.

Benefits:

• Comprehensive health, dental and vision insurance*

• Life and AD&D Insurance* • Financial advisory services* • Supplemental Insurance Benefits (Accident, Hospital and Critical Illness)* • Health Savings Account* • Equity shares* • Discretionary PTO plan* • Parental leave* • 401(k)

• Flexible working hours
• Remote-first company
• Paid company holidays
• Free digital therapist for you and your family

Apply tot his job Apply To this Job