Senior GRC Analyst

Workato is seeking a detail-oriented, driven, and technically experienced Senior GRC Analyst to strengthen and advance its security governance, risk, and compliance (GRC) program — with a primary focus on FedRAMP authorization and ongoing federal compliance operations.

This role will lead FedRAMP readiness, authorization, and continuous monitoring activities in alignment with NIST 800-53 requirements, while also supporting broader compliance frameworks including ISO 27001, NIST 800-171, PCI-DSS, and IRAP. The ideal candidate will bring deep federal compliance expertise combined with strong analytical, communication, and problem-solving skills to evaluate controls, identify gaps, and drive improvements across security domains.

In this role, you will also be responsible for:

• Leading FedRAMP authorization efforts — including System Security Plan (SSP) development, Security Assessment Report (SAR) review, Plan of Action & Milestones (POA&M) management, and preparation for Third Party Assessment Organization (3PAO) engagements

• Owning continuous monitoring (ConMon) activities in accordance with FedRAMP requirements, including monthly vulnerability scanning, incident reporting, and annual assessments

• Maintain and update FedRAMP authorization documentation, including SSP, CIS, CRM, and associated artifacts

• Lead internal and external audits for frameworks including FedRAMP (NIST 800-53), ISO 27001/27701, PCI-DSS, NIST 800-171, and IRAP

• Coordinate with process owners, control owners, 3PAOs, and federal agency stakeholders to ensure findings are tracked and remediated

• Conduct risk assessments, security audits, and third-party/vendor risk reviews with a focus on FedRAMP boundary and supply chain risk

• Review contracts to ensure security and compliance requirements — including FedRAMP flow-down clauses — are met

• Identify control gaps and recommend improvements to enhance the organization's federal security posture

• Communicate FedRAMP requirements, risks, and compliance status clearly to both technical and non-technical stakeholders, including federal agency customers

• Perform regular user access reviews aligned to least-privilege and FedRAMP AC control requirements

• Develop and track remediation plans for identified risks and POA&M items

• Maintain and update the risk register with federal risk considerations

• Oversee vendor and subservice provider security assurance processes relevant to the FedRAMP authorization boundary

• Collaborate with engineering, infrastructure, and product teams to design and implement controls aligned with NIST 800-53 baselines

• Support federal-facing sales and customer success discussions with compliance expertise

• Explore and leverage AI/automation tools to enhance, streamline, or scale GRC and ConMon workflows

• Build strong working relationships across departments and with federal agency AOs (Authorizing Officials)

• Take on additional responsibilities as needed

• 8+ years of experience in cybersecurity, audits, risk management, compliance, or remediation

• Hands-on FedRAMP experience required — including direct involvement in FedRAMP authorization (Moderate or High baseline preferred), SSP authoring, POA&M management, or 3PAO coordination

• Deep familiarity with NIST 800-53 Rev 5 control families and FedRAMP-specific overlays, guidance, and templates

• Experience working with cloud platforms such as AWS GovCloud, Azure Government, or Google Cloud (government regions)

• Proven ability to negotiate and prioritize risk remediation with internal and federal stakeholders

• Bachelor's degree in Information Systems, Computer Science, Information Security, or a related field

• Strong understanding of security controls in cloud environments, including boundary definition, encryption, access control, and vulnerability management

• Familiarity with NIST 800-171 and CMMC as complementary federal frameworks

• Experience auditing frameworks such as PCI-DSS, SOC 2, and ISO 27001/27701

• Relevant certifications strongly preferred: CISSP, CISA, FedRAMP-specific training (e.g., FedRAMP PMO courses), or similar

• Ability to manage multiple priorities independently with minimal supervision

• Strong communication skills with the ability to translate federal compliance requirements into technical actions and executive-level summaries

• High energy and adaptability in a fast-paced, high-stakes compliance environment

• Strong collaboration and knowledge-sharing mindset across engineering, legal, and customer-facing teams

• Excellent time management and organizational skills — particularly for managing concurrent ConMon and audit cycles

• High attention to detail, integrity, and ethical standards consistent with handling federal data and programs

• Willingness to learn and take on new challenges as Workato's federal footprint grows

• This position requires overlap with U.S. Pacific Time (PST) working hours. 

• Strong hands-on experience with FedRAMP, NIST 800-53, ISO 27001, NIST 800-171, PCI-DSS, SOC 2, and potentially IRAP is required.

• May involve some international travel.

• Must be eligible to work on U.S. federal government-related programs; ability to obtain or support federal security clearance processes is a plus.

The pay for this role may range from $120,000 to $145,000, plus variable compensation, benefits, perks, and equity.

(REQ ID: 2761)

#LI-NJ1