Job Details

Company Overview

ID.me is the next-generation digital identity wallet that simplifies how individuals securely prove their identity online. Consumers can verify their identity with ID.me once and seamlessly login across websites without having to create a new login and verify their identity again. Over 152 million users experience streamlined login and identity verification with ID.me at 20 federal agencies, 45 state government agencies, and 70+ healthcare organizations. More than 600+ consumer brands use ID.me to verify communities and user segments to honor service and build more authentic relationships. ID.mes technology meets the federal standards for consumer authentication set by the Commerce Department and is approved as a NIST 800-63-3 IAL2 / AAL2 credential service provider by the Kantara Initiative. ID.me is committed to No Identity Left Behind to enable all people to have a secure digital identity. To learn more, visit

Role Overview

ID.me is seeking a Staff GRC Engineer to lead the technical infrastructure build, management, and tooling supporting Governance, Risk, and Compliance operations. This individual will design, build, and maintain automation and tooling that streamline control testing, continuous monitoring, evidence collection, and compliance reporting.

As a Staff GRC Engineer, youll turn governance and compliance into systems: codified controls, automated evidence, and opinionated guardrails that keep pace with rapid feature development and refactoring. Youll partner tightly with Security Engineering, Product/AppSec, Privacy, IT, and ERM to prevent compliance drift and make the secure path the paved path. As the technical owner of the GRC platform, the Senior GRC Engineer will architect data relationships, automate control workflows, and integrate evidence sources from security tools. Your north star is reduced manual effort, lower the cost and burden of compliance, and improve audit readiness through technical innovation.

This is a fully onsite position in one of our hub locations (Mountain View CA or McLean VA).

Key Responsibilities

• Compliance-as-code & guardrails
• Translate NIST 800-53r5 (FedRAMP Moderate), ISO/IEC 27001:2022, and SOC 2 controls into testable checks (e.g., OPA/Rego, Conftest, Checkov, InSpec) integrated with CI/CD and infrastructure-as-code (Terraform, Helm).
• Build pre-release gates tied to control impact (e.g., boundary changes, data flows, authz patterns) and publish green paths via reusable modules and reference architectures.
• Automation & evidence
• Engineer integrations (Python/TypeScript, APIs, webhooks) to continuously collect evidence from GCP/GKE, AWS/K8s, GitHub, Jira, Okta, endpoint/EDR, vuln scanners, and code scanning tools.
• Maintain a single source of truth for the control catalog, mappings, and tests; drive KCI/KRI dashboards and near-real-time conformance reporting.
• FedRAMP operations
• Support ConMon operations (scan results, inventory, change logs), POA&M lifecycle, and programmatic SSP updates (OSCAL/OpenControl where possible) so authorization posture keeps pace with releases.
• Coordinate with 3PAO/assessors and support artifacts for audits (SOC 2 Type II, ISO surveillance).
• Design-stage coverage
• Embed lightweight threat modeling and control checkpoints in early design (intake forms, templates, design reviews); track exceptions and time-boxed compensating controls.
• Support code and data management for FAIR-informed risk analysis and treatment plans.
• Partner with TPRM control automation and system interoperability.

Basic Qualifications

• 5+ years of experience in Security Engineering, DevOps, GRC Engineering, or Security Automation.
• Practical experience automating controls/evidence and familiarity with programmatic evidence lifecycle management, system-of-record validation, and compliance data architecture.
• Scripting/engineering proficiency (Python or TypeScript), REST APIs, JSON/YAML, Git, and basic SQL.
• Working knowledge of NIST 800-53r5, ISO 27001, and SOC 2; you can map controls across frameworks and test them.
• Strong documentation skills and stakeholder communication across Security, Product, and Compliance.
• Demonstrated ability to translate compliance requirements into logical rules, controls, and technical implementation plans.
• Experience integrating tools such as CrowdStrike, Tenable, Splunk, Nessus, Jira, or AWS Config into automated evidence collection pipelines.

Preferred Qualifications

• Experience with major compliance frameworks such as NIST 800-53, FedRAMP, ISO 27001, SOC 2, or HIPAA.
• Experience designing conditional logic for control outcomes, audit workflow triggers, or continuous control monitoring.
• Experience with CI/CD workflows or Infrastructure-as-Code tools (e.g., Terraform, Jenkins) as part of compliance automation.
• Ability to visualize and communicate compliance insights through dashboards, reports, and metrics.
• Understanding of control inheritance, POA&M management, and risk acceptance workflows in regulated environments.

Equal Employment Opportunity & Privacy

ID.me maintains a work environment free from discrimination, where employees are treated with dignity and respect. All ID.me employees share in the responsibility for fulfilling our commitment to equal employment opportunity. ID.me does not discriminate against any employee or applicant on the basis of age, ancestry, color, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. ID.me adheres to these principles in all aspects of employment, including recruitment, hiring, training, compensation, promotion, benefits, social and recreational programs, and discipline. In addition, ID.me's policy is to provide reasonable accommodation to qualified employees who have protected disabilities to the extent required by applicable laws, regulations and ordinances where a particular employee works. Upon request we will provide you with more information about such accommodations.

Please review our Privacy Policy, including our CCPA policy, at id.me/privacy. If you provide ID.me with any personally identifiable information you confirm that you have read and agree to be bound by the terms and conditions set out in our Privacy Policy.

ID.me participates in E-Verify.