Senior Security Engineer I – GRC FedRAMP (Remote Eligible)
FedRAMP and GovRAMP (formerly StateRAMP) are transforming how Smartsheet serves government and regulated customers. We need a FedRAMP and GovRAMP subject matter expert to lead these programs—someone with real hands-on experience obtaining and maintaining ATO authorizations, navigating 3PAO assessments, and managing continuous monitoring requirements. In this role, you'll own Smartsheet's FedRAMP and GovRAMP certifications, manage relationships with our 3PAOs, drive annual assessment preparation, manage POA&M processes, and ensure we maintain authorizations at the highest level. You'll understand the nuances of federal compliance, speak fluently with government agencies and authorized assessors, and translate complex regulatory requirements into clear roadmaps for engineering and operations teams. You'll be the voice of federal compliance at Smartsheet and the trusted advisor to government customers on our security posture.
You Will:
Own FedRAMP and GovRAMP (formerly StateRAMP) certifications and roadmaps: Lead the overall strategy for obtaining and maintaining federal authorizations, including package management, compliance timelines, and authority coordination.
Manage 3PAO relationships and assessments: Work with accredited third-party assessment organizations to conduct initial assessments and annual re-assessments. Coordinate scoping, evidence preparation, testing coordination, and results validation.
Lead continuous monitoring (ConMon) execution: Oversee the delivery of monthly, annual, and event-driven FedRAMP deliverables including vulnerability scans, penetration testing, system security plan updates, and compliance reporting.
Manage Plans of Action and Milestones (POA&M) processes: Own the identification, prioritization, tracking, and remediation of findings. Ensure timely closure of Critical (30 days), High (30 days), and Moderate (90 days) findings while coordinating with engineering and security teams.
Coordinate significant change requests and system modifications: Work with product and engineering to document, scope, assess, and obtain agency approval for system changes that impact security controls or compliance posture.
Engage with authorizing officials and federal agencies: Build and maintain relationships with government sponsors, CIOs, and agency decision-makers. Provide regular status updates, respond to questions, and demonstrate authorization compliance.
Prepare comprehensive assessment packages: Lead the development of System Security Plans (SSP), Security Assessment Plans (SAP), risk exposure tables, and supporting documentation required for audits.
Drive compliance automation and efficiency: Identify opportunities to automate evidence collection, simplify reporting, and reduce manual effort while maintaining rigor and auditability.
You Have:
5+ years of hands-on experience with FedRAMP and/or GovRAMP (StateRAMP) programs, including direct involvement in obtaining and maintaining ATOs.
Proven experience working with accredited 3PAOs: You've coordinated initial assessments, managed annual re-assessments, provided evidence packages, and worked through test results and findings.
A degree in Computer Science, Computer Engineering, Cybersecurity or a related field or equivalent practical experience.
Deep understanding of FedRAMP continuous monitoring requirements: Comprehensive knowledge of monthly deliverables, annual assessment cycles, POA&M management, vulnerability scan and penetration test requirements, and compliance reporting cadences.
Strong NIST 800-53 control knowledge: Fluency with control baselines, supplemental overlays (ITAR, CJIS, HIPAA, etc.), impact level determination, and control selection for various system types.
Project management and stakeholder coordination skills: Experience managing complex, multi-month compliance programs with multiple dependencies, stakeholders, and tight deadlines.
Technical foundation in cloud security and compliance: Working knowledge of AWS/GCP/Azure, cloud security controls, identity and access management, encryption, logging, and incident response—sufficient to understand system architecture and control implementations.
Excellent documentation and communication skills: Ability to write clear System Security Plans, coordinate across multiple stakeholders, and translate technical and compliance concepts for government audiences.
Understanding of federal procurement and contracting: Familiarity with how government agencies acquire and authorize cloud services, and the role of compliance in federal GTM.
US Person Status: Must be a U.S. Citizen, U.S. National to meet federal compliance requirements.
Nice to Have:
Professional certifications: CISSP, CISM, CISA, CRISC, or FedRAMP-specific credentials.
Experience with multiple impact levels: IL2 (Low), IL4 (Moderate), IL6 (High) systems and their specific requirements.
Background in government contracting, DoD CMMC, or other federal compliance frameworks.
Experience with SaaS FedRAMP authorization, particularly multi-tenant systems and JAB vs. Agency ATO pathways.
Current US Perks & Benefits:
Employer subsidized medical/vision and dental coverage for full-time employees
401k Match to help you save for your future (50% of your contribution up to the first 6% of your eligible pay)
Monthly stipend to support your work and productivity
Flexible Time Away Program, plus Sick Time Off
US employees are automatically covered under Smartsheet-sponsored life insurance, short-term, and long-term disability plans
US employees receive 12 paid holidays per year
Up to 24 weeks of Parental Leave
Personal paid Volunteer Day to support our community
Opportunities for professional growth and development including access to Udemy online courses
Company Funded Perks, including a counseling membership, local retail discounts, and your own personal Smartsheet account
Teleworking options from any registered location in the U.S. (role specific)
Smartsheet provides a competitive base salary range for roles that may be hired in different geographic areas we are licensed to operate our business from. Actual compensation is determined by several factors including, but not limited to, level of professional, educational experience, skills, and specific candidate location. In addition, this role will be eligible for a market competitive incentive opportunity.
US Base Salary Pay Range
$145,000—$210,000 USD