Compliance Operations Lead
GovSignals · New York, NY · 2 mo ago
HybridManagement$140k–$190k/yrFull-time
About the role
We're hiring a Compliance Operations Lead to build and own our security and compliance function. You'll report directly into the founding team and own GovSignals' entire security and compliance posture end-to-end.
Responsibilities
- Build and run the master compliance program covering FedRAMP High, IL5, CMMC Level 2, SOC 2, and adjacent public-sector frameworks, and maintain a forward-looking roadmap that anticipates new frameworks, customer requirements, and regulatory changes.
- Drive the FedRAMP High ATO roadmap end-to-end — including 3PAO coordination, agency sponsorship navigation, and continuous monitoring once authorized.
- Own evidence management end-to-end: stand up automated policy checks, control evidence capture, and continuous monitoring tooling so we are audit-ready every day, not the week before fieldwork — if it can be scripted, it should be.
- Lead quarterly and annual security documentation cycles, coordinate penetration tests and red-team engagements, and track remediation through to closure.
- Be the primary voice on enterprise security questionnaires and customer trust calls — join pitches and discovery calls as a front-line credibility asset, brief prospects on our compliance roadmap, represent GovSignals at industry and federal/defense forums, and build a customer-facing trust center and reusable response library that compresses sales cycles.
- Embed secure-by-design practices alongside engineering — policy checks in CI/CD, infrastructure-as-code guardrails, and hardened deployment pipelines — while monitoring the evolving threat landscape and proposing proactive hardening measures.
Requirements
- 3+ years leading compliance or security programs at a high-growth technology or defense startup, comfortable operating in a fast-moving, early-stage environment where priorities shift and you own the outcome.
- Demonstrated success achieving and maintaining FedRAMP High ATO or an equivalent high-impact authorization — you've taken a startup through a real authorization and built a compliance program from a blank page.
- Deep working fluency with IL5, CMMC Level 2, SOC 2 Type II, NIST 800-171, and the broader U.S. public-sector compliance landscape.
- Proven ability to design and run automated evidence collection, policy management, and vulnerability-tracking workflows — not just operate someone else's GRC tool — plus experience coordinating red-team, penetration-test, or bug-bounty programs and translating findings into engineering action.
- You write policy and you read code, and can sit with an auditor and a senior engineer in the same meeting and translate cleanly between them.
- Strong written and verbal communication for both technical and executive audiences; comfortable owning customer security reviews end-to-end, because one failed control or one botched questionnaire response can stall a seven-figure deal.
Qualifications
- Nice to have: hands-on exposure to Kubernetes, Terraform, JAMF, and modern DevSecOps toolchains; prior experience supporting an IC or DoD customer base; a background in government contracting, the military, or the intelligence community.
How We Hire
- Intro conversation (30 min) — your background and how you've built and run compliance and security programs.
- Working session (45 min) — walk through a live compliance/authorization scenario and a customer-trust mock, talking through how you'd drive a control or questionnaire to closure.
- Co-founder conversations (15 min) — meet the cofounders.
- Paid work trial (1 day) — real work with the team.
- Offer.
Compensation & Benefits
- Base Salary: $140,000 – $190,000
- Equity: Meaningful stake in a well-funded, fast-growing startup
- Benefits: medical, vision, and dental, unlimited PTO
- Brooklyn Navy Yard office, 3+ days a week in person.