Archer is an aerospace company based in San Jose, California building an all-electric vertical takeoff and landing aircraft with a mission to advance the benefits of sustainable air mobility. We are designing, manufacturing, and operating an all-electric aircraft that can carry four passengers while producing minimal noise.
Our sights are set high and our problems are hard, and we believe that diversity in the workplace is what makes us smarter, drives better insights, and will ultimately lift us all to success. We are dedicated to cultivating an equitable and inclusive environment that embraces our differences, and supports and celebrates all of our team members.
Archer is an aerospace company based in San Jose, California building an all-electric vertical takeoff and landing aircraft with a mission to advance the benefits of sustainable air mobility. We are designing, manufacturing, and operating an all-electric aircraft that can carry four passengers while producing minimal noise. Our sights are set high and our problems are hard, and we believe that diversity in the workplace is what makes us smarter, drives better insights, and will ultimately lift us all to success. We are dedicated to cultivating an equitable and inclusive environment that embraces our differences, and supports and celebrates all of our team members.
Job Overview
Archer is building the future of urban air mobility. Our supply chain spans hundreds of vendors — from avionics hardware suppliers to cloud infrastructure providers — and a compromise anywhere in that ecosystem could impact aircraft certification, delay FAA approvals, or expose sensitive information. You are key to effective enforcement of our extended enterprise third-party risk posture. Archer is seeking a Senior Third Party Risk Management (TPRM) Engineer to execute our vendor cyber risk function across all tiers of our supplier ecosystem. In this high-visibility role, you will use platforms like BitSight to continuously monitor, investigate, triage, and action security risks introduced by third-party partners and their downstream (4th-party) suppliers. You will serve as the connective tissue between Security, Sourcing, Legal, and executive leadership — translating third party risk indicators into actionable threat intelligence and coordinated response actions while ensuring strict compliance with NIST SP 800-171, CMMC Level 2, and SOX ITGC requirements. This role requires both hands-on technical depth and program-building acumen. You will support and execute Archer's TPRM function from the ground up, develop risk-tiered due diligence processes, and ensure vendor security posture remains aligned with our CMMC Level 2, NIST SP 800-161, and DFARS obligations as we grow our defense programs.
Key Responsibilities
● Operate BitSight and complementary EASM/continuous monitoring platforms as the primary lens into Archer's third-party attack surface. Maintain a tiered vendor inventory, configure portfolio monitoring, tune alert thresholds, and ensure new vendors are onboarded into the program at contract execution.
● Conduct deep-dive investigations into vendor risk signals — including unpatched CVEs, exposed services, credential leaks, certificate anomalies, business deterioration, and dark web indicators. Correlate external ratings data with internal telemetry to assess true business exposure and eliminate false positives before escalation.
● Extend visibility beyond direct vendors to identify and monitor critical 4th-party sub-processor dependencies. Map supply chain concentration risks, single points of failure, and foreign ownership or influence (FOCI) concerns for vendors supporting defense programs or handling CUI.
● Drive risk closure by issuing formal findings, coordinating with internal vendor relationship owners, and tracking remediation commitments through resolution. Engage procurement and legal channels when vendors are non-responsive or remediation timelines are unacceptable.
● Produce crisp, executive-quality risk briefings, board-level metrics, and ad-hoc deep-dives for the CISO, General Counsel, and program security leads. Escalate critical or rapidly-deteriorating vendor risk findings in near-real-time with clear business impact statements and recommended courses of action.
● Design and administer risk-tiered security questionnaires for new and renewing vendors. Evaluate responses, validate claims against external signals, execute integrated due diligence checkpoints in Archer's procurement workflow.
● Influence, develop and maintain TPRM policies, standards, and procedures aligned to NIST SP 800-161 (C-SCRM), CMMC Level 2 SR practices, and ISO 27036. Provide transparency to external audits and government assessments by maintaining organized evidence of vendor risk controls and remediation activity.
● Serve as the TPRM lead during vendor-related security incidents — coordinating with Archer's internal IR team, managing vendor communications under legal hold protocols, and driving root cause analysis and contractual remedies following a third-party breach.
Required Qualifications
● 7+ years in cybersecurity with at least 3 years of dedicated third-party or supply chain risk management experience
● Demonstrated hands-on proficiency with BitSight or an equivalent continuous monitoring platform — including alert tuning, portfolio management, vendor engagement workflows, and peer benchmarking
● Deep working knowledge of NIST SP 800-161 (C-SCRM), NIST CSF, CMMC Level 2 SR and CA practices, and ISO 27036 as they apply to vendor security governance
● Experience conducting structured vendor security due diligence across SaaS, cloud infrastructure, hardware manufacturers, and professional services suppliers
● Proven ability to investigate and triage cyber risk findings at scale — correlating external signals with business context to produce prioritized, actionable intelligence for both technical and non-technical stakeholders
● Familiarity with 4th-party risk mapping, sub-processor disclosure reviews, and supply chain concentration risk analysis
● Excellent written and verbal communication skills — able to translate complex vendor risk findings into executive-ready briefings, board-level dashboards, and actionable
● Eligibility to obtain a DoD Secret security clearance
Preferred Qualifications
● Certifications: CTPRP (Prevalent), CRISC, CISSP, CISM, or equivalent risk management credentials
● Active DoD Secret or Top Secret/SCI clearance
● Familiarity with ITAR/EAR data sharing constraints and their implications for vendor contracting and CUI handling
● Exposure to FOCI (Foreign Ownership, Control, or Influence) assessments
● Experience integrating TPRM tooling with GRC platforms or building risk workflow automation (e.g., auto-routing findings, SLA tracking, contract clause triggers)
● Prior startup or high-growth company experience — comfort operating with limited bureaucracy and building programs that scale with business growth
Please note that this job description is intended to provide a general overview of the position and does not include an exhaustive list of responsibilities and qualifications
At Archer we aim to attract, retain, and motivate talent that possess the skills and leadership necessary to grow our business. We drive a pay-for-performance culture and reward performance that supports the Company’s business strategy. For this position we are targeting a base pay between $207,400 - $259,200. Actual compensation offered will be determined by factors such as job-related knowledge, skills, and experience.
Archer is proud to be an Equal Opportunity employer committed to diversity and inclusivity in the workplace. All aspects of employment are decided on the basis of merit, qualifications, and business needs. We do not discriminate based upon race, color, religion, sex, sexual orientation, age, national origin, disability status, protected veteran status, gender identity or any other characteristic protected by federal, state or local laws.Archer is committed to working with and providing reasonable accommodations to job applicants with physical or mental disabilities, and those with sincerely held religious beliefs. Applicants who may require reasonable accommodation for any part of the application or hiring process should provide their name and contact information to Archer’s People Team at [email protected]. Reasonable accommodations will be determined on a case-by-case basis.Skills Required
- 7+ years in cybersecurity with at least 3 years of dedicated third-party or supply chain risk management experience
- Hands-on proficiency with BitSight or an equivalent continuous monitoring platform (alert tuning, portfolio management, vendor engagement)
- Deep working knowledge of NIST SP 800-161 (C-SCRM), NIST CSF, CMMC Level 2 SR and CA practices, and ISO 27036
- Experience conducting structured vendor security due diligence across SaaS, cloud infrastructure, hardware manufacturers, and professional services suppliers
- Proven ability to investigate and triage cyber risk findings at scale, correlating external signals with business context
- Familiarity with 4th-party risk mapping, sub-processor disclosure reviews, and supply chain concentration risk analysis
- Excellent written and verbal communication skills; ability to produce executive-ready briefings and dashboards
- Eligibility to obtain a DoD Secret security clearance
- Certifications such as CTPRP (Prevalent), CRISC, CISSP, or CISM
- Active DoD Secret or Top Secret/SCI clearance
- Familiarity with ITAR/EAR data sharing constraints and CUI handling implications
- Exposure to FOCI assessments
- Experience integrating TPRM tooling with GRC platforms or building risk workflow automation
- Prior startup or high-growth company experience
Archer Aviation Compensation & Benefits Highlights
The following summarizes recurring compensation and benefits themes identified from responses generated by popular LLMs to common candidate questions about Archer Aviation and has not been reviewed or approved by Archer Aviation.
-
Healthcare Strength — Health coverage includes medical, dental, and vision, alongside HSA/FSA options and an Employee Assistance Program, forming a comprehensive base. Wellness activities and company-sponsored outings are additionally referenced.
-
Leave & Time Off Breadth — Time off includes generous PTO, paid sick days, and paid holidays, with unlimited PTO noted for exempt employees. This breadth provides above-average flexibility for a hardware-focused environment.
-
Equity Value & Accessibility — Ownership opportunities include company equity, performance bonuses, and an Employee Stock Purchase Plan with a purchase discount. Equity is used to keep packages competitive in high-demand roles, creating meaningful upside potential.
Archer Aviation Insights
What We Do
Archer is an aerospace company building an all-electric vertical takeoff and landing aircraft focused on improving mobility in cities. The company's mission is to advance the benefits of sustainable air mobility. Archer is designing, manufacturing, and operating a fully electric aircraft that can carry four passengers for 60 miles at speeds of up to 150mph while producing minimal noise. Archer's team is based in the San Francisco Bay Area.
