
Sr. Compliance Engineer
Job Description
A new space race has begun. True Anomaly seeks those with the talent and ambition to build innovative technology that solves the next generation of engineering, manufacturing, and operational challenges for space security and sustainability.
OUR MISSION
The peaceful use of space is essential for continued prosperity on Earth—from communications and finance to navigation and logistics. True Anomaly builds innovative technology at the intersection of spacecraft, software, and AI to enhance the capabilities of the U.S., its allies, and commercial partners. We safeguard global security by ensuring space access and sustainability for all.
OUR VALUES
- Be the offset. We create asymmetric advantages with creativity and ingenuity
- What would it take? We challenge assumptions to deliver ambitious results
- It’s the people. Our team is our competitive advantage and we are better together
Your Mission
We are seeking an experienced Sr. Compliance Engineer to join our Governance, Risk, and Compliance (GRC) team. This is an enterprise-focused role responsible for building, implementing, and sustaining the organizational compliance posture across key regulatory and security frameworks, with a primary emphasis on RMF (NIST 800-53 Rev. 5 plus classified overlays), CMMC Level 3, and NIST 800-171 Rev. 3 with its organization-defined parameters (ODPs), covering both readiness and ongoing compliance operations. Additionally, this role will focus on the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and cyber regulations.
Unlike a product-centric security engineering role, this position is squarely focused on the people, processes, and controls that define how True Anomaly operates as a compliant organization. You will work across business units to assess control implementation, close compliance gaps, develop and mature policies, and ensure the organization is continuously audit-ready. The ideal candidate brings deep GRC knowledge, strong technical fluency, and the ability to engage credibly with both compliance assessors and internal engineering teams.
Responsibilities:
Compliance Program Execution
- Lead and support compliance assessment readiness across key organizational frameworks including NIST SP 800-171 Rev. 2 and 3, CMMC Level 3, NIST SP 800-53 Rev. 5, and the NIST Cybersecurity Framework (CSF).
- Provide direction on cybersecurity readiness to address EAR- and ITAR-related controls and requirements.
- Drive CMMC readiness activities across the organization, including scoping, gap analysis, control implementation validation, evidence collection, and pre-assessment preparation.
- Review, maintain, and mature System Security Plans (SSPs) to accurately reflect organizational control implementations, system boundaries, and operational practices.
- Manage Plans of Actions and Milestones (POA&Ms), tracking open findings to resolution, communicating status to GRC leadership, and coordinating remediation efforts across responsible teams.
- Conduct internal compliance audits and control effectiveness reviews to ensure ongoing adherence to applicable frameworks and to surface emerging gaps before external assessments.
- Maintain audit-ready evidence repositories and documentation packages, ensuring traceability between controls, evidence, and framework requirements.
Policy & Standards Development
- Develop, update, and operationalize information security and compliance policies, standards, and procedures aligned to CMMC, NIST, and organizational risk tolerance.
- Translate regulatory and framework requirements into clear, enforceable internal policies and control specifications that business units can understand and implement.
- Drive policy adoption across the organization through communication, training coordination, and ongoing compliance monitoring activities.
- Establish and maintain a policy review and exception management lifecycle, ensuring policies remain current as requirements and organizational practices evolve.
- Develop policies as they may pertain to EAR and/or the ITAR.
Cross-Functional Compliance Enablement
- Serve as a primary GRC team resource for compliance questions, control guidance, and framework interpretation across engineering, IT, operations, legal, and security teams.
- Partner with IT and security operations teams to verify that technical controls — including access management, logging, configuration baselines, and incident response procedures — meet CMMC and NIST requirements at an organizational level.
- Collaborate with the Enterprise Risk Manager and broader GRC leadership to ensure compliance findings are reflected in the enterprise risk register and remediation priorities.
- Support the development of compliance training and awareness materials to build organizational understanding of CMMC obligations and security responsibilities.
- Coordinate with external assessors, third-party auditors, and government partners during assessment engagements, serving as a knowledgeable point of contact for evidence walkthroughs and control discussions.
Continuous Monitoring & Improvement
- Establish and maintain continuous monitoring processes to track control health, policy adherence, and emerging compliance obligations across the organization.
- Develop and maintain compliance metrics, dashboards, and status reports for GRC leadership and executive audiences using tools such as Jira, Confluence, enterprise GRC platforms, and MS Project.
- Proactively track changes to CMMC, NIST SP 800-171, and related frameworks and assess organizational impact, initiating remediation or enhancement efforts as needed.
- Contribute to the maturation of GRC team workflows, documentation standards, and repeatable compliance processes.
Qualifications
- 7+ years of experience in IT security compliance, GRC, or a closely related discipline, with direct ownership of compliance program activities.
- Demonstrated expertise in NIST SP 800-171, CMMC (Level 2 or 3), and NIST SP 800-53, with hands-on experience conducting gap assessments, implementing controls, and preparing organizations for external audits.
- Strong understanding of SSP development and maintenance, POA&M management, and audit evidence lifecycle practices in an organizational (non-product) compliance context.
- Proven experience developing and operationalizing information security policies, standards, and procedures across a multi-disciplinary organization.
- Familiarity with technical control domains including access control, configuration management, audit and accountability, incident response, and system and communications protection — evaluated at the enterprise level.
- Strong communication skills with the ability to explain compliance requirements clearly to both technical practitioners and non-technical business stakeholders.
- Highly organized, with demonstrated ability to manage multiple concurrent compliance workstreams and deadlines in a fast-paced environment.
- Active SECRET or TS/SCI security clearance, or the ability to obtain one.
- Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)).
Preferred Qualifications
- Strong EAR/ITAR background as it pertains to cybersecurity and policy development.
- J.D. focusing on technology law, export compliance (EAR and the ITAR), and cyber law.
- Industry certifications such as:
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Professional (CISSP)
- CMMC Registered Practitioner (RP) or Certified Professional (CP)
- CompTIA Security+ or equivalent
- Background in startup, aerospace, defense technology, or SaaS environments operating under DoD compliance obligations.
- Familiarity with cloud environments — particularly Azure Government or AWS GovCloud — as they relate to organizational control implementation and boundary scoping.
- Experience coordinating with C/3PAOs or supporting CMMC assessments.
- Working knowledge of DFARS 252.204-7012, ITAR, and supply chain compliance obligations.
- Familiarity with Agile/Scrum environments and hybrid project delivery models.
Compensation
- Base Salary: Denver - $145,000 to $195,000, Long Beach - $150,000 to $205,000, Washington, DC - $150,000 to $205,000
- Equity + Benefits including Health, Dental, Vision, HRA/HSA options, PTO and paid holidays, 401K, Parental Leave
Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, location, and experience.
Additional Requirements
- Work Location: Successful candidates will be located near Denver, CO, Long Beach, CA, or Washington D.C. While we observe a hybrid work environment, some work must be done on site.
- Work Environment: Standard office setting, working at a desk or in a production factory environment.
- Physical Demands: May include frequent standing, sitting, walking, bending, and lifting or carrying items up to 20 lbs.
This position will be open until it is successfully filled.
To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.
We value diversity of experience, knowledge, backgrounds, and perspectives and harness these qualities to create extraordinary impact. True Anomaly is committed to equal employment opportunity regardless of sex, race, religion or belief, ethnic or national origin, disability, age, citizenship, marital, domestic or civil partnership status, sexual orientation, gender identity, pregnancy, maternity or related condition (including breastfeeding) or any other basis as protected by applicable law. If you have a disability or additional need that requires accommodation, please do not hesitate to let us know.
Job Details
- Department
- People
- Category
- Legal & Compliance
- Employment Type
- Full Time
- Location
- Denver, Colorado, United States
- Posted
- Apr 24, 2026, 06:20 PM
- Listed
- Apr 24, 2026, 06:20 PM
About True Anomaly
Part of the growing frontier tech ecosystem pushing the edges of what's possible.