GRC Security Engineer, Federal & Public Sector (FedRAMP)

Cursor · San Francisco

Our mission is to automate coding. The first step in our journey is to build the best tool for professional programmers, using a combination of inventive research, design, and engineering. Our organization is very flat, and our team is small and talent dense. We particularly like people who are truth-seeking, passionate, and creative. We enjoy spirited debate, crazy ideas, and shipping code.

About the role

Cursor is opening up to the federal government. We're targeting FedRAMP High and DoD IL5 authorizations to put Cursor in the hands of every federal developer, intelligence analyst, and warfighter who needs the best AI-powered code editor. This role owns that program end-to-end on the GRC side — partnering with our 3PAO, a federal sponsor, our engineering teams re-architecting on AWS GovCloud, and Legal — to take us from kickoff to ATO and into continuous monitoring.

This is not a Word-document role. We treat compliance as code. You'll write Go and Python, ship Terraform changes, generate OSCAL artifacts, and design the evidence collection pipelines that keep us in continuous authorization without dragging engineers into screenshot purgatory. You'll partner with our security engineering team (already running Semgrep, Endor Labs, RunReveal, AWS GuardDuty, Datadog, and a homegrown Bugbot) and extend that telemetry into the GovCloud boundary.

We're in-person with cozy offices in North Beach, San Francisco and Manhattan, New York, complete with well-stocked libraries. SF is preferred for this role since you'll be partnering closely with the GRC and security leadership team in person.

What you’ll do

  • Own Cursor's FedRAMP High authorization end-to-end: SSP authorship, 3PAO engagement (we're working with Coalfire), agency sponsor relationship, SAR/SAP review, POA&M management, and ATO sustainment

  • Drive the FedRAMP boundary architecture and ~25–30 vendor replacements for the GovCloud re-architecture in partnership with Infrastructure

  • Stand up DoD IL5 authorization on top of FedRAMP High once the civilian package is in flight

  • Build the compliance-as-code stack: automated evidence collection, OSCAL-formatted artifacts, machine-readable POA&Ms, continuous control monitoring tied into Datadog/RunReveal/AWS GuardDuty

  • Author and maintain the federal control narratives for SC, AC, IA, CM, RA, SI, and AU families — honestly, in a way that survives 3PAO inspection

  • Partner with Legal and Sales to enable federal pursuits: agency briefings, ATO storytelling, SCRM and supply-chain attestations, FedRAMP Marketplace listing

  • Influence international compliance strategy as we expand: IRAP (Australia), CCCS (Canada), Cyber Essentials Plus / G-Cloud (UK), and intelligence community equivalents

  • Own the FedRAMP 20x readiness story — KSIs, machine-readable evidence, automated continuous monitoring — and represent Cursor in the 20x community

You may be a fit if

  • You've taken at least one cloud service to a FedRAMP Moderate or High ATO, or assessed several as a 3PAO senior assessor

  • You read NIST SP 800-53 Rev. 5 like a developer reads RFCs — you can argue control intent, not just recite it

  • You write code. Go, Python, or comparable. You've automated something in compliance that other people would have done with screenshots

  • You know what OSCAL is, why it matters, and ideally have generated or consumed it in anger

  • You've worked in or alongside AWS GovCloud, Azure Government, or DoD IL4/5 environments

  • You have working knowledge of FIPS 140-3, FedRAMP 20x / KSIs, CMMC, and how DoD IL levels map onto FedRAMP baselines

  • You are truth-seeking — you would rather write an honest "Partially Implemented" with a credible POA&M than a clever "Implemented" that won't survive testing

  • Bonus: prior 3PAO assessor experience, OSCAL tooling contributions, public writing or speaking on GRC engineering, CISSP / CCSP / CCSK / AWS Security Specialty
