Director, FedRAMP Program

Freshworks


Job Location:

San Mateo, CA - USA

Monthly Salary: Not Disclosed
Posted on: 3 days ago
Vacancies: 1 Vacancy

Job Summary

We are seeking an experienced Director, FedRAMP Program to lead our federal compliance and authorization program for our SaaS cloud service offerings. This role reports directly to the Chief Information Security Officer and owns the end-to-end FedRAMP journey: readiness and authorization planning, 3PAO assessment, agency sponsor coordination, Authorization to Operate (ATO), and post-authorization continuous monitoring.

The ideal candidate has personally led, or played a senior leadership role in, bringing a SaaS company through FedRAMP Moderate authorization; FedRAMP High experience is strongly preferred. This is a cross-functional leadership role requiring deep knowledge of FedRAMP, NIST SP 800-53, cloud security, SaaS engineering operations, SSDLC, DevSecOps, audit readiness, executive communication, risk management, and federal customer expectations.

This role will serve as the primary program leader connecting Security, Engineering, Product, IT, Legal, GRC, Sales, Customer Success, external advisors, 3PAOs, and federal agency stakeholders. Success requires more than managing checklists. This person must be able to drive real control implementation, unblock engineering dependencies, manage risk tradeoffs, and keep executives aligned on timeline, scope, cost, and residual risk.

Key Responsibilities:

FedRAMP Program Leadership

  • Own and lead the company's FedRAMP program from readiness (FW has completed RADD for Moderate) through ATO and continuous monitoring.
  • Develop the overall FedRAMP ATO strategy, roadmap, execution plan, work breakdown structure, milestone plan, and executive reporting model.
  • Lead the company through FedRAMP Moderate authorization, with a path to FedRAMP High for a future ATO.
  • Define and manage the FedRAMP authorization boundary for the cloud service offering.
  • Partner with Security, Engineering, Product, IT, Legal, Privacy, Compliance, and GTM teams to align FedRAMP requirements with business and customer needs.
  • Translate FedRAMP requirements into clear workstreams, owners, deliverables, deadlines, and measurable outcomes.
  • Maintain executive-level visibility into program status, risks, decisions, blockers, and funding needs.

Authorization Package Ownership

  • Own the development, maintenance, and quality of the FedRAMP authorization package, including the SSP, SAP, SAR, POA&M, control implementation narratives, policies, standards, procedures, control inheritance documentation, architecture diagrams, data flow diagrams, boundary documentation, and supporting operational evidence.
  • Ensure documentation accurately reflects the real operating environment rather than aspirational controls.
  • Build a durable evidence repository and a repeatable evidence collection process.
  • Establish documentation quality standards to reduce rework during 3PAO and agency review.

3PAO, Advisor, and Agency Coordination

  • Serve as the primary internal program owner for external FedRAMP partners, including advisors, consultants, 3PAOs, and agency stakeholders.
  • Coordinate readiness assessments, gap assessments, formal assessments, evidence requests, control interviews, penetration testing, and remediation validation.
  • Manage 3PAO engagement timelines, dependencies, artifacts, and issue resolution.
  • Support agency sponsor conversations and help prepare the materials needed for agency authorization review.
  • Ensure SAR findings are translated into clear remediation plans and risk decisions.

POA&M and Risk Management

  • Own the POA&M process for FedRAMP-related findings, vulnerabilities, control gaps, and residual risks.
  • Drive timely remediation of POA&M items across Engineering, Cloud Infrastructure, Cybersecurity, IT, and Product teams.
  • Establish clear ownership, due dates, severity, risk rationale, evidence requirements, and closure criteria for each POA&M item.
  • Escalate overdue or high-risk items to the appropriate leadership forums.
  • Partner with business and technical owners to determine when remediation, mitigation, compensating controls, or formal risk acceptance is appropriate.
  • Maintain a clear view of residual risk for executives and authorizing stakeholders.

Control Implementation and Engineering Alignment

  • Partner with Engineering, Cloud Infrastructure, and Cybersecurity teams to implement FedRAMP-required security controls in a SaaS cloud environment.
  • Drive control maturity across identity and access management, privileged access management, vulnerability management, secure configuration management, logging, monitoring, alerting, incident response, encryption, key management, change management, backup and recovery, contingency planning, asset inventory, boundary protection, software supply chain security, and secure SDLC.
  • Help engineering teams understand not just what is required, but why it matters and how to implement it sustainably.
  • Identify control implementation gaps early and drive resolution before they become audit blockers.

Continuous Monitoring and Post-ATO Operations

  • Assist in building and operating the FedRAMP continuous monitoring program after authorization.
  • Own recurring ConMon deliverables: evidence collection, vulnerability reporting, POA&M updates, significant change analysis, incident reporting coordination, and ongoing agency reporting.
  • Partner with Security Operations, Cybersecurity Engineering, and Compliance to maintain authorization posture.
  • Establish operational processes to prevent control drift after ATO.
  • Track changes to FedRAMP guidance, NIST requirements, agency expectations, and federal cybersecurity directives.
  • Prepare the organization for annual assessments and ongoing authorization maintenance.
  • Keep abreast of FedRAMP program changes, such as FedRAMP 20x, and how they might impact our FedRAMP program.

Executive and Cross-Functional Communication

  • Provide clear, concise program updates to executives, steering committees, and board-level stakeholders.
  • Communicate program health, milestone status, material risks, funding needs, staffing constraints, and decision points.
  • Create executive-ready reporting that connects FedRAMP work to customer trust, federal revenue opportunities, risk reduction, and operational maturity.
  • Facilitate cross-functional decision-making when security requirements conflict with product timelines, engineering capacity, or customer commitments.
  • Serve as the internal FedRAMP translator: able to explain complex requirements in business, technical, and executive terms.

Federal GTM and Customer Support

  • Partner with Sales, Legal, Customer Success, and Cybersecurity GTM teams to support federal customer conversations.
  • Help develop accurate FedRAMP-related customer messaging, RFP responses, trust center content, and security collateral.
  • Ensure external claims about FedRAMP status, roadmap, and control maturity are accurate and legally defensible.
  • Support customer security reviews and federal procurement diligence related to FedRAMP.

Qualifications:

  • 10 years of experience in cybersecurity, compliance, GRC, cloud security, audit, risk management, or security program leadership.
  • Direct experience leading, or materially contributing to, a FedRAMP Moderate ATO for a SaaS or cloud service provider.
  • Strong working knowledge of the FedRAMP authorization lifecycle, NIST SP 800-53, FedRAMP Rev. 5 requirements, the SSP, SAP, SAR, and POA&M, continuous monitoring, the 3PAO assessment process, and agency authorization processes.
  • Demonstrated ability to manage complex cross-functional security programs involving Engineering, Product, Cloud Infrastructure, Cybersecurity, Legal, GRC, and executive stakeholders.
  • Experience building and maintaining audit evidence repositories and compliance operating models.
  • Strong knowledge of SaaS/cloud architecture, preferably AWS, Azure, or multi-cloud environments.
  • Strong understanding of technical security domains, including IAM, vulnerability management, logging/monitoring, encryption, incident response, secure SDLC, change management, and cloud infrastructure security.
  • Proven ability to drive remediation across teams that do not directly report to you.
  • Excellent written and verbal communication skills.
  • Ability to communicate clearly with both technical teams and executive stakeholders.
  • Strong project/program management discipline, including milestone planning, dependency tracking, risk management, and executive reporting.

Preferred Qualifications

  • Experience leading or supporting a FedRAMP High authorization.
  • Experience with both agency authorization and legacy JAB-style authorization expectations.
  • Experience working directly with FedRAMP advisors, 3PAOs, agency sponsors, and federal customer security teams.
  • Experience with SaaS products serving enterprise and/or public sector customers.
  • Experience with AWS GovCloud, Azure Government, or other government cloud environments.
  • Experience with adjacent and additive frameworks such as CMMC, ITAR, SOC 2, ISO 27001, ISO 42001, HIPAA, PCI DSS, StateRAMP, IRAP, or ISMAP.
  • Experience supporting federal go-to-market, RFP responses, security questionnaires, and customer trust programs.
  • Certifications such as CISSP, CISM, CISA, CRISC, PMP, CCSP, or equivalent experience.
  • Experience standing up a new FedRAMP program from scratch.

Additional Information:

We're committed to building a workplace that reflects the diverse world we serve. At Freshworks you'll find inclusive teams, flexible thinking, and opportunities to grow your career, while making work better for millions.

If this sounds like a journey you want to be part of, we'd love to meet you. Let's build something refreshing together.

The annual base salary range for this position is $205,000 - $255,000.

Compensation is based on a variety of factors, including but not limited to location, experience, job-related skills, and level. Bonus/equity may be available.

At Freshworks we have fostered an environment that enables everyone to find their true potential, purpose, and passion, welcoming colleagues of all backgrounds, genders, sexual orientations, religions, and ethnicities. We are committed to providing equal opportunity and believe that diversity in the workplace creates a more vibrant, richer environment that boosts the goals of our employees, communities, and business. Fresh vision. Real impact. Come build it with us.


Remote Work:

No


Employment Type:

Full-time

About Company

Freshworks makes it fast and easy for businesses to delight their customers and employees. We do this by taking a fresh approach to building and delivering software that is affordable, quick to implement, and designed for the end user. Headquartered in San Mateo, California, Freshwork ...