Compliance & Security Manager

Summary

The Compliance & Security Manager role is responsible for ensuring organizational compliance with CMMC, ITAR, and DFARS regulations through the development and maintenance of comprehensive security policies, procedures, and documentation such as SSPs and POA&Ms. It involves leading gap assessments, coordinating internal audits, and managing third-party evaluations to identify and remediate vulnerabilities. The position requires cross-functional collaboration with IT, HR, legal, and business units to align technical controls with NIST 800-171 standards and maintain accurate evidence for audits. Additional responsibilities include overseeing physical security operations, supplier risk management, contract compliance, and training programs related to cybersecurity, insider risk, and CUI handling. The role also includes monitoring regulatory changes, reporting compliance metrics to leadership, and investigating breaches. While acting in a lead capacity, it does not include direct personnel management

Responsibilities

CMMC Compliance

• Develop and maintain policies, standards and procedures, lifecycle, document processes, risks, exceptions, operational action plan to the appropriate CMMC levels.
• Develop and maintain documentation, including System Security Plan (SSP), Plan of action & Milestones (POA&M), and control implementation guidelines.
• Coordinate internal gap analyses and risk assessments to identify areas of non-compliance/vulnerabilities and propose remediations in accordance with organizations appropriate CMMC levels.
• Coordinate and lead CMMC gap assessments, including annual self-assessments, and third-party assessments (C3PAO).
• Provide evidence in response to audit engagement or other assessments/state exams. Evaluate evidentiary documentation for accuracy and completeness and reconcile evidence and other assessment documentation to ensure compliance with audit controls and regulatory requirements.
• Work cross-functionally with IT team members, HR team members, business team members, and legal to ensure technical controls are implemented in alignment with NIST 800-171 control requirements and evidence is recorded,
• Monitor compliance dashboards and provide oversight on policy deviations, privileged access, systems hardening, data flow boundary monitoring, security monitoring and response.
• Proactively monitor evolving changes to relevant legislation and accreditation standards; DOW, DFARS, CMMC regulations, and assess organizations’ impact through continuous monitoring and mitigation plans.
• Oversee and evaluate supplier risk including contractors, sub-contractors, Joint Venture (JV) partners compliance when CUI/FCI is shared or processed by third parties.
• Coordinate training and awareness programs for CUI handling, Insider Risk, Cybersecurity awareness, and compliance procedures.
• Review and negotiate contracts and third-party agreements for security and compliance obligations.
• Report on compliance posture metrics to leadership and stakeholders
• Investigate and report compliance breaches, and develop remediation plans
• Develop and enforce policies for handling Controlled Unclassified Information (CUI).
  
  

ITAR / DFARS Compliance

• Ensure compliance with International Traffic in Arms Regulations (ITAR) and Defense Federal Acquisition Regulation Supplement (DFARS).
• Train staff on ITAR/DFARS requirements and monitor adherence.
  
  

Physical Security

• Oversee physical security operations including access control, surveillance, and visitor management.
• Conduct regular security audits and vulnerability assessments of facilities.
• Develop and maintain emergency response and incident management protocols.
• Coordinate with facilities and HR to ensure secure onboarding/offboarding and access review processes.
• Evaluate physical security of VYTL locations based upon work scope performed at each location to meet compliance regulations.
  
  

Management Responsibilities

Acts in capacity of a "lead person." Does not have management responsibility for the people to whom they provide work direction

Positional Requirements & Qualifications

• Education & Experience:
• Bachelor’s degree in information technology, Computer Science, or related field
• Certifications such as Security , CMMC CCP, CCA, or CISSP are highly desirable.
• LEAN, Six Sigma or other process improvement/project management training and/or experience is a plus

Skills & Abilities

• Strong understanding of IT systems, cybersecurity, and data protection laws
• Familiarity with frameworks like NIST, ISO 27001, and CMMC.
• U.S. Citizenship required due to ITAR regulations
• Deep understanding of CMMC, NIST SP 800-171, ITAR, and DFARS regulations.
• Experience with physical security systems (e.g., badge access, CCTV, intrusion detection).
• Excellent analytical and problem-solving skills
• Ability to communicate complex technical concepts to non-technical stakeholders
• Ability to comprehend complex problems and to collaborate and explore alternative solutions.
• Develop process improvements and/or make recommendations for changes to ensure compliance.
• A strong working knowledge of audit/assessment terminology.
• Proficient in MS Office with advanced skills in Excel and Visio
• Strong analytical, problem solving, collaboration and technical skills.
• Strong time management skills
• Ability to work under pressure and meet deadlines.
• Clear background check and drug/alcohol screening
  
  

Essential Physical Functions

• Lifting up to 25 pounds
• Bending, stooping, ability to stand for extended periods of time
• Must be able to travel and have a clear driving record in accordance with company driving guidelines
  
  

This job description is intended to describe the general nature and level of the work being performed. This is not an exhaustive list of all duties and responsibilities. The company reserves the right to amend and change responsibilities to meet business and organizational needs as necessary.