Compliance Operations Lead

Compliance Operations Lead

In government contracting, compliance is a moat. FedRAMP High, IL5, CMMC Level 2, SOC 2—these are the gates that decide which platforms get to serve the DoD, the Intelligence Community, and the largest agencies in the federal government. We need a Compliance Operations Lead who treats that gate as offense, not paperwork.

This is not a role where you write policy docs, file them in a binder, and chase tickets through a GRC tool. You will own GovSignals' entire security and compliance posture end-to-end—architecting the program, automating the evidence, partnering directly with engineering, and standing in front of customers and auditors as the face of our trust story. You'll move at product speed. When a control fails or an auditor flags an exception, you fix it because it's yours.

Compliance at GovSignals is a product. It ships, it scales, and it has to keep up with an aggressive engineering cadence. We want someone who automates evidence collection in CI/CD instead of chasing screenshots. Someone who treats every customer security review as a sales asset, not a tax. Someone who has done this before at a high-growth defense or dual-use startup—and knows the difference between checking the box and building something defensible.

This role reports directly into the founding team. You will have full company support to hit our compliance milestones, and you'll be expected to prioritize compliance as a means to an end—shipping product and unlocking customers.

Key Responsibilities

Compliance Program Ownership

• Build and run the master compliance program covering FedRAMP High, IL5, CMMC Level 2, SOC 2, and adjacent public-sector frameworks.
• Drive the FedRAMP High ATO roadmap end-to-end, including 3PAO coordination, agency sponsorship navigation, and continuous monitoring once authorized
• Maintain a forward-looking compliance roadmap that anticipates new frameworks, customer requirements, and regulatory changes—we shouldn't be reacting; we should be ahead

Evidence Automation & Audit Readiness

• Own evidence management end-to-end: gather, organize, and automate collection so we are audit-ready every day, not the week before fieldwork
• Stand up automated policy checks, control evidence capture, and continuous monitoring tooling—if it can be scripted, it should be
• Lead quarterly and annual security documentation cycles, coordinate penetration tests and red-team engagements, and track remediation through to closure

Customer Trust, BD & Sales Enablement

• Be the primary voice on enterprise security questionnaires and customer trust calls—we win deals when buyers trust our posture
• Partner directly with Sales as a front-line credibility asset—join customer pitches and discovery calls, brief prospects on our compliance roadmap, and close the trust gap that often decides seven-figure deals
• Help represent GovSignals at industry conferences, customer events, and federal/defense forums—build relationships with security leaders at target accounts and bring back signal that shapes our roadmap
• Translate complex compliance posture into clear narratives for both technical security teams and non-technical executives
• Build and maintain a customer-facing trust center, security collateral, and reusable response library that compresses sales cycles

Engineering Partnership

• Embed secure-by-design practices alongside engineering—policy checks in CI/CD, infrastructure-as-code guardrails, hardened deployment pipelines
• Identify smart, outside-of-the-box solutions to compliance roadblocks. Help guide company roadmaps to scope and prepare for compliance changes.
• Monitor the evolving threat landscape and propose proactive hardening measures—you don't wait for an incident to drive change

Who You Are

You've taken a startup through a real high-impact authorization—FedRAMP High, IL5, or equivalent. You know what it takes to build a compliance program from a blank page, not just optimize one someone else built.

You write policy and you read code. You can sit with an auditor and a senior engineer in the same meeting and translate cleanly between them. You see compliance as a product surface, not a paperwork exercise—something that ships, scales, and gets better with every release.

You're fast, but not sloppy. You understand that one failed control or one botched questionnaire response can stall a seven-figure deal, and you operate with that level of seriousness. You're not looking for a 9-to-5. You're looking for a mission—and the ownership stake to go with it.

Required Qualifications

• 3+ years leading compliance or security programs at a high-growth technology or defense startup
• Demonstrated success achieving and maintaining FedRAMP High ATO or an equivalent high-impact authorization
• Deep working fluency with IL5, CMMC Level 2, SOC 2 Type II, NIST 800-171, and the broader U.S. public-sector compliance landscape
• Proven ability to design and run automated evidence collection, policy management, and vulnerability-tracking workflows—not just operate someone else's GRC tool
• Strong written and verbal communication skills for both technical and executive audiences; comfortable owning customer security reviews end-to-end
• Experience coordinating red-team, penetration-test, or bug-bounty programs and translating findings into engineering action
• Comfort operating in a fast-moving, early-stage environment where priorities shift and you own the outcome

Bonus: Hands-on exposure to Kubernetes, Terraform, JAMF, and modern DevSecOps toolchains; prior experience supporting an IC or DoD customer base.

What This is Not

This is not a role for a compliance manager who needs a ten-person GRC team to function. If your job has been reviewing tickets in Drata or Vanta and emailing auditors back, this isn't the right fit. If you treat compliance as a paperwork function rather than a competitive weapon, this isn't the right fit. If "startup hours" sounds like a red flag rather than a rallying cry, this isn't the right fit.

We need someone who runs toward hard problems, automates relentlessly, and measures their impact in authorizations achieved and customer deals unblocked—not policies filed.

Compensation & Benefits

• Base Salary: 140,000 - 190,000
• Equity: Meaningful stake in a well-funded, fast-growing startup—we want you to win big when we win big
• Benefits: Medical, Vision, and Dental
• Unlimited PTO
• Direct access to the founding team and end-to-end ownership from day one