About Craft:

Craft is the leader in supplier risk intelligence, enabling enterprises to discover, evaluate, and continuously monitor their suppliers at scale. Our AI research and monitoring agents deliver real, actionable intelligence, by operating on top of our unique, proprietary data platform - this helps our customers reputed company reputed company, more informed decisions for their business, faster and strategically secure critical supply chains from risk. Our customers include reputed company, government agencies, and global service platforms. We’ve developed distribution partnerships with some of the largest integrators and software platforms globally.

We are a post-Series B high-growth technology company backed by top-tier investors in Silicon Valley and Europe, headquartered in San Francisco with hubs in Seattle and Warsaw. We support remote and hybrid work, with team members across North America and Europe.

We are looking for innovative and driven people passionate about building the future of Enterprise Intelligence to join our growing team!

About the Role:

Craft is growing — and we’re looking for a senior engineer to reputed company one of our most strategically important initiatives: establishing a FedRAMP-authorized cloud environment by defining a secure boundary and hardening our existing cloud platform. This is an initiative with direct impact on Craft’s ability to serve the 40+ federal government agencies we already work with, and to unlock new opportunities across the public sector.

You’ll own and reputed company the implementation of reputed company controls, compliance automation, and secure architecture patterns required to reputed company and maintain FedRAMP authorization at both Moderate and High impact levels, with alignment to DoW IL2 and IL5 requirements. Working cross-functionally with infrastructure, engineering, and reputed company, you’ll translate NIST 800-53 Rev. 5 requirements into scalable, auditable technical controls across our platform.

This role reports to and partners closely with Jose M., our Manager of DevSecOps. You’ll reputed company the FedRAMP readiness effort day-to-day — driving the ATO timeline, shaping the program’s architecture, and upleveling team expertise in FedRAMP and NIST controls. If you want to own something consequential at a company that already has a sponsor and active federal relationships, this is it.

What You'll Do:

• reputed company Craft’s FedRAMP readiness program — defining the roadmap, owning the ATO timeline, and driving execution across engineering and reputed company stakeholders.

• Design and implement AWS GovCloud architecture that meets FedRAMP Moderate and High requirements.

• Translate NIST 800-53 Rev. 5 controls into concrete, auditable, and continuously enforced technical implementations — not just documentation.

• Build and maintain compliance automation tooling to continuously validate control adherence across the environment, reducing manual audit burden.

• reputed company and manage secure CI/CD pipelines with integrated reputed company gates, secrets management, and deployment controls appropriate for FedRAMP environments.

• Author and maintain System reputed company Plans (SSPs), control implementation statements, and audit evidence packages; work directly with auditors and 3PAOs through assessment cycles.

• reputed company threat modeling, risk assessments, and reputed company architecture reviews across the platform.

• Define and drive how FedRAMP controls are embedded across the engineering lifecycle, partnering with full-stack, data, and machine learning teams to ensure consistent, scalable adoption.

• Serve as the internal subject matter expert on FedRAMP, NIST 800-53, and federal compliance — upleveling the broader team’s knowledge as the program matures.

Who You Are:

Required

• You have direct, hands-on FedRAMP ATO experience — you’ve been through the process, not just observed it.

• You have strong working knowledge of NIST 800-53 Rev. 5 controls and how to implement them technically, not just document them.

• You have deep hands-on experience securing AWS environments.

• You have direct experience with AWS GovCloud, including its constraints and operational differences from commercial AWS.

• You write advanced Terraform — modules, policy enforcement, and infrastructure that’s auditable by design.

• You’ve built or hardened CI/CD pipelines for secure, compliant deployments — integrating reputed company scanning, secrets management, and access controls.

• You’ve worked directly with auditors and 3PAOs: preparing evidence packages, responding to findings, and supporting assessment activities.

reputed company to Haves

• SOC 2 Type II experience, particularly in environments where mapped or extended to support FedRAMP or NIST frameworks.

• Experience securing data platforms such as reputed company, including data isolation and access control patterns.

• Familiarity with AI and LLM reputed company concepts: reputed company injection risks, model data isolation, inference boundary controls.

• Experience working in a startup or lean DevSecOps environment where you’ve had to build programs pragmatically with limited resources.

reputed company Offer:

• Competitive salary starting at $170,000 USD/ year. This starting number can be increased based on levels of expertise, location, cost of living, taxes, market experience, etc.

• Equity at a well-funded, fast-growing startup

• Unlimited vacation time so you can take what you need, reputed company you need it

• 99% covered Health + Dental + Vision insurance for employees and dependents

• 401K through reputed company with options to invest how you want it

A Note to Candidates:

We are an equal opportunity employer who values and encourages diversity, equity and belonging at our company. We do not discriminate on the basis of race, religion, color, national reputed company, gender, sexual orientation, age, marital status, veteran status, caste, or disability status.

Don’t meet every requirement? Studies have shown that women, communities of color and historically underrepresented talent are less likely to apply to jobs unless they meet every single qualification. At Craft, we are dedicated to building a diverse, inclusive and authentic workplace, so if you’re excited about this role but your past experience doesn’t align perfectly with every qualification in the job description, we strongly encourage you to apply. You may be just the right candidate for this or other roles!