Manufacturing / Operations · Jacksonville Metro, FL · On-site · Now Hiring

Director, Security & Compliance

Snowcap is standing up a CUI-bearing cryogenic test facility, a non-CMOS process program, and a U.S. government customer roadmap — all in parallel. You will own the entire security posture: NIST 800-171 / CMMC compliance, physical security of a sensitive facility, threat intelligence, and the federal and law-enforcement relationships that program demands.

Team: Security & Compliance
Employment: Full-time
Posted: May 2026
Role ID: SC-2026-013

Snowcap is building superconducting digital computing systems on Josephson-junction logic and NbTiN thin-film fabrication. Our Florida test facility will house cryogenic measurement infrastructure, CUI-bearing engineering workstations, and the program management spine for a critical chip measurement campaign scheduled for late 2026. Because our customer roadmap includes the U.S. government — and because the underlying IP sits under export-control regimes — the security posture has to do four things at once: pass a third-party assessment against NIST SP 800-171 Rev 2, protect a sensitive physical facility, run a credible threat intelligence function, and carry the federal and law-enforcement relationships that come with operating in this space.
You will own all of it. The compliance program — System Security Plan, POA&M, SPRS score, CMMC L2 readiness — is the immediate urgency on a tight timeline. The longer arc is the program at scale: physical security of the Florida facility and the manufacturing build-out that follows; a working threat intelligence and risk function; an incident response capability that has been exercised, not just documented; and the relationships with federal law enforcement, the intelligence community, and partner agencies that a program like ours has to maintain. You will work directly with operations, engineering, fab technology, and legal in a flat, matrixed organization.
This role is contract-to-FTE by design. In months 1–3 you run gap assessment, draft the SSP, build the POA&M, and finalize the physical security design. In months 4–6 you drive control implementation, evidence collection, 3PAO selection, and a pre-assessment dry run. From month 6 you convert to FTE as Director, Security & Compliance and carry the program through assessment, into sustainment, and into the broader security mandate that follows.

- Own Snowcap's preparation for a 3PAO / C3PAO assessment against NIST SP 800-171 Rev 2 — every control, every family — including the System Security Plan, the POA&M, and the Basic Assessment score in SPRS.
- Drive parallel readiness for CMMC Level 2 and advise leadership on the timing and scope of Rev 3 control uplift.
- Maintain and extend Snowcap's security policy framework, mapping controls across NIST 800-171, CMMC, and — aspirationally — ISO 27001.
- Coordinate DFARS 252.204-7012 incident reporting obligations, subcontractor flow-downs, and CUI handling across the supply chain.
- Design, commission, and operate the physical security posture of the Florida cryogenic test facility — and the manufacturing build-out that follows. Controlled access zones, visitor management, CCTV, intrusion detection, tailgating mitigation, asset tracking, CUI-rated workspaces, and the SOPs that make them work after hours.
- Stand up Snowcap's threat intelligence function — strategic and tactical — covering physical threats to facilities and personnel, insider risk, supply chain compromise, and threat actor interest in superconducting and government-aligned technology.
- Own executive and traveling-personnel threat management, particularly around fab-partner travel, government engagements, and ITAR-controlled environments.
- Own IAM across Snowcap's cloud and engineering platforms: least privilege, MFA, privileged access management, and joiner-mover-leaver workflows. Harden endpoints, network boundaries, remote access, and cloud posture against 800-171 §3.13 baselines.
- Drive vulnerability management, patch cadence, and secure SDLC integration with the engineering organization.
- Stand up a recurring risk assessment cadence per 800-171 §3.11, maintain the enterprise risk register, and own third-party and supply-chain risk — with particular attention to fab partners, cryogenic equipment vendors, and the software supply chain.
- Build and exercise the incident response plan — tabletop exercises no less than twice per year — and stand up the security awareness and role-based training program for CUI handlers and privileged users.
- Partner with legal and operations on ITAR / EAR classification for Snowcap's NbTiN process and superconducting IP, and shape how engineering data is segmented against the access boundaries those regimes require.
- Own Snowcap's relationships with federal law enforcement, the intelligence community, and partner agencies — the liaison work that a program in this domain has to maintain — and serve as the company's senior representative in those forums.
- Chair a monthly Security Council with senior engineering and operations leadership, and build out the security team as the program scales past assessment.

- 15+ years of senior security leadership across some combination of: a Defense Industrial Base contractor that has been through a NIST SP 800-171 assessment under DFARS 7012; federal law enforcement; the intelligence community; or comparable government-aligned senior security roles where the program had national-scale stakes and a budget you owned.
- Direct accountability for getting an organization through a NIST 800-171 / DFARS 7012 assessment — authoring or commissioning the SSP and POA&M, defending a score in SPRS, and managing a 3PAO engagement. If you have not personally led this, you have a credible plan for how to acquire and direct the talent that can.
- Physical security experience standing up a facility from bare walls to operational — not solely managing a preexisting footprint. Sensitive, controlled, or high-value facility experience expected.
- Demonstrated strength in at least two of: cyber compliance / governance, physical security at scale, threat intelligence and risk management, executive protection, or inter-agency liaison. The role spans all of them; you do not need to start as an expert in every one, but you have to be elite in some.
- CISSP, CISM, equivalent senior security credential, or an equivalent senior federal security background. CMMC-AB Registered Practitioner, CCP, or CCA is a strong plus.
- U.S. person, clearance-eligible. Successful background investigation will be required.
- Startup operating tempo: you write your own policies, negotiate with vendors directly, and know when "good enough to pass" beats "perfect and late."

- Senior leadership background at a federal agency in the law enforcement or intelligence community — ATF, FBI, CIA, NSA, DHS, DOJ, or comparable — with budget, personnel, and program ownership at scale.
- Track record of building or running a national-scale program with a defensible budget, multi-site operations, and presentation experience at the senior government level (executive branch, Congressional, or interagency).
- Existing relationships across federal law enforcement and the intelligence community that translate into faster response, cleaner liaison work, and credible threat intelligence at Snowcap.
- Active Top-Secret or Secret clearance, or a prior favorable investigation. The Jacksonville metro — NAS Jax, Mayport, Kings Bay — has an unusually deep bench of cleared talent.
- Strategic intelligence depth: threat management, executive protection program design, insider risk, and proactive intelligence operations against threats to facilities, personnel, and IP.
- Semiconductor, photonics, or specialty hardware manufacturing background where compliance and CUI boundaries intersected with active engineering work.
- Hands-on experience administering ITAR / EAR technical data controls in a live engineering environment, not just classifying after the fact.
- Background standing up facilities that later pursued an FCL under the NISPOM.
- Working fluency with cloud-native compliance tooling and government-cloud architectures used for CUI-rated environments.
- Advanced credentials in strategic security, intelligence, or related fields — PhD, executive fellowships, or equivalent — that reflect serious investment in the discipline.

Snowcap is a small, technically elite team building a facility, a process, and a compliance program in parallel. There is no inherited security organization to step into, no prior assessment to copy from, and no in-house compliance bench to delegate to. You will be the program — and then, after assessment, you will build the team that scales it.
We are a flat, matrixed organization. You will work daily with engineering, operations, fab technology, and legal — directly, without layers. When a control gap and an engineering decision conflict, that conversation happens in the room that day, with the people who can act on it.
Primary base is the Florida test facility, with regular travel to Snowcap HQ and periodic travel to fab and measurement partners. Heavy on-site presence is expected during Phase 1. Remote work is acceptable for non-facility-anchored activities once steady-state operations are established. If you need a mature compliance organization with established policy libraries and a senior CISO above you, this is not the right fit. If you have wanted to take an organization from no SSP to a passed assessment and then run the program, you are in the right place.

Snowcap builds superconducting compute.

Phase 1 (months 1–3): gap assessment, SSP drafting, POA&M construction, physical security design finalized — heavy on-site presence. Phase 2 (months 4–6): control implementation, evidence collection, 3PAO selection, pre-assessment dry run. Phase 3 (month 6+): conversion to FTE as Director, Security & Compliance — full medical, dental, and vision · 401(k) · relocation assistance available for candidates outside the area.
Base/contract range is shown in USD on an annualized basis, reflective of the Jacksonville Metro market for sub-CISO security leadership with federal compliance (NIST 800-171 / CMMC L2) scope. Actual offer depends on experience, scope, and engagement structure, and is exclusive of equity at FTE conversion. Florida has no state income tax — relocating candidates should factor that into offer comparisons.
Based in Jacksonville Metro, FL · On-Site · Contract-to-FTE. Employment is contingent on verification of U.S. person status and successful background investigation.

Snowcap is an equal opportunity employer. We do not discriminate on the basis of race, color, religion, sex, national origin, age, disability, veteran status, or any other protected characteristic.

Shape the future with us.

Send a brief note on why this role and why now, alongside your resume. If you have work we can point to, include a link. We do not work with external recruiters for this role.
