DataLock Consulting Group · 12 hours ago
Senior GRC Engineer
DataLock Consulting Group is a trusted cybersecurity and risk management firm supporting federal and public sector clients with high-impact security engineering, assessment, and compliance services. The Senior GRC Engineer is responsible for maintaining and advancing the cybersecurity posture of federal programs and guiding teams in secure solution design and implementation.
Compliance, Consulting, Cyber Security, Information Technology, Security, Training
Responsibilities
Maintain and strengthen the cybersecurity posture of assigned federal programs, systems, or enclaves
Guide system owners, ISSOs, and engineering teams in applying GRC engineering principles throughout the system lifecycle
Lead and support Risk Management Framework activities, including system categorization, control selection, implementation, assessment, authorization, and continuous monitoring
Produce high-quality security and privacy artifacts that are technically sound, actionable, and aligned with engineering realities
Support achievement and maintenance of Authorities to Operate (ATOs) and manage associated Plans of Action and Milestones (POA&Ms)
Brief senior leadership on risk posture, authorization status, and remediation strategies
Apply DevSecOps principles to integrate security into CI/CD pipelines and modern development workflows
Support Zero Trust architecture implementation, supply chain risk management, and modernization initiatives
Apply continuous integration, continuous delivery, and continuous security principles across environments
Support implementation and analysis of SAST, DAST, Software Composition Analysis, secrets management, and GitHub-based workflows
Apply Infrastructure as Code, virtualization, and containerization concepts to security engineering and assessment activities
Utilize endpoint protection, integrity monitoring, and SIEM tooling to support security operations and monitoring
Implement and assess authentication, authorization, and identity federation mechanisms including SAML, OAuth, and OIDC
Apply PKI, encryption technologies, and FIPS implementation requirements
Analyze network architectures, topologies, and protection mechanisms to assess confidentiality, integrity, and availability risks
Leverage OSCAL for machine-readable control catalogs, baselines, System Security Plans, and assessment documentation
Analyze and interpret software vulnerabilities using CVE, CWE, and CVSS scoring methodologies
Evaluate supplier and product trustworthiness as part of supply chain risk management efforts
Develop and maintain cybersecurity and privacy policies aligned with organizational objectives
Apply cybersecurity and privacy principles related to confidentiality, integrity, availability, authentication, and non-repudiation
Assess security and privacy controls using frameworks such as NIST SP 800-53, the NIST Cybersecurity Framework, and CIS Critical Security Controls
Determine how security systems should function, including resilience and dependability, and assess how environmental or operational changes affect system risk
Communicate technical findings clearly and effectively through written documentation and stakeholder engagement
Introduce automation, engineering practices, and innovation into GRC programs to improve efficiency and continuous monitoring maturity
Qualifications
Required
Bachelor's degree in Computer Science, Information Systems, or a related field, or an additional three years of relevant experience
Seven or more years of relevant cybersecurity experience
Three or more years of experience serving as an ISSO for a Federal agency
Prior experience serving as an ISSO for a portfolio of Federal systems
Experience achieving ATOs, managing POA&Ms, and briefing senior leadership
Deep functional and technical knowledge of NIST RMF and NIST CSF processes and documentation
Expertise in FedRAMP standards and processes
Strong understanding of IaaS, PaaS, and SaaS cloud service models, including Azure, Microsoft 365, Salesforce, ServiceNow, Appian, and MuleSoft
Strong foundational and operational knowledge of DevSecOps, CI/CD pipelines, Zero Trust, supply chain risk management, artificial intelligence, and operational technology
Familiarity with SAST, DAST, Software Composition Analysis, secrets management, and GitHub
Operational knowledge of Infrastructure as Code, virtualization, and containerization
Proficiency with endpoint protection, integrity monitoring, and SIEM tools
Expertise in authentication, authorization, and identity federation technologies
Familiarity with PKI, encryption technologies, and FIPS requirements
Foundational understanding of network architectures and security mechanisms
Familiarity with OSCAL and machine-readable security documentation
Ability to analyze software vulnerabilities using CVE, CWE, and CVSS
Experience in technical writing and producing clear, well-organized security documentation
Experience evaluating supplier and product trustworthiness
Preferred
One or more certifications such as CASP, GPEN, GMON, GISP, GSEC, GSLC, CISM, CISA, CAP, CCSP, SSCP, CISSP, or CISSP-ISSMP
Experience implementing policy as code to automate control enforcement, compliance validation, and evidence collection
Demonstrated ability to introduce automation and engineering practices into GRC programs to enhance efficiency and continuous monitoring
Benefits
Competitive compensation
A comprehensive benefits package
Strong commitment to work-life balance