Compliance Manager

Position Summary

The Compliance Manager is the organizational owner of the company's regulatory compliance program, with primary accountability for achieving and maintaining Cybersecurity Maturity Model Certification (CMMC), ensuring alignment with NIST SP 800-171 and applicable DFARS clauses, and managing the identification and tracking of CUI-related contractual obligations across the business.

This is a leadership role that sits at the intersection of IT, legal, contracts, operations, and executive management. The Compliance Manager does not just track requirements - they drive the organization's compliance posture, build a culture of security awareness, and ensure the company is audit-ready at all times. They are the primary point of accountability when a C3PAO assessor walks in the door.

Key Responsibilities:

Compliance Program Ownership

• Own and continuously improve the organization's end-to-end compliance program encompassing CMMC, NIST SP 800-171, DFARS 252.204-7012/7019/7020/7021, and related federal regulations
• Develop, maintain, and enforce the organization's information security policies, standards, and procedures; ensure they are reviewed at least annually and updated in response to regulatory changes
• Maintain the System Security Plan (SSP), Plan of Action & Milestones (POA&M), and all supporting compliance artifacts; ensure they are current, accurate, and audit-ready at all times
• Own the organization's risk register; conduct periodic risk assessments and drive remediation planning in partnership with IT and operational leadership
• Track CMMC rulemaking, NIST guidance updates, and DoD policy changes; brief leadership on implications and required organizational responses
• Establish and report on compliance program metrics and key performance indicators (KPIs) to senior leadership on a regular cadence

CMMC Assessment Readiness

• Lead all activities related to preparation for and completion of CMMC third-party assessments (C3PAO); serve as the organization's primary point of contact with assessors
• Conduct and document internal gap assessments against NIST SP 800-171 and CMMC practice requirements; maintain evidence packages for all 110 practices
• Coordinate with IT to ensure that technical controls are implemented, documented, and generating the evidence required for a successful assessment
• Manage the POA&M lifecycle: identify gaps, assign remediation owners, set milestone dates, track progress, and verify closure
• Prepare staff for assessor interviews; conduct mock assessments and tabletop exercises to identify weaknesses before formal assessment
• Maintain post-assessment continuous compliance, ensuring controls do not degrade between certification cycles

CUI Program Management

• Define, document, and maintain the organization's CUI scope: categories of CUI handled, all roles and individuals who access CUI, and all systems and locations where CUI is stored, processed, or transmitted
• Maintain the assessment boundary documentation and data flow diagrams in coordination with IT
• Develop and enforce CUI handling procedures, marking standards, and destruction requirements across all departments
• Conduct periodic CUI audits to verify that staff are handling and marking CUI correctly in both digital and physical form
• Serve as the internal resource for CUI classification questions from program managers, engineers, procurement, and other staff

Preferred Education & Certification(s):

• Bachelor's Degree, preferably in Cybersecurity, Information Technology or similar field
• Certified CMMC Professional (CCP)
• Certified CMMC Assessor (CCA)
• Project Management Professional (PMP)
• Certified Authorization Professional (CAP / CGRC)