Security GRC Lead

Remote Full-time
Department: Compliance
Location: Remote
Reports to: Executive Director
Direct Reports: None (hands-on program lead)

Summary

The GRC Lead will lead ARRO’s effort to achieve and maintain authorization and compliance across federal and industry frameworks—including NIST 800-53, CMMC, and SOC 2. This role owns the ATO readiness roadmap: partnering with consultants, coordinating remediation work, operationalizing controls, and ensuring that security and compliance practices are fully implemented and sustained across the organization. The ideal candidate is both strategic and hands-on—comfortable leading cross-functional efforts while also doing the work required to build a strong, repeatable compliance program.

This is not a technical engineering role. The GRC Lead defines compliance and control requirements and works with Technology teams to ensure activities such as continuous monitoring, control implementation, and penetration testing are planned, executed, and evidenced in alignment with compliance needs.

Key Responsibilities

ATO Readiness & Compliance Leadership
• Lead ARRO’s effort to achieve and sustain compliance with NIST 800-53, CMMC, and SOC 2, with a primary focus on ATO readiness and control implementation.
• Own the ATO readiness plan, milestones, and progress tracking, ensuring remediation work moves forward across teams.
• Coordinate closely with external consultants, assessors, and audit partners, translating guidance into actionable steps for the organization.
• Provide clear, executive-level updates on risks, readiness progress, blockers, and timelines.

Governance, Policy, & Control Implementation
• Develop, refine, and operationalize security and compliance policies, standards, and procedures.
• Ensure controls are implemented, documented, and evidenced across infrastructure, cloud, and application environments.
• Work with Technology, Product, and Operations leaders to embed compliance requirements into day-to-day workflows and decision-making.
• Establish repeatable processes for evidence collection, control ownership, and ongoing accountability.

Risk Management & Continuous Monitoring
• Conduct internal readiness reviews and validate control effectiveness across systems and processes.
• Maintain remediation plans / POA&M and drive timely closure of identified gaps.
• Support ongoing risk assessments, vendor security reviews, and corrective action activities.
• Help lay the foundation for continuous monitoring and recurring audit preparedness.

Cross-Functional Collaboration & Stakeholder Alignment
• Lead cross-functional working sessions to guide teams through what needs to be done, why it matters, and how to implement it effectively.
• Serve as a trusted partner and advisor to Engineering, Infrastructure, and Operations teams on compliance impacts.
• Communicate expectations, responsibilities, and deadlines clearly, ensuring alignment across all stakeholders.

Program Maturity & Process Improvement
• Identify opportunities to strengthen and scale ARRO’s governance, risk, and compliance practices.
• Build sustainable, documented processes that reduce reliance on one-off effort or ad-hoc interpretation.
• Support internal security awareness initiatives and help cultivate a culture of accountability and compliance excellence.

Qualifications
• 4–7 years experience in GRC, security compliance, or related roles
• Hands-on experience with NIST 800-53 (required)
• Exposure to CMMC, SOC 2, or NIST 800-171 environments
• Demonstrated experience implementing (not just documenting) controls
• Strong project leadership skills with ability to coordinate across functions
• Excellent written communication and executive reporting ability
• U.S. citizenship; ability to support federal compliance requirements

Who you are
• A Program Owner — you take accountability and drive outcomes
• A Builder — you design processes that work in real-world environments
• A Partner — you collaborate across teams and influence without authority
• A Translator — you turn framework language into practical action
• A Problem Solver — you see compliance as a system to improve, not paperwork to maintain

Why ARRO

ARRO empowers mission leaders and first responders with trusted, unified tools that simplify complex missions and build confidence before crises. As a GRC Lead, you’ll play a critical role in ensuring our technology and operations meet the highest standards of security and compliance—so our customers can act with clarity and confidence when it matters most.

Role at a glance

The GRC Lead at ARRO is responsible for leading the company's efforts in achieving and maintaining compliance across federal and industry frameworks such as NIST 800-53, CMMC, and SOC 2. This role involves owning the ATO readiness roadmap, coordinating remediation work, operationalizing controls, and ensuring security and compliance practices are fully implemented and sustained across the organization. The ideal candidate will be both strategic and hands-on, capable of leading cross-functional efforts and executing the work required to build a strong compliance program. Key responsibilities include ATO readiness and compliance leadership; governance, policy, and control implementation; risk management and continuous monitoring; cross-functional collaboration; and program maturity and process improvement. The role requires 4–7 years of experience in GRC, security compliance, or related roles, hands-on experience with NIST 800-53, and exposure to CMMC, SOC 2, or NIST 800-171 environments. Strong project leadership, communication, and executive reporting skills are essential, along with U.S. citizenship to support federal compliance requirements. The ideal candidate will be a program owner, builder, partner, translator, and problem solver.