The first compliance lead hire profile: mandate, ConMon cadence, staffing model, skills profile, and compensation band. Grounded in FedRAMP 20x LI-SaaS requirements. A format specification; content is populated once Stephanie and Tim confirm hiring constraints and ConMon tooling selection.
Without dedicated compliance ownership, ConMon fails. Engineering has feature deadlines. Compliance has no visible deadline until authorization expires.
The first compliance lead at NorthAI owns one outcome: keeping the FedRAMP 20x LI-SaaS authorization current. That means owning the ConMon cadence (quarterly Ongoing Authorization Reports, KSI validation, POA&M management), managing the relationship with the selected 3PAO, coordinating with engineering on security control implementation, and serving as the internal point of contact for any federal customer security inquiry.
FedRAMP 20x LI-SaaS has a continuous monitoring structure that differs from the old annual-only audit cycle. The cadence below reflects the current (2026) FedRAMP ConMon Playbook requirements for the Low Impact SaaS track.
| Activity | Frequency | Compliance lead effort | Output |
|---|---|---|---|
| KSI validation (machine-based resources) | Every 3-7 days (automated via OSCAL GRC tooling) | Review dashboard; escalate anomalies. < 2 hrs/week with GRC automation in place. | Automated KSI feed submitted to FedRAMP. Anomalies trigger engineering ticket. |
| Ongoing Authorization Report (OAR) | Quarterly (every 90 days) | 4-8 hrs per quarter to compile, review, and submit. 3PAO reviews and attests. | Structured OSCAL package submitted to FedRAMP program office and posted to Marketplace record. |
| POA&M management | Monthly review; continuous remediation | 2-4 hrs/month tracking open findings, validating closures, documenting remediation evidence. | Current POA&M submitted with each OAR. Open items do not disqualify authorization if mitigated within risk tolerance. |
| Quarterly attestation | Quarterly (aligned with OAR) | 1-2 hrs: executive sign-off on security posture attestation. | Signed attestation from authorized official (typically Tim or Stephanie at this stage). |
| Annual penetration test | Annual | Coordinate with 3PAO (or separate pen test firm). 8-16 hrs compliance lead coordination. | Pen test report submitted as part of annual 3PAO assessment. Findings drive POA&M updates. |
| Security incident response | As triggered (72-hour federal notification clock) | Owns the notification workflow. Must have draft templates prepared in advance. On-call posture required. | Formal federal agency notification within 72 hours of confirmed security event. Internal incident report. |
| Significant change review | As triggered by engineering (new features, integrations, data types) | 2-8 hrs per review depending on scope. Determines whether change crosses authorization boundary. | Boundary decision memo. Boundary-crossing changes trigger 3PAO assessment update ($30-75K, see path memo). |
Ch 7 identifies three staffing options for compliance: (A) full-time compliance lead ($3M+ ARR justified), (B) fractional 20-40 hours per month ($8K to $15K per month), (C) compliance-as-service ($10K to $20K per month). The FedRAMP 20x LI-SaaS ConMon cadence is less demanding than Moderate, which changes the math for an early-stage startup.
| Stage | Staffing model | Monthly cost | Rationale | ARR trigger to move up |
|---|---|---|---|---|
| Y1: Authorization through first paid contract | 0.5 FTE fractional compliance lead (20-25 hrs/month) | $6K to $10K/month (fractional, senior ISSO rate) | FedRAMP 20x LI ConMon cadence is manageable at half-time with OSCAL GRC tooling. 3PAO handles the quarterly attestation and annual assessment. Fractional lead owns the between-assessment monitoring and engineering escalation function. | $500K ARR (first 2-3 customers paying) or first significant change review that indicates boundary management is a full-time need |
| Y2: First 3 customers, Moderate track opens (conditional) | 1.0 FTE full-time compliance lead | $120K to $160K/year (fully loaded) | At $1M+ ARR and 3+ customers, the compliance function becomes a customer-facing asset (federal COs want to talk to the ISSO). The significant-change review volume increases as the product grows. If Moderate track opens, the control count doubles (323 vs 156) and fractional is no longer sufficient. | $1M+ ARR or Moderate track decision confirmed |
Note: This staffing recommendation is a format baseline. Stephanie and Tim should adjust the fractional rate and trigger thresholds based on their current burn rate, hiring constraints, and 3PAO relationship structure. The 0.5 FTE to 1.0 FTE arc is the HARBOR-grounded recommendation given the FedRAMP 20x LI-SaaS ConMon cadence and NorthAI's pre-Series A capital structure.
The compliance lead hire profile for a FedRAMP 20x LI-SaaS track is narrower than a Moderate or High compliance lead. The control count is smaller (156 vs 323), the ConMon cadence is lighter, and the OSCAL automation reduces manual documentation. The profile below reflects what is actually needed at the LI-SaaS level.
| Skill area | Requirement level | Why it matters for NorthAI |
|---|---|---|
| NIST 800-53 Rev 5 fluency | Required (working knowledge of Low baseline control families) | FedRAMP 20x is built on 800-53 Rev 5. The compliance lead must be able to read a control, understand what it requires in implementation, and assess whether the engineering implementation satisfies it. This is not deep auditor expertise. It is practical working knowledge. |
| Prior 3PAO engagement experience | Required (has worked with a 3PAO on at least one assessment) | The 3PAO relationship is the critical external dependency. A compliance lead who has never run an assessment with a 3PAO will spend the first two months learning the process, not running it. Prior experience as a CSP-side ISSO during an assessment is the minimum bar. |
| OSCAL / GRC tooling familiarity | Strong preference (hands-on with at least one platform: Secureframe, Vanta, Drata, or Paramify) | FedRAMP 20x requires machine-readable OSCAL submissions. Manual SSP management is expensive and error-prone. A compliance lead who can operate the GRC tooling without a separate implementation consultant reduces both cost and timeline risk. |
| POA&M management | Required | POA&M is the ongoing artifact that tracks open security findings and remediation status. Federal COs and 3PAOs review it at every assessment. A compliance lead who cannot manage a POA&M clearly and defensibly creates assessment risk. |
| Security incident response | Required (has executed at least one federal notification workflow) | The 72-hour federal agency notification window is non-negotiable. A compliance lead who has never run an incident response notification will not be fast enough when the clock starts. Prior IR experience in a FedRAMP-authorized environment is preferred. NIST 800-61 familiarity is baseline. |
| Cloud security architecture literacy | Strong preference (AWS GovCloud or Azure Government hands-on experience) | NorthAI's FedRAMP boundary will likely sit on AWS GovCloud or Azure Government. Understanding the inherited control structure (GovCloud provides approximately 85 inherited controls at Moderate; LI inherits a similar proportion) is what separates a compliance lead who accelerates the authorization from one who recreates work the CSP has already done. |
| Security clearance | Optional (nice-to-have, not required at LI-SaaS level) | FedRAMP 20x LI-SaaS does not require cleared personnel. If the IL2 track opens in Year 3, a cleared compliance lead becomes an advantage. Recruiting cleared personnel adds cost and timeline to the hire. Do not gate the Y1 hire on clearance eligibility. |
The ranges below are research-grounded estimates based on 3PAO marketplace compensation data and ISSO salary surveys (2025-2026). These are format-level ranges. Stephanie and Tim should validate against their current team compensation structure and geographic market (remote vs. DC metro vs. other).
| Structure | Compensation band | Notes |
|---|---|---|
| 0.5 FTE fractional (Y1) | $72/hr to $110/hr (20-25 hrs/month) = $72K to $110K annualized full-time equivalent | Fractional ISSO rates in the DC metro market. Remote fractional (no clearance required) runs $65/hr to $90/hr. Cleared fractional adds a $15/hr to $25/hr premium. |
| 1.0 FTE full-time (Y2) | $110K to $145K base + standard startup equity. Fully loaded: $150K to $190K. | Federal compliance lead with FedRAMP authorization experience in the DC metro market. Remote roles run $95K to $130K base. Cleared roles add a $15K to $25K premium. CISSP or CISA certification commands the upper quartile. |
| Compliance-as-service alternative (Y1 fallback) | $10K to $18K per month (retainer) | Firms like Fortreum, A-LIGN, and ControlCase offer managed ISSO services. Higher cost than fractional FTE but no hiring overhead and built-in 3PAO familiarity. Consider if the fractional hire market is tight or if NorthAI needs to accelerate authorization without a permanent hire in place. |
This section is a format baseline. Finalize compensation ranges with Stephanie and Tim once hiring constraints, budget, and geographic preferences are confirmed. The HARBOR engagement does not make binding compensation recommendations; these ranges are directional inputs for internal planning.