Corporate Governance, Risk, and Compliance Analyst
Onebrief · NAMER · 1 wk ago
RemoteRemoteLegalFull-time
Core responsibilities
- Own RMF authorizations across Department of War components and FedRAMP High, alongside CMMC 2.0 and SOC 2 compliance for corporate systems
- Maintain authorization and audit evidence, including SSPs, SARs, POA&Ms, STIGs, and control mappings
- Partner with Engineering, Product, and Security to embed compliance requirements into system design and CI/CD workflows, not bolt them on afterward
- Coverage internal assessments and external audit readiness across all applicable frameworks
- Track regulatory and contractual changes and advise leadership on what they mean for Onebrief
- Run risk assessments and vendor/supply chain risk reviews across both federal and corporate environments
Minimum Qualifications
- U.S. Citizen
- Bachelor's degree in Computer Science, Cybersecurity, Information Technology, or related field
- 8+ years in cybersecurity compliance
- Hands-on expertise with RMF and at least one of CMMC 2.0 or SOC 2
- One or more of the following certifications: CISSP, CISM, CISSO, CPTE, CySA+, FITSP-A, GCSA, CISA, ISSEP, GSLC, or GSNA
- Experience with GRC platforms, including automated evidence collection and testing (eMASS experience a plus)
Preferred Qualifications
- Experience in DoD environments and compliance frameworks (RMF, ICD 503)
- Familiarity with agency-specific overlays (DoD, DHS, or civilian agencies)
- Experience working with 3PAOs, Security Control Assessors, federal customers, or SOC 2 auditors
- Familiarity with cloud security standards (FedRAMP, ISO 27001, NIST 800-171, DoD Cloud Computing SRG)
Indicators of Success
- Keep authorization packages current across every framework instead of reconstructing them under deadline pressure
- Reduce manual audit prep by automating control testing and evidence collection
- Close open POA&M and corrective action items on a predictable cadence
- Become the go-to person engineers check with before shipping changes that touch compliance boundaries, federal or corporate