Principal, Governance, Risk and Compliance
Listed on 2026-01-27
IT/Tech
Cybersecurity, Data Security
Join Our Team!
Sunbelt Rentals strives to be the customer's first choice in the equipment rental industry. From pumps to scaffolding to general construction tools, we aim to be the only call needed to outfit a job site with the proper equipment. Not only do we offer a vast fleet that ranks among the best in the industry, we pair it all with a friendly and knowledgeable staff.
Our employees are our greatest asset, and although we present a comprehensive equipment offering, our expertise and service are what truly distinguish us from the competition.
We pride ourselves on investing in our workforce and offer competitive benefits, as well as extensive on-the-job training for all eligible employees.
As a highly successful national company, we are constantly looking for talented individuals to support our growth. If you are interested in pursuing a rewarding career, we invite you to review our opportunities!
Job Description Summary
Position Objective
The Principal, IT Governance, Risk and Compliance (GRC) is an experienced individual contributor responsible for designing, implementing, and advancing the organization's comprehensive IT compliance program and control framework. You will function as a technical authority for control design, compliance assessment, regulatory adherence, and policy operationalization, with particular focus on Sarbanes-Oxley General IT Controls (GITC), PCI-DSS compliance, and CMMC. You will work across IT, business units, Internal Audit, and senior leadership to ensure the organization meets its compliance obligations, maintains effective controls, and operates within legal and regulatory boundaries.
Position Responsibilities
Enterprise GRC Strategy and Leadership
- Design and oversee the implementation of a comprehensive, enterprise-scale IT governance and control framework that meets NIST CSF, CMMC (NIST 800-171), PCI-DSS, SOX GITC, and emerging regulatory requirements in data privacy and artificial intelligence.
- Establish framework alignment and control crosswalks that map NIST CSF, SOX GITC, PCI-DSS, and CMMC/NIST 800-171 controls to optimize testing efficiency and reduce audit redundancy.
- Provide first-line consulting to business and IT leadership on audit/assessment findings, risk implications, and remediation strategies across SOX internal audits, PCI-DSS QSA assessments, and CMMC assessments.
- Maintain and update the organization's comprehensive compliance information security policy framework, ensuring policies remain current with regulatory changes and organizational evolution.
- Conduct regular policy reviews (annual minimum, or upon regulatory change) evaluating:
  - Alignment with current regulatory requirements (SOX GITC, PCI-DSS, CMMC, NIST, etc.)
  - Relevance to current organizational structure and systems
  - Operational effectiveness and staff understanding
  - Gap identification between policy requirements and organizational practices
- Lead policy update processes translating regulatory changes into operational policy updates.
- Create policy crosswalks mapping policies to regulatory requirements and control frameworks.
- Lead policy exception and risk acceptance documentation and tracking processes.
- Serve as subject matter expert in designing and executing effective control assessments across NIST CSF, PCI-DSS, CMMC, SOX GITC, and other frameworks.
- Assess the quality and effectiveness of implemented controls through documentation review, testing procedures, and stakeholder interviews.
- Identify control gaps, design flaws, and opportunities for enhancement; communicate findings and remediation recommendations.
- Establish control remediation processes; track remediation progress and verify corrective actions.
- Create audit-ready control documentation including control descriptions, test procedures, evidence matrices, and compliance mappings.
- Maintain compliance documentation repositories and evidence management systems.
- Serve as advisor to IT teams, business units, and operational leaders on control requirements and compliance obligations specific to their functions.
- Lead the creation and ongoing maintenance of procedural documentation for control operation for PCI-DSS, SOX, and other applicable regulations, specifying control descriptions, operational procedures and evidence requirements.
- Develop, implement and maintain compliance operations processes and workflows.
- Establish compliance metrics and KPIs tracking control effectiveness and maturity progression.
- Prepare and maintain evidence for assessments and other compliance reviews.
- Develop and maintain compliance calendars coordinating control operation and assessment activities.
- Develop and maintain NIST 800-171/CMMC control documentation including control descriptions, implementation narratives, testing procedures, and evidence repositories.
- Develop and maintain CMMC Plan of Actions and Milestones (POA&M) documenting gaps, remediation strategies, and status…