Principal, Public Sector SecOps & GRC


Consensus Cloud Solutions is a publicly traded, leading digital cloud fax and interoperability solutions organization in the United States and globally, focusing on connecting and empowering healthcare providers, payers, care teams, and technology innovators to unify multiple systems that wouldn’t otherwise talk to each other. Consensus is a trailblazer in our industry and believes that data transformation will reshape the world of healthcare.

Founded over 25 years ago, Consensus leverages its technology heritage to move from simple digital documents to advanced healthcare standards (HL7/FHIR) for secure data transport, as well as Natural Language Processing (NLP) and Artificial Intelligence (AI) to convert unstructured to structured, analytics-ready data, helping users unveil information that is meaningful and actionable for better patient care.  

Consensus leads the industry in data exchange solutions and we’re only getting started! With exciting new initiatives on the horizon, we are continuing our strategic expansion and we are looking to add to our diverse team of innovators. 

Now is the ideal time to join us in our mission to solve healthcare’s biggest challenges, and work collaboratively with a diverse team of like-minded self-starters and partners to accomplish it. 

Consensus Cloud Solutions is an Equal Opportunity Employer. We celebrate diversity and are committed to creating an inclusive and equitable environment for all employees. We offer many remote and hybrid career opportunities.

How you will impact the organization…

The Principal, Public Sector SecOps & GRC serves as the central security and compliance leader for all public sector engagements, encompassing federal, state, and local mandates. Evolving from a purely compliance-focused mandate, this role bridges Security Operations (SecOps) and Governance, Risk, and Compliance (GRC) to ensure comprehensive defense and continuous authorization across Consensus’ public sector SaaS platforms.

This role is vital to Consensus’ mission of providing secure and trusted communication solutions to public sector partners. The Principal leads the design, implementation, and oversight of a unified security framework that aligns with NIST 800-53 Rev. 5 controls, FedRAMP High authorizations, GovRAMP, CMMC, and emerging SLED requirements (such as TexasRAMP and StateRAMP). By unifying SecOps and GRC, this leader ensures timely threat mitigation, streamlined audit processes, and the secure delivery of cloud services to government agencies at all levels.

The value you will deliver…

  • Public Sector GRC Leadership: Lead the design, implementation, and ongoing management of a unified GRC program encompassing FedRAMP High Rev. 5, GovRAMP, CMMC, and SLED/StateRAMP frameworks.
  • Continuous Monitoring & Reporting: Compile and submit Monthly Continuous Monitoring (ConMon) reports, including vulnerability scans, POA&M trackers, and asset inventories for all applicable public sector frameworks.
  • Vulnerability & SecOps Management: Oversee threat hunting and vulnerability remediation to ensure compliance with strict federal timelines, specifically: High (30 days), Moderate (90 days), and Low (180 days).
  • POA&M Escalation: Escalate unremediated vulnerabilities and initiate Plan of Action and Milestones (POA&M) creation within 7 days of issue identification when remediation deadlines cannot be met.
  • Audit Coordination: Coordinate and lead Annual 3PAO Security Assessments, including penetration testing and red team exercises, across FedRAMP and other public sector programs.
  • Artifact Management: Manage and maintain a compliant, hosted secure repository for storing, retrieving, and provisioning access to security packages and artifacts.
  • Third-Party & Project Oversight: Manage third parties, including managed security service providers (MSSPs) performing public sector security functions, and direct project management support for these programs.
  • System Stewardship: Serve as System Steward for the VA-F package in eMASS, managing Risk Management Framework (RMF) activities, ATO assessments, and workflows.
  • Marketplace Maintenance: Submit and maintain accurate documentation for the initial and ongoing marketplace listings (e.g., FedRAMP, StateRAMP) of Consensus as a Cloud Service Provider (CSP).
  • Incident Response Operations: Oversee actionable incident response testing every 6 months, and administer incident response training to all assigned personnel within 10 days of role assignment and annually thereafter.
  • Access & Trust Governance: Oversee background checks and reinvestigations for all personnel requiring system access, consistent with high-impact public trust requirements, and enforce Rules of Behavior agreements.
  • Architecture & Change Control: Maintain current SaaS platform architecture diagrams and submit all Security Change Requests (SCRs) and Deviation Requests for approval.
  • Commercial Framework Integration: Contribute to non-FedRAMP commercial compliance frameworks, such as ISO 27001, SOC 2, or HIPAA, ensuring unified control mappings across public and private sector services.
  • Cross-Functional Enablement: Provide security and compliance guidance to IT, engineering, and development teams to support the design of secure, compliant, and resilient cloud-based architectures.
  • Tooling & Automation: Identify, evaluate, and implement GRC and SecOps tools that support policy automation, identity management, and threat intelligence.
  • Customer Trust: Assist with responses to customer security assessments and third-party due diligence requests from prospective SLED and federal agencies.
  • Mentorship: Mentor junior staff or cross-functional team members in information security, compliance best practices, and secure development lifecycles.
  • Resilience Planning: Support business continuity planning, disaster recovery documentation, and live operational exercises.
  • Perform other duties and responsibilities as required, assigned, or requested. Consensus reserves the right to add or change duties at any time.

What you will bring to the table…

  • Required Degree: Bachelor's degree in computer science, information technology, or cybersecurity.
  • Required Certifications: Active Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP) certification.
  • Required Background Checks: Undergo a Public Trust Background Investigation with a favorable suitability determination.
  • 8+ years of experience in information security governance, risk, and compliance, with at least 5 years specifically supporting FedRAMP High, FISMA, NIST SP 800-53 Rev. 5, or RMF.
  • 5+ years in an ISSM or ISSO role managing the security package for federal government agencies' high-impact systems.
  • 5+ years of experience managing or supporting security assessments with Third Party Assessment Organizations (3PAOs).
  • 3+ years of hands-on experience using GRC platforms (e.g., RSA Archer, ServiceNow GRC, OneTrust) and vulnerability management platforms (e.g., Tenable, Qualys, Rapid7).
  • 2+ years direct experience mapping controls and leading assessments for GovRAMP, CMMC (Level 2+), and StateRAMP/SLED requirements.
  • 2+ years of experience with identity and access management systems (e.g., Okta, Azure AD) for access control governance.
  • Cloud Architecture Proficiency: Demonstrated experience working within cloud environments such as AWS GovCloud or Azure Government, including cloud-native security controls.
  • Systems & Tooling Mastery: Proficiency with the AWS CLI, PowerShell, and scripting automated compliance tasks on Windows and Linux systems, plus tools including Nessus Pro, Burp Suite, Splunk, AWS IAM, Jira, FortiGate firewalls, eMASS, Box.com for Gov, and Okta for Gov as the identity provider.
  • Analytical Critical Thinking: Demonstrates strong analytical skills to assess complex security risks, interpret compliance requirements, and evaluate technical vulnerabilities.
  • Process Engineering: Builds and refines repeatable, auditable processes for security governance, risk management, and compliance activities.
  • Cross-Functional Communication: Communicates clearly and effectively with technical and non-technical stakeholders, including auditors, developers, and executive leadership.
  • Continuous Assessment: Ability to implement continuous monitoring and assessment programs to identify and address security threats in real-time, maintaining a proactive SecOps stance.

Additional details… 

  • Location requirements: Fully remote within the U.S. 
  • Travel requirements: Up to 10% travel. 
  • Physical requirements: Must be able to sit for long periods, as well as handle long periods of screen time.
  • Technology requirements: Reliable, high speed internet.
  • Eligible for sponsorship: No.
  • This position is contingent upon satisfactory completion of a more extensive background check through the Federal Government as a Public Trust Position. Requirements include, but are not limited to (and are subject to change), active U.S. citizenship or green card holder status with residence in the U.S. for a minimum of 3 consecutive years, and a working location in the U.S.

The salary range for this role is $160,000 - $170,000 USD annually. The total compensation package for this position is negotiable and may also include an annual performance bonus, ESPP, enhanced time off packages, and benefits. This job doesn't have an expiration date and will remain open until a qualified candidate is hired.

We are not accepting agency submissions for this role.

To learn more about us visit consensus.com
