Program Manager

Role Overview

We are seeking a seasoned Program Manager to lead the creation, authorization, and continuous governance of a FedRAMP-compliant Azure Government tenant underpinning government payment transaction services. This role owns the end-to-end program, including system boundary definition, documentation, ATO readiness, and continuous monitoring, ensuring sustained compliance at FedRAMP High.

The ideal candidate blends rigorous compliance leadership with strong cloud security and platform enablement skills and has demonstrated success in systems subject to federal compliance.

Key Responsibilities

Program Leadership and Governance
- Own the multi-year FedRAMP roadmap for an Azure Government tenant supporting government transactions; define milestones, risks, dependencies, and decision gates
- Establish governance forums and operating mechanisms across engineering, cloud platform, information security, risk/compliance, legal, payment operations, and 3PAOs
- Maintain program OKRs/KPIs, including POA&M closure velocity, control coverage, vulnerability SLAs, continuous monitoring completeness, and audit readiness
- Drive disciplined change control, evidence management, and control attestation workflows aligned to FedRAMP requirements
- Manage external partners and 3PAO activities, including readiness, assessments, and remediation

FedRAMP Authorization (ATO) Readiness
- Lead authoring and maintenance of FedRAMP artifacts, including the SSP and associated appendices, POA&M, policies, standards, procedures, boundary diagrams, and data flows tailored to Azure Government/GCC High
- Define and maintain the system boundary and data categorization supporting payment transactions, aligned to the FedRAMP High baseline
- Coordinate control implementation across all FedRAMP control families
- Conduct gap analyses against NIST SP 800-53 controls; drive remediation plans and ensure traceability from control narratives to technical and process evidence

Continuous Monitoring & Operations
- Stand up and operate Continuous Monitoring aligned with FedRAMP High guidelines, including scanning cadence, patch cycles, configuration baseline monitoring, control effectiveness checks, incident handling, and change compliance
- Own the POA&M lifecycle: triage findings, prioritize by risk, execute corrective actions, validate closure, report outstanding actions, and update artifacts
- Maintain dashboards and reporting for control posture, exceptions, residual risk, and operational health
- Ensure the SSP and supporting documentation reflect material changes to the system boundary, services, configurations, or controls
- Coordinate incident response with SOC teams and manage the incident lifecycle, including root cause analysis and closure

Audit, Stakeholder, and External Engagement
- Serve as the primary contact for internal/external audits, 3PAO assessments, and authorizing officials
- Coordinate evidence collection and subject matter responses
- Prepare teams for assessments, lead walkthroughs and artifact reviews, and manage remediation and risk acceptance processes
- Enable engineering, operations, and payment teams through training and process integration to sustain FedRAMP compliance

Risk Management and Issue Resolution
- Maintain a program risk register covering control gaps, architectural changes, data flows, vendor dependencies, and operational risks
- Escalate issues with quantified impact; drive compensating controls or risk acceptance decisions in partnership with risk/compliance

Required Qualifications
- 7+ years of program management in regulated cloud environments; 3+ years directly owning FedRAMP programs, artifacts, and Continuous Monitoring
- Hands-on oversight, authorship, maintenance, and response experience with SSP, POA&M, and SAP/SAR; proven track record achieving/maintaining ATO for cloud services
- Deep knowledge of NIST SP 800-53 control families, FedRAMP Moderate/High baselines, Continuous Monitoring processes, and 3PAO engagements
- Strong familiarity with Azure Government or GCC High and core security capabilities: identity/access, logging/monitoring, encryption, policy enforcement, landing zone patterns
- Demonstrated success orchestrating cross-functional teams (security, cloud/platform, payments, operations, compliance, legal) to deliver complex regulatory programs
- Exceptional communication skills: executive reporting, control narratives, audit responses, and stakeholder management
- Bachelor's degree in Information Security, Computer Science, Information Systems, or a related field; equivalent experience considered

Preferred Qualifications
- Direct experience enabling government payment transactions on cloud platforms and aligning control implementations to transactional risk profiles
- Azure-focused security experience (Defender for Cloud, Sentinel, Azure Policy/Blueprints, Key Vault, Private Link, Purview)
- Prior experience collaborating with federal agencies, sponsoring organizations, or authorizing officials for ATOs
- Experience with security compliance with IRS 1075 requirements
- Certifications: PMP, CISSP, CCSP, CISM, Azure Security Engineer Associate, or equivalent

Key Competencies
- Ownership and disciplined execution across multi-workstream, cross-functional programs
- Ability to translate regulatory requirements into practical, testable technical and process controls
- Risk-based decision-making with clear prioritization and measurable outcomes
- Influencing and stakeholder leadership; driving alignment without formal authority
- Documentation rigor and audit readiness; maintaining high-quality, current artifacts
- Continuous improvement mindset; leveraging metrics to improve control posture and operational efficiency

Work Arrangement and Location
- Flexible work arrangements may be available in accordance with organizational policies and applicable role requirements
- Limited travel may be required for assessments, audits, or stakeholder workshops

Program KPIs (example targets; customizable)
- POA&M closure: ≤ 30 calendar days average for High findings; ≤ 60 for Moderate
- Continuous Monitoring: 100% monthly reporting completeness across in-scope services
- Configuration drift: ≤ 5% variance from baseline across evaluated resources per month
- Vulnerability remediation: meet or exceed FedRAMP timelines by severity category
- Audit readiness: "Green" status across evidence completeness and control demonstration prior to 3PAO assessments