Jobs · Business Development · Washington

GRC Analyst

Tyler Technologies · Seattle, WA · 3 mo ago
Business DevelopmentFull-time

Responsibilities

  • Own FedRAMP Moderate authorization sustainment and audit readiness.
  • Managing continuous monitoring (ConMon), POA&Ms, annual assessments, evidence quality, and overall ATO health.
  • Lead readiness for evolving FedRAMP standards, including FedRAMP 20x.
  • Tracking program changes, identifying compliance gaps, and coordinating documentation and process updates.
  • Serving as the primary compliance program coordinator for the D&I Security team.
  • Partnering across Security, Engineering, Infrastructure & Release (TIRE), Legal, Corporate Security and Privacy, and external assessors to deliver consistent, audit-ready outcomes.
  • Managing Security Impact Analyses (SIAs), Significant Change Requests and Notifications (SCRs/SCNs), authorization boundary documentation, and federal / Authorizing Official (AO) communications.
  • Supporting risk-based decision-making. Documentation of control exceptions, risk acceptances, and compensating controls in alignment with FedRAMP and organizational governance.
  • Carefully coordinating external assurance activities, including SOC 2 Type II assessments. Managing auditor engagement, evidence collection, findings tracking, and alignment with existing FedRAMP/NIST controls.
  • Maintaining the system-of-record for compliance documentation and artifacts.
  • Owning the System Security Plan (SSP), ConMon plan, control narratives, diagrams, and appendices to ensure accuracy, traceability, and defensibility.
  • Driving multi-framework compliance alignment across regulated environments. Supporting FedRAMP, CJIS, HIPAA, and GDPR through gap identification, baseline documentation, and evidence reuse.
  • Planning and executing internal compliance assessments. Managing annual OWASP SAMM re-assessments, periodic Cloud Security Assessments (AWS Well-Architected), and internal CJIS audits to measure maturity and prevent compliance drift.
  • Supporting D&I’s cloud security and Tyler’s security maturity initiatives. Managing applicable assessments and re-assessments, and aligning outcomes with broader security and compliance goals.
  • Continuously improving compliance processes and maturity. Reducing manual effort, improving evidence quality, and preparing the organization for increased automation and reporting expectations.

Qualifications

  • Strong organization and prioritization skills.
  • Ability to manage continuous monitoring, POA&Ms, evidence collection, change tracking, and audit deliverables across overlapping timelines without losing accuracy.
  • Clear, accurate written and verbal communication.
  • Ability to document controls and evidence clearly and explain compliance requirements, risks, and decisions to engineers, auditors, customers, and non-technical stakeholders.
  • Collaborative, cross-functional working style.
  • Comfort partnering with Security, Engineering, Infrastructure, Legal, Privacy, and external assessors to drive consistent, audit-ready outcomes.
  • Detail-oriented with a systems-level perspective.
  • Ability to track control requirements, dependencies, and boundary impacts while understanding how individual updates affect overall authorization health.
  • Reliability and accountability.
  • Comfort working within structured frameworks and deadlines.
  • Ability to operate effectively within FedRAMP, NIST, SOC 2, and similar frameworks, including audits, assessments, and recurring reporting cycles.
  • Practical problem-solving mindset.
  • Able to identify gaps, inconsistencies, or risks in documentation or processes and work with others to resolve them pragmatically.
  • Proactive learning and openness to feedback.
  • Willingness to build expertise in FedRAMP, NIST, CJIS, HIPAA, GDPR, and regulatory requirements over time and incorporate feedback into work.
  • Adaptability and resilience.
  • Ability to adjust to changing regulatory guidance, audit findings, and shifting priorities while maintaining quality and professionalism.
  • Stakeholder- and trust-focused mindset.
  • Appreciation for how strong compliance practices support customer trust, audit confidence, and long-term platform credibility.
  • Tools and Technologies: FedRAMP Moderate compliance and authorization tooling, including System Security Plans (SSPs), control narratives, continuous monitoring (ConMon) deliverables, POA&Ms, SARs, and other annual assessment artifacts. Experience working within FedRAMP repositories and maintaining audit-ready system-of-record documentation. NIST-based security frameworks, particularly NIST SP 800-53 Rev. 5, with the ability to map controls to technical and procedural implementations, evaluate control inheritance, and support baseline tailoring across regulated environments. Experience supporting regulated compliance programs, including FedRAMP Moderate, CJIS, SOC 2 Type II, HIPAA, and GDPR, with an emphasis on overlap analysis, evidence reuse, and consistency across frameworks. AWS cloud environments (working knowledge), including IAM, CloudTrail, AWS Config, Security Hub, GuardDuty, and VPC networking concepts, sufficient to assess compliance impact, authorization boundary changes, and shared responsibility considerations (not hands-on infrastructure ownership). Identity and access management concepts, including familiarity with NIST SP 800-63, 800-63A, 800-63B, and 800-63C; identity proofing, authentication assurance levels (IAL/AAL/FAL); federated identity models (SAML, OIDC, OAuth 2.0); and privileged access management fundamentals. Security monitoring and audit evidence sources, including SIEM and centralized logging platforms (e.g., Sumo Logic or equivalent), with experience evaluating alerting, log retention, and evidence quality for continuous monitoring and audit support. Vulnerability management workflows, including familiarity with scanning tools (e.g., Nessus, AquaSec, Invicti, Qualys, or equivalent), risk rating methodologies, remediation tracking, and POA&M lifecycle management in compliance-driven environments. Change management and security impact analysis processes, including Security Impact Analyses (SIAs), Significant Change Requests (SCRs/SCNs), authorization boundary documentation, and coordination of approval workflows with internal and external stakeholders. Secure development lifecycle (SDLC) and configuration management concepts, aligned with NIST SA, CM, and SI control families, with sufficient understanding to evaluate engineering practices, CI/CD security signals, and control effectiveness without acting as a primary implementer. Collaboration and documentation platforms, including Confluence and Jira for compliance tracking, evidence coordination, and audit workflows, and GitHub (or equivalent) for policy versioning, evidence references, and change traceability. Basic automation and reporting skills, including the use of spreadsheets, lightweight scripting, or GRC platform automation to improve evidence accuracy, reporting consistency, and delivery timelines.

Similar jobs

GRC Analyst

Hayward Holdings, Inc.Clemmons, NC· 2 wk ago
Business Developmentapply on hayward.wd1.myworkdayjobs.com

GRC Analyst

MomentumDallas, TX· 3 wk ago
Business Development$5/hrapply on job-boards.greenhouse.io

GRC Analyst

Ease.ioIrvine, CA· 3 wk ago
Education$110k–$135k/yrapply on app.jazz.co

GRC Analyst

RogoNew York, NY· 1 wk ago
Business Developmentapply on jobs.ashbyhq.com

GRC Analyst

Stage 2 CapitalSan Francisco, CA· 4 days ago
Business Developmentapply on careers.stage2.capital

GRC Analyst

SpireDenver, CO· 6 days ago
Business Developmentapply on grnh.se