Governance, Risk, and Compliance (GRC) Specialist - Contingent

About the position Public Trust Eligibility Required This is a contingent position, meaning employment is dependent upon the successful award of the associated contract to Aretum and completion of any required background investigation or security clearance verification. About Aretum Aretum is a mission-driven organization committed to delivering innovative, technology-enabled solutions to our customers across defense, civilian, and homeland security sectors. Our teams work at the intersection of strategy, technology, and transformation, helping agencies solve their most critical challenges. We believe in investing in our people and creating a culture where collaboration, inclusion, and professional growth are at the forefront. Job Summary The GRC Specialist supports federal cybersecurity governance, risk management, and compliance activities by helping the organization implement and maintain an effective risk program aligned to FISMA and the NIST Risk Management Framework (RMF). The role focuses on security control implementation oversight, compliance documentation, audit readiness, and continuous monitoring—working closely with system owners, engineering teams, and assessment staff to identify risk, track remediation, and improve security posture. Due to the nature of our work as a federal consulting organization, employees may be expected to handle Controlled Unclassified Information (CUI) and must adhere to applicable safeguarding and compliance requirements.

Responsibilities

• Support governance and compliance activities aligned to FISMA and agency cybersecurity requirements, including maintaining documentation and reporting support where applicable
• Execute RMF-aligned risk activities across the system lifecycle, including control selection support, implementation validation, and ongoing continuous monitoring
• Maintain and update authorization/compliance artifacts (as required by the environment), such as security plans and supporting evidence, ensuring documentation is accurate and audit-ready
• Assist with security control assessment coordination by preparing artifacts, mapping evidence to controls, tracking assessment activities, and supporting remediation planning (Assessment methods and procedures are commonly aligned to NIST 800-53A practices)
• Develop, manage, and track POA&Ms and remediation actions; collect and validate closure evidence and support risk acceptance processes as needed
• Demonstrate and apply working knowledge of network design concepts and partner with technical teams to validate secure configurations and identify weaknesses
• Support vulnerability management and security testing coordination for government systems to identify and document vulnerabilities, validate severity/impact, and track mitigation to completion
• Support project management activities including work planning, task tracking, stakeholder coordination, meeting facilitation, and status reporting for GRC deliverables
• Contribute to policy/standard development and continuous improvement initiatives for governance and risk processes using NIST-aligned control frameworks

Requirements

• Minimum 5 years of experience in cybersecurity governance, risk, or compliance (GRC), preferably supporting federal or regulated environments
• Demonstrated experience in project management, network design concepts, and testing the security of government systems to identify vulnerabilities
• Working knowledge of the NIST RMF and how it is used to manage security and privacy risk across categorization, control selection/implementation, assessment, authorization, and continuous monitoring
• Familiarity with the purpose and structure of NIST 800-53 security and privacy controls and how controls map to evidence and system security practices
• Familiarity with security control assessment concepts and the use of assessment procedures (e.g., NIST 800-53A-style approaches)
• Strong technical writing skills and ability to produce clear, defensible documentation for auditors and leadership
• Experience supporting federal authorization packages and security assessment deliverables (e.g., SAP/SAR, evidence collection, audit response)
• Familiarity with FedRAMP concepts for cloud environments (if the client environment includes cloud services)
• Experience briefing technical and non-technical stakeholders and translating control requirements into practical implementation guidance

Nice-to-haves

• Bachelor's degree in information systems, Computer Science, or related field
• Preferred Certifications: GIAC Web Application Penetration Tester (GWAPT) Certified Ethical Hacker (CEH) GIAC Systems and Network Auditor (GSNA) Certified Penetration Tester (CPT) Certified Expert Penetration Tester (CEPT) GIAC Certified Web Application Defender (GWEB) Offensive Security Certified Professional (OSCP) CREST Penetration Testing Certifications

Benefits

• Health Care Plan (Medical, Dental & Vision)
• Retirement Plan (401k)
• Life Insurance (Basic, Voluntary & AD&D)
• Paid Time Off
• Family Leave (Maternity, Paternity)
• Short Term & Long-Term Disability
• Training & Development

Apply tot his job Apply To this Job