CMMC Security Engineer (US Hybrid)

Job Description

We are seeking a CMMC Security Engineer to design and build compliant Azure and Microsoft 365 environments for our CMMC consulting clients. This is a hands-on technical role. You will provision GCC and GCC High tenants, architect network security (Azure Firewall, VPN, NSGs), configure Entra ID with Conditional Access and Privileged Identity Management, deploy Intune for endpoint management, stand up Microsoft Sentinel for SIEM/SOAR, configure Purview for data protection, and deploy Defender for Endpoint across client environments. You will work from documented SOPs and a Control-Task Tracker that maps each NIST 800-171 control to specific Azure/M365 configurations. You will also capture technical evidence (screenshots, configuration exports, audit logs) to support the compliance documentation created by our GRC Consultants. 

Job Responsibilities

• Design and deploy CMMC-compliant enclave architectures in Azure: cloud-only (GCC/GCC High), hybrid (on-prem + GCC), and on-premises environments. Select and implement the appropriate topology (hub-spoke, segmented) based on client requirements. 
• Provision and configure Microsoft 365 GCC and GCC High tenants including initial setup, domain verification, licensing assignment, and tenant hardening.
• Configure Microsoft Entra ID: user provisioning, Security Groups, Administrative Units, Conditional Access policies (MFA, device compliance, location-based, session controls), Privileged Identity Management (PIM), and Identity Protection risk policies.
• Deploy and configure Microsoft Intune: device enrollment, compliance policies, configuration profiles, security baselines (CIS/STIG), BitLocker encryption with FIPS 140-2 compliance, Windows Update for Business rings, and application management via Company Portal.
• Deploy and configure Microsoft Sentinel: Log Analytics workspace setup, data connector deployment (M365, Entra ID, Defender, Azure Activity, Firewall, NSG flow logs), KQL-based analytics rules, automation playbooks (Logic Apps), and CMMC compliance workbooks/dashboards. 
• Deploy and configure Microsoft Defender for Endpoint: device onboarding, antivirus policies, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, and vulnerability management. 
• Configure Microsoft Purview: sensitivity labels (CUI, FCI, Public), auto-labeling policies, DLP policies across Exchange, SharePoint, Teams, and endpoints, and information barriers where required. 
• Design and implement Azure networking: Virtual Networks, subnets, NSGs, Azure Firewall, Azure Bastion, VPN Gateway (site-to-site and point-to-site), Private Endpoints, route tables, and DDoS Protection. 
• For hybrid environments: configure Azure AD Connect (or Cloud Sync), hybrid device join, pass-through authentication or password hash sync, split DNS, and Azure Arc for on-premises server management. 
• Configure encryption across the environment: BitLocker (XTS-AES 256), FIPS 140-2 compliance mode, TLS 1.2+ enforcement, VPN encryption (IKEv2/AES-256), and Purview encryption for CUI-labeled content. 
• Execute remediation tasks from the CMMC Remediation Tracker as assigned by the GRC Consultant. Each task maps a specific NIST 800-171 control objective to an Azure/M365 configuration with step-by-step instructions. 
• Capture and organize technical evidence for each implemented control: configuration screenshots, policy exports (JSON), audit log samples, compliance reports, and test results. 
• Support incident response capability deployment: Sentinel playbook creation, automated notification workflows, and incident response procedure testing. 
• Perform client environment migrations to GCC/GCC High (tenant-to-tenant migration using BitTitan, ShareGate, or native Microsoft tools). 
• Work across 4-7 concurrent client environments at various stages of build and remediation. 

Job Qualifications
Required Technical Experience

• Willing to work in a hybrid setup—remotely or on-site at client locations, as required.
• 3+ years hands-on experience administering Microsoft Azure and M365 environments in a professional capacity (not lab-only). 
• Direct experience configuring Conditional Access policies, Entra ID PIM, and identity architecture (cloud-only and hybrid with Azure AD Co