CMMC GRC Consultant (Hybrid)
Job Description
We are seeking a CMMC GRC Consultant to lead the compliance advisory side of our CMMC practice and serve as the primary point of contact for clients throughout their engagement.
Role Overview
In this role, you will own the client relationship from initial scoping through preparation for C3PAO assessments, guiding organizations through the full compliance lifecycle with clarity and structure. You will conduct detailed gap assessments across all 110 NIST SP 800-171 controls and their 320 objectives, develop and maintain System Security Plans and Plans of Action and Milestones, and oversee evidence collection to ensure audit readiness for CMMC Level 2 assessments.
Key Responsibilities
- Lead initial client scoping engagements: identify people, processes, and assets that interact with CUI and FCI. Build RACI accountability matrices and data flow diagrams.
- Determine enclave architecture recommendations (GCC, GCC High, hybrid, on-prem, full environment) in collaboration with Security Engineers based on where CUI/FCI resides in the client environment.
- Conduct comprehensive gap assessments against all 320 objectives across 110 controls of NIST SP 800-171 Rev 2. Score each objective as Met, Not Met, or Partially Met. Calculate and submit SPRS scores.
- Create detailed Plans of Action and Milestones (POA&Ms) from gap assessment findings. Prioritize remediation tasks and define milestones, resource requirements, and completion dates.
- Translate gap assessment findings into specific, actionable remediation tasks mapped to Azure/M365 components using the team’s Control-Task Tracker. Each task must include enough detail that a Security Engineer can execute without further interpretation.
- Develop and maintain System Security Plans (SSPs) documenting all 110 controls, implementation status, system boundaries, data flows, and organizational policies.
- Create and maintain the full CMMC compliance policy library, including the access control policy, incident response plan, and configuration management policy.
