Director of Compliance
This is a new position. You will own the company's entire compliance program: not just one framework, and not just one environment. You will build and maintain an integrated compliance architecture that maps shared controls across every framework the company operates under, communicate it clearly to internal and external stakeholders, and drive strategy across commercial, federal, and contractual obligations.
The centerpiece of the next 18 months is FedRAMP Moderate authorization and a hard contractual deadline with real consequences. But the job extends well beyond it. You are responsible for how the client manages compliance as a business capability: efficiently, clearly, and in a way that becomes a competitive advantage as the company grows.
You will coordinate across their GRC and SecOps vendor (Anitian), their 3PAO assessor (A-Lign), their federal sponsor, and internal engineering and legal functions.
Your job is to manage multiple frameworks as an integrated system, not as seven separate programs. Where a control satisfies multiple frameworks, that overlap should be documented, leveraged, and clearly communicated across the business.
- SOC 2 Type 2 – Commercial Environment – 140 controls – Active program, complete/ongoing
- GDPR – Commercial Customers with EU data exposure – Managed
- HIPAA – Applicable to financial data handling requirements – Managed
- GovRAMP/StateRAMP – State level emerging requirement – Monitoring
- FedRAMP Moderate – 323 NIST 800-53 controls – Federal ATO by Sep 30, 2027 (hard deadline) – Active Build
- CJIS – Criminal Justice Information Services, law enforcement data handling – Monitoring
- ISO 27001 – Not yet pursued; roadmap decision for this role to assess and recommend
A core part of this role is building a control mapping that shows where requirements overlap across these frameworks, so the business understands what it gets for free, what it still owes, and where investment is warranted.
FedRAMP Authorization Program
- Master program timeline from today through Full ATO (September 30, 2027)
- Control tracking across all 323 federal controls — implementation status, evidence status, owner
- Coordination with Anitian (GRC/SecOps), A-Lign (3PAO), FedRAMP PMO, and the FTC Authorizing Official's office
- SSP documentation quality — reviewing sections before external review
- Evidence calendar and artifact collection ahead of the October 2026 RAR and Q1–2027 full assessment
- Biweekly program health reporting to CEO and CTO — RAG status, no noise
Integrated Compliance Architecture
- Build and maintain a unified control framework that maps requirements across SOC 2, GDPR, HIPAA, FedRAMP, CJIS, and GovRAMP
- Identify and document control overlap so Valid8 is never doing compliance work twice when once is sufficient
- Own the compliance calendar across all frameworks — renewals, audits, assessments, and evidence windows
- Make the ISO 27001 roadmap recommendation: pursue, defer, or skip based on customer demand and resource cost
Contracts and Commercial Compliance
- Own review and management of customer contracts for compliance-related terms — MSAs, DPAs, security addenda, and data handling requirements
- Own vendor contract compliance — ensuring Anitian, A-Lign, and other compliance-adjacent vendors are meeting their obligations
- Own federal contracting compliance tied to the FTC PWS and any FAR clause requirements
- Flag contract risk to the CEO before it becomes a program risk
Internal Communication and Strategy
- Translate the compliance posture into language that works for the board, customers, prospects, and sales
- Build the internal reporting structure so engineering, product, and leadership all understand what compliance requires of them and when
- Be the point of escalation when compliance conflicts with product velocity—make the call or bring the right decision to the right person
Required
- You have lived through a FedRAMP Moderate authorization at a vendor — not as a consultant or auditor. You were on the vendor side, and you know what it feels like when a milestone slips.
- You understand NIST 800-53 control families well enough to read an SSP section and know whether it is complete without being the one writing the policy.
- You have managed compliance programs across multiple frameworks simultaneously and built the control mapping to show where they overlap.
- You have reviewed and negotiated compliance-related contract language—DPAs, security addenda, and data handling provisions.
- You have built compliance processes from scratch in a resource-constrained environment. You did not inherit a mature program; you built one.
- You are effective at managing parties you have no authority over. Vendors, assessors, and engineering teams all move toward deadlines because of you, not despite you.
- You write clearly and communicate upwards. Board-level summaries, customer-facing compliance statements, and control narratives all come from you without heavy editing.
- You know when to escalate and what not to bring to the CEO.
Preferred
- Experience with GRC platforms — Anitian, Drata, Vanta, or similar
- SOC 2 Type 2 program ownership
- Familiarity with AWS GovCloud environments
- Exposure to CJIS, GDPR, or HIPAA in a SaaS context
- Background in SaaS companies at the growth stage — not large enterprise compliance functions
- Existing network in the compliance and federal security space