
Confidential

San Francisco

GRC Security Engineer, Federal & Public Sector

On-site · Mid-level · Full-time

Posted 10 May 2026

External listing

This vacancy comes from an external source. The description may be abbreviated and some details (salary, skills) may not be available. Register as a candidate to receive the full information.

Job description

<p style="min-height:1.5em">Our mission is to automate coding. The first step in our journey is to build the best tool for professional programmers, using a combination of inventive research, design, and engineering. Our organization is very flat, and our team is small and talent dense. We particularly like people who are truth-seeking, passionate, and creative. We enjoy spirited debate, crazy ideas, and shipping code.</p>
<p style="min-height:1.5em"><strong>About the role</strong></p>
<p style="min-height:1.5em">Cursor is investing in serving federal and other regulated-market customers, and we're building the GRC foundation to get there. Federal compliance — FedRAMP and adjacent authorizations — is a key path, and we're looking for a senior GRC engineer to lead the technical execution.</p>
<p style="min-height:1.5em">This is a hands-on GRC engineering role. We treat compliance as code. You'll write code, ship infrastructure changes, generate machine-readable artifacts, and design evidence collection pipelines that keep compliance honest without dragging engineers into screenshot purgatory. You'll partner closely with our security engineering, infrastructure, and legal teams.</p>
<p style="min-height:1.5em">We're in-person with cozy offices in North Beach, San Francisco and Manhattan, New York, complete with well-stocked libraries. SF is preferred for this role since you'll be partnering closely with the GRC and security leadership team in person.</p>
<p style="min-height:1.5em"><strong>What you'll do</strong></p>
<ul style="min-height:1.5em">
<li><p style="min-height:1.5em">Help us evaluate and shape our federal and regulated-market compliance strategy — FedRAMP, impact levels, and international equivalents — and lead the technical execution</p></li>
<li><p style="min-height:1.5em">Own the technical heavy lifting on any authorization we pursue: control implementation, SSP authorship, 3PAO engagement, POA&amp;M management, and continuous monitoring</p></li>
<li><p style="min-height:1.5em">Build compliance-as-code: automated evidence collection, machine-readable artifacts, and continuous control monitoring tied into our existing security telemetry</p></li>
<li><p style="min-height:1.5em">Author honest, defensible control narratives across the major NIST 800-53 families</p></li>
<li><p style="min-height:1.5em">Influence and drive international compliance strategy as we expand</p></li>
<li><p style="min-height:1.5em">Support the broader security team on security and trust enablement as needed</p></li>
</ul>
<p style="min-height:1.5em"><strong>You may be a fit if</strong></p>
<ul style="min-height:1.5em">
<li><p style="min-height:1.5em">You have direct, hands-on experience with FedRAMP authorization — as a CSP team member who took a service through ATO, or as a senior assessor at a 3PAO</p></li>
<li><p style="min-height:1.5em">You read NIST SP 800-53 Rev. 5 like a developer reads RFCs — you can argue control intent, not just recite it</p></li>
<li><p style="min-height:1.5em">You write code (Go, Python, or comparable) and have automated something in compliance that other people would have done with screenshots</p></li>
<li><p style="min-height:1.5em">You know what OSCAL is, why it matters, and ideally have generated or consumed it in production</p></li>
<li><p style="min-height:1.5em">You've worked in or alongside AWS GovCloud, Azure Government, or DoD IL4/5 environments</p></li>
<li><p style="min-height:1.5em">You have working knowledge of FIPS 140-3, FedRAMP 20x / KSIs, CMMC, and how DoD impact levels map onto FedRAMP baselines</p></li>
<li><p style="min-height:1.5em">Bonus: dual-perspective experience — you've been an operator who has taken organizations through FedRAMP authorization multiple times <em>and</em> spent time on the 3PAO assessor side. OSCAL tooling or GRC engineering tooling contributions and public writing or speaking on GRC engineering are also a plus</p></li>
</ul>
<p style="min-height:1.5em">#LI-DNI</p>