Senior GRC Analyst
Workato · Palo Alto, CA · 1 wk ago
Business DevelopmentFull-time
Responsibilities
- Lead FedRAMP readiness, authorization, and continuous monitoring activities in alignment with NIST 800-53 requirements.
- Support broader compliance frameworks including ISO 27001, NIST 800-171, PCI-DSS, and IRAP.
- Own continuous monitoring (ConMon) activities in accordance with FedRAMP requirements, including monthly vulnerability scanning, incident reporting, and annual assessments.
- Maintain and update FedRAMP authorization documentation, including SSP, CIS, CRM, and associated artifacts.
- Coordinate with process owners, control owners, 3PAOs, and federal agency stakeholders to ensure findings are tracked and remediated.
- Conduct risk assessments, security audits, and third-party/vendor risk reviews with a focus on FedRAMP boundary and supply chain risk.
- Review contracts to ensure security and compliance requirements — including FedRAMP flow-down clauses — are met.
- Identify control gaps and recommend improvements to enhance the organization's federal security posture.
- Communicate FedRAMP requirements, risks, and compliance status clearly to both technical and non-technical stakeholders, including federal agency customers.
- Develop and track remediation plans for identified risks and POA&M items.
- Maintain and update the risk register with federal risk considerations.
- Oversee vendor and subservice provider security assurance processes relevant to the FedRAMP authorization boundary.
- Collaborate with engineering, infrastructure, and product teams to design and implement controls aligned with NIST 800-53 baselines.
- Support federal-facing sales and customer success discussions with compliance expertise.
- Explore and leverage AI/automation tools to enhance, streamline, or scale GRC and ConMon workflows.
- Build strong working relationships across departments and with federal agency AOs (Authorizing Officials).
Requirements
- 8+ years of experience in cybersecurity, audits, risk management, compliance, or remediation.
- Hands-on FedRAMP experience required — including direct involvement in FedRAMP authorization (Moderate or High baseline preferred), SSP authoring, POA&M management, or 3PAO coordination.
- Deep familiarity with NIST 800-53 Rev 5 control families and FedRAMP-specific overlays, guidance, and templates.
- Experience working with cloud platforms such as AWS GovCloud, Azure Government, or Google Cloud (government regions).
- Proven ability to negotiate and prioritize risk remediation with internal and federal stakeholders.
- Bachelor's degree in Information Systems, Computer Science, Information Security, or a related field.
- Strong understanding of security controls in cloud environments, including boundary definition, encryption, access control, and vulnerability management.
- Familiarity with NIST 800-171 and CMMC as complementary federal frameworks.
- Relevant certifications strongly preferred: CISSP, CISA, FedRAMP-specific training (e.g., FedRAMP PMO courses), or similar.
- Strong communication skills with the ability to translate federal compliance requirements into technical actions and executive-level summaries.
- High energy and adaptability in a fast-paced, high-stakes compliance environment.
- Strong collaboration and knowledge-sharing mindset across engineering, legal, and customer-facing teams.
- Excellent time management and organizational skills — particularly for managing concurrent ConMon and audit cycles.
- High attention to detail, integrity, and ethical standards consistent with handling federal data and programs.
- Willingness to learn and take on new challenges as Workato's federal footprint grows.