CMMC Compliance Program Manager

Security Organization • Reports to CISO • On-site

About the Role

We are hiring a CMMC Compliance Program Manager to own and drive our CMMC Level 2 certification effort and sustain our compliance posture beyond it. This is the central role in our security organization's compliance function — responsible for translating regulatory requirements into executable controls, coordinating across our security and IT organizations, and delivering a successful C3PAO assessment.

This is a hands-on, high-accountability role reporting directly to the CISO. You will work closely with our InfoSec Engineer, Security Operations Analyst, IT Director, and our external partners including our C3PAO and our managed SOC and RPO provider (SysARC). You are the person who ensures nothing falls through the cracks between now and certification — and who keeps us audit-ready permanently after.

The Immediate Mission

Our C3PAO assessment is scheduled for August. You will own getting us there:

• Take full ownership of the System Security Plan (SSP) — documenting how all 110 NIST 800-171 practices are implemented across our environment
• Build and maintain the Plan of Action & Milestones (POA&M) for any gaps, with realistic remediation timelines
• Coordinate evidence artifact collection from our InfoSec Engineer, IT Director's team, and HR — ensuring every practice has supporting documentation
• Manage the day-to-day relationship with SysARC as our RPO — driving deliverables, validating their work products, and integrating their outputs into our evidence packages
• Interface directly with our C3PAO as the primary point of contact for scheduling, pre-assessment requests, and assessment coordination
• Run a pre-assessment readiness review before the formal C3PAO engagement to identify and close remaining gaps

What You’ll Own

CMMC Assessment Program

• Own the SSP end-to-end — scope definition, control descriptions, implementation status, and evidence mapping
• Maintain the POA&M with current status and drive remediation to closure
• Serve as primary liaison to our C3PAO assessors before, during, and after the assessment
• Coordinate the SysARC RPO engagement — own the scope of work, milestone tracking, and integration with internal deliverables
• Manage assessment scheduling, documentation submissions, and assessor requests

Control Documentation & Evidence

• Define and maintain a control mapping across our tool stack: CrowdStrike, Zscaler, ThreatLocker, Darktrace, and Okta
• Collect, organize, and maintain evidence artifacts for all implemented controls — screenshots, config exports, policy documents, training records, access review logs, audit log samples
• Coordinate with IT Director's team (Network Engineer, Help Desk) to produce infrastructure evidence: patch logs, change records, configuration documentation
• Work with HR to document personnel security controls: background checks, onboarding/offboarding procedures, security awareness training completion

Policy & Standards

• Write and maintain the security policies required by CMMC Level 2 — Acceptable Use, Incident Response, Access Control, Configuration Management, Media Protection, and others
• Ensure policies are implemented, communicated, and tied to assessable controls
• Own the security awareness training program: content, delivery, tracking, and evidence of completion

Risk & Continuous Compliance

• Maintain the risk register and ensure identified risks are tracked, assigned, and remediated
• Establish a continuous monitoring cadence post-certification to maintain audit readiness
• Coordinate periodic access reviews, vulnerability scan reviews, and control effectiveness reviews
• Track CMMC regulatory updates and assess impact on our compliance posture

Cross-Functional Coordination

• Own the RACI between our Security organization and IT organization for CMMC control ownership and evidence accountability
• Brief the CISO weekly on program status, open risks, and blockers
• Ensure SysARC's SOC outputs — alert logs, IR documentation, monitoring reports — are captured and organized as AU and IR domain evidence
• Coordinate with IT Director to ensure his team understands their evidence obligations and meets deadlines

What You Won’t Do

This role is not responsible for security engineering, tool configuration, or SOC operations. Those are owned by our InfoSec Engineer and Security Operations Analyst respectively, with SOC monitoring handled by SysARC. Your lane is program ownership, documentation, evidence, and coordination — not technical implementation.

Basic Qualifications

• 5+ years in GRC, compliance, or security program management roles
• Direct, hands-on experience with CMMC Level 2 — either as a primary GRC lead in a C3PAO assessment, or as an RPO practitioner supporting a Level 2 implementation
• Demonstrated ability to write and maintain a System Security Plan (SSP) and POA&M against NIST 800-171
• Experience managing evidence collection programs for compliance audits — organizing artifacts, tracking gaps, and coordinating across departments
• Comfortable working in a lean organization where you own your domain without dedicated staff below you
• Experience interfacing with external auditors or assessors as an organizational point of contact
• Familiarity with the GovCon or defense industrial base compliance environment

Preferred Qualifications

• Participated in a successful CMMC Level 2 C3PAO assessment as the primary compliance lead or assessment coordinator
• Registered Practitioner (RP) credential from the CMMC-AB, or experience working embedded within an RPO
• Hands-on familiarity with one or more of our tool stack: CrowdStrike, Zscaler, ThreatLocker, Darktrace, Okta — sufficient to understand what evidence each tool can produce and how to extract it
• Experience managing a compliance program alongside a managed SOC or MSSP — understanding how to integrate third-party monitoring outputs into internal compliance evidence
• Certifications: CCP (Certified CMMC Professional), CCA (Certified CMMC Assessor), CISA, CISM, or CISSP
• Experience at a DoD prime or subcontractor, defense-adjacent technology company, or GovCon-focused MSSP
• Familiarity with ITAR/EAR compliance in a defense context — relevant as we grow into regulated programs

Why This Role Matters

Our CMMC Level 2 certification is directly tied to our ability to win and retain DoD contracts. This is not a future-state initiative — the assessment is scheduled and the deadline is real. The person in this role will be the reason we pass.

Beyond August, this role becomes the permanent owner of our compliance posture as we grow, including a major new facility coming online and expanded program requirements. You will have direct access to the CISO, full ownership of a critical function, and the satisfaction of building something that matters.

Compensation

• Cybersecurity Analyst: $145,000 - $175,000
• Leveling and base salary are determined by job-related skills, education level, experience level, and job
• performance
• You will be eligible for long-term incentives in the form of stock options and/or long-term cash awards
• Offer compensation also includes the ability to purchase company stock through the Employee Stock Purchase Plan