Director, FedRAMP Program

About The Position

Requirements

• 10+ years of experience in cybersecurity, compliance, GRC, cloud security, audit, risk management, or security program leadership.
• Direct experience leading or materially contributing to a FedRAMP Moderate ATO for a SaaS or cloud service provider.
• Strong working knowledge of the FedRAMP authorization lifecycle, NIST SP 800-53, FedRAMP Rev. 5 requirements, SSP, SAP, SAR, POA&M, continuous monitoring, the 3PAO assessment process, and agency authorization processes.
• Demonstrated ability to manage complex, cross-functional security programs involving Engineering, Product, Cloud Infrastructure, Cybersecurity, Legal, GRC, and executive stakeholders.
• Experience building and maintaining audit evidence repositories and compliance operating models.
• Strong knowledge of SaaS/cloud architecture, preferably AWS, Azure, or multi-cloud environments.
• Strong understanding of technical security domains, including IAM, vulnerability management, logging/monitoring, encryption, incident response, secure SDLC, change management, and cloud infrastructure security.
• Proven ability to drive remediation across teams that do not directly report to you.
• Excellent written and verbal communication skills.
• Ability to communicate clearly with both technical teams and executive stakeholders.
• Strong project/program management discipline, including milestone planning, dependency tracking, risk management, and executive reporting.

Nice To Haves

• Experience leading or supporting FedRAMP High authorization.
• Experience with both agency authorization and legacy JAB-style authorization expectations.
• Experience working directly with FedRAMP advisors, 3PAOs, agency sponsors, and federal customer security teams.
• Experience with SaaS products serving enterprise and/or public sector customers.
• Experience with AWS GovCloud, Azure Government, or other government cloud environments.
• Experience with adjacent and additive frameworks such as CMMC, ITAR, SOC 2, ISO 27001, ISO 42001, HIPAA, PCI DSS, StateRAMP, IRAP, or ISMAP.
• Experience supporting federal go-to-market, RFP responses, security questionnaires, and customer trust programs.
• Certifications such as CISSP, CISM, CISA, CRISC, PMP, CCSP, or equivalent experience.
• Experience in standing up a new FedRAMP program from scratch.

Responsibilities

• Own and lead the company’s FedRAMP program from readiness (FW has completed RADD for Moderate) through ATO and continuous monitoring.
• Develop the overall FedRAMP ATO strategy, roadmap, execution plan, work breakdown structure, milestone plan, and executive reporting model.
• Lead the company through FedRAMP Moderate authorization, with a path to FedRAMP High for future ATO.
• Define and manage the FedRAMP authorization boundary for the cloud service offering.
• Partner with Security, Engineering, Product, IT, Legal, Privacy, Compliance, and GTM teams to align FedRAMP requirements with business and customer needs.
• Translate FedRAMP requirements into clear workstreams, owners, deliverables, deadlines, and measurable outcomes.
• Maintain executive-level visibility into program status, risks, decisions, blockers, and funding needs.
• Own the development, maintenance, and quality of the FedRAMP authorization package, including the SSP, SAP, SAR, POA&M, control implementation narratives, policies, standards, procedures, control inheritance documentation, architecture diagrams, data flow diagrams, boundary documentation, and supporting operational evidence.
• Ensure documentation accurately reflects the real operating environment, not aspirational controls.
• Build a durable evidence repository and repeatable evidence collection process.
• Establish documentation quality standards to reduce rework during 3PAO and agency review.
• Serve as the primary internal program owner for external FedRAMP partners, including advisors, consultants, 3PAOs, and agency stakeholders.
• Coordinate readiness assessments, gap assessments, formal assessments, evidence requests, control interviews, penetration testing, and remediation validation.
• Manage 3PAO engagement timelines, dependencies, artifacts, and issue resolution.
• Support agency sponsor conversations and help prepare materials needed for agency authorization review.
• Ensure the SAR findings are translated into clear remediation plans and risk decisions.
• Own the POA&M process for FedRAMP-related findings, vulnerabilities, control gaps, and residual risks.
• Drive timely remediation of POA&M items across Engineering, Cloud Infrastructure, Cybersecurity, IT, and Product teams.
• Establish clear ownership, due dates, severity, risk rationale, evidence requirements, and closure criteria for each POA&M item.
• Escalate overdue or high-risk items to appropriate leadership forums.
• Partner with business and technical owners to determine when remediation, mitigation, compensating controls, or formal risk acceptance is appropriate.
• Maintain a clear view of residual risk for executives and authorizing stakeholders.
• Partner with Engineering, Cloud Infrastructure, and Cybersecurity teams to implement FedRAMP-required security controls in a SaaS cloud environment.
• Drive control maturity across identity and access management, privileged access management, vulnerability management, secure configuration management, logging, monitoring, alerting, incident response, encryption, key management, change management, backup and recovery, contingency planning, asset inventory, boundary protection, software supply chain security, and secure SDLC.
• Help engineering teams understand not just what is required, but why it matters and how to implement it sustainably.
• Identify control implementation gaps early and drive resolution before they become audit blockers.
• Assist in building and operating the FedRAMP continuous monitoring program after authorization.
• Own recurring ConMon deliverables, evidence collection, vulnerability reporting, POA&M updates, significant change analysis, incident reporting coordination, and ongoing agency reporting.
• Partner with Security Operations, Cybersecurity, Engineering, and Compliance to maintain authorization posture.
• Establish operational processes to prevent control drift after ATO.
• Track changes to FedRAMP guidance, NIST requirements, agency expectations, and federal cybersecurity directives.
• Prepare the organization for annual assessments and ongoing authorization maintenance.
• Keep abreast of FedRAMP program changes, like 20XX, and how they might impact our FedRAMP program.
• Provide clear, concise program updates to executives, steering committees, and board-level stakeholders.
• Communicate program health, milestone status, material risks, funding needs, staffing constraints, and decision points.
• Create executive-ready reporting that connects FedRAMP work to customer trust, federal revenue opportunities, risk reduction, and operational maturity.
• Facilitate cross-functional decision-making when security requirements conflict with product timelines, engineering capacity, or customer commitments.
• Serve as the internal FedRAMP translator: able to explain complex requirements in business, technical, and executive terms.
• Partner with Sales, Legal, Customer Success, and Cybersecurity GTM teams to support federal customer conversations.
• Help develop accurate FedRAMP-related customer messaging, RFP responses, trust center content, and security collateral.
• Ensure external claims about FedRAMP status, roadmap, and control maturity are accurate and legally defensible.
• Support customer security reviews and federal procurement diligence related to FedRAMP.

Benefits

• multiple options for dental, medical, vision, disability, and life insurance
• Equity + ESPP
• flexible PTO
• flexible spending
• commuter benefits
• wellness benefits
• adoption and parental leave benefits