CMMC Security Engineer (Hybrid)

About the Job

Job Description

We are seeking a CMMC Security Engineer to design and build compliant Azure and Microsoft 365 environments for our CMMC consulting clients. This is a hands-on technical role. You will provision GCC and GCC High tenants, architect network security (Azure Firewall, VPN, NSGs), configure Entra ID with Conditional Access and Privileged Identity Management, deploy Intune for endpoint management, stand up Microsoft Sentinel for SIEM/SOAR, configure Purview for data protection, and deploy Defender for Endpoint across client environments. You will work from documented SOPs and a Control-Task Tracker that maps each NIST 800-171 control to specific Azure/M365 configurations. You will also capture technical evidence (screenshots, configuration exports, audit logs) to support the compliance documentation created by our GRC Consultants.

Job Responsibilities:

• Design and deploy CMMC-compliant enclave architectures in Azure: cloud-only (GCC/GCC High), hybrid (on-prem + GCC), and on-premises environments. Select and implement the appropriate topology (hub-spoke, segmented) based on client requirements.
• Provision and configure Microsoft 365 GCC and GCC High tenants including initial setup, domain verification, licensing assignment, and tenant hardening.
• Configure Microsoft Entra ID: user provisioning, Security Groups, Administrative Units, Conditional Access policies (MFA, device compliance, location-based, session controls), Privileged Identity Management (PIM), and Identity Protection risk policies.
• Deploy and configure Microsoft Intune: device enrollment, compliance policies, configuration profiles, security baselines (CIS/STIG), BitLocker encryption with FIPS 140-2 compliance, Windows Update for Business rings, and application management via Company Portal.
• Deploy and configure Microsoft Sentinel: Log Analytics workspace setup, data connector deployment (M365, Entra ID, Defender, Azure Activity, Firewall, NSG flow logs), KQL-based analytics rules, automation playbooks (Logic Apps), and CMMC compliance workbooks/dashboards.
• Deploy and configure Microsoft Defender for Endpoint: device onboarding, antivirus policies, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, and vulnerability management.
• Configure Microsoft Purview: sensitivity labels (CUI, FCI, Public), auto-labeling policies, DLP policies across Exchange, SharePoint, Teams, and endpoints, and information barriers where required.
• Design and implement Azure networking: Virtual Networks, subnets, NSGs, Azure Firewall, Azure Bastion, VPN Gateway (site-to-site and point-to-site), Private Endpoints, route tables, and DDoS Protection.
• For hybrid environments: configure Azure AD Connect (or Cloud Sync), hybrid device join, pass-through authentication or password hash sync, split DNS, and Azure Arc for on-premises server management.
• Configure encryption across the environment: BitLocker (XTS-AES 256), FIPS 140-2 compliance mode, TLS 1.2+ enforcement, VPN encryption (IKEv2/AES-256), and Purview encryption for CUI-labeled content.
• Execute remediation tasks from the CMMC Remediation Tracker as assigned by the GRC Consultant. Each task maps a specific NIST 800-171 control objective to an Azure/M365 configuration with step-by-step instructions.
• Capture and organize technical evidence for each implemented control: configuration screenshots, policy exports (JSON), audit log samples, compliance reports, and test results.
• Support incident response capability deployment: Sentinel playbook creation, automated notification workflows, and incident response procedure testing.
• Perform client environment migrations to GCC/GCC High (tenant-to-tenant migration using BitTitan, ShareGate, or native Microsoft tools).
• Work across 4-7 concurrent client environments at various stages of build and remediation.

Job Qualifications:

Required Technical Experience:

• Willing to work in a hybrid setup-remotely or on-site at client locations, as required.
• 3+ years hands-on experience administering Microsoft Azure and M365 environments in a professional capacity (not lab-only).
• Direct experience configuring Conditional Access policies, Entra ID PIM, and identity architecture (cloud-only and hybrid with Azure AD Connect).
• Direct experience deploying and managing Microsoft Intune for endpoint compliance, configuration profiles, security baselines, and BitLocker management.
• Direct experience deploying Microsoft Sentinel including data connectors, KQL query writing, analytics rules, and automation playbooks.
• Experience configuring Azure networking: VNets, NSGs, Azure Firewall or third-party NVA, VPN Gateway, and network security architecture.
• Experience deploying Microsoft Defender for Endpoint including device onboarding, ASR rules, and vulnerability management.
• Proficiency with PowerShell and Microsoft Graph API for automation and bulk configuration tasks.
• Understanding of NIST SP 800-171 controls and how they map to specific Azure/M365 technical implementations.

Strongly Preferred Technical Experience:

• Experience with Microsoft 365 GCC or GCC High environments (tenant provisioning, licensing nuances, feature differences from commercial M365).
• Experience with tenant-to-tenant migrations (commercial to GCC/GCC High) using BitTitan MigrationWiz, ShareGate, or native Microsoft tools.
• Experience configuring Microsoft Purview: sensitivity labels, auto-labeling, DLP policies across Exchange, SharePoint, Teams, and endpoints.
• Experience with FIPS 140-2 configuration and DISA STIG or CIS benchmark implementation via Intune or GPO.
• Experience supporting defense industrial base (DIB) or federal contractor IT environments.
• Experience with Azure Arc for hybrid server management and Azure Bastion for secure remote administration.

Required Certifications:

(must hold at least two from this list):

• Microsoft Certified: Azure Solutions Architect Expert (AZ-305) - Architecture design and decision-making.
• Microsoft Certified: Azure Administrator Associate (AZ-104) - Core Azure resource management.
• Microsoft Certified: Security Operations Analyst Associate (SC-200) - Sentinel, Defender, and security operations.
• Microsoft Certified: Identity and Access Administrator Associate (SC-300) - Entra ID, Conditional Access, PIM.
• Microsoft Certified: Information Protection and Compliance Administrator (SC-400) - Purview, DLP, sensitivity labels.
• Microsoft Certified: Endpoint Administrator Associate (MD-102) - Intune and device management.

Preferred Certifications:

(significant advantage):

• CompTIA Security+ (SY0-701).
• CMMC Registered Practitioner (RP) - Understanding of CMMC framework from technical perspective.
• Microsoft Certified: Cybersecurity Architect Expert (SC-100).
• Microsoft 365 Certified: Administrator Expert (MS-102).
• Certified Information Systems Security Professional (CISSP).
• GIAC certifications (GSEC, GCIA, GCIH) - Deep security operations knowledge.

Skills & Competencies:

• Execution-focused: ability to follow SOPs and runbooks precisely while identifying when something does not match documented steps and escalating appropriately.
• Multi-tenant management: comfortable switching between 4-7 different client Azure/M365 environments daily without cross-contaminating configurations.
• Documentation discipline: every configuration change is documented, every evidence artifact is captured, every deviation from the SOP is noted.
• Troubleshooting: when Conditional Access blocks legitimate users, when Sentinel data connectors go unhealthy, or when WDAC blocks a required application, you can diagnose and resolve without waiting for escalation.
• Security mindset: you understand why least privilege matters, why default-deny is the correct network posture, and why FIPS-validated encryption is required for CUI.
• Clear written communication: when you find something in the client environment that does not match what the GRC Consultant scoped, you can document it clearly so the team can make decisions.

Compensation:

Pay rate ranges from $120,000.00/annum up to $170,000.00/annum and may vary by experience and location.

Benefits:

• Benefits.
• Medical Insurance Plan.
• Dental & Vision.
• Life Insurance.
• Disability Coverage.
• Paid Time Off (starts at 15 days per year).
• Maternity/Paternity Leave.
• Paid US Holiday.
• Retirement Plan.
• Salary Advancement/Loan.
• Health & Wellness Program.
• Company-paid training and certification.
• Supplemental Life Insurance (Employee-paid).
• Supplemental Health Plans (Employee-paid).