ForgeApply · Job listing
Governance, Risk & Compliance (GRC) Manager
Northwoodspace
Apply in about a minute — without sacrificing quality.
ForgeApply autofills this application and tailors your resume to this exact posting. You review everything before it's sent. Free trial, no card required.
About this role
Northwood is a modern space infrastructure company bringing the benefits of space to the masses through advanced communications technology. We are building a global network of phased array ground stations that enable real-time, reliable communication for satellite missions such as national security, global connectivity, and disaster response. With a vertically integrated approach, Northwood designs, builds, and rapidly deploys scalable systems that power the next generation of space missions. If you like solving complex challenges and seeing your work deployed around the world with real impact, Northwood is the place to do it.
Role Overview
As Governance, Risk & Compliance (GRC) Lead, you will own Northwood's compliance program across CMMC, FedRAMP, SOC 2, and ITAR — building the policies, processes, and evidence frameworks that enable the company to operate as a trusted dual-use space communications provider. This is a senior individual contributor role for a practitioner who combines deep regulatory knowledge with the technical fluency to work directly with security engineering, network, and product teams to translate compliance requirements into operational reality.
You will serve as the primary point of contact for government customers, third-party assessors, and internal stakeholders on all matters related to compliance posture, risk management, and audit readiness. You will work across Northwood's full security stack — spanning on-premises infrastructure, AWS GovCloud, GCC, and corporate systems — to ensure controls are implemented, documented, and defensible. This role reports to the Head of Security.
Responsibilities
Compliance Program Ownership
- Own Northwood's compliance program across CMMC Level 2, FedRAMP, SOC 2 Type II, and ITAR, including control mapping, gap assessment, remediation tracking, and audit preparation.
- Maintain Northwood's System Security Plan (SSP), Plan of Action and Milestones (POA&M), and associated compliance documentation in alignment with NIST 800-171 and applicable frameworks.
- Coordinate and manage third-party assessments, including C3PAO engagements for CMMC, FedRAMP 3PAO assessments, and SOC 2 audits, serving as the primary assessor liaison.
- Monitor the regulatory environment for changes to CMMC, FedRAMP, DFARS, and ITAR requirements and assess impact on Northwood's compliance posture.
Risk Management
- Build and maintain Northwood's enterprise risk management program, including risk register development, risk scoring methodology, and executive-level risk reporting.
- Conduct and facilitate periodic risk assessments across security domains, incorporating input from security engineering, network, product, and operations teams.
- Identify, track, and drive remediation of compliance gaps and security control deficiencies, working directly with technical teams to ensure timely closure.
- Develop and maintain risk acceptance processes, exception management workflows, and compensating control documentation.
Policy & Control Framework
- Develop, maintain, and enforce Northwood's security policy library, including acceptable use, access control, incident response, data classification, and CUI handling policies.
- Map Northwood's control environment across overlapping frameworks — NIST 800-171, NIST 800-53, SOC 2 Trust Services Criteria, and FedRAMP — to reduce duplicative compliance effort and maximize control reuse.
- Define and maintain the control evidence collection program, ensuring audit artifacts are continuously gathered, organized, and accessible for assessment cycles.
- Partner with the Security Engineering Lead, Security Operations Lead, and Product Security Lead to validate that technical controls are implemented in alignment with documented policies and compliance requirements.
ITAR & CUI Program Management
- Own Northwood's CUI program, including data classification guidance, CUI handling procedures, marking standards, and employee training.
- Maintain ITAR compliance program documentation, including technology control plans, export authorization tracking, and coordination with Northwood's legal counsel on regulatory obligations.
- Ensure network segmentation, access controls, and data handling practices across Northwood's infrastructure appropriately enforce CUI and ITAR boundaries in coordination with security and network engineering teams.
Audit Readiness & Stakeholder Engagement
- Serve as the primary compliance point of contact for government customers, prime contractors, and subcontractors, including responding to security questionnaires, flow-down requirement reviews, and customer audit requests.
- Build and maintain audit readiness posture year-round, ensuring evidence collection, control testing, and documentation currency do not become point-in-time exercises.
- Brief executive leadership and the Head of Security on compliance status, upcoming assessment milestones, and material risk items requiring business-level decisions.
- Develop and deliver security awareness and compliance training programs for Northwood employees, with targeted content for personnel handling CUI or operating in ITAR-controlled environments.
Basic Qualifications
- 5+ years in a governance, risk, and compliance role with demonstrated ownership of enterprise compliance programs in a regulated environment.
- Deep working knowledge of CMMC Level 2 and NIST SP 800-171, including SSP development, POA&M management, and C3PAO assessment preparation.
- Experience managing FedRAMP authorization processes, including boundary definition, control implementation documentation, and 3PAO coordination.
- Hands-on experience with SOC 2 Type II audits, including control mapping, evidence collection, and auditor engagement.
- Familiarity with ITAR compliance requirements, including technology control plans, export authorization processes, and CUI program management.
- Demonstrated ability to translate technica
Ready to apply to Northwoodspace?
Apply in about a minuteSimilar jobs
- Governance, Risk & Compliance (GRC) Manager — Sigmacomputing · New York City, NY
- Governance, Risk & Compliance (GRC) Manager — Sigmacomputing · San francisco, CA
- Governance Risk Compliance (GRC) Manager — Antithesis · Vienna, VA, USA
- Sr Manager, InfoSec Governance Risk and Compliance (GRC) — Ivalua · New York City, New York, US
- Sr Manager, InfoSec Governance Risk and Compliance (GRC) — Ivalua · San Francisco Bay Area, California, United States
- Sr Manager, InfoSec Governance Risk and Compliance (GRC) — Ivalua · Pittsburgh, Pennsylvania, United States
- Governance, Risk, and Compliance Manager — Decagon · San Francisco
- Director, Governance, Risk, and Compliance (GRC) — Cloverhealth · Remote