Third Party Risk Manager

Archer is an aerospace company based in San Jose, California building an all-electric vertical takeoff and landing aircraft with a mission to advance the benefits of sustainable air mobility. We are designing, manufacturing, and operating an all-electric aircraft that can carry four passengers while producing minimal noise. Our sights are set high and our problems are hard, and we believe that diversity in the workplace is what makes us smarter, drives better insights, and will ultimately lift us all to success. We are dedicated to cultivating an equitable and inclusive environment that embraces our differences, and supports and celebrates all of our team members. Archer is an aerospace company based in San Jose, California building an all-electric vertical takeoff and landing aircraft with a mission to advance the benefits of sustainable air mobility. We are designing, manufacturing, and operating an all-electric aircraft that can carry four passengers while producing minimal noise. Our sights are set high and our problems are hard, and we believe that diversity in the workplace is what makes us smarter, drives better insights, and will ultimately lift us all to success. We are dedicated to cultivating an equitable and inclusive environment that embraces our differences, and supports and celebrates all of our team members. Job Overview Archer is building the future of urban air mobility. Our supply chain spans hundreds of vendors — from avionics hardware suppliers to cloud infrastructure providers — and a compromise anywhere in that ecosystem could impact aircraft certification, delay FAA approvals, or expose sensitive information. You are key to effective enforcement of our extended enterprise third-party risk posture. Archer is seeking a Senior Third Party Risk Management (TPRM) Engineer to execute our vendor cyber risk function across all tiers of our supplier ecosystem. In this high-visibility role, you will use platforms like BitSight to continuously monitor, investigate, triage, and action security risks introduced by third-party partners and their downstream (4th-party) suppliers. You will serve as the connective tissue between Security, Sourcing, Legal, and executive leadership — translating third party risk indicators into actionable threat intelligence and coordinated response actions while ensuring strict compliance with NIST SP 800-171, CMMC Level 2, and SOX ITGC requirements. This role requires both hands-on technical depth and program-building acumen. You will support and execute Archer's TPRM function from the ground up, develop risk-tiered due diligence processes, and ensure vendor security posture remains aligned with our CMMC Level 2, NIST SP 800-161, and DFARS obligations as we grow our defense programs. Key Responsibilities ● Operate BitSight and complementary EASM/continuous monitoring platforms as the primary lens into Archer's third-party attack surface. Maintain a tiered vendor inventory, configure portfolio monitoring, tune alert thresholds, and ensure new vendors are onboarded into the program at contract execution. ● Conduct deep-dive investigations into vendor risk signals — including unpatched CVEs, exposed services, credential leaks, certificate anomalies, business deterioration, and dark web indicators. Correlate external ratings data with internal telemetry to assess true business exposure and eliminate false positives before escalation. ● Extend visibility beyond direct vendors to identify and monitor critical 4th-party sub-processor dependencies. Map supply chain concentration risks, single points of failure, and foreign ownership or influence (FOCI) concerns for vendors supporting defense programs or handling CUI. ● Drive risk closure by issuing formal findings, coordinating with internal vendor relationship owners, and tracking remediation commitments through resolution. Engage procurement and legal channels when vendors are non-responsive or remediation timelines are unacceptable. ● Produce crisp, executive-quality risk briefings, board-level metrics, and ad-hoc deep-dives for the CISO, General Counsel, and program security leads. Escalate critical or rapidly-deteriorating vendor risk findings in near-real-time with clear business impact statements and recommended courses of action. ● Design and administer risk-tiered security questionnaires for new and renewing vendors. Evaluate responses, validate claims against external signals, execute integrated due diligence checkpoints in Archer's procurement workflow. ● Influence, develop and maintain TPRM policies, standards, and procedures aligned to NIST SP 800-161 (C-SCRM), CMMC Level 2 SR practices, and ISO 27036. Provide transparency to external audits and government assessments by maintaining organized evidence of vendor risk controls and remediation activity. ● Serve as the TPRM lead during vendor-related security incidents — coordinating with Archer's internal IR team, managing vendor communications under legal hold protocols, and driving root cause analysis and contractual remedies following a third-party breach. Required Qualifications ● 7+ years in cybersecurity with at least 3 years of dedicated third-party or supply chain risk management experience ● Demonstrated hands-on proficiency with BitSight or an equivalent continuous monitoring platform — including alert tuning, portfolio management, vendor engagement workflows, and peer benchmarking ● Deep working knowledge of NIST SP 800-161 (C-SCRM), NIST CSF, CMMC Level 2 SR and CA practices, and ISO 27036 as they apply to vendor security governance ● Experience conducting structured vendor security due diligence across SaaS, cloud infrastructure, hardware manufacturers, and professional services suppliers ● Proven ability to investigate and triage cyber risk findings at scale — correlating external signals with business context to produce prioritized, actionable intelligence for both technical and non-technical stakeholders ● Familiarity with 4th-party risk mapping, sub-processor disclosure reviews, and supply chain concentration risk analysis ● Excellent written and verbal communication skills — able to translate complex vendor risk findings into executive-ready briefings, board-level dashboards, and actionable ● Eligibility to obtain a DoD Secret security clearance Preferred Qualifications ● Certifications: CTPRP (Prevalent), CRISC, CISSP, CISM, or equivalent risk management credentials

• Active DoD Secret or Top Secret/SCI clearance
• Familiarity with ITAR/EAR data sharing constraints and their implications for

vendor contracting and CUI handling

• Exposure to FOCI (Foreign Ownership, Control, or Influence) assessments
• Experience integrating TPRM tooling with GRC platforms or building risk

workflow automation (e.g., auto-routing findings, SLA tracking, contract clause triggers) ● Prior startup or high-growth company experience — comfort operating with limited bureaucracy and building programs that scale with business growth Please note that this job description is intended to provide a general overview of the position and does not include an exhaustive list of responsibilities and qualifications At Archer we aim to attract, retain, and motivate talent that possess the skills and leadership necessary to grow our business. We drive a pay-for-performance culture and reward performance that supports the Company’s business strategy. For this position we are targeting a base pay between $207,400 - $259,200. Actual compensation offered will be determined by factors such as job-related knowledge, skills, and experience. ARCHER IS PROUD TO BE AN EQUAL OPPORTUNITY EMPLOYER COMMITTED TO DIVERSITY AND INCLUSIVITY IN THE WORKPLACE. ALL ASPECTS OF EMPLOYMENT ARE DECIDED ON THE BASIS OF MERIT, QUALIFICATIONS, AND BUSINESS NEEDS. WE DO NOT DISCRIMINATE BASED UPON RACE, COLOR, RELIGION, SEX, SEXUAL ORIENTATION, AGE, NATIONAL ORIGIN, DISABILITY STATUS, PROTECTED VETERAN STATUS, GENDER IDENTITY OR ANY OTHER CHARACTERISTIC

PROTECTED BY FEDERAL, STATE OR LOCAL LAWS.

ARCHER IS COMMITTED TO WORKING WITH AND PROVIDING REASONABLE ACCOMMODATIONS TO JOB APPLICANTS WITH PHYSICAL OR MENTAL DISABILITIES, AND THOSE WITH SINCERELY HELD RELIGIOUS BELIEFS. APPLICANTS WHO MAY REQUIRE REASONABLE ACCOMMODATION FOR ANY PART OF THE APPLICATION OR HIRING PROCESS SHOULD PROVIDE THEIR NAME AND CONTACT INFORMATION TO ARCHER’S PEOPLE TEAM AT View email address on click.appcast.io [View email address on click.appcast.io]. REASONABLE ACCOMMODATIONS WILL BE DETERMINED ON A

CASE-BY-CASE BASIS.

-------------------------------------------------------------------------------- INFORMATION COLLECTED AND PROCESSED AS PART OF ANY JOB APPLICATIONS YOU CHOOSE TO SUBMIT IS SUBJECT TO ARCHER'S CANDIDATE PRIVACY POLICY [ ARCHER IS UNABLE TO PROVIDE WORK VISA SPONSORSHIP FOR THIS POSITION AT THE

PRESENT TIME.

ARCHER IS PROUD TO BE AN EQUAL OPPORTUNITY EMPLOYER COMMITTED TO DIVERSITY AND INCLUSIVITY IN THE WORKPLACE. ALL ASPECTS OF EMPLOYMENT ARE DECIDED ON THE BASIS OF MERIT, QUALIFICATIONS, AND BUSINESS NEEDS. WE DO NOT DISCRIMINATE BASED UPON RACE, COLOR, RELIGION, SEX, SEXUAL ORIENTATION, AGE, NATIONAL ORIGIN, DISABILITY STATUS, PROTECTED VETERAN STATUS, GENDER IDENTITY OR ANY OTHER CHARACTERISTIC

PROTECTED BY FEDERAL, STATE OR LOCAL LAWS.

ARCHER AVIATION DOES NOT ENGAGE WITH EXTERNAL RECRUITING AGENCIES/INDIVIDUAL RECRUITERS WITH WHOM IT DOES NOT HAVE A PRIOR WRITTEN AGREEMENT. ARCHER RESERVES THE RIGHT TO MAKE USE OF ANY UNSOLICITED RESUMES THAT IT RECEIVES AND BEARS NO RESPONSIBILITY FOR PAYMENT OF ANY FEES ASSERTED FROM THE USE OF UNSOLICITED RESUMES. IF YOU ARE A RECRUITING AGENCY OR INDIVIDUAL RECRUITER WISHING TO DO BUSINESS WITH ARCHER, PLEASE REACH OUT TO View email address on click.appcast.io [View email address on click.appcast.io]. ALL EMPLOYMENT PROCESSES ARE MANAGED BY THE ARCHER PEOPLE TEAM.