GRC Analyst, Federal Programs

Sword Health

GRC Analyst contributing to security compliance across Sword's AI healthcare products and services. Ensuring federal programs like CMMC and FedRAMP are met effectively.

Posted 5/18/2026full-timeRemote • 🇺🇸 United StatesMid-LevelSenior💰 $101,500 - $159,500 per yearWebsite

About the role

Key responsibilities & impact

Serve as a member of Sword's GRC team, contributing to security compliance across all products and services, with primary ownership of federal programs;
Define and maintain the CMMC assessment boundary, working across infrastructure, engineering, and business teams to ensure the scope is accurate and defensible;
Map NIST SP 800-171 practices to Sword's current environment and produce a clear, evidence-based gap analysis;
Translate identified gaps into prioritized remediation tasks with clear ownership, for audiences ranging from DevOps engineers to clinical operations managers;
Build and maintain the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and all artifacts required for assessment;
Serve as Sword's primary interface with the C3PAO and assessment team during formal CMMC assessments;
Drive FedRAMP readiness in parallel, including control documentation, evidence collection, and continuous monitoring;
Contribute to audits and compliance activities across other active frameworks, including SOC 2 and HITRUST, as part of Sword's broader GRC program.

Requirements

What you’ll need

5+ years of hands-on experience in GRC, compliance, or security, with at least 3 of those years focused on federal compliance frameworks such as CMMC or FedRAMP;
Demonstrated experience owning deliverables and driving remediation through a CMMC, FedRAMP, or equivalent federal compliance effort;
Strong working knowledge of CMMC Level 2 practices, scoping methodology, and CUI handling requirements;
Ability to produce compliance documentation — SSPs, POA&Ms, gap analyses, control narratives — without heavy supervision;
Proven ability to communicate technical compliance requirements to non-technical stakeholders across engineering, operations, and business teams;
Experience engaging directly with external auditors and assessors, including evidence packaging and real-time response during assessments;
US citizenship required;
Ability to obtain a federal Public Trust designation if required by a sponsoring agency.
**What we would love to see**
CMMC Certified Professional (CCP) credential, or active pursuit of it;
CMMC Certified Assessor (CCA) credential;
Hands-on experience with FedRAMP authorization packages, continuous monitoring, and agency ATO processes;
Background in defense contracting or regulated health tech environments;
Experience working across multiple compliance frameworks simultaneously (HITRUST, SOC 2, ISO 27001);
Familiarity with GRC platforms such as Hyperproof, Drata, or Vanta.

Benefits

Comp & perks

Comprehensive health, dental and vision insurance*
Life and AD&D Insurance*
Financial advisory services*
Supplemental Insurance Benefits (Accident, Hospital and Critical Illness)*
Health Savings Account*
Equity shares*
Discretionary PTO plan*
Parental leave*
401(k)
Flexible working hours
Remote-first company
Paid company holidays
Free digital therapist for you and your family

ATS Keywords

✓ Tailor your resume

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools

GRCcompliancesecurityCMMCFedRAMPNIST SP 800-171SSPPOA&Mgap analysiscontrol documentation

Soft Skills

communicationownershipremediationcollaborationengagementtechnical translationauditingevidence packagingstakeholder managementproblem-solving

Certifications

CMMC Certified Professional (CCP)CMMC Certified Assessor (CCA)