RK&K is seeking a GRC Program Lead to establish, operationalize, and scale the firm’s IT governance, risk, and compliance functions. This role provides centralized ownership of compliance efforts—including CMMC Level 2, SOC 2, and FedRAMP while ensuring alignment with business objectives, client requirements, and contractual obligations.
This position serves as a critical coordination layer between IT, Legal, HR, and business leadership to ensure risks are effectively managed, controls are implemented, and compliance requirements are consistently met as the organization grows.
Essential Functions
- Compliance & Framework Leadership
- Lead CMMC Level 2 implementation
- Lead SOC 2 Type II program development
- Support FedRAMP readiness and alignment
- Risk Management
- Assess security risks across systems, services, projects, vendors, and control gaps
- Develop and maintain enterprise risk register
- Track risks across security, operations, vendor exposure, and AI/data usage
- Governance & Policy Management
- Develop and enforce policies (data security, privacy, acceptable use/AI, access, vendors)
- Align policies to SOC 2, CMMC/NIST, and FedRAMP requirements
- Manage exceptions and risk acceptance processes
- AI Governance & Emerging Risk
- Define governance for enterprise AI usage
- Partner with IT to enforce policies and monitor misuse/data leakage
- Vendor Risk & Contract Compliance
- Conduct vendor security and compliance reviews
- Partner with Legal on contract risk and compliance
- Track contractual compliance obligations
- Security Governance Oversight
- Oversee vulnerability management and endpoint/device compliance
- Define and track security baselines
- Validate control effectiveness through evidence-based assessments
- Audit & Assessment Management
- Coordinate CMMC, SOC 2, client audits, and FedRAMP readiness reviews
- Manage evidence collection, audit responses, remediation, and closure
- Incident Governance & Response
- Establish governance for incident response processes
- Ensure proper documentation, classification, root cause analysis, and improvements
- Track trends and report risks to leadership
- Cross-Functional Leadership & Metrics
- Act as GRC liaison across IT, Legal, HR, and Operations
- Oversee business continuity and disaster recovery planning/testing
- Define and track KPIs, KRIs, and control effectiveness
- GRC Platform Ownership
- Own and manage the Vanta platform
Required Skills and Experience
- Bachelor’s degree in a related field OR equivalent practical experience
- 7+ years of experience in GRC, cybersecurity, or compliance
- Experience with:
- Owning and operating enterprise compliance programs
- CMMC / NIST SP 800-171
- SOC 2 (implementation and audit support)
- NIST frameworks
- Cross-functional coordination
Preferred Skills and Experience
- Experience with FedRAMP readiness or audits
- Professional certifications such as CISA, CISSP, CISM, CRISC, CCSP, or ISO 27001 Lead Implementer/Auditor
- Experience in federal contracting or regulated/public sector environments
- Experience with Vanta Trust Management Platform
Other Duties
This job description indicates the general nature and level of work, knowledge, skills, abilities, and other essential functions (as covered under ADA). It is not designed to cover or contain a comprehensive listing of all activities and duties required. Other duties may be assigned as required.
What We Offer
RK&K offers excellent potential for career advancement and professional growth. We also offer attractive compensation packages commensurate with experience and a comprehensive benefits package including:
- Paid time off
- Matching 401(k) plan
- Student Loan Retirement Match Program
- Paid holidays
- Tuition reimbursement
- Health, dental, vision, life, and disability insurance
- Paid parental leave
- Wellness programs and employee resource groups
- Career development opportunities
- Much, much more!
Why RK&K?
As a full-service engineering and construction management firm, RK&K gives you the opportunity to directly impact the communities in which we live and work. What sets RK&K apart is an award-winning culture that has fostered collaboration and trust for over 100 years. The firm delivers innovative solutions designed for success and has earned a reputation as a trusted partner, responsive employer, and community steward.
Design your career at RK&K - Apply Today!
Salary Range: $93,397 - $131,389
Skills Required
- Bachelor's degree in a related field or equivalent practical experience
- 7+ years of experience in GRC, cybersecurity, or compliance
- Experience with enterprise compliance programs
- Experience with CMMC / NIST SP 800-171
- Experience with SOC 2
- Experience with NIST frameworks
- Experience with cross-functional coordination
What We Do
RK&K is a full-service planning, engineering, environmental, and construction management/inspection firm.
