CMMC Security Engineer (US Hybrid)

Benefits

Additional Information

Job Responsibilities Design and deploy CMMC-compliant enclave architectures in Azure: cloud-only (GCC/GCC High), hybrid (on-prem + GCC), and on-premises environments. Select and implement the appropriate topology (hub-spoke, segmented) based on client requirements. Provision and configure Microsoft 365 GCC and GCC High tenants including initial setup, domain verification, licensing assignment, and tenant hardening. Configure Microsoft Entra ID: user provisioning, Security Groups, Administrative Units, Conditional Access policies (MFA, device compliance, location-based, session controls), Privileged Identity Management (PIM), and Identity Protection risk policies. Deploy and configure Microsoft Intune: device enrollment, compliance policies, configuration profiles, security baselines (CIS/STIG), BitLocker encryption with FIPS 140-2 compliance, Windows Update for Business rings, and application management via Company Portal. Deploy and configure Microsoft Sentinel: Log Analytics workspace setup, data connector deployment (M365, Entra ID, Defender, Azure Activity, Firewall, NSG flow logs), KQL-based analytics rules, automation playbooks (Logic Apps), and CMMC compliance workbooks/dashboards. Deploy and configure Microsoft Defender for Endpoint: device onboarding, antivirus policies, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, and vulnerability management. Configure Microsoft Purview: sensitivity labels (CUI, FCI, Public), auto-labeling policies, DLP policies across Exchange, SharePoint, Teams, and endpoints, and information barriers where required. Design and implement Azure networking: Virtual Networks, subnets, NSGs, Azure Firewall, Azure Bastion, VPN Gateway (site-to-site and point-to-site), Private Endpoints, route tables, and DDoS Protection. For hybrid environments: configure Azure AD Connect (or Cloud Sync), hybrid device join, pass-through authentication or password hash sync, split DNS, and Azure Arc for on-premises server management. Configure encryption across the environment: BitLocker (XTS-AES 256), FIPS 140-2 compliance mode, TLS 1.2+ enforcement, VPN encryption (IKEv2/AES-256), and Purview encryption for CUI-labeled content. Execute remediation tasks from the CMMC Remediation Tracker as assigned by the GRC Consultant. Each task maps a specific NIST 800-171 control objective to an Azure/M365 configuration with step-by-step instructions. Capture and organize technical evidence for each implemented control: configuration screenshots, policy exports (JSON), audit log samples, compliance reports, and test results. Support incident response capability deployment: Sentinel playbook creation, automated notification workflows, and incident response procedure testing. Perform client environment migrations to GCC/GCC High (tenant-to-tenant migration using BitTitan, ShareGate, or native Microsoft tools). Work across 4-7 concurrent client environments at various stages of build and remediation. Job Qualifications Required Technical Experience Willing to work in a hybrid setup-remotely or on-site at client locations, as required. 3+ years hands-on experience administering Microsoft Azure and M365 environments in a professional capacity (not lab-only). Direct experience configuring Conditional Access policies, Entra ID PIM, and identity architecture (cloud-only and hybrid with Azure AD Connect). Direct experience deploying and managing Microsoft Intune for endpoint compliance, configuration profiles, security baselines, and BitLocker management. Direct experience deploying Microsoft Sentinel including data connectors, KQL query writing, analytics rules, and automation playbooks. Experience configuring Azure networking: VNets, NSGs, Azure Firewall or third-party NVA, VPN Gateway, and network security architecture. Experience deploying Microsoft Defender for Endpoint including device onboarding, ASR rules, and vulnerability management. Proficiency with PowerShell and Microsoft Graph API for automation and bulk configuration tasks. Understanding of NIST SP 800-171 controls and how they map to specific Azure/M365 technical implementations. Strongly Preferred Technical Experience Experience with Microsoft 365 GCC or GCC High environments (tenant provisioning, licensing nuances, feature differences from commercial M365). Experience with tenant-to-tenant migrations (commercial to GCC/GCC High) using BitTitan MigrationWiz, ShareGate, or native Microsoft tools. Experience configuring Microsoft Purview: sensitivity labels, auto-labeling, DLP policies across Exchange, SharePoint, Teams, and endpoints. Experience with FIPS 140-2 configuration and DISA STIG or CIS benchmark implementation via Intune or GPO. Experience supporting defense industrial base (DIB) or federal contractor IT environments. Experience with Azure Arc for hybrid server management and Azure Bastion for secure remote administration. Required Certifications (must hold at

Your Match

How well this role fits your profile.

Company Intel

What employees say

Worked at its? Share your experience