Program Manager
Net2Source (N2S)
flexible Contract Senior $70 – $75/hr Today
About the role
Role Overview
Client is seeking a seasoned Program Manager to lead the creation, authorization, and continuous governance of a FedRAMP-compliant Azure Government tenant underpinning government payment transaction services. You will own the end-to-end program: system boundary definition, documentation, ATO readiness, and continuous monitoring, ensuring sustained compliance at the FedRAMP High baseline. The ideal candidate blends rigorous compliance leadership with strong cloud security and platform enablement skills and has demonstrated success delivering systems subject to federal compliance requirements.
Key Responsibilities
Program Leadership and Governance
- Own the multi-year FedRAMP roadmap for an Azure Government tenant supporting government transactions; define milestones, risks, dependencies, and decision gates.
- Establish governance forums and operating mechanisms across engineering, cloud platform, information security, risk/compliance, legal, payment operations, and 3PAOs.
- Maintain program OKRs/KPIs: POA&M closure velocity, control coverage, vulnerability SLAs, ConMon completeness, and audit readiness.
- Drive disciplined change control, evidence management, and control attestation workflows aligned to FedRAMP requirements.
- Manage external partners and 3PAO activities (readiness, assessments, remediation).
FedRAMP Authorization (ATO) Readiness
- Lead authoring and maintenance of FedRAMP artifacts: SSP and associated FedRAMP appendices, POA&M, policies/standards/procedures, boundary diagrams, and data flows tailored to Azure Government/GCC High constructs.
- Define and maintain the system boundary and data categorization supporting payment transactions; align to FedRAMP High baseline.
- Coordinate control implementation across all FedRAMP control families.
- Conduct gap analyses against NIST SP 800-53 controls; drive remediation plans and ensure traceability from control narratives to technical and process evidence.
Continuous Monitoring & Operations
- Stand up and run Continuous Monitoring, in alignment with FedRAMP High guidelines, for the Azure Government tenant: scanning cadence, patch cycles, configuration baseline monitoring, control effectiveness checks, incident handling, and change compliance.
- Own the POA&M lifecycle: triage findings, prioritize by risk, execute corrective actions, validate closure, report outstanding actions, and update artifacts.
- Maintain real-time dashboards and reporting for control posture, exceptions, residual risk, and operational health across payment services and shared services.
- Ensure SSP and supporting documentation are promptly updated to reflect material changes to boundary, services, configurations, or controls.
- Coordinate security incident response processes with SOC teams and act as interface with the client throughout the incident lifecycle including root cause analysis and closure.
Audit, Stakeholder, and External Engagement
- Serve as the primary contact for internal/external audits, 3PAO assessments, and authorizing officials; coordinate evidence collection and subject matter responses.
- Prepare teams for assessments; lead walkthroughs, demos, and artifact reviews; shepherd remediation and risk acceptance processes as appropriate.
- Enable engineering, operations, and payment teams with training and lightweight process embeds to sustain day-to-day FedRAMP compliance.
Risk Management and Issue Resolution
- Maintain a program risk register spanning control gaps, architectural changes, data flows, vendor dependencies, and operational risks in payment services.
- Escalate issues with quantified impact; drive compensating controls or risk acceptance decisions in partnership with risk/compliance.
Required Qualifications
- 7+ years of program management in regulated cloud environments; 3+ years directly owning FedRAMP programs, artifacts, and Continuous Monitoring.
- Hands-on oversight, authorship, maintenance, and response experience with the SSP, POA&M, and SAP/SAR; proven track record achieving and maintaining an ATO for cloud services.
- Deep knowledge of NIST SP 800-53 control families, FedRAMP Moderate/High baselines, ConMon processes, and 3PAO engagements.
- Strong familiarity with Azure Government or GCC High and core security capabilities: identity/access, logging/monitoring, encryption, policy enforcement, landing zone patterns.
- Demonstrated success orchestrating cross-functional teams (security, cloud/platform, payments, operations, compliance, legal) to deliver complex regulatory programs.
- Exceptional communication skills: executive reporting, control narratives, audit responses, and stakeholder management.
- Bachelor’s degree in Information Security, Computer Science, Information Systems, or related field; equivalent experience considered.
Preferred Qualifications
- Direct experience enabling government payment transactions on cloud platforms and aligning control implementations to transactional risk profiles.
- Azure-focused security experience (Defender for Cloud, Sentinel, Azure Policy/Blueprints, Key Vault, Private Link, Purview).
- Prior experience collaborating with federal agencies, sponsoring organizations, or authorizing officials for ATOs.
- Experience with security compliance to IRS 1075 requirements.
- Certifications: PMP, CISSP, CCSP, CISM, Azure Security Engineer Associate, or equivalent.
Key Competencies
- Ownership and disciplined execution across multi-workstream, cross-functional programs.
- Ability to translate regulatory requirements into practical, testable technical and process controls.
- Risk-based decision-making with clear prioritization and measurable outcomes.
- Influencing and stakeholder leadership; driving alignment without formal authority.
- Documentation rigor and audit readiness; maintaining high-quality, current artifacts.
- Continuous improvement mindset; leveraging metrics to improve control posture and operational efficiency.
Work Arrangement and Location
- Flexible work arrangements may be available in accordance with BNY policies and applicable role requirements.
- Limited travel may be required for assessments, audits, or stakeholder workshops.
Program KPIs (example targets; customizable)
- POA&M closure: ≤ 30 calendar days average for High findings; ≤ 60 for Moderate.
- Continuous Monitoring: 100% monthly reporting completeness across in-scope services.
- Configuration drift: ≤ 5% variance from baseline across evaluated resources per month.
- Vulnerability remediation: Meet or exceed FedRAMP timelines by severity category.
- Audit readiness: “Green” status across evidence completeness and control demonstration prior to 3PAO assessments.
Skills
Azure, Azure Government, Azure Policy, Azure Security, CCSP, CISM, CISSP, Cloud Security, FedRAMP, GCC High, NIST SP 800-53, PMP