CMMC Security Engineer (US Hybrid)

<p><strong>Job Responsibilities</strong></p> <ul> <li>Design and deploy CMMC-compliant enclave architectures in Azure: cloud-only (GCC/GCC High), hybrid (on-prem + GCC), and on-premises environments. Select and implement the appropriate topology (hub-spoke, segmented) based on client requirements.&nbsp;</li> <li>Provision and configure Microsoft 365 GCC and GCC High tenants including initial setup, domain verification, licensing assignment, and tenant hardening.</li> <li>Configure Microsoft Entra ID: user provisioning, Security Groups, Administrative Units, Conditional Access policies (MFA, device compliance, location-based, session controls), Privileged Identity Management (PIM), and Identity Protection risk policies.</li> <li>Deploy and configure Microsoft Intune: device enrollment, compliance policies, configuration profiles, security baselines (CIS/STIG), BitLocker encryption with FIPS 140-2 compliance, Windows Update for Business rings, and application management via Company Portal.</li> <li>Deploy and configure Microsoft Sentinel: Log Analytics workspace setup, data connector deployment (M365, Entra ID, Defender, Azure Activity, Firewall, NSG flow logs), KQL-based analytics rules, automation playbooks (Logic Apps), and CMMC compliance workbooks/dashboards.&nbsp;</li> <li>Deploy and configure Microsoft Defender for Endpoint: device onboarding, antivirus policies, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, and vulnerability management.&nbsp;</li> <li>Configure Microsoft Purview: sensitivity labels (CUI, FCI, Public), auto-labeling policies, DLP policies across Exchange, SharePoint, Teams, and endpoints, and information barriers where required.&nbsp;</li> <li>Design and implement Azure networking: Virtual Networks, subnets, NSGs, Azure Firewall, Azure Bastion, VPN Gateway (site-to-site and point-to-site), Private Endpoints, route tables, and DDoS Protection.&nbsp;</li> <li>For hybrid environments: configure Azure AD Connect (or Cloud Sync), hybrid device join, pass-through authentication or password hash sync, split DNS, and Azure Arc for on-premises server management.&nbsp;</li> <li>Configure encryption across the environment: BitLocker (XTS-AES 256), FIPS 140-2 compliance mode, TLS 1.2+ enforcement, VPN encryption (IKEv2/AES-256), and Purview encryption for CUI-labeled content.&nbsp;</li> <li>Execute remediation tasks from the CMMC Remediation Tracker as assigned by the GRC Consultant. Each task maps a specific NIST 800-171 control objective to an Azure/M365 configuration with step-by-step instructions.&nbsp;</li> <li>Capture and organize technical evidence for each implemented control: configuration screenshots, policy exports (JSON), audit log samples, compliance reports, and test results.&nbsp;</li> <li>Support incident response capability deployment: Sentinel playbook creation, automated notification workflows, and incident response procedure testing.&nbsp;</li> <li>Perform client environment migrations to GCC/GCC High (tenant-to-tenant migration using BitTitan, ShareGate, or native Microsoft tools).&nbsp;</li> <li>Work across 4-7 concurrent client environments at various stages of build and remediation.&nbsp;</li> </ul> <p><strong>Job Qualifications<br>Required Technical Experience</strong></p> <ul> <li>Willing to work in a hybrid setup—remotely or on-site at client locations, as required.</li> <li>3+ years hands-on experience administering Microsoft Azure and M365 environments in a professional capacity (not lab-only).&nbsp;</li> <li>Direct experience configuring Conditional Access policies, Entra ID PIM, and identity architecture (cloud-only and hybrid with Azure AD Connect).&nbsp;</li> <li>Direct experience deploying and managing Microsoft Intune for endpoint compliance, configuration profiles, security baselines, and BitLocker management.&nbsp;</li> <li>Direct experience deploying Microsoft Sentinel including data connectors, KQL query writing, analytics rules, and automation playbooks.&nbsp;</li> <li>Experience configuring Azure networking: VNets, NSGs, Azure Firewall or third-party NVA, VPN Gateway, and network security architecture.&nbsp;</li> <li>Experience deploying Microsoft Defender for Endpoint including device onboarding, ASR rules, and vulnerability management.&nbsp;</li> <li>Proficiency with PowerShell and Microsoft Graph API for automation and bulk configuration tasks.&nbsp;</li> <li>Understanding of NIST SP 800-171 controls and how they map to specific Azure/M365 technical implementations.&nbsp;</li> </ul> <p><strong>Strongly Preferred Technical Experience</strong></p> <ul> <li>Experience with Microsoft 365 GCC or GCC High environments (tenant provisioning, licensing nuances, feature differences from commercial M365).&nbsp;</li> <li>Experience with tenant-to-tenant migrations (commercial to GCC/GCC High) using BitTitan MigrationWiz, ShareGate, or native Microsoft tools.&nbsp;</li> <li>Experience configuring Microsoft Purview: sensitivity labels, auto-labeling, DLP policies across Exchange, SharePoint, Teams, and endpoints.&nbsp;</li> <li>Experience with FIPS 140-2 configuration and DISA STIG or CIS benchmark implementation via Intune or GPO.&nbsp;</li> <li>Experience supporting defense industrial base (DIB) or federal contractor IT environments.&nbsp;</li> <li>Experience with Azure Arc for hybrid server management and Azure Bastion for secure remote administration.</li> </ul> <p><strong>Required Certifications&nbsp;</strong></p> <p>(must hold at least two from this list):&nbsp;</p> <ul> <li>Microsoft Certified: Azure Solutions Architect Expert (AZ-305) - Architecture design and decision-making.&nbsp;</li> <li>Microsoft Certified: Azure Administrator Associate (AZ-104) - Core Azure resource management.&nbsp;</li> <li>Microsoft Certified: Security Operations Analyst Associate (SC-200) - Sentinel, Defender, and security operations.&nbsp;</li> <li>Microsoft Certified: Identity and Access Administrator Associate (SC-300) - Entra ID, Conditional Access, PIM.&nbsp;</li> <li>Microsoft Certified: Information Protection and Compliance Administrator (SC-400) - Purview, DLP, sensitivity labels.&nbsp;</li> <li>Microsoft Certified: Endpoint Administrator Associate (MD-102) - Intune and device management.&nbsp;</li> </ul> <p><strong>Preferred Certifications</strong></p> <p>(significant advantage):&nbsp;</p> <ul> <li>CompTIA Security+ (SY0-701)&nbsp;</li> <li>CMMC Registered Practitioner (RP) - Understanding of CMMC framework from technical perspective.&nbsp;</li> <li>Microsoft Certified: Cybersecurity Architect Expert (SC-100)&nbsp;</li> <li>Microsoft 365 Certified: Administrator Expert (MS-102)&nbsp;</li> <li>Certified Information Systems Security Professional (CISSP)&nbsp;</li> <li>GIAC certifications (GSEC, GCIA, GCIH) - Deep security operations knowledge.&nbsp;</li> </ul> <p><strong>Skills &amp; Competencies</strong></p> <ul> <li>Execution-focused: ability to follow SOPs and runbooks precisely while identifying when something does not match documented steps and escalating appropriately.&nbsp;</li> <li>Multi-tenant management: comfortable switching between 4-7 different client Azure/M365 environments daily without cross-contaminating configurations.&nbsp;</li> <li>Documentation discipline: every configuration change is documented, every evidence artifact is captured, every deviation from the SOP is noted.&nbsp;</li> <li>Troubleshooting: when Conditional Access blocks legitimate users, when Sentinel data connectors go unhealthy, or when WDAC blocks a required application, you can diagnose and resolve without waiting for escalation.&nbsp;</li> <li>Security mindset: you understand why least privilege matters, why default-deny is the correct network posture, and why FIPS-validated encryption is required for CUI.&nbsp;</li> <li>Clear written communication: when you find something in the client environment that does not match what the GRC Consultant scoped, you can document it clearly so the team can make decisions.&nbsp;</li> </ul> <p><strong>Benefits</strong></p> <ul> <li>Medical Insurance Plan</li> <li>Dental &amp; Vision</li> <li>Life Insurance</li> <li>Disability Coverage</li> <li>Paid Time Off (starts at 15 days per year)</li> <li>Maternity/Paternity Leave</li> <li>Paid US Holiday</li> <li>Retirement Plan</li> <li>Salary Advancement/Loan</li> <li>Health &amp; Wellness Program</li> <li>Company-paid training and certification</li> <li>Supplemental Life Insurance (Employee-paid)</li> <li>Supplemental Health Plans (Employee-paid)</li> </ul> <p>&nbsp;</p>