Sr. Staff Technology Controls Architecture & Assurance Lead

Archer is an aerospace company based in San Jose, California building an all-electric vertical takeoff and landing aircraft with a mission to advance the benefits of sustainable air mobility. We are designing, manufacturing, and operating an all-electric aircraft that can carry four passengers while producing minimal noise. Our sights are set high and our problems are hard, and we believe that diversity in the workplace is what makes us smarter, drives better insights, and will ultimately lift us all to success. We are dedicated to cultivating an equitable and inclusive environment that embraces our differences, and supports and celebrates all of our team members. Archer is building the future of urban air mobility — and the integrity of that mission depends on a security posture that is not just defensible, but demonstrable. As we scale our defense programs, certify aircraft with the FAA, and expand our enterprise footprint, the stakes of a control failure or compliance gap are measured in mission impact, not just audit findings. At Archer, information security is woven into the aircraft certification process itself — making this role uniquely consequential in ways that go well beyond a traditional enterprise GRC function. Archer is seeking a Senior Staff Technology Controls & Assurance Lead to serve as a cornerstone of our GRC function, reporting to the Sr. Director of Governance, Risk & Compliance. In this high-visibility role, you will own IS policy development, internal controls governance, risk quantification, and engagement with internal and external audit bodies. You are the person who makes our risk posture legible — to our board, to our auditors, to DoD assessors, and to our own engineering teams. This is not a checkbox compliance role. We expect you to operate with the intellectual rigor of a risk analyst, the communication precision of an executive advisor, and the technical depth to understand what our controls actually do. You will bring both qualitative judgment and quantitative discipline to the risk function — building data-driven KRIs, leveraging AI and analytics to surface themes and outliers, and translating signal into action across the organization. What You Will Own

IS POLICY & CONTROLS DEVELOPMENT

Lead the development, maintenance, and lifecycle governance of Archer's Information Security policy library, standards, and control frameworks. Ensure policies are grounded in applicable regulatory obligations — NIST SP 800-171, CMMC Level 2, NIST SP 800-161 C-SCRM, DFARS, ITAR — and translated into implementable control requirements that engineering and operations teams can execute against.

ISSUE MANAGEMENT & RISK MITIGATION GOVERNANCE

Own the enterprise IS Issue Management process from identification through closure — establishing severity thresholds, SLA frameworks, escalation paths, and executive reporting cadences. Govern risk acceptance, exception management, and Plan of Action & Milestones (POA&M) processes. Ensure that open risk items receive time-bound, accountable remediation ownership, and that residual risk is clearly communicated to leadership.

CONTROL SELF-ASSESSMENTS (CSAS)

Design and execute Archer's internal Control Self-Assessment program — developing testing procedures, coordinating with control owners across engineering, IT, finance, and legal, and producing structured findings that drive control improvement. Maintain ongoing awareness of control effectiveness between formal audit cycles to prevent surprise gaps.

INTERNAL & EXTERNAL AUDIT MANAGEMENT

Serve as the primary IS liaison for internal audit, external financial auditors, and government compliance assessors — including CMMC C3PAO assessments and DCSA reviews. Manage evidence collection, artifact packaging, auditor communications, and findings remediation tracking. Translate auditor requests into efficient, well-organized responses that demonstrate the maturity and rigor of Archer's control environment.

SOX ITGC COMPLIANCE

Own Archer's SOX IT General Controls program — coordinating with external auditors, managing ITGC scoping, and ensuring that change management, access controls, and IT operations controls meet the standards required to support a public-company financial reporting environment. Partner with Finance and Internal Audit to maintain SOX readiness year-round.

QUANTITATIVE RISK ANALYSIS & KRI DEVELOPMENT

Build and maintain a meaningful set of Key Risk Indicators (KRIs) that go beyond checkbox coverage metrics to reflect actual risk exposure trends. Apply quantitative risk analysis techniques — including probabilistic modeling and loss magnitude estimation — to prioritize remediation investment and communicate risk in financial terms to executive and board audiences. Leverage AI-assisted analytics and data science techniques to identify themes, concentrations, and anomalies across risk data that qualitative review alone would miss. REGULATORY COMPLIANCE & DEFENSE PROGRAM OBLIGATIONS Maintain deep working knowledge of DFARS View phone number on click.appcast.io, ITAR Part 120-130, CMMC Level 2 practices, and evolving DoD cybersecurity requirements. Advise program teams on data handling, access control, and CUI safeguarding obligations. Ensure Archer's compliance posture is continuously calibrated against new regulatory guidance and remains audit-ready for government assessments supporting active defense contracts. FAA INFORMATION SECURITY & AIRCRAFT CERTIFICATION SUPPORT Partner with Archer's engineering, avionics, and certification teams to ensure that IS controls and governance processes align with FAA Aircraft Systems Information Security/Protection (ASISP) requirements throughout the type certification lifecycle. Support the application of airworthiness security standards — including RTCA DO-326A, DO-356A, and DO-355A — as the FAA applies Special Conditions and Means of Compliance to Archer's aircraft systems. Assess how intentional unauthorized electronic interactions (IUEI) and enterprise IS risk could propagate into aircraft safety domains, and maintain awareness of evolving FAA rulemaking that will shape Archer's certification obligations as we approach type certificate milestones.

EXECUTIVE COMMUNICATION & STAKEHOLDER ENGAGEMENT

Produce crisp, executive-quality risk briefings, board-level dashboards, and audit-ready evidence packages. Communicate complex regulatory and technical risk findings with clarity and precision to non-technical audiences — including the CISO, General Counsel, CFO, and Board Audit Committee. Serve as a trusted advisor to business stakeholders who need to understand their compliance obligations without drowning in framework language. Technology Stack Hands-on experience with the following platforms is expected or highly valued:

SERVICENOW GRC / IRM

AUDITBOARD

JIRA / CONFLUENCE

POWER BI / TABLEAU

VANTA / DRATA / SECUREFRAME

WORKIVA

SPLUNK / SIEM

PYTHON / SQL (DATA ANALYTICS)

AI/LLM TOOLING FOR ANALYSIS

NIST SP 800-53 REV. 5

OSCAL

RTCA DO-326A / DO-356A

CUI REGISTRY / DCSA EMASS

What You Bring 8+ years in information security, with at least 4 years in a GRC, compliance, or IS audit-focused role — ideally spanning both commercial and defense or government-adjacent environments Deep, hands-on working knowledge of NIST SP 800-171 / CMMC Level 2, NIST SP 800-161 (C-SCRM), DFARS View phone number on click.appcast.io, and ITAR — including practical application in an active compliance program, not just familiarity with the frameworks Demonstrated experience managing SOX ITGC programs — including scoping, control design, auditor engagement, and year-round readiness in a public or pre-IPO company environment Proven track record designing and executing Control Self-Assessment (CSA) programs and managing the full issue lifecycle from identification through risk-accepted closure Experience serving as the primary IS point of contact during formal external audits or government compliance assessments — managing evidence, auditor relationships, and findings remediation under deadline pressure Ability to build and maintain quantitative risk models and KRIs — translating risk data into business-impact terms and leveraging data analytics or AI tooling to identify risk themes, trends, and outliers at scale Exceptional written and verbal communication skills — the ability to produce board-ready risk briefings, distill complex regulatory findings into plain language, and command credibility with both technical engineers and C-suite executives U.S. citizenship and eligibility to obtain a DoD Secret security clearance Nice to Have Active DoD Secret or Top Secret/SCI clearance Certifications: CISSP, CISM, CRISC, CISA, or CMMC Registered Practitioner (RP) / Certified Professional (CCP) Familiarity with FAA Aircraft Systems Information Security/Protection (ASISP) requirements and the RTCA DO-326A / DO-356A / DO-355A airworthiness security standard suite — including how these apply to type certification Special Conditions, continued airworthiness obligations, and IS risk assessment for connected and eVTOL aircraft systems Aerospace, aviation, or defense industry experience — including familiarity with FAA certification environments, ITAR/EAR data sharing constraints, and CUI program requirements Hands-on experience with quantitative risk analysis methodologies such as FAIR (Factor Analysis of Information Risk) — ability to communicate risk in dollar-denominated, probabilistic terms Practical experience applying AI, machine learning, or statistical analysis techniques to GRC datasets — anomaly detection, control testing coverage analysis, risk concentration mapping Exposure to FOCI (Foreign Ownership, Control, or Influence) assessments and DCSA facility clearance requirements relevant to a defense contractor environment Prior startup or high-growth company experience — comfort operating in ambiguous, low-bureaucracy environments where program infrastructure must be built, not inherited Please note that this job description is intended to provide a general overview of the position and does not include an exhaustive list of responsibilities and qualifications At Archer we aim to attract, retain, and motivate talent that possess the skills and leadership necessary to grow our business. We drive a pay-for-performance culture and reward performance that supports the Company’s business strategy. For this position we are targeting a base pay between $207,400 - $259,200. Actual compensation offered will be determined by factors such as job-related knowledge, skills, and experience. Archer is proud to be an Equal Opportunity employer committed to diversity and inclusivity in the workplace. All aspects of employment are decided on the basis of merit, qualifications, and business needs. We do not discriminate based upon race, color, religion, sex, sexual orientation, age, national origin, disability status, protected veteran status, gender identity or any other characteristic protected by federal, state or local laws. Archer is committed to working with and providing reasonable accommodations to job applicants with physical or mental disabilities, and those with sincerely held religious beliefs. Applicants who may require reasonable accommodation for any part of the application or hiring process should provide their name and contact information to Archer’s People Team at View email address on click.appcast.io. Reasonable accommodations will be determined on a case-by-case basis. Information collected and processed as part of any job applications you choose to submit is subject to Archer's Candidate Privacy Policy. Archer is unable to provide work visa sponsorship for this position at the present time. Archer is proud to be an Equal Opportunity employer committed to diversity and inclusivity in the workplace. All aspects of employment are decided on the basis of merit, qualifications, and business needs. We do not discriminate based upon race, color, religion, sex, sexual orientation, age, national origin, disability status, protected veteran status, gender identity or any other characteristic protected by federal, state or local laws. Archer Aviation does not engage with external recruiting agencies/individual recruiters with whom it does not have a prior written agreement. Archer reserves the right to make use of any unsolicited resumes that it receives and bears no responsibility for payment of any fees asserted from the use of unsolicited resumes. If you are a recruiting agency or individual recruiter wishing to do business with Archer, please reach out to View email address on click.appcast.io. All employment processes are managed by the Archer People Team.