Senior Cybersecurity Analyst – CMMC & DoD Compliance

• Drive the overall governance for government programs
• Execute annual self-assessments (Continuous Monitoring) on CMMC/NIST controls and document findings
• Coordinate internal teams (IAM, cloud, infrastructure, SOC, endpoint, vulnerability management, application owners) to validate control implementation and operational effectiveness
• Identify compliance gaps, manage security exceptions (POA&Ms), and drive remediation prior to audit or customer assessments
• Lead CMMC readiness and sustainment activities for GM Defense programs, aligned to NIST SP 800‑171 and DoD expectations for CUI protection
• Build and maintain assessment‑ready evidence packages (policies, procedures, configurations, logs, tickets, reports) aligned to CMMC and DFARS requirements

• Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or equivalent practical experience
• 5+ years of cybersecurity experience in regulated or government‑contract environments
• Experience supporting federally regulated cybersecurity requirements
• Experience preparing for third‑party or government assessments
• Ability to translate and communicate DoD cybersecurity requirements for application teams
• Knowledge in the following areas: Identity & Access Management (IAM): RBAC, least privilege, privileged access workflows, MFA, service accounts, access reviews, joiner/mover/leaver processes
• Windows & Linux security: GPO/Intune or equivalent, local admin controls, secure baselines (e.g., CIS-aligned), logging configuration, patch management, hardening validation
• Network security: segmentation concepts, firewall rulesets, VPN/ZTNA, secure remote administration, network device logging, NAC fundamentals, DNS security basics
• Endpoint security: EDR capabilities, alert triage/validation, policy enforcement, device encryption, removable media controls
• Vulnerability management: scan coverage, risk-based prioritization, remediation workflows, exception handling, validation reporting
• SIEM/logging: ability to define log requirements, validate ingestion/retention, produce audit-ready log evidence, and explain detections and response workflows
• Practical experience with the following: Working knowledge of FAR and DFARS cybersecurity clauses, including contractor responsibilities for safeguarding CUI and incident reporting
• Understanding of government system authorization concepts, shared responsibility models, and secure enclave design
• Experience supporting cybersecurity requirements within defense programs, manufacturing, engineering, or supply‑chain environments
• Experience with secure enclave design, CUI boundary segmentation, or regulated environments in automotive/manufacturing/supply chain contexts

• Cloud Security (AWS/Azure/GCP—at least one strongly preferred)
• Cloud IAM: conditional access concepts, identity federation, role assignments, privileged identity workflows (e.g., JIT/PIM), access key hygiene
• Cloud security posture: policy-as-code fundamentals, CSPM findings interpretation, configuration drift awareness, secure landing zone concepts
• Cloud logging & monitoring: CloudTrail / Activity Logs, log routing to SIEM, retention/immutability considerations, alerting and response integration
• Data protection: encryption at rest/in transit, key management (KMS/Key Vault), secret management, secure storage access patterns
• Network controls in cloud: security groups/NSGs, route tables, private endpoints, egress controls, segmentation principles

This job may be eligible for relocation benefits