Senior Product Compliance Engineer

Company Overview

ID.me is a high-growth enterprise software company that simplifies how people prove and share their identity online.  The company empowers people to control their data through a portable and trusted login, which means they don’t need to create a new password when visiting sites that have the ID.me button.  ID.me’s digital identity network has over 117 million registered members, and is used by fourteen federal agencies, agencies in 30 states and over 600 corporations for secure identity proofing and verification.

ID.me’s technology meets the federal standards for consumer authentication set by the Commerce Department and is approved as a NIST 800-63-3 IAL2 / AAL2 credential service provider by the Kantara Initiative. In addition to helping people control their credentials and data, the company’s “No Identity Left Behind” initiative strives to expand digital access and inclusion for all people. The company offers multiple pathways to identity verification – online self-serve, live video chat agents, and in person.  ID.me is passionate about building a robust identity network that does not compromise access for traditionally underserved groups.

ID.me has received numerous awards including Deloitte’s 2023 Technology Fast 500, Washington Business Journal’s Fastest Growing Companies, Entrepreneur Magazine’s 100 Brilliant Companies and Wall Street Journal’s Startup of the Year finalist.  In recent quarters, ID.me announced it raised $132 million in Series D funding, led by Viking Global Investors with participation from CapitalG, Morgan Stanley Counterpoint, FTV Capital, PSP Growth, Auctus Investment Group, Moonshots Capital, and Scout Ventures. ID.me’s most recent round brings the total investment in ID.me to over $275 million since its founding in 2010.

Role Overview

As we expand our reach into sectors requiring stringent regulatory adherence, we seek a seasoned Senior Product Compliance Engineer to enhance our team. This role is crucial in ensuring that our products not only meet but exceed the regulatory standards required by our clients and governing bodies.

As a Senior Product Compliance Engineer, you will be instrumental in embedding compliance and security into the fabric of our product development lifecycle. With a deep understanding of FedRAMP, NIST, and OWASP controls, you will support the integration of these standards into our engineering processes, ensuring that our SaaS products are secure, compliant, and trustworthy. Your expertise will not only involve technical implementations but also extend to creating comprehensive documentation and automated processes to support compliance activities.

 

Role Responsibilities

• Compliance Integration: Aid in design and implementation of FedRAMP, NIST, and OWASP controls into the product development lifecycle. Ensure that all product features meet the rigorous compliance standards necessary for highly regulated industries.
• Documentation: Create security and privacy control focused engineering specifications, user documentation, and other technical artifacts that convey compliant technical implementations. Ensure clarity and accessibility of documentation for both technical and non-technical stakeholders.
• Audit Support: Create and maintain compliance evidence for internal and external auditors. Develop processes to automate the generation of compliance evidence to streamline audit activities.
• Collaboration and Training: Work closely with product managers, developers, and quality assurance teams to convey compliance requirements and best practices. Provide training and support to ensure all teams are knowledgeable in security and privacy related practices.
• Continuous Improvement: Stay abreast of developments in regulatory standards and compliance best practices. Recommend and implement improvements to internal compliance frameworks and processes.
• Risk Assessment: Continuously assess risk as part of the product change management process. Prioritize and address potential compliance gaps in collaboration with risk management and security teams.

Required Skills / Abilities

• Working knowledge of compliance regulations, such as NIST, GDPR, and other federal and commercial regulations and compliance programs
• Experience running program and project management initiatives (e.g. organization-wide initiatives, large scale integration management)
• Experience communicating complex concepts and developing communications for a wide variety of both technical and non-technical audiences
• Demonstrated success collaborating with cross-functional teams to drive results
• Demonstrated experience orienting towards solutions in the context of competing perspectives
• Capability to analyze software development processes, identify compliance risks, and propose practical solutions to mitigate these risks while ensuring business objectives are met
• Experience conducting root cause analysis, developing corrective action plans based on findings, and influencing stakeholders to adopt solutions
• Experience creating compliance documentation, such as procedures, process flow diagrams, threat models, and risk assessments
• Demonstrated skills creating team-specific software development guidance to enable secure, rapid delivery of products and services

Ideal Qualifications

• 7+ years of experience in information security or equivalent in combination with 5+ years of experience in a product or application security team
• CISSP or equivalent
• Strong technical background, including experience in a variety of software development environments and methodologies
• Experience building system and mechanisms to detect change conditions to enable compliance procedures

Education and/or Experience

• Bachelors of Science, Bachelor of Computer Science, or equivalent

Physical Requirements

• Position located on-site in  Mclean, VA or Sunnyvale, CA

 

ID.me maintains a work environment free from discrimination, where employees are treated with dignity and respect. All ID.me employees share in the responsibility for fulfilling our commitment to equal employment opportunity. ID.me does not discriminate against any employee or applicant on the basis of age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances. ID.me adheres to these principles in all aspects of employment, including recruitment, hiring, training, compensation, promotion, benefits, social and recreational programs, and discipline. In addition, ID.me’s policy is to provide reasonable accommodation to qualified employees who have protected disabilities to the extent required by applicable laws, regulations and ordinances where a particular employee works. Upon request we will provide you with more information about such accommodations.

Please review our Privacy Policy, including our CCPA policy, at id.me/privacy. If you provide ID.me with any personally identifiable information you confirm that you have read and agree to be bound by the terms and conditions set out in our Privacy Policy.

ID.me participates in E-Verify.