Its
CMMC Security Engineer (US Hybrid)
engineering, full-time, Remote
SALARY: Not listed
WORK TYPE: hybrid
JOB TYPE: full-time
INDUSTRY: general
About the role
Job Responsibilities
- Design and deploy CMMC-compliant enclave architectures in Azure: cloud-only (GCC/GCC High), hybrid (on-prem + GCC), and on-premises environments. Select and implement the appropriate topology (hub-spoke, segmented) based on client requirements.
- Provision and configure Microsoft 365 GCC and GCC High tenants including initial setup, domain verification, licensing assignment, and tenant hardening.
- Configure Microsoft Entra ID: user provisioning, Security Groups, Administrative Units, Conditional Access policies (MFA, device compliance, location-based, session controls), Privileged Identity Management (PIM), and Identity Protection risk policies.
- Deploy and configure Microsoft Intune: device enrollment, compliance policies, configuration profiles, security baselines (CIS/STIG), BitLocker encryption with FIPS 140-2 compliance, Windows Update for Business rings, and application management via Company Portal.
- Deploy and configure Microsoft Sentinel: Log Analytics workspace setup, data connector deployment (M365, Entra ID, Defender, Azure Activity, Firewall, NSG flow logs), KQL-based analytics rules, automation playbooks (Logic Apps), and CMMC compliance workbooks/dashboards.
- Deploy and configure Microsoft Defender for Endpoint: device onboarding, antivirus policies, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, and vulnerability management.
- Configure Microsoft Purview: sensitivity labels (CUI, FCI, Public), auto-labeling policies, DLP policies across Exchange, SharePoint, Teams, and endpoints, and information barriers where required.
- Design and implement Azure networking: Virtual Networks, subnets, NSGs, Azure Firewall, Azure Bastion, VPN Gateway (site-to-site and point-to-site), Private Endpoints, route tables, and DDoS Protection.
- For hybrid environments: configure Azure AD Connect (or Cloud Sync), hybrid device join, pass-through authentication or password hash sync, split DNS, and Azure Arc for on-premises server management.
- Configure encryption across the environment: BitLocker (XTS-AES 256), FIPS 140-2 compliance mode, TLS 1.2+ enforcement, VPN encryption (IKEv2/AES-256), and Purview encryption for CUI-labeled content.
- Execute remediation tasks from the CMMC Remediation Tracker as assigned by the GRC Consultant. Each task maps a specific NIST 800-171 control objective to an Azure/M365 configuration with step-by-step instructions.
- Capture and organize technical evidence for each implemented control: configuration screenshots, policy exports (JSON), audit log samples, compliance reports, and test results.
- Support incident response capability deployment: Sentinel playbook creation, automated notification workflows, and incident response procedure testing.
- Perform client environment migrations to GCC/GCC High (tenant-to-tenant migration using BitTitan, ShareGate, or native Microsoft tools).
- Work across 4-7 concurrent client environments at various stages of build and remediation.
Job Qualifications
- Willing to work in a hybrid setup—remotely or on-site at client locations, as required.
- 3+ years hands-on experience administering Microsoft Azure and M365 environments in a professional capacity (not lab-only).
- Direct experience configuring Conditional Access policies, Entra ID PIM, and identity architecture (cloud-only and hybrid with Azure AD Connect).
- Direct experience deploying and managing Microsoft Intune for endpoint compliance, configuration profiles, security baselines, and BitLocker management.
- Direct experience deploying Microsoft Sentinel including data connectors, KQL query writing, analytics rules