Compliance Manager
Position Summary

The Compliance Manager is the organizational owner of the company's regulatory compliance program, with primary accountability for achieving and maintaining Cybersecurity Maturity Model Certification (CMMC), ensuring alignment with NIST SP 800-171 and applicable DFARS clauses, and managing the identification and tracking of CUI-related contractual obligations across the business.

This is a leadership role that sits at the intersection of IT, legal, contracts, operations, and executive management. The Compliance Manager does not just track requirements - they drive the organization's compliance posture, build a culture of security awareness, and ensure the company is audit-ready at all times. They are the primary point of accountability when a C3PAO assessor walks in the door.

Key Responsibilities:

Compliance Program Ownership
- Own and continuously improve the organization's end-to-end compliance program encompassing CMMC, NIST SP 800-171, DFARS 252.204-7012/7019/7020/7021, and related federal regulations
- Develop, maintain, and enforce the organization's information security policies, standards, and procedures; ensure they are reviewed at least annually and updated in response to regulatory changes
- Maintain the System Security Plan (SSP), Plan of Action & Milestones (POA&M), and all supporting compliance artifacts; ensure they are current, accurate, and audit-ready at all times
- Own the organization's risk register; conduct periodic risk assessments and drive remediation planning in partnership with IT and operational leadership
- Track CMMC rulemaking, NIST guidance updates, and DoD policy changes; brief leadership on implications and required organizational responses
- Establish and report on compliance program metrics and key performance indicators (KPIs) to senior leadership on a regular cadence

CMMC Assessment Readiness
- Lead all activities related to preparation for and completion of CMMC third-party assessments (C3PAO); serve as the organization's primary point of contact with assessors
- Conduct and document internal gap assessments against NIST SP 800-171 and CMMC practice requirements; maintain evidence packages for all 110 practices
- Coordinate with IT to ensure that technical controls are implemented, documented, and generating the evidence required for a successful assessment
- Manage the POA&M lifecycle: identify gaps, assign remediation owners, set milestone dates, track progress, and verify closure
- Prepare staff for assessor interviews; conduct mock assessments and tabletop exercises to identify weaknesses before the formal assessment
- Maintain post-assessment continuous compliance, ensuring controls do not degrade between certification cycles

CUI Program Management
- Define, document, and maintain the organization's CUI scope: categories of CUI handled, all roles and individuals who access CUI, and all systems and locations where CUI is stored, processed, or transmitted
- Maintain the assessment boundary documentation and data flow diagrams in coordination with IT
- Develop and enforce CUI handling procedures, marking standards, and destruction requirements across all departments
- Conduct periodic CUI audits to verify that staff are handling and marking CUI correctly in both digital and physical form
- Serve as the internal resource for CUI classification questions from program managers, engineers, procurement, and other staff

Preferred Education & Certification(s):
- Bachelor's Degree, preferably in Cybersecurity, Information Technology, or a similar field
- Certified CMMC Professional (CCP)
- Certified CMMC Assessor (CCA)
- Project Management Professional (PMP)
- Certified Authorization Professional (CAP / CGRC)