Third-Party Risk Management (TPRM) Analyst
Job Description
- Experience working in or supporting defense or government contracting environments.
- Familiarity with SCRM (supply chain risk management) principles and continuous monitoring practices.
- Experience with vendor lifecycle management and related legal and contract management processes.
- Prior experience supporting vendor risk program audits or readiness reviews.
- Understanding of export compliance and U.S. Person verification requirements under ITAR/EAR.
- Relevant professional certification(s) such as CTPRP, CRVPM, CTPRA, C3PRMP, CRISC, or CCP.
- Conduct inherent and residual risk assessments of third parties.
- Perform due diligence reviews, including security and compliance questionnaires.
- Partner with Business Units, Procurement, Legal, Information Security, and Compliance for onboarding and risk evaluation.
- Support continuous monitoring activities, including periodic risk assessments.
- Monitor and analyze third-party performance, incidents, and risk indicators.
- Collaborate with cross-functional teams to ensure adherence to defense-specific standards.
- Support the design and enhancement of TPRM workflows.
- Assist in developing and maintaining the third-party inventory.
- Create and maintain executive dashboards and risk reports.
- Assist in regulatory, customer, and internal audits.
- Bachelor’s degree in business administration, risk management, information security, cybersecurity, or related discipline (or equivalent work experience).
- 3–5 years of hands-on experience in third-party risk management, supply chain risk management (SCRM), cybersecurity governance, or compliance.
- Working knowledge of defense and federal regulatory frameworks, including NIST SP 800-171, DFARS 252.204-7012, CMMC Levels 1–2, ITAR/EAR, ISO 27001, and SOC 2.
- Demonstrated experience performing vendor risk assessments, evaluating due diligence evidence, documenting findings, and tracking remediation through closure.
- Solid understanding of information security principles, data protection requirements, and control frameworks relevant to defense supply chains.
- Proven project management and coordination skills.
- Strong written and verbal communication skills.
- Proficient in Microsoft 365, Excel-based risk scoring models, and GRC/TPRM platforms (e.g., ServiceNow, Archer, ProcessUnity, OneTrust).
- Strong analytical and critical-thinking skills.
- Excellent interpersonal and communication skills.
- High attention to detail with strong organizational and time-management abilities.
- Proven ability to prioritize tasks and manage competing deadlines.
- Strong sense of ethics, confidentiality, and commitment to national security compliance.
- Comprehensive health insurance plans (Saronic pays 100% of the premium for employees and 80% for dependents)
- Coverage for routine dental check-ups, orthodontics, and vision care (Saronic pays 99% of the premium for employees and 80% for dependents)
- Generous PTO and Holidays
- Paid maternity and paternity leave
- Industry-standard salaries with opportunities for performance-based bonuses
- 401(k) plan
- Equity options to give employees a stake in the company’s success
- Basic life insurance and short- and long-term disability coverage
- Free lunch benefit
- Unlimited free drinks and snacks in the office
Saronic Technologies is a leader in revolutionizing defense autonomy at sea, dedicated to developing state-of-the-art solutions that enhance maritime operations for the Department of Defense (DoD) through autonomous and intelligent platforms.
We are seeking a Third-Party Risk Management Analyst to join our Governance, Risk, and Compliance (GRC) team supporting a defense and aerospace organization. In this role, you will be responsible for evaluating, managing, and mitigating risks associated with third-party vendors, suppliers, and service providers. You will work closely with the Business Units, Procurement, Security, Legal, IT, Supply Chain, and Compliance teams to ensure our third parties comply with NIST SP 800-171, DFARS 252.204-7012, CMMC, and ITAR/EAR obligations and meet contractual requirements.
This position is ideal for a professional with 3–5 years of experience in third-party risk management, vendor due diligence, or related cybersecurity compliance functions who thrives in a dynamic, mission-driven environment. This role contributes directly to safeguarding sensitive defense data, maintaining compliance across the third-party ecosystem, and strengthening supply chain resilience.
Responsibilities
- Conduct inherent and residual risk assessments of third parties based on data classification, service criticality, geographic exposure, and regulatory obligations.
- Perform due diligence reviews, including security and compliance questionnaires, evidence validation, and documentation of control effectiveness.
- Partner with Business Units, Procurement, Legal, Information Security, and Compliance to ensure timely onboarding, risk evaluation, and remediation tracking to closure and follow-up validation.
- Support continuous monitoring activities, including periodic risk assessments, sanctions screening, and adverse-media reviews across the vendor lifecycle.
- Monitor and analyze third-party performance, incidents, and risk indicators to identify emerging risk and trends.
- Collaborate with cross-functional teams to ensure adherence to defense-specific standards and regulatory frameworks (e.g., NIST SP 800-171, DFARS, CMMC, ITAR).
- Support the design and enhancement of TPRM workflows, including process automation and data-driven risk analytics.
- Assist in developing and maintaining the third-party inventory, ensuring all vendor profiles, tier classifications, and risk ratings are accurately captured, continuously updated, and aligned with program governance requirements.
- Create and maintain executive dashboards and risk reports summarizing vendor posture, risk trends, and remediation progress for leadership.
- Assist in regulatory, customer, and internal audits, ensuring third-party documentation and evidence meet defense-sector and compliance requirements.
Required Qualifications
- Bachelor’s degree in business administration, risk management, information security, cybersecurity, or related discipline (or equivalent work experience).
- 3–5 years of hands-on experience in third-party risk management, supply chain risk management (SCRM), cybersecurity governance, or compliance.
- Working knowledge of defense and federal regulatory frameworks, including NIST SP 800-171, DFARS 252.204-7012, CMMC Levels 1–2, ITAR/EAR, ISO 27001, and SOC 2.
- Demonstrated experience performing vendor risk assessments, evaluating due diligence evidence, documenting findings, and tracking remediation through closure.
- Solid understanding of information security principles, data protection requirements, and control frameworks relevant to defense supply chains.
- Proven project management and coordination skills, with the ability to manage multiple concurrent assessments in a deadline-driven environment.
- Strong written and verbal communication skills, including the ability to translate technical risks into business-level insights and recommendations for leadership.
- Proficient in Microsoft 365, Excel-based risk scoring models, and GRC/TPRM platforms (e.g., ServiceNow, Archer, ProcessUnity, OneTrust).
- Strong analytical and critical-thinking skills, with the ability to identify and assess emerging risks proactively.
- Excellent interpersonal and communication skills, with the ability to collaborate effectively across business units, technical teams, and leadership levels.
- High attention to detail with strong organizational and time-management abilities.
- Proven ability to prioritize tasks and manage competing deadlines in a fast-paced, mission-critical environment.
- Strong sense of ethics, confidentiality, and commitment to national security compliance.
Preferred Qualifications
- Experience working in or supporting defense or government contracting environments.
- Familiarity with SCRM (supply chain risk management) principles and continuous monitoring practices.
- Experience with vendor lifecycle management and related legal and contract management processes.
- Prior experience supporting vendor risk program audits or readiness reviews.
- Understanding of export compliance and U.S. Person verification requirements under ITAR/EAR.
- Relevant professional certification(s) such as CTPRP (Certified Third-Party Risk Professional), CRVPM, CTPRA (Certified Third-Party Risk Assessor ), C3PRMP (Certified Third-Party Risk Management Professional), CRISC (Certified in Risk and Information Systems Control), or CCP (CMMC Certified Professional).
Benefits:
Medical Insurance: Comprehensive health insurance plans covering a range of services
Saronic pays 100% of the premium for employees and 80% for dependents
Dental and Vision Insurance: Coverage for routine dental check-ups, orthodontics, and vision care
Saronic pays 99% of the premium for employees and 80% for dependents
Time Off: Generous PTO and Holidays
Parental Leave: Paid maternity and paternity leave to support new parents
Competitive Salary: Industry-standard salaries with opportunities for performance-based bonuses
Retirement Plan: 401(k) plan
Stock Options: Equity options to give employees a stake in the company’s success
Life and Disability Insurance: Basic life insurance and short- and long-term disability coverage
Additional Perks: Free lunch benefit and unlimited free drinks and snacks in the office
This role requires access to export-controlled information or items that require “U.S. Person” status. As defined by U.S. law, individuals who are any one of the following are considered to be a “U.S. Person”: (1) U.S. citizens, (2) legal permanent residents (a.k.a. green card holders), and (3) certain protected classes of asylees and refugees, as defined in 8 U.S.C. 1324b(a)(3)._
Saronic does not discriminate on the basis of race, sex, color, religion, age, national origin, marital status, disability, veteran status, genetic information, sexual orientation, gender identity or any other reason prohibited by law in provision of employment opportunities and benefits.
