CMMC Program Manager

Na Ali'i Consulting & Sales, LLC.
$90,000 - $110,000 | Remote

About The Position

The CMMC Program Manager is responsible for the end-to-end management, sustainment, and continuous improvement of the company’s Cybersecurity Maturity Model Certification (CMMC) Level 2 program in support of DoD contracts involving Controlled Unclassified Information (CUI). This role provides enterprise-level governance and oversight to ensure compliance with DFARS 252.204-7012, 32 CFR Part 170, 32 CFR Part 117, and NIST SP 800-171, and serves as the primary authority for CMMC program readiness, audit preparation, and sustainment. The position works closely with the FSO, IT, Legal, Contracts, HR, and Program Management to ensure cybersecurity requirements are fully integrated into business operations.

Requirements

  • 5–8+ years of experience in cybersecurity compliance, information assurance, or security program management within a DoD contracting environment
  • Demonstrated experience managing NIST SP 800-171 compliance and preparing organizations for audits or assessments
  • Experience supporting CUI environments and DFARS 252.204-7012 requirements
  • Experience coordinating assessments, audits, or regulatory reviews
  • Strong working knowledge of: CMMC Level 2; NIST SP 800-171; 32 CFR Part 117 (NISPOM); 32 CFR Part 170; DFARS 252.204-7012 / 7019 / 7020
  • Ability to translate regulatory requirements into actionable program controls
  • Strong documentation, risk analysis, and stakeholder communication skills
  • Ability to obtain and maintain a Top Secret clearance (active clearance preferred).

Nice To Haves

  • Prior experience working directly with a C3PAO or supporting formal CMMC assessments
  • Certifications such as CISSP, CISM, CISA, GSLC, CRISC, or CCSP
  • Experience supporting multiple facilities or business units
  • Familiarity with RMF, NIST SP 800-53, or FedRAMP environments

Responsibilities

  • Serve as the Program Owner for the company’s CMMC Level 2 compliance effort
  • Develop, maintain, and execute the CMMC compliance roadmap, ensuring alignment with DoD timelines and contract requirements
  • Establish governance structures, roles, and accountability for cybersecurity compliance across business units
  • Ensure alignment between CMMC, NIST SP 800-171, DFARS, and NISPOM (32 CFR Part 117) requirements
  • Maintain authoritative oversight of all 110 NIST SP 800-171 security requirements applicable to the CMMC Level 2 boundary
  • Ensure security controls are fully implemented, documented, and operating as intended
  • Coordinate with IT and system owners to validate technical, administrative, and physical safeguards
  • Monitor control effectiveness and address compliance drift through periodic reviews
  • Own and maintain the System Security Plan (SSP) and ensure it accurately reflects the current environment
  • Manage Plans of Action & Milestones (POA&Ms), including prioritization, remediation tracking, and closure validation
  • Establish and maintain a centralized evidence repository to support CMMC assessments and DoD inquiries
  • Ensure documentation remains audit-ready at all times
  • Plan and conduct onsite and remote self-assessments against NIST SP 800-171 and CMMC Level 2 requirements
  • Prepare the organization for C3PAO assessments, including pre-assessment readiness reviews and gap analyses
  • Serve as the primary interface with C3PAOs, DoD representatives, and external auditors
  • Coordinate assessment logistics, evidence presentation, and response to findings
  • Partner with the FSO to ensure CUI identification, marking, handling, transmission, and storage align with NISPOM and CMMC requirements
  • Validate CUI data flows and system boundaries supporting covered defense information (CDI)
  • Support training and awareness initiatives related to CUI handling and cybersecurity responsibilities
  • Implement a continuous compliance monitoring strategy to identify emerging risks and control weaknesses
  • Track cybersecurity risks and report status, trends, and remediation progress to leadership
  • Ensure timely reporting and response to cybersecurity incidents involving CUI in coordination with Security and IT
  • Support supply chain and subcontractor cybersecurity compliance oversight where applicable
  • Develop and oversee CMMC and NIST 800-171 training programs for employees, system users, and leadership
  • Ensure role-based cybersecurity training is conducted and documented annually
  • Promote a culture of cybersecurity accountability and compliance awareness
  • Act as a trusted advisor to executive leadership on CMMC readiness, risks, and compliance posture
  • Coordinate cross-functional efforts between Security, IT, Contracts, Legal, HR, and Program Management
  • Provide regular executive-level reporting on CMMC status, risks, POA&M progress, and audit readiness