
Governance, Risk & Compliance (GRC) Lead

northwoodspace
Los Angeles · posted 7h ago
Employment: Full-time
Seniority: Lead

About the role

About Northwood:

Northwood is a modern space infrastructure company focused on connecting space and Earth. The world runs on space. Space will run on Northwood. Our global ground network ensures that missions ranging from national security, to global connectivity, to disaster response can unlock their full potential and operate every day without fail.

Role Overview

As Governance, Risk & Compliance (GRC) Lead, you will own Northwood's compliance program across CMMC, FedRAMP, SOC 2, and ITAR — building the policies, processes, and evidence frameworks that enable the company to operate as a trusted dual-use space communications provider. This is a senior individual contributor role for a practitioner who combines deep regulatory knowledge with the technical fluency to work directly with security engineering, network, and product teams to translate compliance requirements into operational reality.

You will serve as the primary point of contact for government customers, third-party assessors, and internal stakeholders on all matters related to compliance posture, risk management, and audit readiness. You will work across Northwood's full security stack — spanning on-premises infrastructure, AWS GovCloud, GCC, and corporate systems — to ensure controls are implemented, documented, and defensible. This role reports to the Head of Security.

Responsibilities

Compliance Program Ownership

  • Own Northwood's compliance program across CMMC Level 2, FedRAMP, SOC 2 Type II, and ITAR, including control mapping, gap assessment, remediation tracking, and audit preparation.

  • Maintain Northwood's System Security Plan (SSP), Plan of Action and Milestones (POA&M), and associated compliance documentation in alignment with NIST 800-171 and applicable frameworks.

  • Coordinate and manage third-party assessments, including C3PAO engagements for CMMC, FedRAMP 3PAO assessments, and SOC 2 audits, serving as the primary assessor liaison.

  • Monitor the regulatory environment for changes to CMMC, FedRAMP, DFARS, and ITAR requirements and assess impact on Northwood's compliance posture.

Risk Management

  • Build and maintain Northwood's enterprise risk management program, including risk register development, risk scoring methodology, and executive-level risk reporting.

  • Conduct and facilitate periodic risk assessments across security domains, incorporating input from security engineering, network, product, and operations teams.

  • Identify, track, and drive remediation of compliance gaps and security control deficiencies, working directly with technical teams to ensure timely closure.

  • Develop and maintain risk acceptance processes, exception management workflows, and compensating control documentation.

Policy & Control Framework

  • Develop, maintain, and enforce Northwood's security policy library, including acceptable use, access control, incident response, data classification, and CUI handling policies.

  • Map Northwood's control environment across overlapping frameworks — NIST 800-171, NIST 800-53, SOC 2 Trust Services Criteria, and FedRAMP — to reduce duplicative compliance effort and maximize control reuse.

  • Define and maintain the control evidence collection program, ensuring audit artifacts are continuously gathered, organized, and accessible for assessment cycles.

  • Partner with the Security Engineering Lead, Security Operations Lead, and Product Security Lead to validate that technical controls are implemented in alignment with documented policies and compliance requirements.

ITAR & CUI Program Management

  • Own Northwood's CUI program, including data classification guidance, CUI handling procedures, marking standards, and employee training.

  • Maintain ITAR compliance program documentation, including technology control plans, export authorization tracking, and coordination with Northwood's legal counsel on regulatory obligations.

  • Ensure network segmentation, access controls, and data handling practices across Northwood's infrastructure appropriately enforce CUI and ITAR boundaries in coordination with security and network engineering teams.

Audit Readiness & Stakeholder Engagement

  • Serve as the primary compliance point of contact for government customers, prime contractors, and subcontractors, including responding to security questionnaires, flow-down requirement reviews, and customer audit requests.

  • Build and maintain audit readiness posture year-round, ensuring evidence collection, control testing, and documentation currency do not become point-in-time exercises.

  • Brief executive leadership and the Head of Security on compliance status, upcoming assessment milestones, and material risk items requiring business-level decisions.

  • Develop and deliver security awareness and compliance training programs for Northwood employees, with targeted content for personnel handling CUI or operating in ITAR-controlled environments.

Basic Qualifications

  • 5+ years in a governance, risk, and compliance role with demonstrated ownership of enterprise compliance programs in a regulated environment.

  • Deep working knowledge of CMMC Level 2 and NIST SP 800-171, including SSP development, POA&M management, and C3PAO assessment preparation.

  • Experience managing FedRAMP authorization processes, including boundary definition, control implementation documentation, and 3PAO coordination.

  • Hands-on experience with SOC 2 Type II audits, including control mapping, evidence collection, and auditor engagement.

  • Familiarity with ITAR compliance requirements, including technology control plans, export authorization processes, and CUI program management.

  • Demonstrated ability to translate technical security controls into compliance documentation and audit evidence across multiple overlapping frameworks.

  • Experience conducting risk assessments and maintaining enterprise risk registers with executive-level reporting.

  • Strong technical fluency — this role works directly with security engineering and infrastructure teams and requires the ability to evaluate technical control implementations against compliance requirements.

  • Ability to obtain and maintain a TS/SCI clearance.

  • U.S. citizenship or lawful permanent resident status, as required to comply with ITAR export regulations (see Additional Information below for the full list of eligible statuses).

Preferred Qualifications

  • Active TS clearance or higher.

  • Experience working within the Defense Industrial Base, including prime or subcontractor compliance environments with DFARS flow-down obligations.

  • Familiarity with eMASS or similar government assessment and authorization management tools.

  • Experience with GRC platforms for control tracking, evidence management, and audit workflow automation.

  • Knowledge of Northwood's core infrastructure environment, including AWS GovCloud, Microsoft GCC, and on-premises security tooling, and how these map to FedRAMP and CMMC control boundaries.

  • Experience developing and delivering security awareness and CUI handling training programs.

  • Familiarity with DFARS 252.204-7012 cyber incident reporting obligations (rapid reporting to DoD within 72 hours of discovery) and coordination with DIBCAC or DCSA.

  • Professional certifications such as CISSP, CISM, CISA, CCSK, or equivalent GRC credentials.

  • CMMC Registered Practitioner (RP) or Certified Professional (CP) designation.

Additional Information:

To conform to U.S. Government space technology export regulations, including the International Traffic in Arms Regulations (ITAR), you must be a U.S. citizen, lawful permanent resident of the U.S., protected individual as defined by 8 U.S.C. 1324b(a)(3), or eligible to obtain the required authorizations from the U.S. Department of State.

Northwood is an Equal Opportunity Employer; employment with Northwood is governed on the basis of merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.
