Principal of FedRAMP Compliance

Consensus Cloud Solutions is a publicly traded, leading digital cloud fax and interoperability solutions organization in the United States and globally, focusing on connecting and empowering healthcare providers, payers, care teams, and technology innovators to unify multiple systems that wouldn’t otherwise talk to each other. Consensus is a trailblazer in our industry and believes that data transformation will reshape the world of healthcare.

Founded over 25 years ago, Consensus leverages its technology heritage to move from simple digital documents to advanced healthcare standards (HL7/FHIR) for secure data transport, as well as Natural Language Processing (NLP) and Artificial Intelligence (AI) to convert unstructured to structured, analytics-ready data, helping users unveil information that is meaningful and actionable for better patient care.  

Consensus leads the industry in data exchange solutions and we’re only getting started! With exciting new initiatives on the horizon, we are continuing our strategic expansion and we are looking to add to our diverse team of innovators. 

Now is the ideal time to join us in our mission to solve healthcare’s biggest challenges, and work collaboratively with a diverse team of like-minded self-starters and partners to accomplish it. 

Consensus Cloud Solutions is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive and equitable environment for all employees. We offer many remote and hybrid career opportunities.

How you will impact the organization…

The Principal of Information Security, Governance, Risk, and Compliance (GRC) for FedRAMP at Consensus serves as the central point for operational compliance, maintaining FedRAMP High authorization, and ensuring SaaS platform compliance with federal security mandates. This role is vital to Consensus’ mission of providing secure and trusted communication solutions to federal partners and reports to the Director of GRC.

The Principal leads the design, implementation, and oversight of the FedRAMP GRC framework, ensuring effective governance, risk management, and alignment with NIST 800-53 Rev. 5 controls. The Principal manages the lifecycle of FedRAMP compliance activities, including developing and enforcing Rules of Behavior, overseeing background screening for authorized personnel, and tracking Plan of Action and Milestones (POA&M). This role ensures the timely remediation of vulnerabilities in accordance with FedRAMP risk thresholds and oversees incident response training, simulation, and testing in compliance with federal agency expectations.

The Principal is accountable for maintaining FedRAMP authorization through compliance efforts, including coordinating with an independent Third Party Assessment Organization (3PAO) for annual assessments, penetration testing, and red team exercises. The Principal leads and is responsible for artifact preparation, quality assurance, and submission for these audits, ensuring that all documentation is maintained per FedRAMP schedules. This includes managing the FedRAMP Security Package, System Security Plan (SSP), all related policies and procedures, and other FedRAMP-related documentation and artifacts, as well as the FedRAMP-compliant hosted secure repository for authorization materials. This role is central to ensuring secure service delivery to the federal government and supports Consensus’ goal of being a trusted Cloud Service Provider in the public sector.

The value you will deliver…

  • Lead the design, implementation, and ongoing management of the organization’s FedRAMP High GRC program in alignment with NIST 800-53 Rev. 5.
  • Manage third parties, such as managed security service providers performing FedRAMP functions, and direct overall project management support for the FedRAMP program.
  • Develop, track, and report Plan of Action and Milestones (POA&Ms) within 7 days of issue identification.
  • Manage vulnerability remediation to ensure compliance with FedRAMP timelines: High (30 days), Moderate (90 days), and Low (180 days). 
  • Escalate unremediated vulnerabilities and initiate POA&M creation when remediation cannot meet required deadlines. 
  • Compile and submit Monthly Continuous Monitoring (ConMon) reports, including vulnerability scans, POA&M tracker, and asset inventory.
  • Coordinate and lead Annual 3PAO Security Assessments, including penetration testing and red team exercises.
  • Collect, review, and submit all required security artifacts to support 3PAO audits and VA assessment activities.
  • Maintain and update all FedRAMP-required security documentation, policies, and procedures for the SaaS platforms and systems to ensure compliance.
  • Manage and maintain a FedRAMP-compliant, hosted secure repository for storing and retrieving FedRAMP security packages.
  • Provision access to the FedRAMP package for approved requests submitted through the FedRAMP PMO.
  • Administer incident response training to all assigned personnel within 10 days of role assignment and annually thereafter.
  • Conduct functional incident response testing every 6 months and report findings to the VA.
  • Oversee background checks and reinvestigations for all personnel requiring system access, consistent with high-impact public trust requirements. Other requirements may be adopted to meet customer needs as well. 
  • Ensure Rules of Behavior agreements are distributed, acknowledged, and collected before system access authorization.
  • Serve as System Steward for the VA-F package in eMASS, managing Risk Management Framework (RMF) activities and workflows.
  • Support annual ATO assessments and manage POA&M lifecycle activities within the VA eMASS system.
  • Submit and maintain accurate documentation for the initial and ongoing FedRAMP Marketplace listing of Consensus as the CSP.
  • Maintain current and accurate SaaS platform and system architecture diagrams, updating as needed when system changes occur.
  • Deliver and track annual security and privacy literacy training for all project personnel with system access.
  • Submit all Security Change Requests (SCRs) and Deviation Requests to the VA for approval and track resolution. 
  • Manage programs and projects for GRC functions to ensure milestones are met and initiatives are on track within budget. 
  • Collaborate on the design and implementation of the organization’s broader information security GRC program, including vendor risk, cloud security compliance, and administrative, technical, and organizational controls.
  • Ensure that security compliance is deeply integrated into the organization’s cloud technology stack and development lifecycle.
  • Identify, evaluate, and implement GRC tools and technologies that support the organization's security objectives, such as policy automation platforms, training and awareness systems, third-party risk management tools, and identity management solutions.
  • Provide security and compliance guidance to IT, engineering, and development teams to support the design of secure, compliant, and resilient cloud-based architectures.
  • Help cross-functional teams make informed decisions that balance technical requirements with regulatory and compliance obligations.
  • Support internal and external audits unrelated to FedRAMP by providing necessary documentation, evidence, and subject matter expertise.
  • Assist with responses to customer security assessments and third-party due diligence requests.
  • Collaborate with legal, HR, and procurement to address emerging compliance obligations and integrate security into business operations.
  • Contribute to the development and delivery of enhanced internal security training and awareness initiatives beyond FedRAMP-specific requirements.
  • Participate in the evaluation or deployment of new cybersecurity tools that may enhance the overall security or compliance posture.
  • Assist with internal investigations or security incident reviews involving potential policy violations or technical control failures.
  • Mentor junior staff or cross-functional team members in information security and compliance best practices.
  • Contribute to non-FedRAMP compliance frameworks, such as ISO 27001, SOC 2, or HIPAA, when required.
  • Support business continuity planning, disaster recovery documentation, or exercises.
  • Perform other duties and responsibilities as required, assigned, or requested. Consensus reserves the right to add or change duties at any time.

What you will bring to the table…

  • Active, in-good-standing security certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified Information Systems Auditor (CISA), or the ability to obtain one within 12 months of hire.
  • 8+ years of experience in information security governance, risk, and compliance, with at least 5 years specifically supporting FedRAMP High or other federal compliance frameworks such as FISMA, NIST SP 800-53 Rev. 5, or RMF.
  • 5+ years of experience managing or supporting security assessments with Third Party Assessment Organizations (3PAOs), including artifact collection, audit response, and POA&M management.
  • 3+ years of experience working with FedRAMP Secure Repository or similar document repositories in a High-Impact cloud environment.
  • 3+ years of hands-on experience using GRC platforms such as RSA Archer, ServiceNow GRC, OneTrust, or LogicGate for control management, risk tracking, and audit readiness.
  • 3+ years of experience with vulnerability management platforms such as Tenable, Qualys, or Rapid7, including scan analysis, remediation planning, and report generation.
  • 2+ years of experience with identity and access management systems (e.g., Okta, Azure AD) to support access control governance and user behavior auditing.
  • Demonstrated experience working within or alongside cloud environments such as AWS GovCloud or Azure Government, including understanding of cloud-native security controls and configurations.
  • Familiarity with eMASS for Risk Management Framework (RMF) documentation and workflow management, preferably in support of VA or other federal agency systems.
  • Proficiency in using and understanding the inputs and outputs of the following tools: Nessus Pro, Burp Suite, Splunk, AWS IAM, AWS GovCloud resources, AWS backup and disaster recovery tools, Jira, FortiGate firewall, Fortinet Enterprise Management Server, ManageEngine ticketing system, Google Workspace apps such as Google Docs and Google Sheets, Microsoft Word, Microsoft Excel, one-time password (OTP) systems, and Okta Identity Provider.
  • Experience in developing and conducting company-wide security training, phishing simulations, and awareness programs to educate employees on security best practices and reduce the risk of security incidents.
  • Experience in performing security vendor risk assessments to evaluate and manage third-party security risks effectively, ensuring vendors meet the organization’s security standards.
  • Ability to develop and maintain a customer-facing trust center to provide transparency and build trust with customers by clearly communicating the company’s security practices and certifications.
  • Skill in handling security inquiries from customers promptly and accurately, enhancing customer confidence in the organization’s security posture.
  • Experience in managing information security audits to assess and improve the company’s security posture and compliance with industry standards and regulatory requirements.
  • Proficiency in overseeing product security certifications to ensure all products meet necessary security requirements and maintain their certifications.
  • Knowledge of business continuity exercises and the ability to coordinate and conduct them to prepare for and respond to potential disruptions, ensuring operational resilience.
  • Ability to implement continuous monitoring and assessment programs to identify and address security threats in real time, maintaining a proactive security stance.
  • Experience in providing executive and board of directors reporting on the company’s security status, initiatives, and risk management efforts to ensure informed decision-making.
  • Skill in developing and enforcing robust security policies and procedures that align with the organization’s goals and objectives, ensuring comprehensive security coverage.
  • Demonstrates strong analytical skills to assess complex security risks, interpret compliance requirements, and evaluate technical vulnerabilities.
  • Applies precision and thoroughness in managing documentation, tracking POA&Ms, and ensuring compliance with FedRAMP and NIST requirements.
  • Maintains the ability to think long-term and align security initiatives with business and cloud technology goals.
  • Possesses a strong understanding of cloud architectures, security control implementation, and compliance automation tools.
  • Effectively plans, organizes, and coordinates security initiatives, assessments, and remediation efforts under strict deadlines.
  • Applies critical thinking to identify root causes of security issues and develop practical, scalable solutions.
  • Communicates clearly and effectively with technical and non-technical stakeholders, including auditors, developers, and executive leadership.
  • Works collaboratively across various functions, including engineering, legal, IT, and operations, to support security and compliance objectives.
  • Guides cross-functional teams, provides subject matter expertise, and influences decision-making to prioritize security and compliance.
  • Proactively identifies risks, drives improvements, and anticipates future compliance needs and opportunities for program maturity.
  • Responds flexibly to evolving regulatory requirements, customer expectations, and organizational priorities.
  • Balances technical feasibility, risk impact, and compliance obligations to support informed, risk-based decisions.
  • Builds and refines repeatable, auditable processes for security governance, risk management, and compliance activities.
  • Evaluates and implements tools and platforms that automate GRC functions and integrate with cloud-native environments.
  • Develops clear, accurate, and actionable policies, procedures, and compliance artifacts.

You will stand out if you also have…

  • Bachelor's degree in computer science, information technology, cybersecurity, or equivalent experience. A master's degree may be preferred.
  • CISSP and Project Management Professional (PMP) certification is preferred.
  • Typically 6-8 years of experience in cybersecurity and information security roles.
  • Proven experience in FedRAMP compliance, risk management, and integrating security compliance into software development processes.
  • Proficiency in various cybersecurity technologies and tools, including security training and awareness tools, vendor risk management tools, and security compliance and risk register tools.
  • Hands-on experience with security assessment and security benchmarking testing tools.
  • Familiarity with security information and event management (SIEM) systems.
  • Experience in deployment of cloud controls for infrastructure, platform, and applications (IaaS/SaaS/PaaS), specifically within AWS.
  • Active, transferable U.S. security clearance at the Public Trust level or higher preferred.

Additional details…

  • Location requirements: Fully remote within the U.S. 
  • Travel requirements: Up to 10% travel
  • Physical requirements: Must be able to sit for long periods and handle long periods of screen time
  • Technology requirements: Reliable, high speed internet
  • Eligible for sponsorship: No
  • Security clearance: Ability to achieve and maintain a security clearance with the U.S. Government is required

The salary range for this role is $145,000 - $160,000 USD annually. The total compensation package for this position is negotiable and may also include annual performance bonus, ESPP, enhanced time off packages and benefits. This job doesn't have an expiration date and will remain open until a qualified candidate is hired. 

We are not accepting agency submissions for this role.

To learn more about us visit consensus.com


Employment type: Full-time, remote
Date posted: July 16, 2025