CMMC Compliance Manager

armor group
Mason, OH
May 17th, 2026

Position Summary

The Compliance Manager is the organizational owner of the company's regulatory compliance program, with primary accountability for achieving and maintaining Cybersecurity Maturity Model Certification (CMMC), ensuring alignment with NIST SP 800-171 and applicable DFARS clauses, and managing the identification and tracking of CUI-related contractual obligations across the business.

This is a leadership role that sits at the intersection of IT, legal, contracts, operations, and executive management. The Compliance Manager does not just track requirements: they drive the organization's compliance posture, build a culture of security awareness, and ensure the company is audit-ready at all times. They are the primary point of accountability when a C3PAO assessor walks in the door.

Unlike a purely technical security role, the Compliance Manager's value is in program governance, cross-functional coordination, policy ownership, and risk management, ensuring that every department understands its compliance obligations and meets them consistently.

Key Responsibilities:

Compliance Program Ownership
•      Own and continuously improve the organization's end-to-end compliance program encompassing CMMC, NIST SP 800-171, DFARS 252.204-7012/7019/7020/7021, and related federal regulations
•      Develop, maintain, and enforce the organization's information security policies, standards, and procedures; ensure they are reviewed at least annually and updated in response to regulatory changes
•      Maintain the System Security Plan (SSP), Plan of Action & Milestones (POA&M), and all supporting compliance artifacts; ensure they are current, accurate, and audit-ready at all times
•      Own the organization's risk register; conduct periodic risk assessments and drive remediation planning in partnership with IT and operational leadership
•      Track CMMC rulemaking, NIST guidance updates, and DoD policy changes; brief leadership on implications and required organizational responses
•      Establish and report on compliance program metrics and key performance indicators (KPIs) to senior leadership on a regular cadence

CMMC Assessment Readiness
•      Lead all activities related to preparation for and completion of CMMC third-party assessments (C3PAO); serve as the organization's primary point of contact with assessors
•      Conduct and document internal gap assessments against NIST SP 800-171 and CMMC practice requirements; maintain evidence packages for all 110 practices
•      Coordinate with IT to ensure that technical controls are implemented, documented, and generating the evidence required for a successful assessment
•      Manage the POA&M lifecycle: identify gaps, assign remediation owners, set milestone dates, track progress, and verify closure
•      Prepare staff for assessor interviews; conduct mock assessments and tabletop exercises to identify weaknesses before formal assessment
•      Maintain post-assessment continuous compliance, ensuring controls do not degrade between certification cycles

CUI Program Management
•      Define, document, and maintain the organization's CUI scope: categories of CUI handled, all roles and individuals who access CUI, and all systems and locations where CUI is stored, processed, or transmitted
•      Maintain the assessment boundary documentation and data flow diagrams in coordination with IT
•      Develop and enforce CUI handling procedures, marking standards, and destruction requirements across all departments
•      Conduct periodic CUI audits to verify that staff are handling and marking CUI correctly in both digital and physical form
•      Serve as the internal resource for CUI classification questions from program managers, engineers, procurement, and other staff

Contract & Regulatory Compliance
•      Partner with the contracts and legal team to review all incoming and existing contracts for CMMC, CUI, and DFARS compliance obligations
•      Maintain the organization's Contract Compliance Register: tracking which contracts require CMMC, what level is required, what CUI is involved, and which systems and personnel are in scope
•      Identify and manage subcontractor flow-down obligations; verify that suppliers receiving CUI have appropriate compliance posture and contractual protections in place
•      Support bid and proposal activities by assessing CMMC and CUI requirements for new contract opportunities and providing compliance cost and timeline estimates
•      Coordinate cyber incident reporting obligations under DFARS 252.204-7012, including liaison with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) as required

Cross-Functional Coordination & Training
•      Serve as the primary compliance liaison to IT, HR, legal, contracts, engineering, procurement, and executive leadership
•      Design and deliver an organization-wide security awareness training program; track completion and maintain training records for audit purposes
•      Develop role-specific compliance guidance for staff who handle CUI (engineers, program managers, procurement, shipping, etc.)
•      Facilitate compliance working groups and steering committee meetings with leadership; prepare and present compliance status briefings
•      Support onboarding and offboarding processes from a compliance standpoint, including access reviews and CUI handling acknowledgments

Vendor & Third-Party Risk Management
•      Maintain an inventory of third-party vendors and service providers who have access to organizational systems or CUI
•      Conduct or coordinate vendor compliance assessments; ensure vendor agreements include appropriate security and CUI protection requirements
•      Monitor vendor compliance status and escalate risks to leadership when vendor posture does not meet organizational standards

Qualifications

Education
•      Bachelor's degree in Business Administration or related field preferred
•      Equivalent combination of education and directly relevant professional experience will be considered

Experience
•      5+ years of experience in compliance, regulatory affairs, information security governance, or a related field
•      Demonstrated experience managing or leading a compliance program in a DoD contracting environment
•      Direct, hands-on experience with NIST SP 800-171 gap assessments and SSP/POA&M development and maintenance
•      Experience interpreting and applying DFARS clauses, particularly 252.204-7012/7019/7020/7021
•      Proven track record coordinating across multiple business functions (IT, legal, HR, operations) on compliance initiatives
•      Experience preparing an organization for and managing an external audit or assessment process

Knowledge Requirements
•      NIST SP 800-171: deep working knowledge of all 14 control families and all 110 practices
•      CMMC 2.0 framework: Level 1 and 2 requirements, scoping guidance, and assessment methodology
•      DFARS cyber clauses: 252.204-7012, 7019, 7020, 7021 and their respective obligations
•      CUI program: 32 CFR Part 2002, the CUI Registry, marking requirements, and handling standards
•      Federal Acquisition Regulation (FAR): basic working knowledge as it relates to contractor obligations
•      ITAR / EAR: awareness of export control implications for technical data and IT systems
•      General IT security concepts: sufficient technical literacy to engage meaningfully with IT on control implementation

Preferred Qualifications
•      Experience working directly with a C3PAO during a formal CMMC assessment
•      Familiarity with NIST SP 800-172 enhanced requirements applicable to CMMC Level 2
•      Experience with CUI Enclaves (Preveil, Secureframe, Virtru, Cuick Trac)
•      Background in quality management systems (ISO 9001, AS9100), useful for integrating compliance into operational processes
•      Experience managing a compliance program for a manufacturer or engineering firm in the defense industrial base (DIB)
•      Familiarity with SPRS (Supplier Performance Risk System) scoring and submission requirements
•      Prior experience as a CMMC Registered Practitioner (RP) or Assessor (CCA)

Certifications
•      One or more of the following certifications is required or strongly preferred:
       Certified CMMC Professional (CCP)
       Project Management Professional (PMP) or related certifications
       Certified CMMC Assessor (CCA)
       Certified Authorization Professional (CAP / CGRC)
