Director, FedRAMP Program

Job Description

We are seeking an experienced Director, FedRAMP Program, to lead our federal compliance and authorization program for our SaaS cloud service offerings. This role reports directly to the Chief Information Security Officer and owns the end-to-end FedRAMP journey, from readiness and authorization planning through 3PAO assessment, agency sponsor coordination, Authorization to Operate (ATO), and post-authorization continuous monitoring.

The ideal candidate has personally led or played a senior leadership role in bringing a SaaS company through FedRAMP Moderate authorization, with FedRAMP High experience strongly preferred. This is a cross-functional leadership role requiring deep knowledge of FedRAMP, NIST SP 800-53, cloud security, SaaS engineering operations, SSDLC, DevSecOps, audit readiness, executive communication, risk management, and federal customer expectations.

This role will serve as the primary program leader connecting Security, Engineering, Product, IT, Legal, GRC, Sales, Customer Success, external advisors, 3PAOs, and federal agency stakeholders. Success requires more than managing checklists. This person must be able to drive real control implementation, unblock engineering dependencies, manage risk tradeoffs, and keep executives aligned on timeline, scope, cost, and residual risk.

Key Responsibilities:

FedRAMP Program Leadership

• Own and lead the company’s FedRAMP program from readiness (FW has completed RADD for Moderate) through ATO and continuous monitoring.
• Develop the overall FedRAMP ATO strategy, roadmap, execution plan, work breakdown structure, milestone plan, and executive reporting model.
• Lead the company through FedRAMP Moderate authorization, with a path to FedRAMP High for future ATO.
• Define and manage the FedRAMP authorization boundary for the cloud service offering.
• Partner with Security, Engineering, Product, IT, Legal, Privacy, Compliance, and GTM teams to align FedRAMP requirements with business and customer needs.
• Translate FedRAMP requirements into clear workstreams, owners, deliverables, deadlines, and measurable outcomes.
• Maintain executive-level visibility into program status, risks, decisions, blockers, and funding needs.

Authorization Package Ownership

• Own the development, maintenance, and quality of the FedRAMP authorization package, including the SSP, SAP, SAR, POA&M, control implementation narratives, policies, standards, procedures, control inheritance documentation, architecture diagrams, data flow diagrams, boundary documentation, and supporting operational evidence.
• Ensure documentation accurately reflects the real operating environment, not aspirational controls.
• Build a durable evidence repository and repeatable evidence collection process.
• Establish documentation quality standards to reduce rework during 3PAO and agency review.

3PAO, Advisor, and Agency Coordination

• Serve as the primary internal program owner for external FedRAMP partners, including advisors, consultants, 3PAOs, and agency stakeholders.
• Coordinate readiness assessments, gap assessments, formal assessments, evidence requests, control interviews, penetration testing, and remediation validation.
• Manage 3PAO engagement timelines, dependencies, artifacts, and issue resolution.
• Support agency sponsor conversations and help prepare materials needed for agency authorization review.
• Ensure the SAR findings are translated into clear remediation plans and risk decisions.

POA&M and Risk Management

• Own the POA&M process for FedRAMP-related findings, vulnerabilities, control gaps, and residual risks.
• Drive timely remediation of POA&M items across Engineering, Cloud Infrastructure, Cybersecurity, IT, and Product teams.
• Establish clear ownership, due dates, severity, risk rationale, evidence requirements, and closure criteria for each POA&M item.
• Escalate overdue or high-risk items to appropriate leadership forums.
• Partner with business and technical owners to determine when remediation, mitigation, compensating controls, or formal risk acceptance is appropriate.
• Maintain a clear view of residual risk for executives and authorizing stakeholders.

Control Implementation and Engineering Alignment

• Partner with Engineering, Cloud Infrastructure, and Cybersecurity teams to implement FedRAMP-required security controls in a SaaS cloud environment.
• Drive control maturity across identity and access management, privileged access management, vulnerability management, secure configuration management, logging, monitoring, alerting, incident response, encryption, key management, change management, backup and recovery, contingency planning, asset inventory, boundary protection, software supply chain security, and secure SDLC.
• Help engineering teams understand not just what is required, but why it matters and how to implement it sustainably.
• Identify control implementation gaps early and drive resolution before they become audit blockers.

Continuous Monitoring and Post-ATO Operations

• Assist in building and operating the FedRAMP continuous monitoring program after authorization.
• Own recurring ConMon deliverables, evidence collection, vulnerability reporting, POA&M updates, significant change analysis, incident reporting coordination, and ongoing agency reporting.
• Partner with Security Operations, Cybersecurity, Engineering, and Compliance to maintain authorization posture.
• Establish operational processes to prevent control drift after ATO.
• Track changes to FedRAMP guidance, NIST requirements, agency expectations, and federal cybersecurity directives.
• Prepare the organization for annual assessments and ongoing authorization maintenance.
• Keep abreast of FedRAMP program changes, like 20XX, and how they might impact our FedRAMP program. 

Executive and Cross-Functional Communication

• Provide clear, concise program updates to executives, steering committees, and board-level stakeholders.
• Communicate program health, milestone status, material risks, funding needs, staffing constraints, and decision points.
• Create executive-ready reporting that connects FedRAMP work to customer trust, federal revenue opportunities, risk reduction, and operational maturity.
• Facilitate cross-functional decision-making when security requirements conflict with product timelines, engineering capacity, or customer commitments.
• Serve as the internal FedRAMP translator: able to explain complex requirements in business, technical, and executive terms.

Federal GTM and Customer Support

• Partner with Sales, Legal, Customer Success, and Cybersecurity GTM teams to support federal customer conversations.
• Help develop accurate FedRAMP-related customer messaging, RFP responses, trust center content, and security collateral.
• Ensure external claims about FedRAMP status, roadmap, and control maturity are accurate and legally defensible.
• Support customer security reviews and federal procurement diligence related to FedRAMP.

Qualifications

• 10+ years of experience in cybersecurity, compliance, GRC, cloud security, audit, risk management, or security program leadership.
• Direct experience leading or materially contributing to a FedRAMP Moderate ATO for a SaaS or cloud service provider.
• Strong working knowledge of the FedRAMP authorization lifecycle, NIST SP 800-53, FedRAMP Rev. 5 requirements, SSP, SAP, SAR, POA&M, continuous monitoring, the 3PAO assessment process, and agency authorization processes.
• Demonstrated ability to manage complex, cross-functional security programs involving Engineering, Product, Cloud Infrastructure, Cybersecurity, Legal, GRC, and executive stakeholders.
• Experience building and maintaining audit evidence repositories and compliance operating models.
• Strong knowledge of SaaS/cloud architecture, preferably AWS, Azure, or multi-cloud environments.
• Strong understanding of technical security domains, including IAM, vulnerability management, logging/monitoring, encryption, incident response, secure SDLC, change management, and cloud infrastructure security.
• Proven ability to drive remediation across teams that do not directly report to you.
• Excellent written and verbal communication skills.
• Ability to communicate clearly with both technical teams and executive stakeholders.
• Strong project/program management discipline, including milestone planning, dependency tracking, risk management, and executive reporting.

Preferred Qualifications

• Experience leading or supporting FedRAMP High authorization.
• Experience with both agency authorization and legacy JAB-style authorization expectations.
• Experience working directly with FedRAMP advisors, 3PAOs, agency sponsors, and federal customer security teams.
• Experience with SaaS products serving enterprise and/or public sector customers.
• Experience with AWS GovCloud, Azure Government, or other government cloud environments.
• Experience with adjacent and additive frameworks such as CMMC, ITAR, SOC 2, ISO 27001, ISO 42001, HIPAA, PCI DSS, StateRAMP, IRAP, or ISMAP.
• Experience supporting federal go-to-market, RFP responses, security questionnaires, and customer trust programs.
• Certifications such as CISSP, CISM, CISA, CRISC, PMP, CCSP, or equivalent experience.
• Experience in standing up a new FedRAMP program from scratch.

Additional Information

The annual base salary range for this position is $205,000 - $255,000. This role is also eligible for a target bonus.

Compensation is based on a variety of factors including but not limited to location, experience, job-related skills, and level. Freshworks offers multiple options for dental, medical, vision, disability and life insurances. Equity + ESPP, flexible PTO, flexible spending, commuter benefits and wellness benefits are also offered. Freshworks also offers adoption and parental leave benefits.

At Freshworks, we have fostered an environment that enables everyone to find their true potential, purpose, and passion, welcoming colleagues of all backgrounds, genders, sexual orientations, religions, and ethnicities. We are committed to providing equal opportunity and believe that diversity in the workplace creates a more vibrant, richer environment that boosts the goals of our employees, communities, and business. Fresh vision. Real impact. Come build it with us.