C2 Labs is hiring a Senior FedRAMP Consultant (GRC Analyst III equivalent) to act as a lead technical writer for FedRAMP authorization packages and ongoing ConMon operations. If you can translate real-world cloud security implementations into crisp FedRAMP documentation—and you care about making ConMon sustainable—this is a strong fit.
What you’ll do
- Lead drafting of FedRAMP artifacts (20X KSI summaries and/or legacy SSP/policies/plans) and drive iterations to completion.
- Maintain control/KSI-to-evidence traceability in RegScale and keep the evidence library audit-ready.
- Partner with cloud architecture/security engineering resources to ensure technical accuracy.
- Support assessor/sponsor readiness: walkthroughs, responses, and updates.
Role summary
Lead author and coordinator for FedRAMP documentation and evidence traceability. This role functions as a technical writer with security and cloud fluency—able to capture architecture and control/KSI implementations from engineering teams and translate them into FedRAMP artifacts. The Senior Consultant owns the quality of first drafts and mentors junior writers.
Key responsibilities
- Lead customer interviews/workshops to capture system boundary, data flows, shared responsibility model, and control/KSI implementations.
- Draft and iterate FedRAMP artifacts (e.g., 20X KSI implementation summaries and/or legacy SSP sections, policies, and plans).
- Build and maintain traceability between controls/KSIs, evidence, validation methods, and ConMon cadence in RegScale.
- Coordinate evidence collection and organize artifacts into a clean evidence library aligned to the package structure.
- Partner with the Cloud Architect and Security Engineer to ensure technical accuracy of narratives and diagrams.
- Support assessment readiness: conduct package walkthroughs, respond to questions, and update artifacts based on feedback.
- Mentor Junior Consultants on writing standards, template fidelity, and evidence hygiene.
Key deliverables / outputs
- FedRAMP first drafts of major package artifacts (KSI summaries and/or SSP sections).
- Policy and plan artifacts aligned to FedRAMP expectations (e.g., IRP, CP, CMP, ISCM, Rules of Behavior as required).
- Control/KSI-to-evidence traceability in RegScale with validation cadence documented.
- Assessment-ready evidence library with consistent naming/versioning and completeness checks.
Required qualifications
- 5+ years experience in GRC/compliance, security documentation, or audit support roles.
- Security certification (CISSP, CISM, CCSP)
- Demonstrated technical writing capability: can produce clear, consistent narratives for complex systems and controls.
- Working knowledge of NIST 800-53 controls and evidence expectations; familiarity with FedRAMP package structure and templates.
- Comfort collaborating with engineers and architects to accurately describe technical implementations.
- Strong attention to detail (templates, cross-references, tables, and evidence mapping).
Preferred / nice to have
- Bachelors degree in IT, Cybersecurity, or related field
- Prior experience drafting FedRAMP SSPs and/or supporting artifacts (Low/Moderate/High).
- Experience with FedRAMP 20X concepts (KSIs, validation cycles, automation-first evidence).
- Experience working in RegScale or similar GRC tools.
- Audit-related experience.
Tools & environment
- RegScale (controls/KSIs, evidence, workflows, POA&M management)
- Microsoft Word/Excel (FedRAMP templates), Visio/Lucidchart (diagrams) as available
- Ticketing systems for remediation tracking (Jira/Azure DevOps/ServiceNow as customer uses)
Engagement details
- 1099 independent contractor (initial engagement); project-based with potential extension into ConMon operations.
- Remote-first; occasional workshops may be requested (typically minimal travel).
- No clearance required; must be able to pass a standard background check and sign NDA/SOW.
- Hours scale with customer phase (heavy during package drafting; lighter during steady-state ConMon).
EEO Statement
We are an equal opportunity employer. All qualified applicants will be considered without discrimination based on race, color, religion, sex, national origin, age, disability, or protected veteran status. Employment offers will be contingent on passing a pre-employment drug screen.
Practical AI Application
- Applies AI tools to streamline workflows, enhance decision-making, and improve outcomes
- Understands the strengths and limitations of AI systems and exercises sound judgment in their use
- Continuously explores new AI capabilities and integrates them into day-to-day work where appropriate
- Uses AI in alignment with company and customer-specific policies, data privacy standards, and ethical guidelines
- Exercises discretion when using AI with sensitive or proprietary information
- Demonstrates awareness of bias, accuracy, and risk considerations when leveraging AI tools