CMMC GRC Consultant (Hybrid)

Job Description

We are seeking a CMMC GRC Consultant to lead the compliance advisory side of our CMMC practice and serve as the primary point of contact for clients throughout their engagement. In this role, you will own the client relationship from initial scoping through preparation for C3PAO assessments, guiding organizations through the full compliance lifecycle with clarity and structure. You will conduct detailed gap assessments across all 110 NIST SP 800-171 controls and their 320 objectives, develop and maintain System Security Plans and Plans of Action and Milestones, and oversee evidence collection to ensure audit readiness for CMMC Level 2 assessments. This position is focused on governance, risk, and compliance rather than technical implementation, requiring you to translate assessment findings into clearly defined and actionable remediation tasks that Security Engineers can execute using established SOPs and runbooks. The ideal candidate brings strong experience with CMMC or NIST SP 800-171, is confident managing client relationships, and has the ability to simplify complex compliance requirements into practical, outcome-driven guidance.

Job Responsibilities

• Lead initial client scoping engagements: identify people, processes, and assets that interact with CUI and FCI. Build RACI accountability matrices and data flow diagrams.
• Determine enclave architecture recommendations (GCC, GCC High, hybrid, on-prem, full environment) in collaboration with Security Engineers based on where CUI/FCI resides in the client environment.
• Conduct comprehensive gap assessments against all 320 objectives across 110 controls of NIST SP 800-171 Rev 2. Score each objective as Met, Not Met, or Partially Met. Calculate and submit SPRS scores.
• Create detailed Plans of Action and Milestones (POA&Ms) from gap assessment findings. Prioritize remediation tasks and define milestones, resource requirements, and completion dates.
• Translate gap assessment findings into specific, actionable remediation tasks mapped to Azure/M365 components using the team’s Control-Task Tracker. Each task must include enough detail that a Security Engineer can execute without further interpretation.
• Develop and maintain System Security Plans (SSPs) documenting all 110 controls, implementation status, system boundaries, data flows, and organizational policies.
• Create and maintain the full CMMC compliance policy library: access control policy, incident response plan, configuration management policy, audit policy, media protection policy, and all other required policy and procedure documents.
• Manage the evidence collection process. Define what evidence is needed per control, coordinate with Security Engineers to capture technical evidence, and organize the evidence repository.
• Conduct internal readiness reviews and mock assessments prior to C3PAO engagement. Identify remaining gaps and drive remediation to closure.
• Support clients during C3PAO Level 2 assessments: answer assessor questions, locate evidence, provide clarifications, and coordinate responses to findings.
• Manage 4-7 concurrent client engagements at various stages of the CMMC lifecycle.
• Train client staff on security policies, acceptable use, CUI handling procedures, and incident reporting obligations.

Job Qualifications

• 3+ years of experience in cybersecurity compliance, GRC, or IT audit roles.
• Direct experience with NIST SP 800-171 and/or the CMMC framework. Must be able to discuss the 14 control families and their requirements without relying on reference materials.
• Experience writing System Security Plans (SSPs), POA&Ms, and compliance documentation for federal contractors or defense industrial base (DIB) organizations.
• Experience conducting gap assessments or security assessments against a recognized framework (NIST 800-171, NIST 800-53, FedRAMP, ISO 27001, or similar).
• Working knowledge of Microsoft 365 and Azure at a conceptual level. Does not need to configure Sentinel or Conditional Access, but must understand what these tools do and which CMMC controls they satisfy. 

Preferred Experience

• Experience supporting C3PAO assessments (either as the assessed organization or as a consultant).
• Familiarity with DFARS 7012, ITAR, and EAR requirements and how they affect CUI scope.
• Experience with GRC platforms (e.g., RegScale, CORA, Totem, PreVeil, or similar).
• Prior MSP or consulting experience managing multiple concurrent clients.
• Experience with Microsoft Compliance Manager and Purview for compliance tracking and evidence.

Required Certification

(at least one; additional required within timeline): 

• CMMC Certified Professional (CCP) - Required. Must hold at hire or obtain within 6 months.
• CMMC Certified Assessor (CCA) - Strongly preferred at hire. Required within 12 months of hire.
• CMMC Registered Practitioner (RP) - Accepted as starting credential if pursuing CCP/CCA on defined timeline.

Preferred Certifications

(any combination adds value): 

• CompTIA Security+ (SY0-701)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Information Systems Auditor (CISA)
• NIST Risk Management Framework (RMF) training or certification
• CompTIA CySA+

Skills & Competencies

• Exceptional technical writing: SSPs, policies, and compliance documents must be clear, thorough, and assessment-ready.
• Strong client communication: ability to explain complex compliance requirements to non-technical business owners and executives in plain language.
• Task decomposition: ability to take a high-level control gap (e.g., "AC.L2-3.1.3 Not Met") and break it into 5-10 specific, actionable remediation tasks with enough detail for a technician to execute.
• Project management: manage multiple clients, track deadlines, escalate blockers, and maintain visibility across all active engagements.
• Attention to detail: CMMC assessments are evidence-based. Missing or incomplete evidence can fail a control regardless of implementation quality.
• Ability to work independently while coordinating with Security Engineers, client stakeholders, and firm leadership. 

Compensation

Pay rate ranges from $95,000.00/annum up to $145,000.00/annum and may vary by experience and location.

Benefits

• Medical Insurance Plan
• Dental & Vision
• Life Insurance
• Disability Coverage
• Paid Time Off (starts at 15 days per year)
• Maternity/Paternity Leave
• Paid US Holiday
• Retirement Plan
• Salary Advancement/Loan
• Health & Wellness Program
• Company-paid training and certification
• Supplemental Life Insurance (Employee-paid)
• Supplemental Health Plans (Employee-paid)