More jobs:
GRC Analyst; Federal & Customer Programs
Job in
Boulder, Boulder County, Colorado, 80301, USA
Listed on 2026-06-26
Listing for:
Spire Global
Full Time
position Listed on 2026-06-26
Job specializations:
-
IT/Tech
Cybersecurity, Information Security
Job Description & How to Apply Below
- The GRC Analyst, Federal & Customer Programs is responsible for the hands‑on analysis, documentation, and operational execution of the company’s security governance, risk, and compliance obligations
- This role sits at the intersection of customer contracts, regulatory frameworks, and the company’s security control environment — translating external requirements into clear, traceable internal commitments and evaluating how well current capabilities satisfy them
- The GRC Analyst reviews incoming contractual security language, maps obligations to applicable frameworks and existing controls, produces compliance matrices and gap analyses, owns the operational risk assessment process, contributes to governance and policy lifecycle activities, and supports audit, assessment, and customer inquiry activities
- A meaningful portion of this role is dedicated to ongoing contract and requirements analysis as new programs are awarded and existing programs evolve
- The GRC Analyst serves as the security function’s primary reviewer of incoming contractual cybersecurity language and works directly with legal and sourcing on flow‑down negotiation and redlines
- Review customer contracts, statements of work, security annexes, CDRLs, data protection addenda, and flow‑down clauses to identify cybersecurity, privacy, and information handling obligations applicable to the company
- Extract and catalog specific security requirements from contractual language, and translate them into structured, testable statements suitable for traceability and control mapping
- Compare identified requirements against the company’s current product scope, control environment, and certification posture to determine where compliance is already met, partially met, or requires new implementation work
- Produce gap analyses, compliance matrices, and Requirements Traceability Matrix (RTM) artifacts that clearly communicate the state of compliance for a given contract, program, or system
- Serve as the security function’s primary point of contact for legal and sourcing during contract review, redline cycles, and flow‑down negotiation, including review of subcontractor and supplier flow‑down language
- Maintain working proficiency across the frameworks relevant to the company’s regulatory and contractual posture, including NIST SP 800‑171, NIST SP 800‑53, NIST CSF, CMMC, ISO 27001, FedRAMP, and applicable European frameworks such as NIS2 and GDPR
- Map controls across frameworks to minimize duplicated work and enable consistent responses to overlapping requirements; contribute to a shared control inventory used by compliance, security, and program teams
- Interpret framework language and authoritative guidance (NIST publications, DoD guidance, regulator FAQs) in the context of specific company systems and business scenarios and elevate ambiguity for formal risk decisions when appropriate
- Contribute to the maintenance of the company’s Information Security Management System (ISMS) documentation set, including keeping control descriptions, evidence references, and scope statements accurate and current
- Support the policy and standard lifecycle, including periodic review cycles, version control, exception governance, and clarification of control owner accountability
- Produce compliance posture reporting and audit readiness metrics for governance forums and leadership review, including framework coverage, finding aging, and remediation progress
- Draft and revise compliance deliverables including System Security Plans (SSP), Plans of Action & Milestones (POA&M), policy and standard content, control narratives, customer security questionnaire responses, and audit artifacts
- Author clear, concise written responses to customer, auditor, and regulator inquiries, calibrated to the technical level of the audience and consistent with approved company positioning
- Own the operational risk assessment process and the supporting risk register, including conducting periodic and event‑driven risk assessments, documenting current state, identifying deficiencies, and developing risk treatment recommendations
- Route risk acceptance and exception decisions to the appropriate decision authority with the…
To View & Apply for jobs on this site that accept applications from your location or country, tap the button below to make a Search.
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
(If this job is in fact in your jurisdiction, then you may be using a Proxy or VPN to access this site, and to progress further, you should change your connectivity to another mobile device or PC).
Search for further Jobs Here:
×