CMMC GRC Consultant (Hybrid)

• →Lead initial client scoping engagements: identify people, processes, and assets that interact with CUI and FCI. Build RACI accountability matrices and data flow diagrams.
• →Determine enclave architecture recommendations (GCC, GCC High, hybrid, on-prem, full environment) in collaboration with Security Engineers based on where CUI/FCI resides in the client environment.
• →Conduct comprehensive gap assessments against all 320 objectives across 110 controls of NIST SP 800-171 Rev 2. Score each objective as Met, Not Met, or Partially Met. Calculate and submit SPRS scores.
• →Create detailed Plans of Action and Milestones (POA&Ms) from gap assessment findings. Prioritize remediation tasks and define milestones, resource requirements, and completion dates.
• →Translate gap assessment findings into specific, actionable remediation tasks mapped to Azure/M365 components using the team’s Control-Task Tracker. Each task must include enough detail that a Security Engineer can execute without further interpretation.
• →Develop and maintain System Security Plans (SSPs) documenting all 110 controls, implementation status, system boundaries, data flows, and organizational policies.
• →Create and maintain the full CMMC compliance policy library: access control policy, incident response plan, configuration management policy, audit policy, media protection policy, and all other required policy and procedure documents.
• →Manage the evidence collection process. Define what evidence is needed per control, coordinate with Security Engineers to capture technical evidence, and organize the evidence repository.
• →Conduct internal readiness reviews and mock assessments prior to C3PAO engagement. Identify remaining gaps and drive remediation to closure.
• →Support clients during C3PAO Level 2 assessments: answer assessor questions, locate evidence, provide clarifications, and coordinate responses to findings.
• →Manage 4-7 concurrent client engagements at various stages of the CMMC lifecycle.
• →Train client staff on security policies, acceptable use, CUI handling procedures, and incident reporting obligations.

• 3+ years of experience in cybersecurity compliance, GRC, or IT audit roles.
• Direct experience with NIST SP 800-171 and/or the CMMC framework. Must be able to discuss the 14 control families and their requirements without relying on reference materials.
• Experience writing System Security Plans (SSPs), POA&Ms, and compliance documentation for federal contractors or defense industrial base (DIB) organizations.
• Experience conducting gap assessments or security assessments against a recognized framework (NIST 800-171, NIST 800-53, FedRAMP, ISO 27001, or similar).
• Working knowledge of Microsoft 365 and Azure at a conceptual level. Does not need to configure Sentinel or Conditional Access, but must understand what these tools do and which CMMC controls they satisfy. 

• Experience supporting C3PAO assessments (either as the assessed organization or as a consultant).
• Familiarity with DFARS 7012, ITAR, and EAR requirements and how they affect CUI scope.
• Experience with GRC platforms (e.g., RegScale, CORA, Totem, PreVeil, or similar).
• Prior MSP or consulting experience managing multiple concurrent clients.
• Experience with Microsoft Compliance Manager and Purview for compliance tracking and evidence.

(at least one; additional required within timeline): 

• CMMC Certified Professional (CCP) - Required. Must hold at hire or obtain within 6 months.
• CMMC Certified Assessor (CCA) - Strongly preferred at hire. Required within 12 months of hire.
• CMMC Registered Practitioner (RP) - Accepted as starting credential if pursuing CCP/CCA on defined timeline.

(any combination adds value): 

• CompTIA Security+ (SY0-701)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• NIST Risk Management Framework (RMF) training or certification
• CompTIA CySA+

• Exceptional technical writing: SSPs, policies, and compliance documents must be clear, thorough, and assessment-ready.
• Strong client communication: ability to explain complex compliance requirements to non-technical business owners and executives in plain language.
• Task decomposition: ability to take a high-level control gap (e.g., "AC.L2-3.1.3 Not Met") and break it into 5-10 specific, actionable remediation tasks with enough detail for a technician to execute.
• Project management: manage multiple clients, track deadlines, escalate blockers, and maintain visibility across all active engagements.
• Attention to detail: CMMC assessments are evidence-based. Missing or incomplete evidence can fail a control regardless of implementation quality.
• Ability to work independently while coordinating with Security Engineers, client stakeholders, and firm leadership.