# Governance, Risk & Compliance Manager

**Company:** [Northwood Space](https://hotfix.jobs/companies/northwood-space)
**Location:** Los Angeles, CA, California
**Role:** Security Engineering
**Experience:** 5+ years
**Skills:** Cmmc, FedRAMP, SOC 2, Itar, Nist 800-171, Nist 800-53, Ssp, Poa&M, C3Pao, 3Pao, Dfars, Cui, Risk Assessment, Risk Register, Grc Platforms
**Posted:** 2026-06-19

> Own and manage Northwood's enterprise compliance program across CMMC, FedRAMP, SOC 2, and ITAR. Build policies, risk frameworks, and audit readiness while partnering directly with security engineering and infrastructure teams.

## Job Description

## Responsibilities

### Compliance Program Ownership
- Own Northwood's compliance program across CMMC Level 2, FedRAMP, SOC 2 Type II, and ITAR, including control mapping, gap assessment, remediation tracking, and audit preparation.
- Maintain Northwood's System Security Plan (SSP), Plan of Action and Milestones (POA&M), and associated compliance documentation in alignment with NIST 800-171 and applicable frameworks.
- Coordinate and manage third-party assessments, including C3PAO engagements for CMMC, FedRAMP 3PAO assessments, and SOC 2 audits, serving as the primary assessor liaison.
- Monitor the regulatory environment for changes to CMMC, FedRAMP, DFARS, and ITAR requirements and assess impact on Northwood's compliance posture.

### Risk Management
- Build and maintain Northwood's enterprise risk management program, including risk register development, risk scoring methodology, and executive-level risk reporting.
- Conduct and facilitate periodic risk assessments across security domains, incorporating input from security engineering, network, product, and operations teams.
- Identify, track, and drive remediation of compliance gaps and security control deficiencies, working directly with technical teams to ensure timely closure.
- Develop and maintain risk acceptance processes, exception management workflows, and compensating control documentation.

### Policy & Control Framework
- Develop, maintain, and enforce Northwood's security policy library, including acceptable use, access control, incident response, data classification, and CUI handling policies.
- Map Northwood's control environment across overlapping frameworks — NIST 800-171, NIST 800-53, SOC 2 Trust Services Criteria, and FedRAMP — to reduce duplicative compliance effort and maximize control reuse.
- Define and maintain the control evidence collection program, ensuring audit artifacts are continuously gathered, organized, and accessible for assessment cycles.
- Partner with the Security Engineering Lead, Security Operations Lead, and Product Security Lead to validate that technical controls are implemented in alignment with documented policies and compliance requirements.

### ITAR & CUI Program Management
- Own Northwood's CUI program, including data classification guidance, CUI handling procedures, marking standards, and employee training.
- Maintain ITAR compliance program documentation, including technology control plans, export authorization tracking, and coordination with Northwood's legal counsel on regulatory obligations.
- Ensure network segmentation, access controls, and data handling practices across Northwood's infrastructure appropriately enforce CUI and ITAR boundaries in coordination with security and network engineering teams.

### Audit Readiness & Stakeholder Engagement
- Serve as the primary compliance point of contact for government customers, prime contractors, and subcontractors, including responding to security questionnaires, flow-down requirement reviews, and customer audit requests.
- Build and maintain audit readiness posture year-round, ensuring evidence collection, control testing, and documentation currency do not become point-in-time exercises.
- Brief executive leadership and the Head of Security on compliance status, upcoming assessment milestones, and material risk items requiring business-level decisions.
- Develop and deliver security awareness and compliance training programs for Northwood employees, with targeted content for personnel handling CUI or operating in ITAR-controlled environments.

## Requirements
- 5+ years in a governance, risk, and compliance role with demonstrated ownership of enterprise compliance programs in a regulated environment.
- Deep working knowledge of CMMC Level 2 and NIST SP 800-171, including SSP development, POA&M management, and C3PAO assessment preparation.
- Experience managing FedRAMP authorization processes, including boundary definition, control implementation documentation, and 3PAO coordination.
- Hands-on experience with SOC 2 Type II audits, including control mapping, evidence collection, and auditor engagement.
- Familiarity with ITAR compliance requirements, including technology control plans, export authorization processes, and CUI program management.
- Demonstrated ability to translate technical security controls into compliance documentation and audit evidence across multiple overlapping frameworks.
- Experience conducting risk assessments and maintaining enterprise risk registers with executive-level reporting.
- Strong technical fluency — this role works directly with security engineering and infrastructure teams and requires the ability to evaluate technical control implementations against compliance requirements.
- Ability to obtain and maintain a TS/SCI clearance.
- U.S. citizenship or status as a lawful permanent resident required to conform with ITAR export regulations.

## Nice-to-Haves
- Active TS clearance or higher.
- Experience working within the Defense Industrial Base, including prime or subcontractor compliance environments with DFARS flow-down obligations.
- Familiarity with eMASS or similar government assessment and authorization management tools.
- Experience with GRC platforms for control tracking, evidence management, and audit workflow automation.
- Knowledge of Northwood's core infrastructure environment, including AWS GovCloud, Microsoft GCC, and on-premises security tooling, and how these map to FedRAMP and CMMC control boundaries.
- Experience developing and delivering security awareness and CUI handling training programs.
- Familiarity with DFARS 252.204-7012 incident reporting obligations and coordination with DIBCAC or DCSA.
- Professional certifications such as CISSP, CISM, CISA, CCSK, or equivalent GRC credentials.
- CMMC Registered Practitioner (RP) or Certified Professional (CP) designation.

## Similar roles

- [Security Program Manager](https://hotfix.jobs/jobs/e7f7fcaf-1979-4194-9131-83689809fe47) - Forus - New York, NY
- [Safeguards Enforcement Analyst, Account Takeover & Credential Abuse](https://hotfix.jobs/jobs/31f5d0ec-9b31-4419-a4b1-2e826ec7a358) - Anthropic - San Francisco, CA - $245k – $285k/yr
- [Application Security Engineer](https://hotfix.jobs/jobs/d240253e-6098-4419-8f04-aaf793f42c03) - Zocdoc - Remote - $100k – $140k/yr
- [Detection & Mitigation Engineer](https://hotfix.jobs/jobs/61def9c4-f4a5-41a5-99c6-579a61033a73) - Cloudflare
- [Security & Compliance Operations Manager](https://hotfix.jobs/jobs/90ac6643-526f-4aeb-bb4f-d71bc1af1fcd) - Mintlify - San Francisco, CA - $120k – $180k/yr

**Apply:** https://hotfix.jobs/jobs/42e4d4fa-53e9-4ada-b646-7a470159d061
**Canonical:** https://hotfix.jobs/jobs/42e4d4fa-53e9-4ada-b646-7a470159d061