About the Role:

The GRC Analyst, Federal & Customer Programs is responsible for the hands-on analysis, documentation, and operational execution of the company's security governance, risk, and compliance obligations. This role sits at the intersection of customer contracts, regulatory frameworks, and the company's security control environment — translating external requirements into clear, traceable internal commitments and evaluating how well current capabilities satisfy them. The GRC Analyst reviews incoming contractual security language, maps obligations to applicable frameworks and existing controls, produces compliance matrices and gap analyses, owns the operational risk assessment process, contributes to governance and policy lifecycle activities, and supports audit, assessment, and customer inquiry activities.

A meaningful portion of this role is dedicated to ongoing contract and requirements analysis as new programs are awarded and existing programs evolve. The GRC Analyst serves as the security function's primary reviewer of incoming contractual cybersecurity language and works directly with legal and sourcing on flow-down negotiation and redlines. Candidates who enjoy careful reading of contractual and regulatory text — and who want this to be a substantial part of their day-to-day work — will find this role a strong fit.

This is a detail-oriented, writing-intensive role requiring strong analytical judgment, fluency across multiple compliance frameworks, and the ability to work effectively with legal, sourcing, program management, engineering, and security operations stakeholders.

Key Responsibilities:

Contract & Requirements Analysis

• Review customer contracts, statements of work, security annexes, CDRLs, data protection addenda, and flow-down clauses to identify cybersecurity, privacy, and information handling obligations applicable to the company.
• Extract and catalog specific security requirements from contractual language, and translate them into structured, testable statements suitable for traceability and control mapping.
• Compare identified requirements against the company's current product scope, control environment, and certification posture to determine where compliance is already met, partially met, or requires new implementation work.
• Produce gap analyses, compliance matrices, and Requirements Traceability Matrix (RTM) artifacts that clearly communicate the state of compliance for a given contract, program, or system.
• Serve as the security function's primary point of contact for legal and sourcing during contract review, redline cycles, and flow-down negotiation, including review of subcontractor and supplier flow-down language.

Framework Mapping & Interpretation

• Maintain working proficiency across the frameworks relevant to the company's regulatory and contractual posture, including NIST SP 800-171, NIST SP 800-53, NIST CSF, CMMC, ISO 27001, FedRAMP, and applicable European frameworks such as NIS2 and GDPR.
• Map controls across frameworks to minimize duplicated work and enable consistent responses to overlapping requirements; contribute to a shared control inventory used by compliance, security, and program teams.
• Interpret framework language and authoritative guidance (NIST publications, DoD guidance, regulator FAQs) in the context of specific company systems and business scenarios and escalate ambiguity for formal risk decisions when appropriate.

Governance, Policy & ISMS Support

• Contribute to the maintenance of the company's Information Security Management System (ISMS) documentation set, including keeping control descriptions, evidence references, and scope statements accurate and current.
• Support the policy and standard lifecycle, including periodic review cycles, version control, exception governance, and clarification of control owner accountability.
• Produce compliance posture reporting and audit readiness metrics for governance forums and leadership review, including framework coverage, finding aging, and remediation progress.

Deliverable Writing & Artifact Contribution

• Draft and revise compliance deliverables including System Security Plans (SSP), Plans of Action & Milestones (POA&M), policy and standard content, control narratives, customer security questionnaire responses, and audit artifacts.
• Author clear, concise written responses to customer, auditor, and regulator inquiries, calibrated to the technical level of the audience and consistent with approved company positioning.

Risk Assessment & Treatment

• Own the operational risk assessment process and the supporting risk register, including conducting periodic and event-driven risk assessments, documenting current state, identifying deficiencies, and developing risk treatment recommendations.
• Route risk acceptance and exception decisions to the appropriate decision authority with the underlying analysis and documentation prepared for review; track decisions and ensure follow-through on conditions or expirations.
• Track open compliance findings and remediation activities, prepare status updates, and flag aging or high-severity items for escalation.

Third-Party & Supply Chain Risk

• Contribute to vendor and supplier security review activities, including evaluating vendor security questionnaires, reviewing supplier control attestations, and assessing residual risk for inclusion in procurement and program decisions.
• Support assessment of subcontractor and supplier flow-down compliance, including coordinating with sourcing and program management on supplier security obligations and remediation.

Audit & Assessment Support

• Support internal and external audit, assessment, and certification activities, including C3PAO engagements, ISO 27001 surveillance audits, customer assessments, and regulator inquiries.
• Coordinate evidence collection with system owners and control operators; validate that evidence is accurate, complete, and appropriately scoped before submission.
• Participate in assessor and auditor interviews as a subject matter contributor on specific controls and artifacts.

Cross-Functional Collaboration

• Partner with legal and sourcing on contract review, redlines, and flow-down language; with security program management on milestones, schedules, and audit coordination; and with security engineering and IT on evidence, control implementation detail, and remediation planning.
• Serve as a knowledgeable point of contact for internal teams seeking to understand what a given regulatory or contractual requirement means in practice.

What Success Looks Like in Year One

• Established a repeatable contract review intake process with legal and sourcing, including a maintained library of standard cybersecurity flow-down clauses and review turnaround expectations.
• Produced an end-to-end Requirements Traceability Matrix for at least one active federal program, traceable from contract clauses through framework controls to evidence sources.
• Stood up the operational risk register and routine risk reporting cadence, with at least one full assessment cycle completed and risk treatment decisions documented.
• Maintained the ISMS documentation set in audit-ready condition through at least one external assessment or surveillance cycle.

Required Qualifications:

• Five or more years of progressive experience in cybersecurity governance, risk, and compliance; IT audit; or a closely related discipline, with substantial hands-on exposure to framework interpretation and contract requirement analysis.
• Demonstrated working knowledge of NIST SP 800-171 and NIST SP 800-53, including control families, assessment procedures, and common implementation patterns.
• Experience contributing to SSP and POA&M artifacts, compliance matrices, or Requirements Traceability Matrices in a regulated environment.
• Practical experience supporting at least one formal audit, certification, or assessment cycle (for example CMMC, ISO 27001, SOC 2, FedRAMP, or comparable).
• Strong technical writing skills, including the ability to produce accurate, concise, and audience-appropriate compliance documentation. Writing samples may be requested as part of the interview process.
• Demonstrated comfort and interest in reading contractual and regulatory language carefully and translating it into specific, actionable internal requirements. This is a core part of the role, not an occasional task.
• Comfort working across multiple stakeholder groups — legal, sourcing, engineering, IT, security operations, and program management — and adjusting communication style accordingly.
• Bachelor's degree in Information Security, Information Systems, Business, a related field, or equivalent practical experience.

Preferred Qualifications:

• Direct experience with CMMC 2.0 assessment preparation, including familiarity with DFARS 252.204-7012 and 48 CFR Part 204.
• Familiarity with ISO 27001, FedRAMP, SOC 2, NIS2, GDPR data security obligations, or EU dual-use export control regimes.
• Experience handling Controlled Unclassified Information (CUI) in accordance with NARA and DoD requirements.
• Exposure to aerospace, defense, space, or other regulated technology environments.
• Experience reviewing or negotiating cybersecurity flow-down language in customer or supplier contracts.
• Working familiarity with Governance, Risk, and Compliance (GRC) tooling such as ServiceNow GRC, Archer, Hyperproof, Drata, Vanta, or equivalent.
• Industry certifications such as CISA, CRISC, CISSP, CGRC (formerly CAP), ISO 27001 Lead Implementer / Lead Auditor, CMMC Registered Practitioner (RP), or CMMC Certified Professional / Certified Assessor (CCP / CCA).
• Active US security clearance, or eligibility to obtain one.

Spire operates a hybrid work model, and this position will require you to work a minimum of three days per week in the office.

Access to US export-controlled software and/or technology may be required for this role. If needed, Spire will arrange the necessary licenses—this is not something candidates need to have before applying. #LI-DC1

Enterprise Account Executive: Colorado

We are seeking a high-performing Enterprise Account Executive to lead enterprise sales efforts within the Colorado/Rocky Mountain Region(Idaho, Colorado, Utah and Wyoming), targeting large enterprise organizations above 2,000 employees. This is a pivotal role requiring a strong work ethic, relentless drive, and purposeful daily activity to build and maintain a robust pipeline and exceed revenue targets.

The ideal candidate thrives in a fast-paced, high-output environment, demonstrates ownership of their territory, and executes with precision and urgency. This individual will collaborate closely with senior sales leadership, channel partners, and cross-functional teams to drive value-based sales engagements that solve complex IT and security challenges for major customers.

Key Responsibilities

• Develop and execute a comprehensive regional strategy designed to deliver a 4x pipeline relative to quota.
• Operate with a bias for action and a focus on measurable outcomes, holding yourself accountable to activity goals and performance benchmarks.
• Build and nurture strong channel and security/IT vendor partnerships, leveraging their reach and influence to accelerate growth.
• Qualify and advance opportunities using value-based selling methodologies and frameworks such as MEDDPIC, ensuring clear business value alignment with customer needs.
• Maintain high-quality hygiene in Salesforce and Clari, including:
• Consistent and insightful Chatter posts
• Clear, strategic next steps for all active opportunities
• Up-to-date MEDDPIC criteria
• Accurate and timely forecasting with realistic close dates

Minimum Qualifications

• 7+ years of success in a closing role selling to Enterprise accounts, with a proven hunter mentality and consistent quota attainment.
• Experience managing and closing complex, multi-stakeholder sales cycles within large organizations.
• Demonstrated ability to build and execute a regional go-to-market strategy, coordinating effectively with channel partners, tech alliances, BDRs, SEs, Marketing, and Product.
• Strong working knowledge of enterprise IT and security environments, including solutions like endpoint protection, vulnerability management, SIEM, CMDB, Active Directory, firewalls, cloud platforms, and SaaS offerings.

Preferred Qualifications

• Strong negotiation skills with a history of driving value-based deals and minimizing discounting.
• Highly self-motivated and proactive, with the ability to work independently and efficiently in a remote, field-based environment.
• A disciplined operator who understands the importance of CRM hygiene, structured deal execution, and precision in forecasting.
• Demonstrates a strong work ethic, integrity, and a commitment to excellence in every customer interaction.
• Competitive spirit and a deep drive to win, not just against quota, but in delivering transformational outcomes for customers.
• Strategic thinker with resourcefulness and the ability to adapt and thrive in dynamic, fast-evolving conditions.

This is more than a sales job, this is a high-impact role for someone ready to own their business, execute at a high level, and be a key contributor to the company’s growth in a top-tier market.

#LI-SK1 #LI-REMOTE

Dark Wolf is looking for summer interns to join us at our offices in Herndon, VA, Colorado Springs, CO, Omaha, NE or Tampa, FL. Outside of the office, you’ll join a community of interns with access to local networking events, professional development workshops, and the vibrant culture of Dark Wolf, spanning multiple areas. Software Development, Google Cloud Delivery, Data&AI, Cybersecurity and Mission Enablement.

Duration: June 2026 – August 2026

Type: Full-Time Internship (Paid)

Software Delivery and Cloud Internship: 

As an intern in our NoVA technology hub, you will work at the intersection of modern software delivery and emerging intelligence. This role is designed for students who are passionate about building scalable applications, leveraging cloud infrastructure, and implementing data-driven AI solutions. You won't just be shadowing; you will be an active member of an Agile squad contributing to production-level code.

Key Responsibilities

• Software Development: Design, develop, and test features using languages such as Python, Java, or Node.js

• Cloud & Delivery: Assist in deploying applications to cloud environments (AWS, Azure, or GCP) and managing CI/CD pipelines to automate software delivery.

• Data Engineering: Build and optimize data pipelines to ensure high-quality data is available for analysis and model training.

• AI & Machine Learning: Support the integration of Generative AI and LLMs into existing workflows, performing prompt engineering and model fine-tuning.

• Agile Collaboration: Participate in daily stand-ups, sprint planning, and retrospectives to experience the full Software Development Life Cycle (SDLC).

Required Skills & Qualifications

• Current Enrollment: Pursuing a Bachelor’s or Master’s degree in Computer Science, Data Science, Computer Engineering, or a related technical field at the University of Florida.

• Technical Proficiency: Foundational knowledge in at least one major programming language (Python preferred for AI/Data tracks).

• Problem Solving: Strong analytical skills and a "Go Gator" attitude toward tackling complex technical challenges.

• Communication: Ability to clearly communicate technical concepts to both technical and non-technical team members.

Preferred Experience

• Familiarity with containerization tools like Docker or Kubernetes.

• Knowledge of SQL and NoSQL databases.

• Exposure to AI frameworks such as PyTorch, TensorFlow, or LangChain.

• Previous project work involving cloud-native architecture.

Cybersecurity Academy Internship: 

Are you ready to go beyond the textbook ?

The Dark Wolf Cyber Academy (DWCA) internship is an immersive program designed to turn aspiring students into cybersecurity professionals. Unlike standard internships, we challenge you to navigate the complexities of cybersecurity through three critical lenses: Risk Management, Penetration Testing, and Cyber Engineering. This internship is built for people who want to grow fast.

The DWCA Internship is designed to be cyber intensive where you won’t just talk about security—you’ll build it. This program is structured into dedicated 2-3 week blocks where you work alongside professionals and are exposed to real-world tools and frameworks. From breaking into systems to building resilient cloud architectures, you will gain hands-on experience that bridges the gap between theory and implementation. This internship is designed to help you figure out your path—and give you experience to back it up.

Professional Sprints:

• Pentesting & Offensive Security: Adopt an adversarial perspective to identify and exploit critical vulnerabilities.
• Cyber Engineering: Move beyond policy to practical application by learning to architect and secure cloud environments.
• Risk Management & Compliance: Familiarize yourself with the components of authorization packages through hands-on development activities.
• AI Education & Emerging Tech: Explore the cutting edge of security by analyzing the impact of emerging technologies on modern cyber engineering.

Why DWCA?

• Real-World Impact: Work on a simulation that mirrors industry challenges
• Mentorship: Learn directly from professionals who serve as your dedicated day-to-day coaches
• Career Launchpad: Gain the practical, employable skills that prepare you to stand out in a competitive market

Desired Majors

• Cybersecurity
• Information Security
• Computer Science
• Information Technology
• Information Systems

Desired Skillsets

• Willingness to learn and apply knowledge
• Comfortable communicating and collaborating with teammates and leadership
• Strong problem-solving and analytical skills with attention to detail
• Basic understanding of how cybersecurity protects systems and data (threats, risks, and why security matters)

Google Cloud Delivery Internship: 

Help us build and extend our Secure Cloud Landing Zone (SCLZ) codebase which automates the entire process of fielding an authorized cloud solution from cloud org -> app. Our SCLZ allows DoD & National Security customers to scale their missions securely and efficiently using our IL5 and FedRAMP High P-ATO’d landing zone architecture which provides IAM Best Practices, Tenant Isolation, Shared Services, and monitoring through Infrastructure-as-Code (IAC). In this internship you will work across the core SCLZ codebase and build cloud-native solutions running on top of the SCLZ within Google Cloud in support of Defense and National Security mission use cases.

Skillsets: 

Computer Science, Computer Engineering Majors

• Application Development
• Cloud Infrastructure Engineering
• Developing Zero Trust Cloud Native Apps/Solutions on Google Cloud

Cybersecurity

• Cloud GRC
• Cloud Native Policy as Code
• SecOps

We are proud to be an EEO/AA employer Minorities/Women/Veterans/Disabled and other protected categories.

In compliance with federal law, all persons hired will be required to verify identity and eligibility to work in the United States and to complete the required employment eligibility verification form upon hire.

About the Role 

You'll focus on hands-on design and implementation of security related software, to shift security left in our development processes. This includes embedding automated controls such as SBOMs and vulnerability scanning into CI/CD pipelines; maintaining and updating our internal shared libraries and infrastructure for authentication, authorization, and logging; and assisting with monitoring tools for operational services. Where needed, you'll help align systems with NIST 800-171/CMMC requirements, collaborating closely with the Principal Security Engineer, AWS infra team, dev tooling team, chief software engineer, and cybersecurity/GRC group.

You'll work in a lean, impact-focused environment—prioritizing deliverables like secure code and architecture with bureaucracy handled by the TPM/GRC org as much as possible. Occasional engagement in security discussions with government entities may be involved, under the principal security engineer's guidance.

~80-90% hands-on work, with the remainder on collaboration and learning.

Key Responsibilities:

• Implement Security Controls in SDLC: Assist in integrating security automation into pipelines (e.g., GitHub Actions/ArgoCD for SAST/DAST/SCA, SBOM generation, and vulnerability scanning).
• Support Shared Libraries and Infra: Contribute to evolving standard libraries/infra for authn/authz, logging, and other runtime security features, including testing and updates.
• Contribute to CMMC Compliance: Hands-on support for implementing controls (e.g., encryption, secure configurations, monitoring) to meet/exceed CMMC Level 2 requirements in AC, IA, SC, and SI families, building on our ISO 27001 foundation.
• Assist with Reviews and Models: Participate in security architecture reviews, code audits, and threat modeling; help identify and remediate issues like API vulnerabilities or supply chain risks.
• Team Collaboration: Engage in code reviews, pair programming sessions, and tooling development to advance secure practices; provide peer support within the security engineering team.

Required Qualifications:

• Experience: 5+ years in software or security engineering, with at least 3+ years in security-focused roles. Experience with secure cloud systems (AWS), CI/CD security, and compliance efforts (e.g., NIST, CMMC, or FedRAMP).
• Technical Expertise: Proficiency in container security (Docker/Kubernetes), security tools (e.g., Trivy, Snyk, Falco, OPA), and programming languages for tooling (Python, Rust). Understanding of modern attacks and defenses.
• Security Acumen: Knowledge of common threats (e.g., injection, lateral movement), controls (NIST 800-53 mappings), DevSecOps practices, SBOMs, zero-trust principles, and SIEM-integrated logging.
• Interpersonal Skills: Ability to collaborate constructively with internal teams and contribute to external security discussions as needed.

Preferred Skills:

• Familiarity with AWS security services (e.g., GuardDuty, Security Hub, Config) and IaC tools (Terraform).
• Experience with embedded or satellite security (e.g., secure boot, over-the-air updates).
• Contributions to open-source security projects.
• Relevant certifications (e.g., CSSLP, OSCP, GIAC) demonstrating practical expertise.
• Proven ability to work in small, agile teams and learn from senior mentors.

Bonus

• Other: Experience in regulated industries (defense/aerospace); clearance for sensitive data handling.

Spire operates a hybrid work model, and this position will require you to work a minimum of three days per week in the office.

Access to US export-controlled software and/or technology may be required for this role. If needed, Spire will arrange the necessary licenses—this is not something candidates need to have before applying. #LI-DC1

About the Role 

You'll focus on hands-on design and implementation of security related software, to shift security left in our development processes. This includes embedding automated controls such as SBOMs and vulnerability scanning into CI/CD pipelines; maintaining and updating our internal shared libraries and infrastructure for authentication, authorization, and logging; and assisting with monitoring tools for operational services. Where needed, you'll help align systems with NIST 800-171/CMMC requirements, collaborating closely with the Principal Security Engineer, AWS infra team, dev tooling team, chief software engineer, and cybersecurity/GRC group.

You'll work in a lean, impact-focused environment—prioritizing deliverables like secure code and architecture with bureaucracy handled by the TPM/GRC org as much as possible. Occasional engagement in security discussions with government entities may be involved, under the principal security engineer's guidance.

~80-90% hands-on work, with the remainder on collaboration and learning.

Key Responsibilities:

• Implement Security Controls in SDLC: Assist in integrating security automation into pipelines (e.g., GitHub Actions/ArgoCD for SAST/DAST/SCA, SBOM generation, and vulnerability scanning).
• Support Shared Libraries and Infra: Contribute to evolving standard libraries/infra for authn/authz, logging, and other runtime security features, including testing and updates.
• Contribute to CMMC Compliance: Hands-on support for implementing controls (e.g., encryption, secure configurations, monitoring) to meet/exceed CMMC Level 2 requirements in AC, IA, SC, and SI families, building on our ISO 27001 foundation.
• Assist with Reviews and Models: Participate in security architecture reviews, code audits, and threat modeling; help identify and remediate issues like API vulnerabilities or supply chain risks.
• Team Collaboration: Engage in code reviews, pair programming sessions, and tooling development to advance secure practices; provide peer support within the security engineering team.

Required Qualifications:

• Experience: 5+ years in software or security engineering, with at least 3+ years in security-focused roles. Experience with secure cloud systems (AWS), CI/CD security, and compliance efforts (e.g., NIST, CMMC, or FedRAMP).
• Technical Expertise: Proficiency in container security (Docker/Kubernetes), security tools (e.g., Trivy, Snyk, Falco, OPA), and programming languages for tooling (Python, Rust). Understanding of modern attacks and defenses.
• Security Acumen: Knowledge of common threats (e.g., injection, lateral movement), controls (NIST 800-53 mappings), DevSecOps practices, SBOMs, zero-trust principles, and SIEM-integrated logging.
• Interpersonal Skills: Ability to collaborate constructively with internal teams and contribute to external security discussions as needed.

Preferred Skills:

• Familiarity with AWS security services (e.g., GuardDuty, Security Hub, Config) and IaC tools (Terraform).
• Experience with embedded or satellite security (e.g., secure boot, over-the-air updates).
• Contributions to open-source security projects.
• Relevant certifications (e.g., CSSLP, OSCP, GIAC) demonstrating practical expertise.
• Proven ability to work in small, agile teams and learn from senior mentors.

Bonus

• Other: Experience in regulated industries (defense/aerospace); clearance for sensitive data handling.

Spire operates a hybrid work model, and this position will require you to work a minimum of three days per week in the office.

Access to US export-controlled software and/or technology may be required for this role. If needed, Spire will arrange the necessary licenses—this is not something candidates need to have before applying. #LI-DC1