About Responsive
Responsive, formerly RFPIO, is the market leader in a growing category of SaaS solutions called Strategic Response Management. More than 2,000 customers, including Google, Microsoft, Blackrock, T.Rowe Price, Adobe, Amazon, Visa and Zoom, are using the Responsive platform to manage business critical responses -including bids, questionnaires, assessments, and trust centers - that impact nearly half of a company's revenue. More than 35% of cloud SaaS leaders and more than 20 of the Fortune 100 standardize on Responsive, and the company has been voted "best in class" by G2 for 24 quarters straight. Customers have used Responsive to close more than $750B in transactions to-date. To learn more, visit responsive.io.
About the Role
Responsive is hiring a Principal Federal Compliance Lead (CMMC L2, FedRAMP Moderate) to take end-to-end accountability for two outcomes: CMMC Level 2 (C3PAO) readiness and certification for our CUI boundary, and a FedRAMP Ready designation at the Moderate baseline for our cloud service offering. This role is hands-on. You will author and maintain the SSP and supporting artifacts, map controls to technical implementations, build the evidence system, drive remediation through engineering and IT backlogs, and run the assessor-facing process.
You'll be the single point of accountability for federal compliance, coordinating across engineering, IT, security, legal, and product teams internally, and managing relationships with C3PAOs, 3PAOs, and other external assessors.
Essential Functions
What You'll Own
CMMC Level 2 Certification
-
You define and maintain the CMMC assessment scope and system boundary.
-
You run a gap assessment using NIST SP 800-171A assessment objectives.
-
You author and maintain the System Security Plan.
-
You write control implementation statements that map to deployed configurations.
-
You build and maintain a defensible POA&M with owners and dates.
-
You translate gaps into engineering and IT backlog items with acceptance criteria.
-
You validate remediation through testing and objective evidence.
-
You design the evidence repository taxonomy and retention rules.
-
You prepare internal teams for “interview, examine, test” assessment methods.
-
You select, manage, and hold the C3PAO accountable for quality and schedule.
-
You manage findings through conditional status and final status closeout.
FedRAMP Moderate Ready
-
You define the FedRAMP system boundary for the cloud service offering.
-
You map control responsibilities across product, platform, and corporate IT.
-
You extend the documentation set to FedRAMP Moderate expectations.
-
You drive the Readiness Assessment Report workflow with a FedRAMP-recognized 3PAO.
-
You coordinate readiness testing and evidence review before assessor fieldwork.
-
You run the PMO-facing process to achieve a FedRAMP Ready marketplace listing.
-
You establish the continuous monitoring cadence required after readiness.
Ongoing Federal Compliance Operations
-
You keep documentation current as systems, vendors, and processes change.
-
You maintain the evidence system so evidence collection becomes routine.
-
You track regulatory changes across CMMC, FedRAMP, and adjacent requirements.
-
You respond to federal-focused security questionnaires with consistent positions.
-
You advise product and engineering on compliance impact of architectural decisions.
-
You partner with Sales and Solutions on deal risks and customer expectations.
Education
Any Bachelor's Degree
Additional Information
Knowledge, Skills & Ability
Non-Negotiable
-
Have personally led a company through CMMC Level 2 or FedRAMP authorization
-
Deep expertise in NIST 800-171 and NIST 800-53 control frameworks
-
Hands-on documentation ability: you write SSPs and control implementation statements, not just review them
-
Experience preparing organizations for and managing third-party security assessments
-
Technical fluency: can engage meaningfully with engineers on cloud architecture, identity management, encryption, logging, and CI/CD security
Strongly Preferred
-
Experience with SaaS/cloud-native environments (AWS, Azure, or GCP)
-
Background in B2B enterprise software companies
-
Familiarity with adjacent frameworks: SOC 2, ISO 27001, StateRAMP
-
Understanding of CUI handling requirements and DFARS 252.204-7012 flow-down obligations
Certifications (Helpful, Not Required)
-
CISSP, CISM, or equivalent
-
Certified CMMC Professional (CCP) or Certified CMMC Assessor (CCA)
-
FedRAMP training or credentials