
Governance, Risk, and Compliance (GRC) Specialist - Contingent at ARETUM Holdings LLC – Bethesda, Maryland

ARETUM Holdings LLC
Bethesda, Maryland, 20810, United States
Job Function: Admin/Clerical/Secretarial

About This Position

Description

Public Trust Eligibility Required

This is a contingent position, meaning employment is dependent upon the successful award of the associated contract to Aretum and completion of any required background investigation or security clearance verification.

About Aretum

Aretum is a mission-driven organization committed to delivering innovative, technology-enabled solutions to our customers across defense, civilian, and homeland security sectors. Our teams work at the intersection of strategy, technology, and transformation, helping agencies solve their most critical challenges. We believe in investing in our people and creating a culture where collaboration, inclusion, and professional growth are at the forefront.

Job Summary

The GRC Specialist supports federal cybersecurity governance, risk management, and compliance activities by helping the organization implement and maintain an effective risk program aligned to FISMA and the NIST Risk Management Framework (RMF). The role focuses on security control implementation oversight, compliance documentation, audit readiness, and continuous monitoring—working closely with system owners, engineering teams, and assessment staff to identify risk, track remediation, and improve security posture.

Due to the nature of our work as a federal consulting organization, employees may be expected to handle Controlled Unclassified Information (CUI) and must adhere to applicable safeguarding and compliance requirements.

Responsibilities

  • Support governance and compliance activities aligned to FISMA and agency cybersecurity requirements, including maintaining documentation and reporting support where applicable
  • Execute RMF-aligned risk activities across the system lifecycle, including control selection support, implementation validation, and ongoing continuous monitoring
  • Maintain and update authorization/compliance artifacts (as required by the environment), such as security plans and supporting evidence, ensuring documentation is accurate and audit-ready
  • Assist with security control assessment coordination by preparing artifacts, mapping evidence to controls, tracking assessment activities, and supporting remediation planning (assessment methods and procedures are commonly aligned to NIST SP 800-53A)
  • Develop, manage, and track POA&Ms and remediation actions; collect and validate closure evidence and support risk acceptance processes as needed
  • Demonstrate and apply working knowledge of network design concepts and partner with technical teams to validate secure configurations and identify weaknesses
  • Support vulnerability management and security testing coordination for government systems to identify and document vulnerabilities, validate severity/impact, and track mitigation to completion
  • Support project management activities including work planning, task tracking, stakeholder coordination, meeting facilitation, and status reporting for GRC deliverables
  • Contribute to policy/standard development and continuous improvement initiatives for governance and risk processes using NIST-aligned control frameworks

Requirements
  • Minimum 5 years of experience in cybersecurity governance, risk, or compliance (GRC), preferably supporting federal or regulated environments
  • Demonstrated experience in project management, network design concepts, and testing the security of government systems to identify vulnerabilities
  • Working knowledge of the NIST RMF and how it is used to manage security and privacy risk across categorization, control selection/implementation, assessment, authorization, and continuous monitoring
  • Familiarity with the purpose and structure of NIST SP 800-53 security and privacy controls and how controls map to evidence and system security practices
  • Familiarity with security control assessment concepts and the use of assessment procedures (e.g., NIST SP 800-53A-style approaches)
  • Strong technical writing skills and ability to produce clear, defensible documentation for auditors and leadership
  • Experience supporting federal authorization packages and security assessment deliverables (e.g., SAP/SAR, evidence collection, audit response)
  • Familiarity with FedRAMP concepts for cloud environments (if the client environment includes cloud services)
  • Experience briefing technical and non-technical stakeholders and translating control requirements into practical implementation guidance

Preferred Qualifications

  • Bachelor's degree in Information Systems, Computer Science, or a related field
  • Preferred Certifications:
    • GIAC Web Application Penetration Tester (GWAPT)
    • Certified Ethical Hacker (CEH)
    • GIAC Systems and Network Auditor (GSNA)
    • Certified Penetration Tester (CPT)
    • Certified Expert Penetration Tester (CEPT)
    • GIAC Certified Web Application Defender (GWEB)
    • Offensive Security Certified Professional (OSCP)
    • CREST Penetration Testing Certifications

Travel Requirements

This is a hybrid position, with work performed both remotely and at designated client or corporate locations, as needed. Travel requirements may vary depending on project assignments, client meetings, or internal collaboration and will be communicated in advance whenever possible.

EEO Statement

Aretum is committed to fostering a workplace rooted in excellence, integrity, and equal opportunity for all. We adhere to merit-based hiring practices, ensuring that all employment decisions are made based on qualifications, skills, and ability to perform the job, without preference or consideration of factors unrelated to job performance.

As an Equal Opportunity Employer, Aretum complies with all applicable federal, state, and local employment laws.

We are proud to support our nation’s veterans and military families, providing career opportunities that honor their service and experience.

If you require reasonable accommodation during the hiring process due to a disability, please contact hr@aretum.com for assistance.

Equal Opportunity Employer/Veterans/Disabled

U.S. Work Authorization

Due to federal contract requirements, only U.S. citizens are eligible for this position. This position supports a federal government contract and requires the ability to obtain and maintain a Public Trust or Suitability Determination, depending on the agency’s background investigation requirements.


Benefits
  • Health Care Plan (Medical, Dental & Vision)
  • Retirement Plan (401k)
  • Life Insurance (Basic, Voluntary & AD&D)
  • Paid Time Off
  • Family Leave (Maternity, Paternity)
  • Short Term & Long-Term Disability
  • Training & Development


ARETUM is an equal opportunity employer, committed to diversity and inclusion. All qualified candidates will receive equal consideration for employment without regard to disability, race, color, religious creed, national origin, sexual orientation/gender identity, or age.

ARETUM utilizes E-Verify to check employment authorization.

EEO/AA/F/M/Vet/Disabled.


