Intelligent Technical Solutions - CMMC GRC Consultant (Hybrid)
Requirements
• 3+ years of experience in cybersecurity compliance, GRC, or IT audit roles.
• Direct experience with NIST SP 800-171 and/or the CMMC framework. Must be able to discuss the 14 control families and their requirements without relying on reference materials.
• Experience writing System Security Plans (SSPs), POA&Ms, and compliance documentation for federal contractors or defense industrial base (DIB) organizations.
• Experience conducting gap assessments or security assessments against a recognized framework (NIST 800-171, NIST 800-53, FedRAMP, ISO 27001, or similar).
• Working knowledge of Microsoft 365 and Azure at a conceptual level. Does not need to configure Sentinel or Conditional Access, but must understand what these tools do and which CMMC controls they satisfy.
• Experience supporting C3PAO assessments (either as the assessed organization or as a consultant).
• Familiarity with DFARS 7012, ITAR, and EAR requirements and how they affect CUI scope.
• Experience with GRC platforms (e.g., RegScale, CORA, Totem, PreVeil, or similar).
• Prior MSP or consulting experience managing multiple concurrent clients.
• Experience with Microsoft Compliance Manager and Purview for compliance tracking and evidence.
(at least one; additional required within timeline):
• CMMC Certified Professional (CCP) - Required. Must hold at hire or obtain within 6 months.
• CMMC Certified Assessor (CCA) - Strongly preferred at hire. Required within 12 months of hire.
• CMMC Registered Practitioner (RP) - Accepted as starting credential if pursuing CCP/CCA on defined timeline.
Preferred Certifications (any combination adds value):
• CompTIA Security+ (SY0-701)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• NIST Risk Management Framework (RMF) training or certification
• Exceptional technical writing: SSPs, policies, and compliance documents must be clear, thorough, and assessment-ready.
• Strong client communication: ability to explain complex compliance requirements to non-technical business owners and executives in plain language.
• Task decomposition: ability to take a high-level control gap (e.g., "AC.L2-3.1.3 Not Met") and break it into 5-10 specific, actionable remediation tasks with enough detail for a technician to execute.
• Project management: manage multiple clients, track deadlines, escalate blockers, and maintain visibility across all active engagements.
• Attention to detail: CMMC assessments are evidence-based. Missing or incomplete evidence can fail a control regardless of implementation quality.
• Ability to work independently while coordinating with Security Engineers, client stakeholders, and firm leadership.
Responsibilities
• Lead initial client scoping engagements: identify people, processes, and assets that interact with CUI and FCI. Build RACI accountability matrices and data flow diagrams.
• Determine enclave architecture recommendations (GCC, GCC High, hybrid, on-prem, full environment) in collaboration with Security Engineers based on where CUI/FCI resides in the client environment.
• Conduct comprehensive gap assessments against all 320 objectives across 110 controls of NIST SP 800-171 Rev 2. Score each objective as Met, Not Met, or Partially Met. Calculate and submit SPRS scores.
• Create detailed Plans of Action and Milestones (POA&Ms) from gap assessment findings. Prioritize remediation tasks and define milestones, resource requirements, and completion dates.
• Translate gap assessment findings into specific, actionable remediation tasks mapped to Azure/M365 components using the team's Control-Task Tracker. Each task must include enough detail that a Security Engineer can execute without further interpretation.
• Develop and maintain System Security Plans (SSPs) documenting all 110 controls, implementation status, system boundaries, data flows, and organizational policies.
• Create and maintain the full CMMC compliance policy library: access control policy, incident response plan, configuration management policy, audit policy, media protection policy, and all other required policy and procedure documents.
• Manage the evidence collection process. Define what evidence is needed per control, coordinate with Security Engineers to capture technical evidence, and organize the evidence repository.
• Conduct internal readiness reviews and mock assessments prior to C3PAO engagement. Identify remaining gaps and drive remediation to closure.
• Support clients during C3PAO Level 2 assessments: answer assessor questions, locate evidence, provide clarifications, and coordinate responses to findings.
• Manage 4-7 concurrent client engagements at various stages of the CMMC lifecycle.
• Train client staff on security policies, acceptable use, CUI handling procedures, and incident reporting obligations.
Benefits
• Medical Insurance Plan
• Dental & Vision
• Disability Coverage
• Paid Time Off (starts at 15 days per year)
• Maternity/Paternity Leave
• Paid US Holidays
• Retirement Plan
• Salary Advancement/Loan
• Health & Wellness Program
• Company-paid training and certification
• Supplemental Life Insurance (Employee-paid)
• Supplemental Health Plans (Employee-paid)