Staff Security Assurance Controls Manager

About The Position

Requirements

• Bachelor's degree in Information Security, Computer Science, Engineering, Risk Management, or related field—or equivalent practical experience.
• 7–10+ years of experience managing and operating security/compliance programs, including at least one of: FedRAMP, ISO 27001, or SOC 2.
• 3–5+ years of experience managing third-party audits (e.g., ATO, SOC, ISO certs), including evidence preparation, auditor interface, and corrective actions.
• Proficient in project management: planning, tracking, reporting, and issue resolution.
• Strong understanding of security control domains (e.g., access control, vulnerability management, encryption, logging, change management).
• Experience working in cloud-native environments (AWS, GCP preferred).
• Familiarity with GRC platforms such as LogicGate, ServiceNow GRC, or Archer.

Nice To Haves

• NIST 800-63 experience with identity proofing and authenticator management is preferred
• Experience leading or contributing to FedRAMP Continuous Monitoring (ConMon) activities or significant change requests (SCR) / change management.
• Policy, plan, procedure management.
• Deep understanding of control implementation across cloud-native and DevOps environments.
• CISSP, CISA, CCSK, or ISO 27001 Lead Auditor certification.
• Cloud security certifications (e.g., GCP, AWS, etc.) are a plus.
• Experience working in SaaS or regulated environments (e.g., healthcare, finance, government).

Responsibilities

• Framework Ownership: Serve as the day-to-day owner for one or more frameworks (e.g., NIST 800-63, FedRAMP, ISO 27001, SOC 2), ensuring alignment between framework requirements and internal controls.
• Control Lifecycle Management: Collaborate with control owners to design, implement, document, and monitor controls. Define control objectives, implementation guidance, and assurance requirements.
• Audit & Assessment Readiness: Coordinate internal and external audits by developing audit plans, preparing walkthroughs, and managing evidence collection activities.
• Continuous Monitoring: Maintain a recurring schedule of control validations based on framework-specific frequency requirements (e.g., FedRAMP ConMon). Track control health and remediation actions.
• Gap Analysis & Risk Assessments: Lead gap analyses between new framework requirements and existing control coverage. Facilitate Security Impact Assessments (SIAs) to assess compliance implications of changes and identify risks.
• Compliance Documentation: Manage organizational policies. Ensure up-to-date, reviewer-approved documentation exists for policies, procedures, and implementation statements. Lead annual reviews and updates.
• Control Remediation & POA&M Management: Partner with control owners to define corrective actions, manage Plans of Action & Milestones (POA&Ms), and track resolution through closure. Propose and coordinate the design of controls to mitigate risks.
• Stakeholder Engagement: Act as a trusted partner to engineering, product, infrastructure, and customer-facing teams. Provide clear guidance on what controls are required, why, and how to satisfy them.
• Tooling & Metrics: Support the use of GRC and data pipelines to automate evidence collection, track control status, and generate metrics for reporting. Internal and External: Contribute to executive and board-level reporting, as well as external customer reporting such as through Continuous Monitoring reports.

Benefits

• ID.me offers comprehensive medical, dental, vision, health savings account, flexible spending accounts (medical, limited purpose, dependent care, commuter benefit accounts), basic and voluntary life and AD&D insurance, 401(k) with company match, parental leave, ability to participate in unlimited paid time off subject to the terms and conditions of the PTO policy, including 8 company wide holidays, short and long-term disability insurance, accident and critical illness insurance, referral bonus policy, employee assistance program, pet insurance, travel assistant program, wellbeing and childcare discounts, benefit advocates, and a learning and development benefit.