US Public Sector Continuous Monitoring Analyst

About the Role
Are you interested in helping strengthen how cybersecurity risk is managed across the US public sector while building hands-on experience in Trust, Risk, and Compliance (TRC)? This role offers the opportunity to grow your career while contributing directly to Rapid7's mission of making the digital world safer.
As a Trust, Risk, and Compliance Analyst - Continuous Monitoring & POA&M, you will support Rapid7's expanding US Public Sector compliance programs, including FedRAMP, GovRAMP, TX-RAMP, and COV-RAMP, with a strong focus on continuous monitoring, POA&M management, and technical risk tracking. As part of the Trust, Risk, and Compliance team within the broader Information Security organization, you will help ensure security risks are identified, tracked, and remediated in a way that scales with Rapid7's cloud-based products and services.
This role is based in Boston and/or Arlington and is part of a team that values collaboration, curiosity, balance, and continuous learning.
About the Team
Rapid7's Trust, Risk & Compliance team sits within Information Security and plays a critical role in building customer trust. We design and operate governance programs, manage security risk, and help teams across Rapid7 understand and meet regulatory and security expectations. Our work spans Engineering, Product, Platform, Legal, Procurement, Sales, and Customer Success - and we do it with a mindset that security should enable the business, not slow it down.
In This Role, You Will

• Support continuous monitoring (ConMon) activities for Rapid7's US Public Sector compliance programs, with a primary focus on FedRAMP and GovRAMP
• Assist in managing Plans of Action & Milestones (POA&Ms), including tracking remediation progress, timelines, and risk ownership
• Help analyze security findings, vulnerability results, and control deficiencies in partnership with Engineering and Security teams
• Support technical evidence collection aligned to NIST 800-53 rev. 5 and NIST 800-171
• Use ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, RegScale, and DefectDojo to track findings, risks, and compliance status
• Participate in discussions with engineers to understand control implementations, technical risks, and remediation approaches
• Assist with preparation of ConMon deliverables (POA&M, deviation requests, inventory workbook)
• Help improve POA&M and ConMon processes through standardization, automation, and improved data quality
• Gain hands-on exposure to evolving requirements such as CMMC, new Executive Orders, and other US public sector cybersecurity initiatives

The Skills You'll Bring

• 2-5 years of experience (or equivalent academic/internship experience) in cybersecurity, cloud security, compliance, or risk management
• Foundational knowledge of NIST 800-53 and/or NIST 800-171
• Interest in vulnerability management, risk remediation, and continuous monitoring
• Experience or familiarity with ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, or RegScale
• Ability to understand and document technical security issues and risks
• Strong analytical skills and attention to detail
• Clear written and verbal communication skills
• A curious, collaborative mindset and eagerness to learn

Nice to Have

• Exposure to AWS or cloud-based environments
• Familiarity with vulnerability management tools or security scanning concepts
• Experience or interest in POA&M workflows, risk tracking, or control remediation
• Interest in compliance automation, OSCAL, or data-driven compliance approaches
• Early-career certifications or coursework in cybersecurity, cloud security, or information assurance

We Know That...
The best ideas and solutions come from multi-dimensional teams. That's because these teams reflect a variety of backgrounds and professional experiences. If you're excited about this role and feel your experience can make an impact, we encourage you to apply.
LI-WP1
About Rapid7
At Rapid7, our vision is to create a secure digital world for our customers, our industry, and our communities. We do this by harnessing our collective expertise and passion to challenge what's possible and drive extraordinary impact. We're building a dynamic and collaborative workplace where new ideas are welcome.
Protecting 11,000+ customers against bad actors and threats means we're continuing to push the envelope just like we' ve been doing for the past 20 years. If you 're ready to solve some of the toughest challenges in cybersecurity, we're ready to help you take command of your career. Join us.
Rapid7, Inc. is committed to fair and equitable compensation practices. A candidate's salary is determined by various factors including, but not limited to, relevant work experience, skills, and certifications. We evaluate compensation decisions on a case-by-case basis, and it is not typical for an individual to be hired at the very top of the salary range.
The salary range for this role in the US is:
$86,700.00 - 117,300.00 USD Annual
Salary ranges may vary based on geographical location. This range does not include variable/incentive compensation, equity and benefits (where applicable/eligible).
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or any other status protected by applicable national, federal, state or local law.