
Director of Compliance - FedRamp

Job in Boulder, Boulder County, Colorado, 80301, USA
Listing for: ECA Staffing Solutions, Inc.
Full Time position
Listed on 2026-07-01
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, IT Business Analyst
Job Description & How to Apply Below

Director Of Compliance

This is a new position. You will own the company's entire compliance program, not just one framework, not just one environment. You will build and maintain an integrated compliance architecture that maps shared controls across every framework they operate under, communicate it clearly to internal and external stakeholders, and drive strategy across commercial, federal, and contractual obligations. The centerpiece of the next 18 months is FedRAMP Moderate authorization and a hard contractual deadline with real consequences.

But the job extends well beyond it. You are responsible for how the client manages compliance as a business capability: efficiently, clearly, and in a way that becomes a competitive advantage as they grow. You will coordinate across their GRC and Sec Ops vendor (Anitian), their 3PAO assessor (A-Lign), their federal sponsor, and internal engineering and legal functions. Your job is to manage multiple frameworks as an integrated system, not as seven separate programs. Where a control satisfies multiple frameworks, that overlap should be documented, leveraged, and clearly communicated across the business.

  • SOC 2 Type 2 – Commercial Environment – 140 controls – Active program – complete/ongoing
  • GDPR – Commercial Customers with EU data exposure – Managed
  • HIPAA – Applicable to financial data handling requirements – Managed
  • GovRAMP/StateRAMP – State level emerging requirement – Monitoring
  • FedRAMP Moderate – 323 NIST 800-53 controls – Federal ATO by Sep 30, 2027 – Hard deadline – Active Build
  • CJIS – Criminal Justice Information Services – law enforcement data handling – Monitoring
  • ISO 27001 – Not yet pursued – Roadmap decision for this role to assess and recommend

A core part of this role is building a control mapping that shows where requirements overlap across these frameworks—so the business understands what we get for free, what we still owe, and where investment is warranted.

FedRAMP Authorization Program
  • Master program timeline from today through Full ATO (September 30, 2027)
  • Control tracking across all 323 federal controls — implementation status, evidence status, owner
  • Coordination with Anitian (GRC/Sec Ops), A-Lign (3PAO), FedRAMP PMO, and the FTC Authorizing Official's office
  • SSP documentation quality — reviewing sections before external review
  • Evidence calendar and artifact collection ahead of the October 2026 RAR and Q1–2027 full assessment
  • Biweekly program health reporting to CEO and CTO — RAG status, no noise
Integrated Compliance Architecture
  • Build and maintain a unified control framework that maps requirements across SOC 2, GDPR, HIPAA, FedRAMP, CJIS, and GovRAMP
  • Identify and document control overlap so Valid8 is never doing compliance work twice when once is sufficient
  • Own the compliance calendar across all frameworks — renewals, audits, assessments, and evidence windows
  • Make the ISO 27001 roadmap recommendation: pursue, defer, or skip based on customer demand and resource cost
Contracts And Commercial Compliance
  • Own review and management of customer contracts for compliance-related terms — MSAs, DPAs, security addenda, and data handling requirements
  • Own vendor contract compliance — ensuring Anitian, A-Lign, and other compliance-adjacent vendors are meeting their obligations
  • Own federal contracting compliance tied to the FTC PWS and any FAR clause requirements
  • Flag contract risk to the CEO before it becomes a program risk
Internal Communication And Strategy
  • Translate the compliance posture into language that works for the board, customers, prospects, and sales
  • Build the internal reporting structure so engineering, product, and leadership all understand what compliance requires of them and when
  • Be the point of escalation when compliance conflicts with product velocity—make the call or bring the right decision to the right person
Required
  • You have lived through a FedRAMP Moderate authorization at a vendor — not as a consultant or auditor. You were on the vendor side, and you know what it feels like when a milestone slips.
  • You understand NIST 800-53 control families well enough to read an SSP section and know whether it is complete without being the one writing the policy.
  • You have…