Grc Security Engineer, Federal & Public Sector

at Cursor · Coding AI · San Francisco, CA · Engineering

This role focuses on building the GRC (Governance, Risk, and Compliance) foundation for a company automating coding, specifically targeting federal and regulated markets. The engineer will lead technical execution for compliance, treating it as code by writing code, shipping infrastructure, generating machine-readable artifacts, and designing evidence collection pipelines. Key responsibilities include shaping compliance strategy, owning authorization processes (FedRAMP, SSP authorship, 3PAO engagement), building automated evidence collection, and authoring control narratives. Experience with FedRAMP, NIST 800-53, and automation in compliance is required.

What you'd actually do

  1. Help us evaluate and shape our federal and regulated-market compliance strategy — FedRAMP, impact levels, and international equivalents — and lead the technical execution
  2. Own the technical heavy lifting on any authorization we pursue: control implementation, SSP authorship, 3PAO engagement, POA&M management, and continuous monitoring
  3. Build compliance-as-code: automated evidence collection, machine-readable artifacts, and continuous control monitoring tied into our existing security telemetry
  4. Author honest, defensible control narratives across the major NIST 800-53 families
  5. Influence and drive international compliance strategy as we expand

Skills

Required

  • Direct, hands-on experience with FedRAMP authorization
  • Experience with NIST SP 800-53 Rev. 5
  • Proficiency in coding (Go, Python, or comparable)
  • Experience automating compliance tasks
  • Knowledge of OSCAL
  • Experience in AWS GovCloud, Azure Government, or DoD IL4/5 environments
  • Working knowledge of FIPS 140-3, FedRAMP 20x / KSIs, CMMC

Nice to have

  • Dual-perspective experience (operator and assessor)
  • Contributions to OSCAL tooling or GRC engineering tooling
  • Public writing or speaking on GRC engineering

What the JD emphasized

  • FedRAMP
  • compliance-as-code
  • automated evidence collection
  • machine-readable artifacts
  • continuous monitoring
  • NIST 800-53
  • OSCAL
Read full job description

Our mission is to automate coding. The first step in our journey is to build the best tool for professional programmers, using a combination of inventive research, design, and engineering. Our organization is very flat, and our team is small and talent dense. We particularly like people who are truth-seeking, passionate, and creative. We enjoy spirited debate, crazy ideas, and shipping code.

About the role

Cursor is investing in serving federal and other regulated-market customers, and we're building the GRC foundation to get there. Federal compliance — FedRAMP and adjacent authorizations — is a key path, and we're looking for a senior GRC engineer to lead the technical execution.

This is a hands-on GRC engineering role. We treat compliance as code. You'll write code, ship infrastructure changes, generate machine-readable artifacts, and design evidence collection pipelines that keep compliance honest without dragging engineers into screenshot purgatory. You'll partner closely with our security engineering, infrastructure, and legal teams.

We're in-person with cozy offices in North Beach, San Francisco and Manhattan, New York, complete with well-stocked libraries. SF is preferred for this role since you'll be partnering closely with the GRC and security leadership team in person.

What you'll do

  • Help us evaluate and shape our federal and regulated-market compliance strategy — FedRAMP, impact levels, and international equivalents — and lead the technical execution
  • Own the technical heavy lifting on any authorization we pursue: control implementation, SSP authorship, 3PAO engagement, POA&M management, and continuous monitoring
  • Build compliance-as-code: automated evidence collection, machine-readable artifacts, and continuous control monitoring tied into our existing security telemetry
  • Author honest, defensible control narratives across the major NIST 800-53 families
  • Influence and drive international compliance strategy as we expand
  • Support the broader security team on security and trust enablement as needed

You may be a fit if

  • You have direct, hands-on experience with FedRAMP authorization — as a CSP team member who took a service through ATO, or as a senior assessor at a 3PAO
  • You read NIST SP 800-53 Rev. 5 like a developer reads RFCs — you can argue control intent, not just recite it
  • You write code (Go, Python, or comparable) and have automated something in compliance that other people would have done with screenshots
  • You know what OSCAL is, why it matters, and ideally have generated or consumed it in production
  • You've worked in or alongside AWS GovCloud, Azure Government, or DoD IL4/5 environments
  • You have working knowledge of FIPS 140-3, FedRAMP 20x / KSIs, CMMC, and how DoD impact levels map onto FedRAMP baselines
  • Bonus: dual-perspective experience — you've been an operator who has taken organizations through FedRAMP authorization multiple times and spent time on the 3PAO assessor side. OSCAL tooling or GRC engineering tooling contributions and public writing or speaking on GRC engineering are also a plus

#LI-DNI