CMMC Compliance Program Manager
El Segundo, CA - USA
Job Summary
About Varda
Low Earth orbit is open for business. Varda is accelerating the development of commercial space infrastructure from in-orbit pharmaceutical processing to reliable and economical reentry capsules.
From life-saving pharmaceuticals to more powerful fiber optics, there is a world of products used on Earth today that can only be manufactured in space. Varda is accelerating innovation in the orbital economy by creating both the products and the infrastructure needed so space can directly benefit life on Earth. Our mission is to expand the economic bounds of humankind.
Our team is uniquely suited to accomplishing this goal, with leadership and staff comprised of veterans from SpaceX, Blue Origin, major pharmaceutical companies and Silicon Valley. Varda was founded in January 2021 by Will Bruey and Delian Asparouhov with significant backing from world-class investors including Khosla Ventures, Lux Capital, Founders Fund, Caffeinated Capital, General Catalyst and Also Capital.
Varda is headquartered in El Segundo, California, where we have offices and a production facility in which our vehicles, equipment and materials are built, integrated and tested. Varda also has offices in Washington, DC and Huntsville, AL.
Join Varda and work to create a bustling in-space ecosystem.
CMMC Compliance Program Manager
Security Organization | Reports to CISO | On-site
About the Role
We are hiring a CMMC Compliance Program Manager to own and drive our CMMC Level 2 certification effort and to sustain our compliance posture beyond it. This is the central role in our security organization's compliance function, responsible for translating regulatory requirements into executable controls, coordinating across our security and IT organizations, and delivering a successful C3PAO assessment.
This is a hands-on, high-accountability role reporting directly to the CISO. You will work closely with our InfoSec Engineer, Security Operations Analyst and IT Director, and with our external partners, including our C3PAO and our managed SOC and RPO provider (SysARC). You are the person who ensures nothing falls through the cracks between now and certification, and who keeps us audit-ready permanently after.
The Immediate Mission
Our C3PAO assessment is scheduled for August. You will own getting us there:
- Take full ownership of the System Security Plan (SSP), documenting how all 110 NIST 800-171 practices are implemented across our environment
- Build and maintain the Plan of Action & Milestones (POA&M) for any gaps, with realistic remediation timelines
- Coordinate evidence artifact collection from our InfoSec Engineer, the IT Director's team and HR, ensuring every practice has supporting documentation
- Manage the day-to-day relationship with SysARC as our RPO: driving deliverables, validating their work products and integrating their outputs into our evidence packages
- Interface directly with our C3PAO as the primary point of contact for scheduling, pre-assessment requests and assessment coordination
- Run a pre-assessment readiness review before the formal C3PAO engagement to identify and close remaining gaps
What You'll Own
CMMC Assessment Program
- Own the SSP end-to-end: scope definition, control descriptions, implementation status and evidence mapping
- Maintain the POA&M with current status and drive remediation to closure
- Serve as primary liaison to our C3PAO assessors before, during and after the assessment
- Coordinate the SysARC RPO engagement: own the scope of work, milestone tracking and integration with internal deliverables
- Manage assessment scheduling, documentation submissions and assessor requests
Control Documentation & Evidence
- Define and maintain a control mapping across our tool stack: CrowdStrike, Zscaler, ThreatLocker, Darktrace and Okta
- Collect, organize and maintain evidence artifacts for all implemented controls: screenshots, config exports, policy documents, training records, access review logs and audit log samples
- Coordinate with the IT Director's team (Network Engineer, Help Desk) to produce infrastructure evidence: patch logs, change records and configuration documentation
- Work with HR to document personnel security controls: background checks, onboarding/offboarding procedures and security awareness training completion
Policy & Standards
- Write and maintain the security policies required by CMMC Level 2: Acceptable Use, Incident Response, Access Control, Configuration Management, Media Protection and others
- Ensure policies are implemented, communicated and tied to assessable controls
- Own the security awareness training program: content, delivery, tracking and evidence of completion
Risk & Continuous Compliance
- Maintain the risk register and ensure identified risks are tracked, assigned and remediated
- Establish a continuous monitoring cadence post-certification to maintain audit readiness
- Coordinate periodic access reviews, vulnerability scan reviews and control effectiveness reviews
- Track CMMC regulatory updates and assess their impact on our compliance posture
Cross-Functional Coordination
- Own the RACI between our Security organization and IT organization for CMMC control ownership and evidence accountability
- Brief the CISO weekly on program status, open risks and blockers
- Ensure SysARC's SOC outputs (alert logs, IR documentation, monitoring reports) are captured and organized as AU and IR domain evidence
- Coordinate with the IT Director to ensure his team understands their evidence obligations and meets deadlines
What You Won't Do
This role is not responsible for security engineering, tool configuration or SOC operations. Those are owned by our InfoSec Engineer and Security Operations Analyst, respectively, with SOC monitoring handled by SysARC. Your lane is program ownership, documentation, evidence and coordination, not technical implementation.
Basic Qualifications
- 5 years in GRC, compliance or security program management roles
- Direct hands-on experience with CMMC Level 2, either as a primary GRC lead in a C3PAO assessment or as an RPO practitioner supporting a Level 2 implementation
- Demonstrated ability to write and maintain a System Security Plan (SSP) and POA&M against NIST 800-171
- Experience managing evidence collection programs for compliance audits: organizing artifacts, tracking gaps and coordinating across departments
- Comfortable working in a lean organization where you own your domain without dedicated staff below you
- Experience interfacing with external auditors or assessors as an organizational point of contact
- Familiarity with the GovCon or defense industrial base compliance environment
Preferred Qualifications
- Participated in a successful CMMC Level 2 C3PAO assessment as the primary compliance lead or assessment coordinator
- Registered Practitioner (RP) credential from the CMMC-AB or experience working embedded within an RPO
- Hands-on familiarity with one or more of our tool stack (CrowdStrike, Zscaler, ThreatLocker, Darktrace, Okta), sufficient to understand what evidence each tool can produce and how to extract it
- Experience managing a compliance program alongside a managed SOC or MSSP, understanding how to integrate third-party monitoring outputs into internal compliance evidence
- Certifications: CCP (Certified CMMC Professional), CCA (Certified CMMC Assessor), CISA, CISM or CISSP
- Experience at a DoD prime or subcontractor, a defense-adjacent technology company or a GovCon-focused MSSP
- Familiarity with ITAR/EAR compliance in a defense context, relevant as we grow into regulated programs
Why This Role Matters
Our CMMC Level 2 certification is directly tied to our ability to win and retain DoD contracts. This is not a future-state initiative: the assessment is scheduled and the deadline is real. The person in this role will be the reason we pass.
Beyond August, this role becomes the permanent owner of our compliance posture as we grow, including a major new facility coming online and expanded program requirements. You will have direct access to the CISO, full ownership of a critical function and the satisfaction of building something that matters.
Compensation
- $145,000 - $175,000
- Leveling and base salary are determined by job-related skills, education level, experience level and job performance
- You will be eligible for long-term incentives in the form of stock options and/or long-term cash awards
- Offer compensation also includes the ability to purchase company stock through the Employee Stock Purchase Plan
ITAR Requirements
Varda, like all employers, must ensure that its employees working in the United States are lawfully authorized to work in the U.S. Additionally, our employees are exposed to and have access to certain export-controlled items. At present, some of the technology to which our employees have access requires a license to be exported to individuals other than U.S. Persons as defined in U.S. export regulations. Because our employees are provided access to export-controlled items, our current policy is to hire only U.S. persons who are permitted to have access to our technology without an export license.
U.S. person means: U.S. citizen, U.S. lawful permanent resident, or protected individual as defined by 8 U.S.C. 1324b(a)(3) (i.e. an individual admitted to the U.S. as a refugee or granted asylum in the U.S.).
Learn more about the ITAR here.
Benefits
- Exciting team of professionals at the top of their field working by your side
- Equity in a fully funded space startup with potential for significant growth (interns excluded)
- 401(k) matching (interns excluded)
- Unlimited PTO (interns excluded)
- Health insurance including Vision and Dental
- Lunch and snacks provided on site every day. Dinners provided twice a week.
- Maternity / Paternity leave (interns excluded)
Varda Space Industries is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. Candidates and employees are always evaluated based on merit, qualifications and performance. We will never discriminate on the basis of race, color, gender, national origin, ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.
E-Verify Statement
Varda Space Industries Inc. participates in the U.S. Department of Homeland Security E-Verify program. The E-Verify program is an Internet-based employment eligibility verification system operated by the U.S. Citizenship and Immigration Services. Learn more about the E-Verify program.
E-Verify Notice | Right To Work Notice
Required Experience:
Manager
About Company
Expanding the economic bounds of humankind with the world's first orbital manufacturing & reentry platform.