Cursor

GRC Security Engineer, Federal & Public Sector

Cursor, 2 weeks ago
Location

San Francisco

Type

Full Time

Salary

USD 180,000 – 280,000

Level

Senior

Role

Security Engineer

Posted

May 10, 2026


The role

Summary

Cursor seeks a senior GRC Security Engineer to build and lead federal compliance infrastructure for regulated-market expansion. This hands-on role combines compliance-as-code engineering with FedRAMP authorization expertise, requiring direct experience with federal compliance frameworks (FedRAMP, NIST 800-53) and the ability to automate evidence collection and continuous monitoring. You'll partner with security and infrastructure teams to design defensible control implementations and enable Cursor's path to federal government market adoption.

What you'll do

Federal Compliance Strategy Leadership: Evaluate, shape, and execute Cursor's federal and regulated-market compliance strategy, including FedRAMP impact level assessment, international compliance framework alignment, and authorization pathway planning for government sector expansion.
Authorization Technical Execution: Own end-to-end technical delivery for federal authorizations, including control implementation architecture, System Security Plan (SSP) authorship, third-party assessment organization (3PAO) engagement coordination, Plan of Action and Milestones (POA&M) management, and continuous compliance monitoring.
Compliance-as-Code Engineering: Design and implement automated compliance infrastructure including machine-readable evidence collection pipelines, OSCAL artifact generation, continuous control monitoring integration with existing security telemetry, and compliance validation frameworks that eliminate manual screenshot-based compliance processes.
NIST Control Narrative Development: Author defensible, technically accurate control narratives across major NIST SP 800-53 Revision 5 control families, demonstrating control intent understanding and organizational implementation practices for federal assessors and 3PAOs.
International Compliance Expansion: Drive and influence Cursor's international compliance strategy as the company expands into regulated markets outside the federal space, evaluating frameworks like SOC 2, ISO 27001, and regional data protection requirements.
Security Team Enablement: Support broader security engineering and infrastructure teams on compliance-related security enhancements, trust enablement initiatives, and federated compliance engineering practices across product and infrastructure teams.

What we look for

Technical

FedRAMP Authorization Experience: Demonstrated hands-on experience leading or supporting FedRAMP authorizations through completion, either as a Cloud Service Provider (CSP) operator taking services through Authority to Operate (ATO) or as a senior assessor at an accredited 3PAO firm.
NIST SP 800-53 Mastery: Advanced knowledge of the NIST SP 800-53 Revision 5 control framework, with the ability to interpret control intent, map organizational controls to control requirements, and articulate nuanced control implementation approaches for federal compliance contexts.
Programming Proficiency: Production experience writing code in Go, Python, or comparable systems languages, with demonstrated ability to automate compliance workflows and evidence collection that would otherwise require manual processes.
OSCAL Framework Knowledge: Working knowledge of OSCAL (Open Security Controls Assessment Language), including machine-readable compliance artifact generation, consumption of OSCAL-formatted compliance data, and the rationale for standards-based compliance automation.
Federal Cloud Environments: Hands-on experience architecting or operating systems in AWS GovCloud, Azure Government, or Department of Defense Impact Level 4/5 (IL4/5) environments, with an understanding of government-specific cloud compliance and security controls.
Advanced Compliance Frameworks: Working knowledge of FIPS 140-3 (cryptographic module validation), FedRAMP 20x and its Key Security Indicator (KSI) requirements, Cybersecurity Maturity Model Certification (CMMC), and mapping between DoD impact levels and FedRAMP security baselines.

Education

Security Certifications: Relevant security or compliance certifications are highly valued, such as CISSP, CCSK, CCSK-IaaS, or equivalent industry-recognized credentials demonstrating compliance and security engineering expertise.
Computer Science or Related Field: Bachelor's degree in Computer Science, Cybersecurity, Information Security, or a related field, or equivalent practical experience in security engineering and compliance architecture roles.

Experience

Senior GRC Engineering Background: Minimum 5-7 years of progressive experience in governance, risk, and compliance (GRC) engineering, security compliance, or federal compliance engineering roles, with demonstrated technical depth and leadership capabilities.
Multi-Perspective Authorization Experience (bonus): Dual-perspective experience as both an operator (CSP side) who has led multiple organizations through FedRAMP authorization and as a technical assessor/consultant (3PAO side) providing compliance guidance to cloud service providers.
Compliance Automation Leadership: Track record of designing and implementing compliance automation initiatives, compliance-as-code implementations, or GRC tooling solutions that measurably reduced manual compliance effort and improved control monitoring efficiency.
Public Thought Leadership (bonus): Evidence of expertise sharing through public technical writing, conference speaking engagements, or open-source contributions related to GRC engineering, OSCAL tooling, or FedRAMP compliance practices in technology organizations.

Skills

Required skills

FedRAMP Compliance Framework: Expert-level understanding of FedRAMP requirements, authorization process flows (JAB vs. agency-specific), continuous monitoring obligations, and security control baseline selection for cloud service offerings.
NIST 800-53 Control Mapping: Ability to map organizational capabilities to NIST SP 800-53 control families (AC, AU, AT, CA, CM, CP, IA, IR, MA, MP, PE, PL, PS, RA, SA, SC, SI), articulate control implementation rationale, and develop control narratives defensible to federal assessors.
Python or Go Programming: Production-grade programming proficiency enabling the design and implementation of compliance automation scripts, continuous monitoring integrations, and evidence collection pipelines in modern cloud-native environments.
Cloud Security Architecture: Understanding of cloud-native security controls, infrastructure-as-code compliance validation, Identity and Access Management (IAM) control implementation, encryption and key management for regulated workloads, and container/Kubernetes security within federal compliance contexts.
Compliance Documentation: Expert drafting of System Security Plans (SSPs), control implementation descriptions, POA&M documents, and other compliance artifacts required for FedRAMP and federal compliance authorizations.
Security Control Assessment: Experience participating in or leading security control assessments, vulnerability management for compliance, evidence collection for control validation, and continuous monitoring program design and implementation.

Nice to have

OSCAL and Machine-Readable Compliance: Experience generating, consuming, or validating OSCAL-formatted compliance artifacts; understanding of machine-readable compliance standards and the benefits of structured compliance data for automation and continuous monitoring.
AWS GovCloud Operations: Hands-on experience architecting, securing, or operating workloads in AWS GovCloud regions, including FedRAMP-compliant AWS services, GovCloud-specific security controls, and government cloud compliance frameworks.
DoD Impact Level Compliance: Experience with Department of Defense security requirements, including DISA Security Technical Implementation Guides (STIGs), DoD Information Security (INFOSEC), IL4/IL5 system authorization, and DoD Risk Management Framework (RMF) compliance processes.
International Compliance Frameworks: Knowledge of international compliance frameworks, including SOC 2 Type II, ISO 27001/27002, GDPR compliance controls, regional data protection requirements, and cross-border data residency compliance architecture.
Infrastructure-as-Code Compliance: Experience implementing compliance validation in CI/CD pipelines, policy-as-code enforcement (Terraform, CloudFormation validation), compliance scanning automation, and federated compliance monitoring across infrastructure deployments.
CMMC and Supply Chain Security: Understanding of Cybersecurity Maturity Model Certification (CMMC) requirements for Department of Defense contractor compliance, controlled unclassified information (CUI) protections, and supply chain risk management frameworks.
GRC Tool Expertise: Experience with GRC platforms (ServiceNow GRC, Archer, Workiva, Domo), compliance automation tools, continuous monitoring platforms, or custom compliance engineering tooling development.
Security Standards and Cryptography: Working knowledge of FIPS 140-3 cryptographic module validation, Federal Information Processing Standards (FIPS) compliance for algorithms and encryption, and FedRAMP key storage and encryption requirements.

Compensation & benefits

Salary

USD 180,000 – 280,000 (annual)


Built to make you extraordinarily productive, Cursor is the best way to build software with AI.

San Francisco, California, United States. Founded 2021. cursor.com

Tech Stack

Languages: Python, Go, Terraform or CloudFormation, YAML/JSON
Frameworks: NIST SP 800-53 Revision 5, OSCAL (Open Security Controls Assessment Language), FedRAMP Authorization Framework, Risk Management Framework (RMF)
Databases: PostgreSQL or cloud-native databases, time-series databases
Tools: FedRAMP documentation and assessment tools, cloud provider GRC services, Security Information and Event Management (SIEM), CI/CD and DevOps platforms, compliance and GRC platforms
Other: AWS GovCloud, Azure Government Cloud, Kubernetes and container security, Identity and Access Management (IAM), encryption and key management, security and compliance monitoring