Director, Governance, Risk and Compliance

Lila Sciences, Cambridge, MA
Posted 1 day ago
$168,000 - $238,000

About The Position

We’re looking for a Senior Director of Governance, Risk & Compliance (GRC) to build and scale our compliance function as we expand across U.S. Federal and DoD markets. This is a hands-on leadership role for someone who has stood up serious compliance programs in fast-moving environments and knows how to balance speed, risk, and revenue. You will own GRC end to end (SOC 2, ISO, GDPR, FedRAMP, DoD Cloud SRG IL5/IL6, and CMMC) and partner closely with Engineering, Cloud Ops, Product, Legal, and executive leadership to make compliance a growth enabler, not a bottleneck.

Requirements

  • 10–15+ years of cybersecurity GRC experience with deep Federal and DoD exposure
  • Hands-on ownership of FedRAMP authorizations
  • Direct experience with DoD Cloud SRG IL5 and/or IL6
  • Strong knowledge of CMMC, NIST SP 800-171, RMF, and NIST SP 800-53
  • Experience in high-growth environments
  • Experience at a GovCloud, SaaS, or defense-focused startup
  • Relevant certifications (CISSP, CISM, CISA, CRISC)
  • Experience supporting regulated revenue growth pre- and post-ATO
  • Ability to operate at both executive and execution levels
  • U.S. citizenship required; active or eligible clearance preferred

Responsibilities

  • Design and own Lila’s enterprise GRC program, including policies, standards, risk frameworks, and operating cadence.
  • Translate complex regulatory requirements into practical, implementable controls for software, engineering, and operations teams.
  • Own Lila Trust Portal as a strategic GRC asset, aligning disclosures with regulatory requirements, customer expectations, and go-to-market needs while partnering with Security, Legal, Privacy, Product, and Sales to ensure consistency and credibility.
  • Own the full FedRAMP lifecycle from readiness through ATO and continuous monitoring.
  • Serve as primary point of contact for 3PAOs, sponsoring agencies, and Authorizing Officials.
  • Drive development and maintenance of SSPs, POA&Ms, SARs, CMPs, and supporting evidence.
  • Partner with executives on risk acceptance and remediation prioritization.
  • Lead compliance strategy for DoD Cloud Computing SRG IL5 and IL6 environments.
  • Work directly with cloud and security engineering teams to meet high-impact requirements.
  • Support customer security reviews, audits, and authorization packages.
  • Define and execute Lila’s CMMC readiness and compliance roadmap.
  • Align NIST SP 800-171 controls across engineering, IT, and business operations.
  • Prepare Lila for CMMC assessments tied to defense contracts.
  • Execute risk assessments for onboarding new vendors and re-evaluating existing ones, assessing cybersecurity, financial, and operational risks.
  • Monitor vendor performance against Service Level Agreements (SLAs) and report risk profiles to senior leadership.
  • Ensure vendor compliance with internal policies and external regulations, specifically focusing on data security.
  • Identify risks, facilitate remediation plans, and, if necessary, assist with risk acceptance processes.
  • Run enterprise risk assessments, gap analyses, and mitigation plans.
  • Implement lightweight automation for evidence collection, validation, and reporting.
  • Deliver executive-level dashboards focused on real risk and progress.
  • Act as a trusted advisor to the CISO on compliance risk and deal enablement.
  • Lead customer due diligence, security questionnaires, and regulatory briefings.
  • Represent the company during audits, assessments, and government reviews.

Benefits

  • Bonus potential
  • Generous early equity