This is a remote position.
The Senior GRC Engineer is a seasoned cybersecurity professional responsible for maintaining and advancing the cybersecurity posture of a federal program, system, or enclave. This role operates at the intersection of cybersecurity, engineering, and risk management and is designed for an experienced practitioner who applies engineering rigor to develop high-quality, technically sound, and actionable security artifacts.
This position goes beyond static compliance and documentation. The Senior GRC Engineer guides system and engineering teams in designing, developing, implementing, and maintaining secure solutions aligned with evolving mission needs and threat environments. While the role produces documentation in support of the NIST Risk Management Framework, the emphasis is on meaningful security engineering outcomes rather than technical writing alone.
The Senior GRC Engineer champions the organization’s transition to a modern GRC Engineering model by promoting continuous assurance, automated evidence collection, integrated risk scoring, and scalable control inheritance. The role supports modernization initiatives, including DevSecOps, Zero Trust architectures, supply chain risk management, artificial intelligence and machine learning enabled security, responsible citizen development, and cybersecurity across both IT and operational technology environments.
Through leadership and technical expertise, this role strengthens system resilience, improves risk-based decision making, and accelerates secure mission delivery across federal environments.
Responsibilities
• Maintain and strengthen the cybersecurity posture of assigned federal programs, systems, or enclaves.
• Guide system owners, ISSOs, and engineering teams in applying GRC engineering principles throughout the system lifecycle.
• Lead and support Risk Management Framework activities, including system categorization, control selection, implementation, assessment, authorization, and continuous monitoring.
• Produce high-quality security and privacy artifacts that are technically sound, actionable, and aligned with engineering realities.
• Support achievement and maintenance of Authorities to Operate (ATOs) and manage associated Plans of Action and Milestones (POA&Ms).
• Brief senior leadership on risk posture, authorization status, and remediation strategies.
• Apply DevSecOps principles to integrate security into CI/CD pipelines and modern development workflows.
• Support Zero Trust architecture implementation, supply chain risk management, and modernization initiatives.
• Apply continuous integration, continuous delivery, and continuous security principles across environments.
• Support implementation and analysis of SAST, DAST, Software Composition Analysis, secrets management, and GitHub-based workflows.
• Apply Infrastructure as Code, virtualization, and containerization concepts to security engineering and assessment activities.
• Utilize endpoint protection, integrity monitoring, and SIEM tooling to support security operations and monitoring.
• Implement and assess authentication, authorization, and identity federation mechanisms including SAML, OAuth, and OIDC.
• Apply PKI, encryption technologies, and FIPS implementation requirements.
• Analyze network architectures, topologies, and protection mechanisms to assess confidentiality, integrity, and availability risks.
• Leverage OSCAL for machine-readable control catalogs, baselines, System Security Plans, and assessment documentation.
• Analyze and interpret software vulnerabilities using CVE, CWE, and CVSS scoring methodologies.
• Evaluate supplier and product trustworthiness as part of supply chain risk management efforts.
• Develop and maintain cybersecurity and privacy policies aligned with organizational objectives.
• Apply cybersecurity and privacy principles related to confidentiality, integrity, availability, authentication, and non-repudiation.
• Assess security and privacy controls using frameworks such as NIST SP 800-53, the NIST Cybersecurity Framework, and CIS Critical Security Controls.
• Determine how security systems should function, including resilience and dependability, and assess how environmental or operational changes affect system risk.
• Communicate technical findings clearly and effectively through written documentation and stakeholder engagement.
• Introduce automation, engineering practices, and innovation into GRC programs to improve efficiency and continuous monitoring maturity.
Requirements
Required Qualifications
• Bachelor’s degree in Computer Science, Information Systems, or a related field, or an additional three years of relevant experience.
• Seven or more years of relevant cybersecurity experience.
• Three or more years of experience serving as an ISSO for a Federal agency.
• Prior experience serving as an ISSO for a portfolio of Federal systems.
• Experience achieving ATOs, managing POA&Ms, and briefing senior leadership.
• Deep functional and technical knowledge of NIST RMF and NIST CSF processes and documentation.
• Expertise in FedRAMP standards and processes.
• Strong understanding of IaaS, PaaS, and SaaS cloud service models, including Azure, Microsoft 365, Salesforce, ServiceNow, Appian, and MuleSoft.
• Strong foundational and operational knowledge of DevSecOps, CI/CD pipelines, Zero Trust, supply chain risk management, artificial intelligence, and operational technology.
• Familiarity with SAST, DAST, Software Composition Analysis, secrets management, and GitHub.
• Operational knowledge of Infrastructure as Code, virtualization, and containerization.
• Proficiency with endpoint protection, integrity monitoring, and SIEM tools.
• Expertise in authentication, authorization, and identity federation technologies.
• Familiarity with PKI, encryption technologies, and FIPS requirements.
• Foundational understanding of network architectures and security mechanisms.
• Familiarity with OSCAL and machine-readable security documentation.
• Ability to analyze software vulnerabilities using CVE, CWE, and CVSS.
• Experience in technical writing and producing clear, well-organized security documentation.
• Experience evaluating supplier and product trustworthiness.
Preferred Qualifications
• One or more certifications such as CASP, GPEN, GMON, GISP, GSEC, GSLC, CISM, CISA, CAP, CCSP, SSCP, CISSP, or CISSP-ISSMP.
• Experience implementing policy as code to automate control enforcement, compliance validation, and evidence collection.
• Demonstrated ability to introduce automation and engineering practices into GRC programs to enhance efficiency and continuous monitoring.
Clearance
• Ability to obtain a Public Trust clearance is required.
Benefits
Working at DataLock Consulting Group
DataLock Consulting Group is a trusted cybersecurity and risk management firm supporting federal and public sector clients with high-impact security engineering, assessment, and compliance services. We offer competitive compensation, a comprehensive benefits package, and a strong commitment to work-life balance. Our team operates in a collaborative, remote-first environment that values technical excellence, professional growth, and delivering meaningful security outcomes for mission-critical systems.