CMMC Program Manager

Overview

The CMMC Program Manager is responsible for the end-to-end management, sustainment, and continuous improvement of the company's Cybersecurity Maturity Model Certification (CMMC) Level 2 program in support of DoD contracts involving Controlled Unclassified Information (CUI).

This role provides enterprise-level governance and oversight to ensure compliance with DFARS 252.204-7012, 32 CFR Part 170, 32 CFR Part 117, and NIST SP 800-171, and serves as the primary authority for CMMC program readiness, audit preparation, and sustainment.

The position works closely with the FSO, IT, Legal, Contracts, HR, and Program Management to ensure cybersecurity requirements are fully integrated into business operations.

Responsibilities

The following reflects management's definition of essential functions for this job but does not restrict the tasks that may be assigned.

CMMC Program Governance & Oversight

• Serve as the Program Owner for the company's CMMC Level 2 compliance effort
• Develop, maintain , and execute the CMMC compliance roadmap, ensuring alignment with DoD timelines and contract requirements
• Establish governance structures, roles, and accountability for cybersecurity compliance across business units
• Ensure alignment between CMMC, NIST SP 800-171, DFARS, and NISPOM (32 CFR Part 117) requirements

NIST SP 800-171 Control Management

• Maintain authoritative oversight of all 110 NIST SP 800-171 security requirements applicable to the CMMC Level 2 boundary
• Ensure security controls are fully implemented, documented, and operating as intended
• Coordinate with IT and system owners to validate technical, administrative, and physical safeguards
• Monitor control effectiveness and address compliance drift through periodic reviews

Documentation & Evidence Management

• Own and maintain the System Security Plan (SSP) and ensure it accurately reflects the current environment
• Manage Plans of Action & Milestones (POA&Ms), including prioritization, remediation tracking, and closure validation
• Establish and maintain a centralized evidence repository to support CMMC assessments and DoD inquiries
• Ensure documentation remains audit-ready at all times

Audit Readiness & Assessment Support

• Plan and conduct onsite and remote self-assessments against NIST SP 800-171 and CMMC Level 2 requirements
• Prepare the organization for C3PAO assessments, including pre-assessment readiness reviews and gap analyses
• Serve as the primary interface with C3PAOs, DoD representatives, and external auditors
• Coordinate assessment logistics , evidence presentation, and response to findings

CUI Program Integration

• Partner with the FSO to ensure CUI identification, marking, handling, transmission, and storage align with NISPOM and CMMC requirements
• Validate CUI data flows and system boundaries supporting covered defense information (CDI)
• Support training and awareness initiatives related to CUI handling and cybersecurity responsibilities

Risk Management & Continuous Monitoring

• Implement a continuous compliance monitoring strategy to identify emerging risks and control weaknesses
• Track cybersecurity risks and report status, trends, and remediation progress to leadership
• Ensure timely reporting and response to cybersecurity incidents involving CUI in coordination with Security and IT
• Support supply chain and subcontractor cybersecurity compliance oversight where applicable

Training & Awareness

• Develop and oversee CMMC and NIST 800-171 training programs for employees, system users, and leadership
• Ensure role-based cybersecurity training is conducted and documented annually
• Promote a culture of cybersecurity accountability and compliance awareness

Leadership & Coordination

• Act as a trusted advisor to executive leadership on CMMC readiness, risks, and compliance posture
• Coordinate cross-functional efforts between Security, IT, Contracts, Legal, HR, and Program Management
• Provide regular executive-level reporting on CMMC status, risks, POA&M progress, and audit readiness

Qualifications

Required Qualifications

Experience

• 5-8+ years of experience in cybersecurity compliance, information assurance, or security program management within a DoD contracting environment
• Demonstrated experience managing NIST SP 800-171 compliance and preparing organizations for audits or assessments
• Experience supporting CUI environments and DFARS 252.204-7012 requirements
• Experience coordinating assessments, audits, or regulatory reviews

Knowledge & Skills

• Strong working knowledge of:
  • CMMC Level 2
  • NIST SP 800-171
  • 32 CFR Part 117 (NISPOM)
  • 32 CFR Part 170
  • DFARS 252.204-7012 / 7019 / 7020
• Ability to translate regulatory requirements into actionable program controls
• Strong documentation, risk analysis, and stakeholder communication skills

Preferred Qualifications

• Prior experience working directly with a C3PAO or supporting formal CMMC assessments
• Certifications such as CISSP, CISM, CISA, GSLC, CRISC, or CCSP
• Experience supporting multiple facilities or business units
• Familiarity with RMF, NIST SP 800-53, or FedRAMP environments

Success Factors for This Role

• Proactive ownership of the CMMC program rather than reactive compliance
• Strong coordination across technical and non-technical teams
• Ability to maintain continuous audit readiness
• Clear communication of cybersecurity risk and compliance status to leadership
• Attention to detail combined with enterprise-level strategic thinking

Clearance Requirement:

• Ability to obtain and maintain a Top Secret clearance (active clearance preferred).

Location:

• Remote with onsite support as needed . Travel required.

Physical Requirements: The ideal candidate must at a minimum be able to meet the following physical requirements of the job with or without a reasonable accommodation :

• Ability to perform repetitive motions with the hands, wrists, and fingers
• Ability to engage in and follow audible communications in emergency situations
• Ability to sit for prolonged periods at a desk and working on a computer

The Nakupuna Companies use a market-based compensation strategy to ensure that our employees are compensated within applicable market ranges commensurate with multiple factors, including but not limited to the individual's particular combination of education, knowledge, skills, competencies, and experience, as well as contract-specific affordability, organizational requirements, and position location. The projected compensation range for this position is $90,000.00 to $110,000.00 (annualized USD). The salary range displayed represents the typical salary range for this position and is just one component of Nakupuna Companies total compensation package for employees.