CMMC Security Engineer (US Hybrid)

CMMC Security Engineer (US Hybrid)

Job Description

We are seeking a CMMC Security Engineer to design and build compliant Azure and Microsoft 365 environments for our CMMC consulting clients. This is a hands-on technical role. You will provision GCC and GCC High tenants, architect network security (Azure Firewall, VPN, NSGs), configure Entra ID with Conditional Access and Privileged Identity Management, deploy Intune for endpoint management, stand up Microsoft Sentinel for SIEM/SOAR, configure Purview for data protection, and deploy Defender for Endpoint across client environments. You will work from documented SOPs and a Control-Task Tracker that maps each NIST 800-171 control to specific Azure/M365 configurations. You will also capture technical evidence (screenshots, configuration exports, audit logs) to support the compliance documentation created by our GRC Consultants.

Job Responsibilities

• Design and deploy CMMC-compliant enclave architectures in Azure: cloud-only (GCC/GCC High), hybrid (on-prem + GCC), and on-premises environments. Select and implement the appropriate topology (hub-spoke, segmented) based on client requirements.
• Provision and configure Microsoft 365 GCC and GCC High tenants including initial setup, domain verification, licensing assignment, and tenant hardening.
• Configure Microsoft Entra ID: user provisioning, Security Groups, Administrative Units, Conditional Access policies (MFA, device compliance, location-based, session controls), Privileged Identity Management (PIM), and Identity Protection risk policies.
• Deploy and configure Microsoft Intune: device enrollment, compliance policies, configuration profiles, security baselines (CIS/STIG), BitLocker encryption with FIPS 140-2 compliance, Windows Update for Business rings, and application management via Company Portal.
• Deploy and configure Microsoft Sentinel: Log Analytics workspace setup, data connector deployment (M365, Entra ID, Defender, Azure Activity, Firewall, NSG flow logs), KQL-based analytics rules, automation playbooks (Logic Apps), and CMMC compliance workbooks/dashboards.
• Deploy and configure Microsoft Defender for Endpoint: device onboarding, antivirus policies, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, and vulnerability management.
• Configure Microsoft Purview: sensitivity labels (CUI, FCI, Public), auto-labeling policies, DLP policies across Exchange, SharePoint, Teams, and endpoints, and information barriers where required.
• Design and implement