CMMC GRC Consultant (Hybrid)

Job Description

We are seeking a CMMC GRC Consultant to lead the compliance advisory side of our CMMC practice and serve as the primary point of contact for clients throughout their engagement. In this role, you will own the client relationship from initial scoping through preparation for C3PAO assessments, guiding organizations through the full compliance lifecycle with clarity and structure. You will conduct detailed gap assessments across all 110 NIST SP 800-171 controls and their 320 objectives, develop and maintain System Security Plans and Plans of Action and Milestones, and oversee evidence collection to ensure audit readiness for CMMC Level 2 assessments. This position is focused on governance, risk, and compliance rather than technical implementation, requiring you to translate assessment findings into clearly defined and actionable remediation tasks that Security Engineers can execute using established SOPs and runbooks. The ideal candidate brings strong experience with CMMC or NIST SP 800-171, is confident managing client relationships, and has the ability to simplify complex compliance requirements into practical, outcome-driven guidance.

Job Responsibilities

• Lead initial client scoping engagements: identify people, processes, and assets that interact with CUI and FCI. Build RACI accountability matrices and data flow diagrams.
• Determine enclave architecture recommendations (GCC, GCC High, hybrid, on-prem, full environment) in collaboration with Security Engineers based on where CUI/FCI resides in the client environment.
• Conduct comprehensive gap assessments against all 320 objectives across 110 controls of NIST SP 800-171 Rev 2. Score each objective as Met, Not Met, or Partially Met. Calculate and submit SPRS scores.
• Create detailed Plans of Action and Milestones (POA&Ms) from gap assessment findings. Prioritize remediation tasks and define milestones, resource requirements, and completion dates.
• Translate gap assessment findings into specific, actionable remediation tasks mapped to Azure/M365 components using the team’s Control-Task Tracker. Each task must include enough detail that a Security Engineer can execute without further interpretation.
• Develop and maintain System Security Plans (SSPs) documenting all 110 controls, implementation status, system boundaries, data flows, and organizational policies.
• Create and maintain the full CMMC compliance policy library: access control policy, incident response plan, configuration management policy, audit policy, media protection policy, and all other required policy and procedure documents.
• Manage the evidence collection process. Define what evidence is needed per control, coordinate with Security Engineers to capture technical evidence, and organize the evidence repository.
• Conduct internal readiness reviews and mock assessments prior to C3PAO engagement. Identify remaining gaps and drive remediation to closure.
• Support clients during C3PAO Level 2 assessments: answer assessor questions, locate evidence, provide clarifications, and coordinate responses to findings.
• Manage 4-7 concurrent client engagements at various stages of the CMMC lifecycle.
• Train client staff on security policies, acceptable use, CUI handling procedures, and incident reporting obligations.

Job Qualifications

• 3+ years of experience in cybersecurity compliance, GRC, or IT audit roles.
• Direct experience with NIST SP 800-171 and/or the CMMC framework. Must be able to discuss the 14 control families and their requirements without relying on reference materials.
• Experience writing System Security Plans (SSPs), POA&Ms, and compliance documentation for federal contractors or defense industrial base (DIB) organizations.
• Experience conducting gap assessments or security assessments against a recognized framework (NIST 800-171, NIST 800-53, FedRAMP, ISO 27001, or similar).
• Working knowledge of Microsoft 365 and Azure at a conceptual level. Does not need to configure Sentinel or Conditional Access, but must understand what these tools do and which CMMC controls they satisfy. 

Preferred Experience

• Experience supporting C3PAO assessments (either as the assessed organization or as a consultant).
• Familiarity with DFARS 7012, ITAR, and EAR requirements and how they affect CUI scope.
• Experience with GRC platforms (e.g., RegScale, CORA, Totem, PreVeil, or similar).