CMMC Compliance Program Manager

CMMC Compliance Program Manager Varda Space Industries Operations, Compliance / Regulatory El Segundo, CA, USA USD 145k-175k / year + Equity Posted on Apr 8, 2026 Apply now About Varda Low Earth orbit is open for business . Varda is accelerating the development of commercial space infrastructure, from in-orbit pharmaceutical processing to reliable and economical reentry capsules. From life-saving pharmaceuticals to more powerful fiber optics, there is a world of products used on Earth today that can only be manufactured in space. Varda is accelerating innovation in the orbital economy by creating both the products and infrastructure needed so space can directly benefit life on Earth. Our mission is to expand the economic bounds of humankind. Our team is uniquely suited to accomplishing this goal, with leadership and staff comprised of veterans from SpaceX, Blue Origin, major pharmaceutical companies and Silicon Valley. Varda was founded in January 2021 by Will Bruey and Delian Asparouhov with significant backing from world class investors including Khosla Ventures, Lux Capital, Founders Fund, Caffeinated Capital, General Catalyst, and Also Capital. Varda is headquartered in El Segundo, California, where we have offices and a production facility where our vehicles, equipment, and materials are built, integrated, and tested. Varda also has offices in Washington, DC and Huntsville, AL. Join Varda, and work to create a bustling in-space ecosystem. CMMC Compliance Program Manager Security Organization • Reports to CISO • On-site About the Role We are hiring a CMMC Compliance Program Manager to own and drive our CMMC Level 2 certification effort and sustain our compliance posture beyond it. This is the central role in our security organization's compliance function — responsible for translating regulatory requirements into executable controls, coordinating across our security and IT organizations, and delivering a successful C3PAO assessment. This is a hands-on, high-accountability role reporting directly to the CISO. You will work closely with our InfoSec Engineer, Security Operations Analyst, IT Director, and our external partners including our C3PAO and our managed SOC and RPO provider (SysARC). You are the person who ensures nothing falls through the cracks between now and certification — and who keeps us audit-ready permanently after. The Immediate Mission Our C3PAO assessment is scheduled for August. You will own getting us there: Take full ownership of the System Security Plan (SSP) — documenting how all 110 NIST 800-171 practices are implemented across our environment Build and maintain the Plan of Action & Milestones (POA&M) for any gaps, with realistic remediation timelines Coordinate evidence artifact collection from our InfoSec Engineer, IT Director's team, and HR — ensuring every practice has supporting documentation Manage the day-to-day relationship with SysARC as our RPO — driving deliverables, validating their work products, and integrating their outputs into our evidence packages Interface directly with our C3PAO as the primary point of contact for scheduling, pre-assessment requests, and assessment coordination Run a pre-assessment readiness review before the formal C3PAO engagement to identify and close remaining gaps What You'll Own CMMC Assessment Program Own the SSP end-to-end — scope definition, control descriptions, implementation status, and evidence mapping Maintain the POA&M with current status and drive remediation to closure Serve as primary liaison to our C3PAO assessors before, during, and after the assessment Coordinate the SysARC RPO engagement — own the scope of work, milestone tracking, and integration with internal deliverables Manage assessment scheduling, documentation submissions, and assessor requests Control Documentation & Evidence Define and maintain a control mapping across our tool stack: CrowdStrike, Zscaler, ThreatLocker, Darktrace, and Okta Collect, organize, and maintain evidence artifacts for all implemented controls — screenshots, config exports, policy documents, training records, access review logs, audit log samples Coordinate with IT Director's team (Network Engineer, Help Desk) to produce infrastructure evidence: patch logs, change records, configuration documentation Work with HR to document personnel security controls: background checks, onboarding/offboarding procedures, security awareness training completion Policy & Standards Write and maintain the security policies required by CMMC Level 2 — Acceptable Use, Incident Response, Access Control, Configuration Management, Media Protection, and others Ensure policies are implemented, communicated, and tied to assessable controls Own the security awareness training program: content, delivery, tracking, and evidence of completion Risk & Continuous Compliance Maintain the risk register and ensure identified risks are tracked, assigned, and remediated Establish a continuous monitoring cadence post-certification to maintain audit readiness Coordinate periodic access reviews, vulnerability scan reviews, and control effectiveness reviews Track CMMC regulatory updates and assess impact on our compliance posture Cross-Functional Coordination Own the RACI between our Security organization and IT organization for CMMC control ownership and evidence accountability Brief the CISO weekly on program status, open risks, and blockers Ensure SysARC's SOC outputs — alert logs, IR documentation, monitoring reports — are captured and organized as AU and IR domain evidence Coordinate with IT Director to ensure his team understands their evidence obligations and meets deadlines What You Won't Do This role is not responsible for security engineering, tool configuration, or SOC operations. Those are owned by our InfoSec Engineer and Security Operations Analyst respectively, with SOC monitoring handled by SysARC. Your lane is program ownership, documentation, evidence, and coordination — not technical implementation. Basic Qualifications 5+ years in GRC, compliance, or security program management roles Direct, hands-on experience with CMMC Level 2 — either as a primary GRC lead in a C3PAO assessment, or as an RPO practitioner supporting a Level 2 implementation Demonstrated ability to write and maintain a System Security Plan (SSP) and POA&M against

NIST 800-171

Experience managing evidence collection programs for compliance audits — organizing artifacts, tracking gaps, and coordinating across departments Comfortable working in a lean organization where you own your domain without dedicated staff below you Experience interfacing with external auditors or assessors as an organizational point of contact Familiarity with the GovCon or defense industrial base compliance environment Preferred Qualifications Participated in a successful CMMC Level 2 C3PAO assessment as the primary compliance lead or assessment coordinator Registered Practitioner (RP) credential from the CMMC-AB, or experience working embedded within an RPO Hands-on familiarity with one or more of our tool stack: CrowdStrike, Zscaler, ThreatLocker, Darktrace, Okta — sufficient to understand what evidence each tool can produce and how to extract it Experience managing a compliance program alongside a managed SOC or MSSP — understanding how to integrate third-party monitoring outputs into internal compliance evidence

Certifications:

CCP (Certified CMMC Professional), CCA (Certified CMMC Assessor), CISA, CISM, or CISSP Experience at a DoD prime or subcontractor, defense-adjacent technology company, or GovCon-focused MSSP Familiarity with

ITAR/EAR

compliance in a defense context — relevant as we grow into regulated programs Why This Role Matters Our CMMC Level 2 certification is directly tied to our ability to win and retain DoD contracts. This is not a future-state initiative — the assessment is scheduled and the deadline is real. The person in this role will be the reason we pass. Beyond August, this role becomes the permanent owner of our compliance posture as we grow, including a major new facility coming online and expanded program requirements. You will have direct access to the CISO, full ownership of a critical function, and the satisfaction of building something that matters.

Compensation Cybersecurity Analyst:

$145,000 - $175,000 Leveling and base salary are determined by job-related skills, education level, experience level, and job performance You will be eligible for long-term incentives in the form of stock options and/or long-term cash awards Offer compensation also includes the ability to purchase company stock through the Employee Stock Purchase Plan ITAR Requirements Varda, like all employers, must ensure that its employees working in the United States are lawfully authorized to work in the U.S. Additionally, our employees are exposed to and have access to certain export-controlled items. At present, some of our technology to which employees have access requires a license to be exported to individuals other than "U.S. Persons" as defined in U.S. export regulations. Because our employees are provided access to export-controlled items, our current policy is to only hire "U.S. persons" who are permitted to have access to our technology without an export license. "US person" means: U.S. citizen, U.S. lawful permanent resident, or protected individual as defined by 8 U.S.C. 1324b(a)(3) (i.e., individual admitted to the U.S. as a refugee or granted asylum in the U.S.) Learn more about the ITAR here . Benefits Exciting team of professionals at the top of their field working by your side Equity in a fully funded space startup with potential for significant growth (interns excluded) 401(k) matching (interns excluded) Unlimited PTO (interns excluded) Health insurance, including Vision and Dental Lunch and snacks provided on site every day. Dinners provided twice a week.

Maternity / Paternity

leave (interns excluded) Varda Space Industries is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. Candidates and employees are always evaluated based on merit, qualifications, and performance. We will never discriminate on the basis of race, color, gender, national origin, ethnicity, veteran status, disability status, age, sexual orientation, gender identity, martial status, mental or physical disability, or any other legally protected status. E-Verify Statement Varda Space Industries, Inc. participates in the U.S. Department of Homeland Security E-Verify program. The E-Verify program is an Internet-based employment eligibility verification system operated by the U.S. Citizenship and Immigration Services. Learn more about the E-Verify program. E-Verify Notice Right To Work Notice Read more Read more Apply now See more open positions at Varda Space Industries