
CMMC GRC Consultant (Hybrid)

ITS Global

Full Time · Junior · Remote
Remote - US · Posted 20 days ago

Job Description

<h2>Job Responsibilities</h2>
<ul>
<li>Lead initial client scoping engagements: identify people, processes, and assets that interact with CUI and FCI. Build RACI accountability matrices and data flow diagrams.</li>
<li>Determine enclave architecture recommendations (GCC, GCC High, hybrid, on-prem, full environment) in collaboration with Security Engineers, based on where CUI/FCI resides in the client environment.</li>
<li>Conduct comprehensive gap assessments against all 320 objectives across 110 controls of NIST SP 800-171 Rev 2. Score each objective as Met, Not Met, or Partially Met. Calculate and submit SPRS scores.</li>
<li>Create detailed Plans of Action and Milestones (POA&amp;Ms) from gap assessment findings. Prioritize remediation tasks and define milestones, resource requirements, and completion dates.</li>
<li>Translate gap assessment findings into specific, actionable remediation tasks mapped to Azure/M365 components using the team's Control-Task Tracker. Each task must include enough detail that a Security Engineer can execute it without further interpretation.</li>
<li>Develop and maintain System Security Plans (SSPs) documenting all 110 controls, implementation status, system boundaries, data flows, and organizational policies.</li>
<li>Create and maintain the full CMMC compliance policy library: access control policy, incident response plan, configuration management policy, audit policy, media protection policy, and all other required policy and procedure documents.</li>
<li>Manage the evidence collection process. Define what evidence is needed per control, coordinate with Security Engineers to capture technical evidence, and organize the evidence repository.</li>
<li>Conduct internal readiness reviews and mock assessments prior to C3PAO engagement. Identify remaining gaps and drive remediation to closure.</li>
<li>Support clients during C3PAO Level 2 assessments: answer assessor questions, locate evidence, provide clarifications, and coordinate responses to findings.</li>
<li>Manage 4-7 concurrent client engagements at various stages of the CMMC lifecycle.</li>
<li>Train client staff on security policies, acceptable use, CUI handling procedures, and incident reporting obligations.</li>
</ul>
<h2>Job Qualifications</h2>
<ul>
<li>3+ years of experience in cybersecurity compliance, GRC, or IT audit roles.</li>
<li>Direct experience with NIST SP 800-171 and/or the CMMC framework. Must be able to discuss the 14 control families and their requirements without relying on reference materials.</li>
<li>Experience writing System Security Plans (SSPs), POA&amp;Ms, and compliance documentation for federal contractors or defense industrial base (DIB) organizations.</li>
<li>Experience conducting gap assessments or security assessments against a recognized framework (NIST 800-171, NIST 800-53, FedRAMP, ISO 27001, or similar).</li>
<li>Working knowledge of Microsoft 365 and Azure at a conceptual level. Does not need to configure Sentinel or Conditional Access, but must understand what these tools do and which CMMC controls they satisfy.</li>
</ul>
<p><strong>Preferred Experience</strong></p>
<ul>
<li>Experience supporting C3PAO assessments (either as the assessed organization or as a consultant).</li>
<li>Familiarity with DFARS 7012, ITAR, and EAR requirements and how they affect CUI scope.</li>
<li>Experience with GRC platforms (e.g., RegScale, CORA, Totem, PreVeil, or similar).</li>
<li>Prior MSP or consulting experience managing multiple concurrent clients.</li>
<li>Experience with Microsoft Compliance Manager and Purview for compliance tracking and evidence.</li>
</ul>
<p><strong>Required Certification</strong> (at least one; additional certifications required within the stated timeline):</p>
<ul>
<li>CMMC Certified Professional (CCP) - Required. Must hold at hire or obtain within 6 months.</li>
<li>CMMC Certified Assessor (CCA) - Strongly preferred at hire. Required within 12 months of hire.</li>
<li>CMMC Registered Practitioner (RP) - Accepted as a starting credential if pursuing CCP/CCA on the defined timeline.</li>
</ul>
<p><strong>Preferred Certifications</strong> (any combination adds value):</p>
<ul>
<li>CompTIA Security+ (SY0-701)</li>
<li>Certified Information Systems Security Professional (CISSP)</li>
<li>Certified Information Security Manager (CISM)</li>
<li>Certified Information Systems Auditor (CISA)</li>
<li>NIST Risk Management Framework (RMF) training or certification</li>
<li>CompTIA CySA+</li>
</ul>
<p><strong>Skills &amp; Competencies</strong></p>
<ul>
<li>Exceptional technical writing: SSPs, policies, and compliance documents must be clear, thorough, and assessment-ready.</li>
<li>Strong client communication: ability to explain complex compliance requirements to non-technical business owners and executives in plain language.</li>
<li>Task decomposition: ability to take a high-level control gap (e.g., "AC.L2-3.1.3 Not Met") and break it into 5-10 specific, actionable remediation tasks with enough detail for a technician to execute.</li>
<li>Project management: manage multiple clients, track deadlines, escalate blockers, and maintain visibility across all active engagements.</li>
<li>Attention to detail: CMMC assessments are evidence-based. Missing or incomplete evidence can fail a control regardless of implementation quality.</li>
<li>Ability to work independently while coordinating with Security Engineers, client stakeholders, and firm leadership.</li>
</ul>
<h2>Benefits</h2>
<ul>
<li>Medical Insurance Plan</li>
<li>Dental &amp; Vision</li>
<li>Life Insurance</li>
<li>Disability Coverage</li>
<li>Paid Time Off (starts at 15 days per year)</li>
<li>Maternity/Paternity Leave</li>
<li>Paid US Holidays</li>
<li>Retirement Plan</li>
<li>Salary Advancement/Loan</li>
<li>Health &amp; Wellness Program</li>
<li>Company-paid training and certification</li>
<li>Supplemental Life Insurance (Employee-paid)</li>
<li>Supplemental Health Plans (Employee-paid)</li>
</ul>

About ITS Global

ITS Global

itsglobal.it

Hires remote
