CMMC Compliance Program Manager

Posted:
4/7/2026, 3:15:43 PM

Location(s):
El Segundo, California, United States ⋅ California, United States

Experience Level(s):
Senior

Field(s):
IT & Security ⋅ Legal & Compliance ⋅ Product

About Varda

Low Earth orbit is open for business. Varda is accelerating the development of commercial space infrastructure, from in-orbit pharmaceutical processing to reliable and economical reentry capsules. 

From life-saving pharmaceuticals to more powerful fiber optics, there is a world of products used on Earth today that can only be manufactured in space. Varda is accelerating innovation in the orbital economy by creating both the products and infrastructure needed so space can directly benefit life on Earth. Our mission is to expand the economic bounds of humankind. 

Our team is uniquely suited to accomplishing this goal, with leadership and staff comprised of veterans from SpaceX, Blue Origin, major pharmaceutical companies and Silicon Valley. Varda was founded in January 2021 by Will Bruey and Delian Asparouhov with significant backing from world class investors including Khosla Ventures, Lux Capital, Founders Fund, Caffeinated Capital, General Catalyst, and Also Capital. 

Varda is headquartered in El Segundo, California, where we have offices and a production facility where our vehicles, equipment, and materials are built, integrated, and tested. Varda also has offices in Washington, DC and Huntsville, AL.

Join Varda, and work to create a bustling in-space ecosystem.

 

CMMC Compliance Program Manager 

Security Organization • Reports to CISO • On-site 

About the Role 

We are hiring a CMMC Compliance Program Manager to own and drive our CMMC Level 2 certification effort and sustain our compliance posture beyond it. This is the central role in our security organization's compliance function — responsible for translating regulatory requirements into executable controls, coordinating across our security and IT organizations, and delivering a successful C3PAO assessment. 

This is a hands-on, high-accountability role reporting directly to the CISO. You will work closely with our InfoSec Engineer, Security Operations Analyst, IT Director, and our external partners including our C3PAO and our managed SOC and RPO provider (SysARC). You are the person who ensures nothing falls through the cracks between now and certification — and who keeps us audit-ready permanently after. 

The Immediate Mission 

Our C3PAO assessment is scheduled for August. You will own getting us there: 

  • Take full ownership of the System Security Plan (SSP) — documenting how all 110 NIST 800-171 practices are implemented across our environment 
  • Build and maintain the Plan of Action & Milestones (POA&M) for any gaps, with realistic remediation timelines 
  • Coordinate evidence artifact collection from our InfoSec Engineer, IT Director's team, and HR — ensuring every practice has supporting documentation 
  • Manage the day-to-day relationship with SysARC as our RPO — driving deliverables, validating their work products, and integrating their outputs into our evidence packages 
  • Interface directly with our C3PAO as the primary point of contact for scheduling, pre-assessment requests, and assessment coordination 
  • Run a pre-assessment readiness review before the formal C3PAO engagement to identify and close remaining gaps 

What You’ll Own 

CMMC Assessment Program 

  • Own the SSP end-to-end — scope definition, control descriptions, implementation status, and evidence mapping 
  • Maintain the POA&M with current status and drive remediation to closure 
  • Serve as primary liaison to our C3PAO assessors before, during, and after the assessment 
  • Coordinate the SysARC RPO engagement — own the scope of work, milestone tracking, and integration with internal deliverables 
  • Manage assessment scheduling, documentation submissions, and assessor requests 

Control Documentation & Evidence 

  • Define and maintain a control mapping across our tool stack: CrowdStrike, Zscaler, ThreatLocker, Darktrace, and Okta 
  • Collect, organize, and maintain evidence artifacts for all implemented controls — screenshots, config exports, policy documents, training records, access review logs, audit log samples 
  • Coordinate with IT Director's team (Network Engineer, Help Desk) to produce infrastructure evidence: patch logs, change records, configuration documentation 
  • Work with HR to document personnel security controls: background checks, onboarding/offboarding procedures, security awareness training completion 

Policy & Standards 

  • Write and maintain the security policies required by CMMC Level 2 — Acceptable Use, Incident Response, Access Control, Configuration Management, Media Protection, and others 
  • Ensure policies are implemented, communicated, and tied to assessable controls 
  • Own the security awareness training program: content, delivery, tracking, and evidence of completion 

Risk & Continuous Compliance 

  • Maintain the risk register and ensure identified risks are tracked, assigned, and remediated 
  • Establish a continuous monitoring cadence post-certification to maintain audit readiness 
  • Coordinate periodic access reviews, vulnerability scan reviews, and control effectiveness reviews 
  • Track CMMC regulatory updates and assess impact on our compliance posture 

Cross-Functional Coordination 

  • Own the RACI between our Security organization and IT organization for CMMC control ownership and evidence accountability 
  • Brief the CISO weekly on program status, open risks, and blockers 
  • Ensure SysARC's SOC outputs — alert logs, IR documentation, monitoring reports — are captured and organized as AU and IR domain evidence 
  • Coordinate with IT Director to ensure his team understands their evidence obligations and meets deadlines 

What You Won’t Do 

This role is not responsible for security engineering, tool configuration, or SOC operations. Those are owned by our InfoSec Engineer and Security Operations Analyst respectively, with SOC monitoring handled by SysARC. Your lane is program ownership, documentation, evidence, and coordination — not technical implementation. 

Basic Qualifications 

  • 5+ years in GRC, compliance, or security program management roles 
  • Direct, hands-on experience with CMMC Level 2 — either as a primary GRC lead in a C3PAO assessment, or as an RPO practitioner supporting a Level 2 implementation 
  • Demonstrated ability to write and maintain a System Security Plan (SSP) and POA&M against NIST 800-171 
  • Experience managing evidence collection programs for compliance audits — organizing artifacts, tracking gaps, and coordinating across departments 
  • Comfortable working in a lean organization where you own your domain without dedicated staff below you 
  • Experience interfacing with external auditors or assessors as an organizational point of contact 
  • Familiarity with the GovCon or defense industrial base compliance environment 

Preferred Qualifications 

  • Participated in a successful CMMC Level 2 C3PAO assessment as the primary compliance lead or assessment coordinator 
  • Registered Practitioner (RP) credential from the CMMC-AB, or experience working embedded within an RPO 
  • Hands-on familiarity with one or more of our tool stack: CrowdStrike, Zscaler, ThreatLocker, Darktrace, Okta — sufficient to understand what evidence each tool can produce and how to extract it 
  • Experience managing a compliance program alongside a managed SOC or MSSP — understanding how to integrate third-party monitoring outputs into internal compliance evidence 
  • Certifications: CCP (Certified CMMC Professional), CCA (Certified CMMC Assessor), CISA, CISM, or CISSP 
  • Experience at a DoD prime or subcontractor, defense-adjacent technology company, or GovCon-focused MSSP 
  • Familiarity with ITAR/EAR compliance in a defense context — relevant as we grow into regulated programs 

Why This Role Matters 

Our CMMC Level 2 certification is directly tied to our ability to win and retain DoD contracts. This is not a future-state initiative — the assessment is scheduled and the deadline is real. The person in this role will be the reason we pass. 

Beyond August, this role becomes the permanent owner of our compliance posture as we grow, including a major new facility coming online and expanded program requirements. You will have direct access to the CISO, full ownership of a critical function, and the satisfaction of building something that matters. 

Compensation

  • Cybersecurity Analyst: $145,000 - $175,000
  • Leveling and base salary are determined by job-related skills, education level, experience level, and job
  • performance
  • You will be eligible for long-term incentives in the form of stock options and/or long-term cash awards
  • Offer compensation also includes the ability to purchase company stock through the Employee Stock Purchase Plan

ITAR Requirements

  • Varda, like all employers, must ensure that its employees working in the United States are lawfully authorized to work in the U.S.  Additionally, our employees are exposed to and have access to certain export-controlled items. At present, some of our technology to which employees have access requires a license to be exported to individuals other than “U.S. Persons” as defined in U.S. export regulations. Because our employees are provided access to export-controlled items, our current policy is to only hire “U.S. persons” who are permitted to have access to our technology without an export license. 

    “US person” means: U.S. citizen, U.S. lawful permanent resident, or protected individual as defined by 8 U.S.C. 1324b(a)(3) (i.e., individual admitted to the U.S. as a refugee or granted asylum in the U.S.)

     Learn more about the ITAR here.  

Benefits

  • Exciting team of professionals at the top of their field working by your side
  • Equity in a fully funded space startup with potential for significant growth (interns excluded)
  • 401(k) matching (interns excluded)
  • Unlimited PTO (interns excluded)
  • Health insurance, including Vision and Dental
  • Lunch and snacks provided on site every day. Dinners provided twice a week. 
  • Maternity / Paternity leave (interns excluded)

 

Varda Space Industries is an Equal Opportunity Employer.  We celebrate diversity and are committed to creating an inclusive environment for all employees.  Candidates and employees are always evaluated based on merit, qualifications, and performance.  We will never discriminate on the basis of race, color, gender, national origin, ethnicity, veteran status, disability status, age, sexual orientation, gender identity, martial status, mental or physical disability, or any other legally protected status.

 

 

E-Verify Statement

Varda Space Industries, Inc. participates in the U.S. Department of Homeland Security E-Verify program. The E-Verify program is an Internet-based employment eligibility verification system operated by the U.S. Citizenship and Immigration Services. Learn more about the E-Verify program.

 

E-Verify Notice                                                               Right To Work Notice

Read more                                                                             Read more

 

 

Varda Space

Website: https://varda.com/

Headquarter Location: San Francisco, California, United States

Employee Count: 1-10

Year Founded: 2020

IPO Status: Private

Last Funding Type: Series B

Related Postings

Engineering Manager

E Tech Group3/12/2026 ⋅ United States

Identity & Access Management Analyst

abrdn9/14/2025 ⋅ United Kingdom

Advisor - Senior Industrial Design

Eli Lilly and Company3/2/2026 ⋅ United States

DARPA – Tactical Technology Office (TTO) Systems Engineering Support

Amentum3/20/2026 ⋅ United States

Information Security Analyst (5+ Years in Exp Incident Response + Malware Analysis + Technical Analysis + Critical Thinking + IT Security)

Assurant1/23/2026 ⋅ India

Notify

Get a jumpstart on your goals with Notify, the app that ensures you're the first to apply for new job openings!

postings

our prices

login

contact us

privacy policy

Copyright © 2026 Notify