Qureos

Governance, Risk, and Compliance Officer/CUI Manager

The Governance, Risk, and Compliance (GRC) Officer / CUI Manager ensures the organization’s compliance with DFARS 252.204-7012, NIST SP 800-171, and CMMC (Cybersecurity Maturity Model Certification) requirements. This position is responsible for the protection, management, and oversight of Controlled Unclassified Information (CUI) within the company’s environment. The GRC Officer / CUI Manager develops and enforces governance policies, conducts risk assessments, manages the organization’s System Security Plan (SSP) and Plan of Action and Milestones (POA&M), and leads efforts to achieve and maintain CMMC certification. This role is critical in safeguarding the company’s systems and data supporting DoD and DLA contracts.

Governance, Risk & Compliance

  • Lead company-wide compliance initiatives related to DFARS 252.204-7012, NIST SP 800-171, and CMMC Level 2 and/or Level 3, as required by contract.
  • Develop, implement, and maintain cybersecurity policies, standards, and procedures aligned with federal defense contracting requirements.
  • Maintain and update the System Security Plan (SSP), POA&M, and other compliance documentation.
  • Conduct internal gap analyses and readiness assessments for CMMC certification.
  • Coordinate with third-party assessors, auditors, and government representatives for audits and reviews.
  • Monitor regulatory updates and ensure continuous alignment with DoD cybersecurity and CUI protection requirements.

Risk Management

  • Conduct organizational risk assessments and maintain a current risk register.
  • Collaborate with IT and Operations to identify, evaluate, and mitigate risks related to the confidentiality, integrity, and availability of CUI.
  • Support incident response planning and reporting, ensuring compliance with the DFARS 252.204-7012 cyber incident requirements (rapid reporting to DoD via DIBNet within 72 hours of discovery, preservation of affected images and forensic data, and support for DoD damage assessment).
  • Assist with vendor risk management, ensuring subcontractors meet equivalent cybersecurity requirements.

CUI Program Management

  • Serve as the organization’s CUI Manager, responsible for the identification, marking, handling, storage, transmission, and destruction of CUI in accordance with DoD Instruction 5200.48 and NARA CUI Program guidance.
  • Establish and maintain a CUI Protection Program including procedures, training, and enforcement mechanisms.
  • Ensure CUI is properly labeled and protected throughout its lifecycle, including in digital and physical formats.
  • Conduct CUI awareness and training programs for employees and contractors.
  • Maintain an inventory of CUI repositories and oversee access control measures to ensure only authorized personnel handle CUI.
  • Coordinate with IT and Security teams to ensure technical controls (e.g., encryption, access management, audit logging) adequately protect CUI.

Continuous Monitoring & Improvement

  • Implement a continuous monitoring strategy for cybersecurity controls and compliance posture.
  • Manage vulnerability assessments, control testing, and remediation activities.
  • Track metrics for compliance, risk reduction, and CUI incidents, reporting results to senior leadership.
  • Lead tabletop exercises and training programs to ensure readiness for cyber incidents and audits.

Collaboration & Communication

  • Act as the primary liaison between internal departments, external partners, and government representatives for all compliance and CUI-related matters.
  • Provide guidance and support to business units handling DoD contracts to ensure contractual cybersecurity clauses are properly implemented.
  • Educate and train personnel on compliance responsibilities, cybersecurity awareness, and CUI handling procedures.

Requirements:

Required:

  • Bachelor’s degree in Cybersecurity, Information Assurance, Computer Science, or a related field, or 7-10 years of relevant experience in lieu of a degree.
  • Minimum 5-7 years of experience in governance, risk, and compliance roles within a defense contracting or DoD-regulated environment.
  • Strong working knowledge of:
      o DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting);
      o NIST SP 800-171, 32 CFR Part 170 (the CMMC Program rule), and 48 CFR Subpart 204.75 (the DFARS CMMC acquisition rule); and
      o DoD Instruction 5200.48 (Controlled Unclassified Information policy).
  • Proven experience managing or maintaining System Security Plans (SSPs), POA&Ms, and audit documentation.
  • Experience leading or supporting CMMC or NIST SP 800-171 self-assessments.
  • Strong communication, policy development, and audit preparation skills.
  • Active DoD Secret clearance or eligibility to obtain one.

Preferred:

  • Certifications such as CISM, CISSP, CCP (CMMC Certified Professional), or CCA (CMMC Certified Assessor); candidates holding CISSP-ISSEP/ISSAP or CMMC CCP/CCA are strongly preferred.
  • Familiarity with FedRAMP, the Risk Management Framework (RMF), NIST SP 800-53, and/or 32 CFR Part 117 (NISPOM, the National Industrial Security Program Operating Manual).
  • Experience implementing or managing GRC tools and compliance automation systems.

Job Type: Full-time

Pay: $100,000.00 - $130,000.00 per year

Benefits:

  • 401(k)
  • 401(k) matching
  • Dental insurance
  • Employee assistance program
  • Employee discount
  • Health insurance
  • Health savings account
  • Life insurance
  • Paid time off
  • Parental leave
  • Professional development assistance
  • Referral program
  • Retirement plan
  • Tuition reimbursement
  • Vision insurance

Work Location: In person

© 2025 Qureos. All rights reserved.