CMMC Compliance Lead

About The Position

Requirements

• Bachelor’s degree in Information Systems, Cybersecurity, Engineering, or related field (or equivalent experience).
• Extensive hands‑on experience with CMMC 2.0, NIST SP 800‑171, and DoD cybersecurity requirements.
• Demonstrated expertise conducting CMMC gap analyses, readiness assessments, and control evaluations.
• Strong technical understanding of security controls across access control, configuration management, incident response, logging/monitoring, vulnerability management, and secure system design.
• Experience implementing and validating technical, administrative, and physical controls required for CMMC compliance.
• Deep familiarity with CUI handling requirements, enclave design, and scoping methodologies.
• Experience supporting or preparing for third‑party assessments or regulatory audits.
• Strong communication and interpersonal skills with the ability to guide and influence technical and non‑technical teams.
• Proficiency with compliance tracking tools, GRC platforms, or evidence management systems.
• Ability to work independently and as part of a team; may manage small teams or project groups.
• Travel may be required.
• U.S. Citizen, U.S. Permanent Resident (Green Card holder) or asylee/refugee status as defined by 8 U.S.C. 1324b(a)(3) required.
• Must be able to travel within the Continental U.S. and internationally when required.
• This position requires access to information that is subject to compliance with the International Traffic Arms Regulations (“ITAR”) and/or the Export Administration Regulations (“EAR”). In order to comply with the requirements of the ITAR and/or the EAR, applicants must qualify as a U.S. person under the ITAR and the EAR, or a person to be approved for an export license by the governing agency whose technology comes under its jurisdiction. Please understand that any job offer that requires approval of an export license will be conditional on AeroVironment’s determination that it will be able to obtain an export license in a time frame consistent with AeroVironment’s business requirements. A “U.S. person” according to the ITAR definition is a U.S. citizen, U.S. lawful permanent resident (green card holder), or protected individual such as a refugee or asylee. See 22 CFR § 120.15. Some positions will require current U.S. Citizenship due to contract requirements.

Nice To Haves

• Certifications such as CCP, CCA, CISSP, Security+, CISM, or similar preferred.
• Experience in defense, aerospace, manufacturing, or other DoD‑regulated industries strongly preferred.
• Experience interpreting and applying ITAR, EAR, SOX, and other regulatory requirements.
• Strong analytical skills, attention to detail, and commitment to producing high‑quality compliance documentation.
• Ability to influence at all levels of the organization and drive clarity in complex, ambiguous environments.
• Demonstrated leadership qualities including collaboration, adaptability, and a commitment to continuous improvement.
• Alignment with AV Values (Trust & Teamwork, Customer Commitment, Ownership & Results, Innovate & Simplify).

Responsibilities

• CMMC Leadership & Expertise Serve as AV’s subject matter expert on CMMC 2.0 requirements, assessment objectives, scoping rules, and evidence expectations.
• Lead detailed gap analyses across technical, administrative, and physical controls to identify deficiencies and required remediation.
• Translate CMMC practices into clear, actionable technical requirements for IT, Engineering, Security, Facilities, HR, and other impacted teams.
• Guide and validate the implementation of required controls, ensuring alignment with CMMC and NIST SP 800‑171 assessment criteria.
• Support CUI scoping activities including asset inventory validation, boundary definition, and data flow mapping.
• Compliance Program Execution Support the development, implementation, and maintenance of cybersecurity compliance programs aligned with CMMC, SOX, UKCE, ITAR, EAR, and other regulatory requirements.
• Maintain compliance with external regulations and internal policies, ensuring consistent application across all in‑scope systems and processes.
• Develop and implement compliance policies, procedures, and standards for cybersecurity, and assist other functional organizations in developing their own.
• Coordinate with IT Infrastructure, Enterprise Systems, Legal, Risk Management, and other departments to ensure compliance requirements are understood and executed.
• Audit Readiness & Evidence Management Lead the creation, refinement, and maintenance of compliance documentation including SSPs, POA&Ms, ConMon materials, policies, procedures, and evidence artifacts.
• Establish structured evidence collection and artifact management processes to ensure audit readiness.
• Perform internal readiness assessments, mock audits, and control testing to prepare AV for C3PAO evaluation.
• Oversee compliance audits and assessments, ensuring timely remediation and accurate reporting.
• Collaborate with external advisors, consultants, and assessors to support readiness and certification activities.
• Risk Management & Reporting Conduct risk assessments and provide recommendations to mitigate cybersecurity and compliance risks.
• Assess and report progress toward compliance objectives, including readiness status and control maturity.
• Advise leadership on compliance risks, technical challenges, and factors that may impact certification timelines or sustainment.
• Generate reports for senior cybersecurity leadership and contribute to executive‑level updates.
• Training, Communication & Cross‑Functional Support Provide guidance and training to employees on cybersecurity compliance matters, including role‑based CMMC responsibilities.
• Develop awareness materials and communication strategies to support compliance adoption across the organization.
• Represent the cybersecurity function in meetings, planning sessions, and cross‑functional initiatives.

Benefits

• AV offers an excellent benefits package including medical, dental vision, 401K with company matching, a 9/80 work schedule and a paid holiday shutdown.