GRC Engineer (CMMC/FedRAMP)

The Opportunity

We are seeking a GRC Engineer who is highly motivated, detail-oriented, and has foundational knowledge of FedRAMP Moderate and High baseline requirements, with complementary experience supporting CMMC and NIST SP 800-171-based programs. The ideal candidate brings strong client-facing communication skills and the ability to contribute to multiple compliance initiatives simultaneously.

This role is focused on guiding clients through federal compliance frameworks, supporting both SaaS providers and federal contractors through the FedRAMP authorization lifecycle—including readiness assessment, authorization support, and continuous monitoring—as well as advising defense contractors on CMMC Level 1 and Level 2 compliance and related NIST 800-171 requirements. The successful candidate will play a critical role in helping clients achieve and sustain federal and DoD compliance while leading high-quality delivery across all engagements.

What You'll Do

Interpret and Apply FedRAMP Requirements:
Analyze and apply NIST SP 800-53 controls, FedRAMP baselines, and agency-specific requirements to ensure client compliance.
Develop and Maintain FedRAMP Documentation:
Develop and maintain System Security Plans (SSPs), control implementation narratives, POA&Ms, SAPs, SARs, and continuous monitoring artifacts.
Conduct FedRAMP Readiness Assessments:
Perform gap analyses and readiness reviews to prepare organizations for JAB or Agency ATO pathways.
Support Authorization and Assessment Activities:
Coordinate with Third-Party Assessment Organizations (3PAOs), cloud service providers, and government stakeholders throughout the FedRAMP lifecycle.
Boundary Definition & Scoping:
Perform CMMC/FedRAMP authorization boundary definition and system scoping activities, including identification of in-scope components, interconnections, data flows, and shared responsibility models to ensure alignment with FedRAMP PMO and agency expectations.
Support Continuous Monitoring Programs:
Conduct monthly, quarterly, and annual FedRAMP continuous monitoring requirements, including vulnerability management, incident response reporting, and change control.
Support FedRAMP Engagements:
Assist on multiple concurrent client projects, ensuring milestones, deliverables, and quality standards are consistently met or exceeded.
Support CMMC and NIST 800-171 Compliance Efforts:
Assist defense contractors with interpreting CMMC 2.0 and NIST SP 800-171 controls and implementing compliant security programs.
Develop CMMC Documentation:
Contribute to SSPs, POA&Ms, and supporting artifacts required for CMMC Level 1 and Level 2 readiness.

Who You Are

Strong organizational and project management skills with the ability to manage multiple engagements concurrently
2+ years of experience in GRC, with exposure to FedRAMP, NIST SP 800-53, and federal compliance programs
Working knowledge of CMMC 2.0 and NIST SP 800-171 requirements
Experience authoring and reviewing SSPs, POA&Ms, and assessment artifacts
Familiarity with federal cloud environments (AWS GovCloud, Azure Government, GCC High)
Experience working with SaaS providers, federal contractors, or regulated technology organizations
Ability to thrive in a fast-paced, consulting, or startup environment

Nice to Have

FedRAMP-specific experience supporting JAB or Agency ATOs
CMMC Registered Practitioner (RP), CCP, or CCA certification
CISSP, CISM, or Security+ certification
Experience with DFARS clauses and CUI handling requirements
Familiarity with SPRS reporting and DoD assessment workflows
Prior experience working directly with 3PAOs or C3PAOs

Work Environment Requirements

Reliable high-speed internet connection.
Quiet, professional home office setup.
Must be amenable to work US Eastern Time zone hours.
Fluency in written and verbal English communication skills.

Workstreet Is An Equal Opportunity Employer