
Information Security GRC Analyst

Yesterday Bellingham, MA

Overview

We are seeking a GRC Analyst with CMMC experience to support CMMC 2.0 Level 2 readiness, certification, and ongoing compliance efforts. This role is ideal for a cybersecurity or compliance professional with hands-on exposure to CMMC or NIST SP 800-171, who is ready to deepen their expertise while working alongside senior assessors and advisors.

You will contribute to CMMC readiness and assessment activities for Government Contractors and commercial organizations, while gaining exposure to broader cybersecurity risk and compliance engagements such as cyber risk assessments, compliance program development, and Information Security support.

This role emphasizes execution, documentation quality, and learning, with increasing responsibility for Waters' broader GRC information security program over time.

Responsibilities

CMMC & Compliance Execution

  • Support CMMC 2.0 Level 2 readiness and assessment activities under the guidance of Information Security and Business Leadership.
  • Assist with interpreting NIST SP 800-171 and CMMC requirements and mapping them to client or internal controls.
  • Help develop, update, and maintain:
    • System Security Plans (SSPs)
    • Plans of Action & Milestones (POA&Ms)
    • Policies, procedures, and evidence artifacts
  • Participate in gap assessments and risk reviews; help track remediation activities and evidence collection
  • Support mock assessments, internal audits, and formal C3PAO assessments by preparing documentation and responding to evidence requests
  • Assist with CUI scoping, boundary definitions, and DFARS 252.204‑7012 documentation activities

Delivery & Cyber Advisory Support

  • Contribute to cybersecurity and risk engagements such as:
    • CMMC readiness and assessments
    • Cyber risk and controls assessments
    • Compliance program implementation
    • Information security program support
  • Prepare workpapers, evidence mappings, and draft assessment documentation in accordance with firm methodology
  • Translate technical and compliance requirements into clear, well-organized documentation.
  • Maintain a strong service mindset while operating in a complex business environment.

Governance Risk and Compliance Operations (GRC):

  • Participate in Waters' risk management program, including vendor assessments, reviews, remediation follow-up, and monitoring.
  • Participate in reporting security risk to IT senior leadership and other key organizational stakeholders.
  • Maintain and improve the organization's risk register and compliance documentation.
  • Conduct risk assessments and control gap analyses; develop mitigation strategies and track remediation efforts.

Audit & Customer Response

  • Prepare and support internal and external audits, including evidence collection and response coordination.
  • Support responding to security questionnaires and demonstrating IT compliance with security frameworks.
  • Draft and maintain clear, consistent, and audit-ready documentation, including policies, control responses, program updates and reports.

Learning, Collaboration & Practice Development

  • Work closely with senior analysts, managers, and assessors to learn assessment techniques and best practices
  • Participate in internal training on CMMC, NIST, ISO, SOC, and emerging cyber standards
  • Contribute to improving templates, checklists, and documentation standards
  • Share lessons learned and ask questions; this role is designed to grow technical and professional maturity

What Success Looks Like in This Role

  • High-quality SSPs, POA&Ms, and evidence artifacts that stand up to assessment scrutiny
  • Consistent progress toward CMMC Level 2 readiness and certification
  • Increasing independence in handling assigned controls, domains, and documentation tasks
  • Strong feedback from senior team members and clients on reliability, accuracy, and professionalism

Qualifications

Required Qualifications

  • Associate's degree or higher in Information Security, Information Systems, Cybersecurity, Computer Science, or a related field
  • 2-4 years of experience in one or more of the following:
    • Cybersecurity, GRC, or IT risk roles
    • Compliance or audit support
    • SSP development or security documentation
    • Internal controls or implementation of policy
  • Foundational knowledge of CMMC 2.0 and NIST SP 800-171
  • Experience supporting compliance documentation (SSPs, POA&Ms, policies, procedures, evidence)
  • Strong written communication skills with attention to detail
  • Ability to follow structured methodologies and accept feedback

Preferred Qualifications

  • CMMC Certified Professional (CCP) or progress toward CCA
  • Familiarity with frameworks such as NIST SP 800-53, NIST CSF 2.0, ISO 27001, SOC 2, or FedRAMP
  • Exposure to DoD contractors / DIB environments
  • Experience with GRC or evidence management tools (e.g., Vanta, ServiceNow GRC, Archer, OneTrust, ZenGRC)
  • Security certifications in progress or completed (e.g., Security+, CGRC, CISSP Associate)

Desired Attributes

  • Interest in growing as a CMMC and GRC specialist
  • Comfortable working in a structured, assessment-driven environment
  • Organized, dependable, and detail-oriented
  • Willingness to learn new standards and take on increasing responsibility
  • Professional, collaborative, and receptive to coaching

Company Description

Waters Corporation (NYSE:WAT) is a global leader in life sciences and diagnostics, dedicated to accelerating the benefits of pioneering science through analytical technologies, informatics, and service. With a focus on regulated, high-volume testing environments, our innovative portfolio harnesses deep scientific expertise across chemistry, physics, and biology. We collaborate with customers around the world to advance the release of effective, high-quality medicines, ensure the safety of food and water, and drive better patient outcomes by detecting diseases earlier, managing routine infections, and combating antibiotic resistance. Through a shared culture of relentless innovation, our passionate team of ~16,000 colleagues turn scientific challenges into breakthroughs that improve lives worldwide.

Diversity and inclusion are fundamental to our core values at Waters Corporation. It benefits our employees, our products, our customers and our community. Waters complies with all applicable federal, state, and local laws. Qualified applicants are considered without regard to sex, race, color, ancestry, national origin, citizenship status, religion, age, marital status (including civil unions), military service, veteran status, pregnancy (including childbirth and related medical conditions), genetic information, sexual orientation, gender identity, legally recognized disability, domestic violence victim status, or any other characteristic protected by law. Waters is proud to be an equal opportunity workplace and is an affirmative action employer. All hiring decisions are based solely on qualifications, merit, and business needs at the time.

Key Words

GRC Analyst CMMC NIST 800-171 NIST CSF 2.0 Information Security Analyst Cyber Risk

Client-provided location(s): Bellingham, MA
Job ID: Waters-25636
Employment Type: OTHER
Posted: 2026-03-02T18:37:49

Perks and Benefits

  • Health and Wellness
  • Parental Benefits
  • Work Flexibility
  • Office Life and Perks
  • Vacation and Time Off
  • Financial and Retirement
  • Professional Development
  • Diversity and Inclusion