
Governance, Risk & Compliance; GRC Manager

Job in Torrance, Los Angeles County, California, 90504, USA
Listing for: northwoodspace
Full Time position
Listed on 2026-06-23
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 110000 - 150000 USD Yearly
Job Description & How to Apply Below
Position: Governance, Risk & Compliance (GRC) Manager

About Northwood

Northwood is a modern space infrastructure company focused on connecting space and Earth. The world runs on space. Space will run on Northwood. Our global ground network ensures that missions ranging from national security, to global connectivity, to disaster response can unlock their full potential and operate every day without fail.

Role Overview

As Governance, Risk & Compliance (GRC) Lead, you will own Northwood's compliance program across CMMC, FedRAMP, SOC 2, and ITAR — building the policies, processes, and evidence frameworks that enable the company to operate as a trusted dual-use space communications provider. This is a senior individual contributor role for a practitioner who combines deep regulatory knowledge with the technical fluency to work directly with security engineering, network, and product teams to translate compliance requirements into operational reality.

You will serve as the primary point of contact for government customers, third-party assessors, and internal stakeholders on all matters related to compliance posture, risk management, and audit readiness. You will work across Northwood's full security stack — spanning on-premises infrastructure, AWS GovCloud, GCC, and corporate systems — to ensure controls are implemented, documented, and defensible. This role reports to the Head of Security.

Responsibilities
Compliance Program Ownership
  • Own Northwood's compliance program across CMMC Level 2, FedRAMP, SOC 2 Type II, and ITAR, including control mapping, gap assessment, remediation tracking, and audit preparation.
  • Maintain Northwood's System Security Plan (SSP), Plan of Action and Milestones (POA&M), and associated compliance documentation in alignment with NIST 800-171 and applicable frameworks.
  • Coordinate and manage third-party assessments, including C3PAO engagements for CMMC, FedRAMP 3PAO assessments, and SOC 2 audits, serving as the primary assessor liaison.
  • Monitor the regulatory environment for changes to CMMC, FedRAMP, DFARS, and ITAR requirements and assess impact on Northwood's compliance posture.
Risk Management
  • Build and maintain Northwood's enterprise risk management program, including risk register development, risk scoring methodology, and executive-level risk reporting.
  • Conduct and facilitate periodic risk assessments across security domains, incorporating input from security engineering, network, product, and operations teams.
  • Identify, track, and drive remediation of compliance gaps and security control deficiencies, working directly with technical teams to ensure timely closure.
  • Develop and maintain risk acceptance processes, exception management workflows, and compensating control documentation.
Policy & Control Framework
  • Develop, maintain, and enforce Northwood's security policy library, including acceptable use, access control, incident response, data classification, and CUI handling policies.
  • Map Northwood's control environment across overlapping frameworks — NIST 800-171, NIST 800-53, SOC 2 Trust Services Criteria, and FedRAMP — to reduce duplicative compliance effort and maximize control reuse.
  • Define and maintain the control evidence collection program, ensuring audit artifacts are continuously gathered, organized, and accessible for assessment cycles.
  • Partner with the Security Engineering Lead, Security Operations Lead, and Product Security Lead to validate that technical controls are implemented in alignment with documented policies and compliance requirements.
ITAR & CUI Program Management
  • Own Northwood's CUI program, including data classification guidance, CUI handling procedures, marking standards, and employee training.
  • Maintain ITAR compliance program documentation, including technology control plans, export authorization tracking, and coordination with Northwood's legal counsel on regulatory obligations.
  • Ensure network segmentation, access controls, and data handling practices across Northwood's infrastructure appropriately enforce CUI and ITAR boundaries in coordination with security and network engineering teams.
Audit Readiness & Stakeholder Engagement
  • Serve as the primary compliance point of contact for government customers, prime…