True Anomaly Inc.

Sr. Compliance Engineer

Denver, CO; Long Beach, CA; or Washington, DC (Full Time)

A new space race has begun. True Anomaly seeks those with the talent and ambition to build innovative technology that solves the next generation of engineering, manufacturing, and operational challenges for space security and sustainability.

OUR MISSION

The peaceful use of space is essential for continued prosperity on Earth—from communications and finance to navigation and logistics. True Anomaly builds innovative technology at the intersection of spacecraft, software, and AI to enhance the capabilities of the U.S., its allies, and commercial partners. We safeguard global security by ensuring space access and sustainability for all.

OUR VALUES

  • Be the offset. We create asymmetric advantages with creativity and ingenuity
  • What would it take? We challenge assumptions to deliver ambitious results
  • It’s the people. Our team is our competitive advantage and we are better together

Your Mission 

We are seeking an experienced Sr. Compliance Engineer to join our Governance, Risk, and Compliance (GRC) team. This is an enterprise-focused role responsible for building, implementing, and sustaining the organizational compliance posture across key regulatory and security frameworks, with a primary emphasis on readiness and ongoing compliance operations for RMF (NIST 800-53 Rev. 5 with classified overlays), CMMC Level 3, NIST 800-171 Rev. 3, and organization-defined parameters (ODPs). Additionally, this role will focus on the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and related cyber regulations.

Unlike a product-centric security engineering role, this position is squarely focused on the people, processes, and controls that define how True Anomaly operates as a compliant organization. You will work across business units to assess control implementation, close compliance gaps, develop and mature policies, and ensure the organization is continuously audit-ready. The ideal candidate brings deep GRC knowledge, strong technical fluency, and the ability to engage credibly with both compliance assessors and internal engineering teams. 


Responsibilities: 

Compliance Program Execution 

  • Lead and support compliance assessment readiness across key organizational frameworks including NIST SP 800-171 Rev. 2 and 3, CMMC Level 3, NIST SP 800-53 Rev. 5, and the NIST Cybersecurity Framework (CSF). 
  • Provide direction on cybersecurity readiness to address EAR and ITAR-related controls and requirements 
  • Drive CMMC readiness activities across the organization, including scoping, gap analysis, control implementation validation, evidence collection, and pre-assessment preparation. 
  • Review, maintain, and mature System Security Plans (SSPs) to accurately reflect organizational control implementations, system boundaries, and operational practices. 
  • Manage Plans of Actions and Milestones (POA&Ms), tracking open findings to resolution, communicating status to GRC leadership, and coordinating remediation efforts across responsible teams. 
  • Conduct internal compliance audits and control effectiveness reviews to ensure ongoing adherence to applicable frameworks and to surface emerging gaps before external assessments. 
  • Maintain audit-ready evidence repositories and documentation packages, ensuring traceability between controls, evidence, and framework requirements. 

Policy & Standards Development 

  • Develop, update, and operationalize information security and compliance policies, standards, and procedures aligned to CMMC, NIST, and organizational risk tolerance. 
  • Translate regulatory and framework requirements into clear, enforceable internal policies and control specifications that business units can understand and implement. 
  • Drive policy adoption across the organization through communication, training coordination, and ongoing compliance monitoring activities. 
  • Establish and maintain a policy review and exception management lifecycle, ensuring policies remain current as requirements and organizational practices evolve. 
  • Develop policies as they may pertain to EAR and/or the ITAR. 

Cross-Functional Compliance Enablement 

  • Serve as a primary GRC team resource for compliance questions, control guidance, and framework interpretation across engineering, IT, operations, legal, and security teams. 
  • Partner with IT and security operations teams to verify that technical controls — including access management, logging, configuration baselines, and incident response procedures — meet CMMC and NIST requirements at an organizational level. 
  • Collaborate with the Enterprise Risk Manager and broader GRC leadership to ensure compliance findings are reflected in the enterprise risk register and remediation priorities. 
  • Support the development of compliance training and awareness materials to build organizational understanding of CMMC obligations and security responsibilities. 
  • Coordinate with external assessors, third-party auditors, and government partners during assessment engagements, serving as a knowledgeable point of contact for evidence walkthroughs and control discussions. 

Continuous Monitoring & Improvement 

  • Establish and maintain continuous monitoring processes to track control health, policy adherence, and emerging compliance obligations across the organization. 
  • Develop and maintain compliance metrics, dashboards, and status reports for GRC leadership and executive audiences using tools such as Jira, Confluence, enterprise GRC platforms, and MS Project. 
  • Proactively track changes to CMMC, NIST SP 800-171, and related frameworks and assess organizational impact, initiating remediation or enhancement efforts as needed. 
  • Contribute to the maturation of GRC team workflows, documentation standards, and repeatable compliance processes. 


Qualifications 

  • 7+ years of experience in IT security compliance, GRC, or a closely related discipline, with direct ownership of compliance program activities. 
  • Demonstrated expertise in NIST SP 800-171, CMMC (Level 2 or 3), and NIST SP 800-53, with hands-on experience conducting gap assessments, implementing controls, and preparing organizations for external audits. 
  • Strong understanding of SSP development and maintenance, POA&M management, and audit evidence lifecycle practices in an organizational (non-product) compliance context. 
  • Proven experience developing and operationalizing information security policies, standards, and procedures across a multi-disciplinary organization. 
  • Familiarity with technical control domains including access control, configuration management, audit and accountability, incident response, and system and communications protection — evaluated at the enterprise level. 
  • Strong communication skills with the ability to explain compliance requirements clearly to both technical practitioners and non-technical business stakeholders. 
  • Highly organized, with demonstrated ability to manage multiple concurrent compliance workstreams and deadlines in a fast-paced environment. 
  • Active SECRET/TS/SCI security clearance, or the ability to obtain one.
  • Must be a U.S. citizen, lawful permanent resident, or protected individual per ITAR requirements (8 U.S.C. 1324b(a)(3)). 


Preferred Qualifications 

  • Strong EAR/ITAR background as it pertains to cybersecurity and policy development. 
  • J.D. focusing on technology law, export compliance (EAR and the ITAR), or cyber law.
  • Industry certifications such as: