Program Manager -FedRAMP programs & Azure Gov

Role : Program Manager Location: Pittsburgh, PA, Lake Mary, FL, or New York , NY ( Remote is an option too)Duration : 12 Months JOB DESCRIPTIONRole OverviewClient is seeking a seasoned Program Manager to lead the creation, authorization, and continuous governance of a FedRAMP-compliant Azure Government tenant underpinning government paymenttransaction services. You will own the end-to-end program—system boundary definition, documentation, ATO readiness, , and continuous monitoring—ensuring sustained compliance at FedRAMP High The ideal candidate blends rigorous compliance leadership with strong cloud security and platform enablement skills and has demonstrated success in -system subject to federal compliance.Key ResponsibilitiesProgram Leadership and GovernanceOwn the multi-year FedRAMP roadmap for an Azure Government tenant supporting government transactions; define milestones, risks, dependencies, and decision gates.Establish governance forums and operating mechanisms across engineering, cloud platform, information security, risk/compliance, legal, payment operations, and 3PAOs.Maintain program OKRs/KPIs: POA&M closure velocity, control coverage, vulnerability SLAs, ConMon completeness, audit readiness, and Drive disciplined change control, evidence management, , and control attestation workflows aligned to FedRAMP requirements.Manage external partners and 3PAO activities (readiness, assessments, remediation)FedRAMP Authorization (ATO) ReadinessLead authoring and maintenance of FedRAMP artifacts: SSP and associated FedRAMP appendices, POA&M, policies/standards/procedures, boundary diagrams, and data flows tailored to Azure Government/GCC High constructs.Define and maintain the system boundary and data categorization supporting payment transactions; align to FedRAMP High baseline.Coordinate control implementation across all FedRAMP control families. .Conduct gap analyses against NIST SP 800-53 controls; drive remediation plans and ensure traceability from control narratives to technical and process evidence.Continuous Monitoring & OperationsStand up and run Continuous Monitoring, in alignment with FedRAMP High guidelines, for the Azure Government tenant: scanning cadence, patch cycles, configuration baseline monitoring, control effectiveness checks, incident handling, and change compliance.Own POA&M lifecycle: triage findings, prioritize by risk, execute corrective actions, validate closure, reporting outstanding actions, and update artifacts.Maintain real-time dashboards and reporting for control posture, exceptions, residual risk, and operational health across payment services and shared services.Ensure SSP and supporting documentation are promptly updated to reflect material changes to boundary, services, configurations, or controls.Coordinate security incident response processes with SOC teams and act as interface with the client throughout the incident lifecycle including root cause analysis and closure.Audit, Stakeholder, and External EngagementServe as the primary contact for internal/external audits, 3PAO assessments, and authorizing officials; coordinate evidence collection and subject matter responses.Prepare teams for assessments; lead walkthroughs, demos, and artifact reviews; shepherd remediation and risk acceptance processes as appropriate.Enable engineering, operations, and payment teams with training and lightweight process embeds to sustain day-to-day FedRAMP compliance.Risk Management and Issue ResolutionMaintain a program risk register spanning control gaps, architectural changes, data flows, vendor dependencies, and operational risks in payment services.Escalate issues with quantified impact; drive compensating controls or risk acceptance decisions in partnership with risk/compliance.RequiredQualifications7+ years of program management in regulated cloud environments; 3+ years directly owning FedRAMP programs, artifacts, and Continuous Monitoring.Hands-on oversight,authorship, maintenance and response experience with SSP, POA&M, SAP/SAR; proven track record achieving/maintaining ATO for cloud services.Deep knowledge of NIST SP 800-53 control families, FedRAMP Moderate/High baselines, -ConMon processes, and 3PAO engagements.Strong familiarity with Azure Government or GCC High and core security capabilities: identity/access, logging/monitoring, encryption, policy enforcement, landing zone patterns.Demonstrated success orchestrating cross-functional teams (security, cloud/platform, payments, operations, compliance, legal) to deliver complex regulatory programs.Exceptional communication skills: executive reporting, control narratives, audit responses, and stakeholder management.Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field; equivalent experience considered.Preferred QualificationsDirect experience enabling government payment transactions on cloud platforms and aligning control implementations to transactional risk profiles.Azure-focused security experience (Defender for Cloud, Sentinel, Azure Policy/Blueprints, Key Vault, Private Link, Purview).Prior experience collaborating with federal agencies, sponsoring organizations, or authorizing officials for ATOs.Experience with security compliance to IRS 1075 requirements Certifications: PMP, CISSP, CCSP, CISM, Azure Security Engineer Associate, or equivalent.Key CompetenciesOwnership and disciplined execution across multi-workstream, cross-functional programs.Ability to translate regulatory requirements into practical, testable technical and process controls.Risk-based decision-making with clear prioritization and measurable outcomes.Influencing and stakeholder leadership; driving alignment without formal authority.Documentation rigor and audit readiness; maintaining high-quality, current artifacts.Continuous improvement mindset; leveraging metrics to improve control posture and operational efficiency.Work Arrangement and LocationFlexible work arrangements may be available in accordance with BNY policies and applicable role requirements.Limited travel may be required for assessments, audits, or stakeholder workshops.Program KPIs (example targets; customizable)POA&M closure: ≤ 30 calendar days average for High findings; ≤ 60 for Moderate.Continuous Monitoring: 100% monthly reporting completeness across in-scope services.Configuration drift: ≤ 5% variance from baseline across evaluated resources per month.Vulnerability remediation: Meet or exceed FedRAMP timelines by severity category.Audit readiness: “Green” status across evidence.completeness and control demonstration prior to 3PAO assessments.Best Regards,Bismillah Arzoo (AB)