US Public Sector Compliance Analyst
Divvy Cloud Corp., Arlington, VA, United States
About the Role
Are you interested in helping shape how cybersecurity works across the US public sector while building a strong foundation in Trust, Risk, and Compliance (TRC)? This role offers the opportunity to grow your career while contributing directly to Rapid7’s mission of making the digital world safer.
As a Trust, Risk, and Compliance Analyst, you will support Rapid7’s expanding US Public Sector compliance programs, including FedRAMP, GovRAMP, TX-RAMP, and COV-RAMP. As part of the Trust, Risk, and Compliance team within the broader Information Security organization, you will help build, operate, and continuously improve scalable compliance and risk management programs that enable our Federal and SLED customers to succeed.
This role is based in Boston and/or Arlington and is part of a team that values collaboration, curiosity, balance, and continuous learning.
About the Team Rapid7’s Trust, Risk & Compliance team sits within Information Security and plays a critical role in building customer trust. We design and operate governance programs, manage security risk, and help teams across Rapid7 understand and meet regulatory and security expectations. Our work spans Engineering, Product, Platform, Legal, Procurement, Sales, and Customer Success — and we do it with a mindset that security should enable the business, not slow it down.
In This Role, You Will
Support day-to-day activities for Rapid7’s US Public Sector compliance programs, with a primary focus on FedRAMP
Assist in maintaining compliance documentation, including policies, procedures, system security plans (SSPs), authorization artifacts, and supporting evidence
Support continuous monitoring (ConMon) activities, including ongoing evidence collection and reporting
Assist in managing Plans of Action & Milestones (POA&Ms), including tracking remediation progress, timelines, and risk ownership
Track and support control implementation aligned to NIST 800-53 rev. 5 and NIST 800-171
Use ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, or RegScale to manage compliance status, risks, and findings
Partner with Engineering and Security teams to understand technical control implementations, vulnerabilities, and remediation plans
Support audit and assessment readiness activities, including ATO packages and regulatory reporting
Assist with vendor reviews, including Control Implementation Summaries (CIS) and Customer Responsibility Matrices (CRM)
Help identify opportunities to improve GRC, POA&Ms, and ConMon processes through standardization, automation, and improved data quality
Gain hands‑on exposure to evolving requirements such as CMMC, new Executive Orders, and emerging US public sector cybersecurity initiatives
The Skills You’ll Bring
2-5 years of experience (or equivalent academic, internship, or early-career experience) in cybersecurity, risk, compliance, governance, or cloud security (Candidates with slightly more experience are welcome to apply)
Foundational knowledge of NIST 800-53 and or NIST 800-171
Interest in US Government and SLED cybersecurity programs (FedRAMP, GovRAMP, StateRAMP)
Experience or familiarity with ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, or RegScale
Ability to understand and document both policy-based and technical security controls
Strong analytical skills, attention to detail, and comfort working with structured documentation
Clear written and verbal communication skills
A curious, collaborative mindset and eagerness to learn
Nice to Have
Exposure to AWS or cloud-based environments
Familiarity with vulnerability management, security scanning, or cloud security concepts
Experience or interest in POA&Ms workflows, continuous monitoring, or risk remediation
Familiarity with frameworks such as FISMA, CMMC, StateRAMP, or ISO 27001
Interest in compliance automation, OSCAL, or policy-as-code approaches
Early‑career certifications or coursework in cybersecurity, cloud security, or information assurance
We Know That… The best ideas and solutions come from multi-dimensional teams. That’s because these teams reflect a variety of backgrounds and professional experiences. If you’re excited about this role and feel your experience can make an impact, we encourage you to apply.
#LI-WP1
About Rapid7 At Rapid7, our vision is to create a secure digital world for our customers, our industry, and our communities. We do this by harnessing our collective expertise and passion to challenge what’s possible and drive extraordinary impact. We’re building a dynamic and collaborative workplace where new ideas are welcome.
Protecting 11,000+ customers against bad actors and threats means we’re continuing to push the envelope just like we’ve been doing for the past 20 years. If you’re ready to solve some of the toughest challenges in cybersecurity, we’re ready to help you take command of your career. Join us.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or any other status protected by applicable national, federal, state or local law.
#J-18808-Ljbffr
As a Trust, Risk, and Compliance Analyst, you will support Rapid7’s expanding US Public Sector compliance programs, including FedRAMP, GovRAMP, TX-RAMP, and COV-RAMP. As part of the Trust, Risk, and Compliance team within the broader Information Security organization, you will help build, operate, and continuously improve scalable compliance and risk management programs that enable our Federal and SLED customers to succeed.
This role is based in Boston and/or Arlington and is part of a team that values collaboration, curiosity, balance, and continuous learning.
About the Team Rapid7’s Trust, Risk & Compliance team sits within Information Security and plays a critical role in building customer trust. We design and operate governance programs, manage security risk, and help teams across Rapid7 understand and meet regulatory and security expectations. Our work spans Engineering, Product, Platform, Legal, Procurement, Sales, and Customer Success — and we do it with a mindset that security should enable the business, not slow it down.
In This Role, You Will
Support day-to-day activities for Rapid7’s US Public Sector compliance programs, with a primary focus on FedRAMP
Assist in maintaining compliance documentation, including policies, procedures, system security plans (SSPs), authorization artifacts, and supporting evidence
Support continuous monitoring (ConMon) activities, including ongoing evidence collection and reporting
Assist in managing Plans of Action & Milestones (POA&Ms), including tracking remediation progress, timelines, and risk ownership
Track and support control implementation aligned to NIST 800-53 rev. 5 and NIST 800-171
Use ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, or RegScale to manage compliance status, risks, and findings
Partner with Engineering and Security teams to understand technical control implementations, vulnerabilities, and remediation plans
Support audit and assessment readiness activities, including ATO packages and regulatory reporting
Assist with vendor reviews, including Control Implementation Summaries (CIS) and Customer Responsibility Matrices (CRM)
Help identify opportunities to improve GRC, POA&Ms, and ConMon processes through standardization, automation, and improved data quality
Gain hands‑on exposure to evolving requirements such as CMMC, new Executive Orders, and emerging US public sector cybersecurity initiatives
The Skills You’ll Bring
2-5 years of experience (or equivalent academic, internship, or early-career experience) in cybersecurity, risk, compliance, governance, or cloud security (Candidates with slightly more experience are welcome to apply)
Foundational knowledge of NIST 800-53 and or NIST 800-171
Interest in US Government and SLED cybersecurity programs (FedRAMP, GovRAMP, StateRAMP)
Experience or familiarity with ATO-focused GRC platforms such as Paramify, ServiceNow GRC, Onspring, or RegScale
Ability to understand and document both policy-based and technical security controls
Strong analytical skills, attention to detail, and comfort working with structured documentation
Clear written and verbal communication skills
A curious, collaborative mindset and eagerness to learn
Nice to Have
Exposure to AWS or cloud-based environments
Familiarity with vulnerability management, security scanning, or cloud security concepts
Experience or interest in POA&Ms workflows, continuous monitoring, or risk remediation
Familiarity with frameworks such as FISMA, CMMC, StateRAMP, or ISO 27001
Interest in compliance automation, OSCAL, or policy-as-code approaches
Early‑career certifications or coursework in cybersecurity, cloud security, or information assurance
We Know That… The best ideas and solutions come from multi-dimensional teams. That’s because these teams reflect a variety of backgrounds and professional experiences. If you’re excited about this role and feel your experience can make an impact, we encourage you to apply.
#LI-WP1
About Rapid7 At Rapid7, our vision is to create a secure digital world for our customers, our industry, and our communities. We do this by harnessing our collective expertise and passion to challenge what’s possible and drive extraordinary impact. We’re building a dynamic and collaborative workplace where new ideas are welcome.
Protecting 11,000+ customers against bad actors and threats means we’re continuing to push the envelope just like we’ve been doing for the past 20 years. If you’re ready to solve some of the toughest challenges in cybersecurity, we’re ready to help you take command of your career. Join us.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, age, national origin, disability, protected veteran status or any other status protected by applicable national, federal, state or local law.
#J-18808-Ljbffr