
GRC Program Lead

Job in Baltimore, Anne Arundel County, Maryland, 21276, USA
Listing for: RK&K
Full Time position
Listed on 2026-06-18
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security, IT Project Manager
Salary/Wage Range or Industry Benchmark: 93,397 - 131,389 USD Yearly
Job Description & How to Apply Below

Overview

RK&K is seeking a GRC Program Lead to establish, operationalize, and scale the firm's IT governance, risk, and compliance functions. This role provides centralized ownership of compliance efforts, including CMMC Level 2, SOC 2, and FedRAMP, while ensuring alignment with business objectives, client requirements, and contractual obligations.

This position serves as a critical coordination layer between IT, Legal, HR, and business leadership to ensure risks are effectively managed, controls are implemented, and compliance requirements are consistently met as the organization grows.

Essential Functions
  • Compliance & Framework Leadership
    • Lead CMMC Level 2 implementation
    • Lead SOC 2 Type II program development
    • Support FedRAMP readiness and alignment
  • Risk Management
    • Assess security risks across systems, services, projects, vendors, and control gaps
    • Develop and maintain enterprise risk register
    • Track risks across security, operations, vendor exposure, and AI/data usage
  • Governance & Policy Management
    • Develop and enforce policies (data security, privacy, acceptable use/AI, access, vendors)
    • Align policies to SOC 2, CMMC/NIST, and FedRAMP requirements
    • Manage exceptions and risk acceptance processes
  • AI Governance & Emerging Risk
    • Define governance for enterprise AI usage
    • Partner with IT to enforce policies and monitor misuse/data leakage
  • Vendor Risk & Contract Compliance
    • Conduct vendor security and compliance reviews
    • Partner with Legal on contract risk and compliance
    • Track contractual compliance obligations
  • Security Governance Oversight
    • Oversee vulnerability management and endpoint/device compliance
    • Define and track security baselines
    • Validate control effectiveness through evidence‑based assessments
  • Audit & Assessment Management
    • Coordinate CMMC, SOC 2, client audits, and FedRAMP readiness reviews
    • Manage evidence collection, audit responses, remediation, and closure
  • Incident Governance & Response
    • Establish governance for incident response processes
    • Ensure proper documentation, classification, root cause analysis, and improvements
    • Track trends and report risks to leadership
  • Cross-Functional Leadership & Metrics
    • Act as GRC liaison across IT, Legal, HR, and Operations
    • Oversee business continuity and disaster recovery planning/testing
    • Define and track KPIs, KRIs, and control effectiveness
  • GRC Platform Ownership
    • Own and manage the Vanta platform
Required Skills and Experience
  • Bachelor's degree in a related field OR equivalent practical experience
  • 7+ years of experience in GRC, cybersecurity, or compliance
  • Experience with:
    • Owning and operating enterprise compliance programs
    • CMMC / NIST SP 800-171
    • SOC 2 (implementation and audit support)
    • NIST frameworks
    • Cross-functional coordination
Preferred Skills and Experience
  • Experience with FedRAMP readiness or audits
  • Professional certifications such as CISA, CISSP, CISM, CRISC, CCSP, or ISO 27001 Lead Implementer/Auditor
  • Experience in federal contracting or regulated/public sector environments
  • Experience with Vanta Trust Management Platform

This job description indicates the general nature and level of work, knowledge, skills, abilities, and other essential functions (as covered under ADA). It is not designed to cover or contain a comprehensive listing of all activities and duties required. Other duties may be assigned as required.

What We Offer
  • Paid time off
  • Matching 401(k) plan
  • Student Loan Retirement Match Program
  • Paid holidays
  • Tuition reimbursement
  • Health, dental, vision, life, and disability insurance
  • Paid parental leave
  • Wellness programs and employee resource groups
  • Career development opportunities
  • Much, much more!

Salary Range: $93,397 - $131,389
