Program Manager

Program Manager

Role Overview

We are seeking a seasoned Program Manager to lead the creation, authorization, and continuous governance of a FedRAMP-compliant Azure Government tenant underpinning government payment transaction services. This role owns the end-to-end program, including system boundary definition, documentation, ATO readiness, and continuous monitoring, ensuring sustained compliance at FedRAMP High.

The ideal candidate blends rigorous compliance leadership with strong cloud security and platform enablement skills and has demonstrated success in systems subject to federal compliance.

Key Responsibilities

Program Leadership and Governance

• Own the multi-year FedRAMP roadmap for an Azure Government tenant supporting government transactions; define milestones, risks, dependencies, and decision gates
• Establish governance forums and operating mechanisms across engineering, cloud platform, information security, risk/compliance, legal, payment operations, and 3PAOs
• Maintain program OKRs/KPIs, including POA&M closure velocity, control coverage, vulnerability SLAs, continuous monitoring completeness, and audit readiness
• Drive disciplined change control, evidence management, and control attestation workflows aligned to FedRAMP requirements
• Manage external partners and 3PAO activities, including readiness, assessments, and remediation

FedRAMP Authorization (ATO) Readiness

• Lead authoring and maintenance of FedRAMP artifacts, including SSP and associated appendices, POA&M, policies, standards, procedures, boundary diagrams, and data flows tailored to Azure Government/GCC High
• Define and maintain system boundary and data categorization supporting payment transactions aligned to FedRAMP High baseline
• Coordinate control implementation across all FedRAMP control families
• Conduct gap analyses against NIST SP 800-53 controls; drive remediation plans and ensure traceability from control narratives to technical and process evidence

Continuous Monitoring & Operations

• Stand up and operate Continuous Monitoring aligned with FedRAMP High guidelines, including scanning cadence, patch cycles, configuration baseline monitoring, control effectiveness checks, incident handling, and change compliance
• Own POA&M lifecycle: triage findings, prioritize by risk, execute corrective actions, validate closure, report outstanding actions, and update artifacts
• Maintain dashboards and reporting for control posture, exceptions, residual risk, and operational health
• Ensure SSP and supporting documentation reflect material changes to system boundary, services, configurations, or controls
• Coordinate incident response with SOC teams and manage the incident lifecycle, including root cause analysis and closure

Audit, Stakeholder, and External Engagement

• Serve as the primary contact for internal/external audits, 3PAO assessments, and authorizing officials
• Coordinate evidence collection and subject matter responses
• Prepare teams for assessments, lead walkthroughs and artifact reviews, and manage remediation and risk acceptance processes
• Enable engineering, operations, and payment teams through training and process integration to sustain FedRAMP compliance

Risk Management and Issue Resolution

• Maintain a program risk register covering control gaps, architectural changes, data flows, vendor dependencies, and operational risks
• Escalate issues with quantified impact; drive compensating controls or risk acceptance decisions in partnership with risk/compliance

Required Qualifications

• 7+ years of program management in regulated cloud environments; 3+ years directly owning FedRAMP programs, artifacts, and Continuous Monitoring
• Hands-on oversight, authorship, maintenance, and response experience with SSP, POA&M, SAP/SAR; proven track record achieving/maintaining ATO for cloud services
• Deep knowledge of NIST SP 800-53 control families, FedRAMP Moderate/High baselines, Continuous Monitoring processes, and 3PAO engagements
• Strong familiarity with Azure Government or GCC High and core security capabilities: identity/access, logging/monitoring, encryption, policy enforcement, landing zone patterns
• Demonstrated success orchestrating cross-functional teams (security, cloud/platform, payments, operations, compliance, legal) to deliver complex regulatory programs
• Exceptional communication skills: executive reporting, control narratives, audit responses, and stakeholder management
• Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field; equivalent experience considered

Preferred Qualifications

• Direct experience enabling government payment transactions on cloud platforms and aligning control implementations to transactional risk profiles
• Azure-focused security experience (Defender for Cloud, Sentinel, Azure Policy/Blueprints, Key Vault, Private Link, Purview)
• Prior experience collaborating with federal agencies, sponsoring organizations, or authorizing officials for ATOs
• Experience with security compliance to IRS 1075 requirements
• Certifications: PMP, CISSP, CCSP, CISM, Azure Security Engineer Associate, or equivalent

Key Competencies

• Ownership and disciplined execution across multi-workstream, cross-functional programs
• Ability to translate regulatory requirements into practical, testable technical and process controls
• Risk-based decision-making with clear prioritization and measurable outcomes
• Influencing and stakeholder leadership; driving alignment without formal authority
• Documentation rigor and audit readiness; maintaining high-quality, current artifacts
• Continuous improvement mindset; leveraging metrics to improve control posture and operational efficiency

Work Arrangement and Location

• Flexible work arrangements may be available in accordance with organizational policies and applicable role requirements
• Limited travel may be required for assessments, audits, or stakeholder workshops

Program KPIs (example targets; customizable)

• POA&M closure: ≤ 30 calendar days average for High findings; ≤ 60 for Moderate
• Continuous Monitoring: 100% monthly reporting completeness across in-scope services
• Configuration drift: ≤ 5% variance from baseline across evaluated resources per month
• Vulnerability remediation: Meet or exceed FedRAMP timelines by severity category
• Audit readiness: “Green” status across evidence completeness and control demonstration prior to 3PAO assessments