Information Security Program Manager

Rubrik

💵 $158k-$264k
📍Remote - Worldwide

Summary

Join Rubrik's Public Sector Product Certification and Compliance Team as a Program Manager to lead continuous monitoring and compliance activities for Rubrik's government cloud service offerings. This mission-critical role involves managing compliance programs, representing Rubrik externally with government agencies and third-party assessors, and collaborating internally with various teams. The ideal candidate is a subject matter expert in FedRAMP, NIST SP800-53, NIST SP800-171, and Department of Defense Impact Level security requirements, with experience in assessment, authorization, and continuous monitoring for a Cloud Service Provider. Responsibilities include program management, operations, and technical tasks related to compliance, reporting, and security. The position offers a competitive salary, bonus potential, equity, and benefits.

Requirements

  • 6+ years of related work experience in Information Security or relevant Compliance roles in the tech / SaaS industry (previous experience in a SaaS company context preferred)
  • 4+ years of experience in a U.S. public sector compliance role associated with FedRAMP, DoD Impact Levels, Controlled Unclassified Information, and/or government Assurance & Authorization activity
  • Solid writing skills in Authorization Package artifacts like System Security Plan, Customer Responsibility Matrix, System-specific Policies, and SSP Appendices
  • Relentless attention to detail for accuracy and conformance but able to put progress over perfection at the macro level
  • Leader by influence, able to address conflict productively and professionally, solid sense of humor, keeps things in perspective
  • Resourceful and resilient in a dynamic, high-velocity business environment that’s sometimes like a start-up
  • Comfortable wearing many hats in a small, agile team that enjoys working together to get things done
  • Subject Matter Expert / SME with advanced knowledge of government compliance and cloud security risks, vulnerabilities, and threats, and can take these issues through triage / risk treatment conversations
  • Deep understanding of relevant information security frameworks, including FedRAMP, NIST 800-53, NIST 800-171, CJIS, and DoD Cloud Security Requirements Guide
  • Develops plans and roadmaps, and implements cross-functional policy, process, and procedures to meet planned objectives
  • Hands-on experience with agile project management tools (e.g., Jira, Confluence)
  • Detail-oriented and able to understand the bigger picture, using technical expertise and problem-solving abilities to prioritize efforts and work through ambiguity and issues
  • Ability to ramp up quickly and learn new technologies with minimal lag time

Responsibilities

  • Program Manager / Service Lead / Control Owner for Rubrik’s Continuous Monitoring (ConMon) Compliance capability, covering requirements for FedRAMP, DoD Impact Level, CJIS, and similar frameworks
  • Maintain the calendar of continuous monitoring activities covering weekly, monthly, quarterly, and annual compliance requirements for FedRAMP, DoD Impact Level, and similar programs
  • As our secondary/backup Information Systems Security Officer (ISSO), collaborate with a range of stakeholders from individual contributors to senior leadership to external parties including Agency Partners and/or Third Party Security Assessor (3PAO)
  • Drive activities related to the remediation of technical security and compliance risks with cross-functional teams, including, but not limited to, engaging third party services, managing remediation projects, leading groups to consensus and action, assigning and tracking work items, producing reports, and escalating risks and issues
  • Serve as a subject matter expert and an integral member of the Public Sector Product Certifications and Compliance Team, cultivating strong relationships across the company to aid in program transparency, strategic consensus, expectation setting, risk and vulnerability awareness, and continual process improvement
  • Monitor changes in relevant regulations, laws, and industry standards to adapt the program accordingly. Identify challenges with emerging compliance requirements and best practices to sustain compliance as the landscape evolves
  • Working with the primary ISSO, write, maintain, and disseminate all or parts of Rubrik’s government Authorization Package(s) and related artifacts as a cohesive body of work, obtaining content and updates from Control Owners when needed and ensuring the package is correct, complete, and current
  • Manage the Plan of Action and Milestones (POA&M) workbook and use it to log and report vulnerability remediation status for Rubrik’s government cloud service offering(s)
  • Package and submit monthly ConMon reporting with remediation evidence, and independently manage similar duties for FedRAMP, StateRAMP, Department of Defense and other Authorizations and Attestations
  • Ensure Agency Partner approval or concurrence for monthly reporting (POA&M closures, deviation requests, and significant change handling) and annual test plans or exercises (Incident Response, Information System Contingency Plan, and Red Team testing)
  • Respond to Executive Orders, requests from CISA and other entities that require responsive action or reporting, and assist as needed with incident response involving public sector organizations
  • Lead the FedRAMP Training program, ensuring annual refresh of content by content owners, enrolling and tracking required FedRAMP and CJIS training for users, and following up to suspend access when users fail to complete their training on a timely basis
  • As time permits, participate in Change Control Board activities, supporting security impact analyses and scoping controls for significant changes. Raise questions and make recommendations when needed to help determine whether requested changes should be approved and implemented as presented
  • Cover “other duties as assigned” that may fall outside of core responsibilities to help ensure the team’s success
  • ISSO duties: assist and/or cover for the ISSO in planning for, preparing for, and executing on assessments by analyzing information and conducting interviews to identify areas of non-compliance and prepare control owners for annual review
  • Develop and manage activities using JIRA as a primary project and work tracking tool
  • Drive automation where opportunities exist for effectiveness, efficiency, and scalability
  • Produce ConMon / Auth Package artifacts in OSCAL format using GRC tooling
  • Develop and share expertise in cloud services (GCP, Azure, AWS) and cloud security

Preferred Qualifications

  • Familiarity with / interest in use of OSCAL for automation is a plus
  • Bachelor’s degree or equivalent in Security, Computer Science, Management Information Systems, Business Administration or related field preferred
  • Professional certifications in Information Security, Cloud Security, and/or Systems Audit/Assessment (e.g., CISSP, CISA, CCSK) preferred; Project Management skills a plus

Benefits

  • Bonus potential
  • Equity
  • Benefits
