Rithum is the heartbeat of commerce
Staff Information Security Engineer – AI First
Location: Michigan
Posted: 3 days ago
Salary: $170K - $220K / year
Seniority: Lead
Job Description
Staff Information Security Engineer – AI First
Rithum
- Act as the bridge between architectural intent and operational reality; mediate conflicts between security requirements and feasible implementation, propose compensating controls where gaps exist, and help register, track and remediate residual risks.
- Implement preventive, default-on security controls across cloud and enterprise environments, codified as policy- and infrastructure-as-code so security is enforced by design, including controls that govern how AI tools and models may be used.
- Implement and enforce identity and access controls to an agreed standard, including access boundaries for AI systems and non-human/agent identities, by partnering with Platform Engineering and IT to align tooling and policy to the architecture.
- Assist in maintaining the InfoSec risk register; track emerging threats and translate them into actionable guidance for engineering teams.
- Support third-party and vendor risk assessments, with a focus on vendors who process data through AI pipelines.
- Automate repetitive security workflows (evidence collection, access reviews, alert enrichment) and build or operate AI-assisted security agents, with human-in-the-loop approval gates, least-privilege credentials, and explicit attention to each agent's own blast radius.
- Integrate security tooling (SIEM, CSPM, DAST/SAST, vulnerability scanners) with LLM layers to surface actionable insight and automated responses.
- Define and enforce security requirements for AI-powered features: model access controls, prompt-injection mitigations, output validation, and data-handling boundaries.
- Conduct threat modelling on agentic and LLM-based systems, accounting for novel attack surfaces such as tool misuse, indirect prompt injection, and supply chain risk.
Job Requirements
- 5+ years of security engineering experience with demonstrated AI/ML security depth (prompt injection, model supply chain, adversarial inputs, RAG).
- Experience using AI tools (ChatGPT, Copilot, Claude, etc.) and LLM frameworks and APIs (OpenAI, Anthropic, LangChain, or similar) to accelerate and elevate your work.
- Hands-on identity and access expertise across modern enterprise and cloud identity stacks, including access models for AI systems and non-human identities.
- Infrastructure and policy-as-code (e.g. Terraform, OPA/Rego) and proficiency in a scripting language for automation (Python preferred).
- Cloud security expertise: AWS Solutions Architect / Security Specialty or equivalent demonstrated expertise, including multi-account governance, preventive guardrails, and policy-as-code.
- Application security (OWASP Top 10 and the OWASP LLM/GenAI Top 10, secure SDLC) and threat-modelling methodologies (STRIDE, PASTA, or equivalent). Practical experience building or operating AI agents, and integrating security tooling (SIEM, CSPM, SAST/DAST/SCA) so it surfaces action rather than raw alerts.
- Working knowledge of SOC 2 and/or ISO 27001 control frameworks.
Benefits
- Medical, dental and vision benefits: Affordable health care plans and company HSA contributions, starting on Day 1
- A 6% 401(k) match
- Competitive time off package with 20 days of Paid Time Off, 9 Company-Paid holidays, 2 paid floating holidays, 7 paid sick days, 2 Wellness days, and 1 Paid Volunteer Day; at 3 years of service PTO increases to 22 days, and at 5 years it increases to 25 days
- 12 weeks primary caregiver leave & 4 weeks secondary caregiver leave
- Accident, critical illness, and hospital indemnity insurance
- Pet insurance
- Legal assistance and identity theft insurance plans
- Life insurance 2x salary
- Access to the Calm app and the Employee Assistance Program
- $65/month Remote work stipend for internet
- Culture and team-building activities
- Tuition assistance
- Career development opportunities
- Charitable contribution match up to $250 per year
More Security Engineer Jobs
Federal Security Program Manager
Rhymetec
Rhymetec is a cybersecurity company that partners with businesses to protect, detect, and respond to evolving cyber threats, guided by its mission to provide security that enables
Title: Federal Security Program Manager
Location: Remote (United States)
About Rhymetec: Rhymetec was founded in New York City in 2015, growing steadily in the areas of compliance, cyber security and data privacy. Our mission is to ensure our clients are compliant faster, so they can focus on their core business and less on the complexities of building effective and compliant infosec programs.
Job Responsibilities
- Lead technical federal compliance programs from scoping to delivery at scale for Rhymetec’s customers, with a focus on government contractor and federal agency requirements including CMMC, FedRAMP, and NIST 800-171.
- Manage a small team of Security Analysts, driving performance through structured coaching, clear accountability measures, and consistent delivery of high-quality customer outcomes.
- Build information security programs for Rhymetec’s clients. This includes conducting gap assessments against federal and commercial cyber security frameworks, conducting risk assessments, and building strategy for creating and enhancing cyber security programs aligned to NIST 800-53, CMMC, and FedRAMP baselines.
- Achieve and maintain compliance for cyber security frameworks selected by Rhymetec’s customers.
- Participate in and manage CMMC, FedRAMP, GovRAMP, and other external audits on behalf of customers, and provide evidence to CPAs and/or QSAs.
- Lead project management for Rhymetec’s customers and create tasks and milestones to achieve required objectives.
- Ensure customers achieve the required security objectives, such as compliance frameworks, on time.
- Monitor and enforce SLAs for responding to customer requests.
- Develop methods of tracking project progress and performance. Analyze results to determine potential issues, risks, and enhancements.
- Improve and maintain customer retention by serving as a trusted federal compliance advisor, guiding clients through the complexity of government security requirements and positioning Rhymetec as a long-term strategic partner.
Qualifications
- 4+ years working in the federal cybersecurity and GRC space
- Demonstrated ability to function in a fast-paced, multi-program environment with changing priorities
- Previous experience in managing waterfall, hybrid, and agile delivery teams
- Good leadership skills, including the ability to influence and gain consensus in the absence of direct authority
- Ability to anticipate potential problems and proactively troubleshoot to resolve issues
- Understanding of cloud architecture and modern cloud systems
- Project management and people management delegation skills
- Federal certifications preferred (CCP highly preferred)
- U.S. Citizenship or Permanent Residency is required
- Availability to travel up to 2 weeks out of the year
Benefits: Rhymetec offers a robust employee package, including:
- No-cost medical coverage for employees
- Dental and Vision Benefits
- PTO and Sick Time, including 11 paid Holidays
- 401K retirement option
- Company-paid Life Insurance
- Summer Fridays!
- Annual career growth stipend; we want to see you thrive
- Annual Subscription to TalkSpace (online counseling & therapy service)
Rhymetec is committed to creating a diverse environment and is proud to be an equal-opportunity employer. All qualified applicants will receive consideration for employment regardless of race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status.
- Reviewing the current information risk program, including improvements to processes that identify, measure, track, and remediate risks with business owners.
- Working collaboratively with other information security risk personnel across Instructure to help identify enterprise-level risks for the CISO and work on finding enterprise-level solutions.
- Assisting in annual audits for industry-specific reports, such as ISO 27001, PCI, SOC 1 and SOC 2 Type I and Type II reports, where risk controls are affected.
- Developing and executing information security internal control testing across the enterprise.
- Working with product Engineering teams to secure solutions and ensure that Instructure procedures comply with regulatory framework requirements.
- Partnering with engineering teams to design and implement technical solutions to mitigate security risks.
- Collaborating with internal teams to establish metrics and dashboards that effectively measure the success of security programs.
- Coordinating between external auditors and internal control owners, ensuring smooth communication and efficient evidence gathering.
- Documenting findings and assessing risk where deviations exist resulting from internal and external testing.
- Evaluating third-party vendors to ensure compliance with established standards and risk tolerance levels.
- Presenting results and findings of audits to peers and leadership when necessary.
- Writing and editing policies and reports to maintain an industry-leading risk program.
- Communicating the value of GRC and information risk management at Instructure.
- Acting as an information security risk leader for Instructure, ensuring a world-class security posture.
- Reviewing new tools for security risks during the procurement process.
- Design, implement, and maintain DLP controls across email, endpoint, cloud, web, and collaboration platforms.
- Engineer and tune custom DLP detections using regex, Exact Data Matching (EDM), Indexed Document Matching (IDM), classifiers, and contextual telemetry.
- Own the full DLP policy lifecycle, including policy creation, normalization, testing, deployment, tuning, version control, and change management.
- Analyze and triage DLP and insider risk alerts, conduct root cause analysis, and recommend mitigation strategies to improve control effectiveness.
- Partner with Security Operations, Incident Response, Risk, Legal, Compliance, and Information Protection teams to investigate potential data exfiltration and insider risk events.
- Build and enhance automation workflows, dashboards, and reporting to improve visibility into data movement, user behavior, and program performance.
- Serve as a technical subject matter expert for DLP platforms and data protection capabilities across the enterprise.
- Translate regulatory requirements, business needs, and risk scenarios into practical, enforceable technical controls.
- Continuously improve detection quality, operational processes, and reporting to advance program maturity and business alignment.
- Contribute to the evaluation and responsible use of AI-enabled security capabilities that improve detection, analysis, and operational efficiency within data protection workflows.