Senior Cybersecurity Analyst - CMMC & DoD Compliance

Description

The Role:

The Cybersecurity Analyst will help lead the CMMC compliance efforts to enable pursuit of new GM Defense and other U.S. Government-regulated programs. This role works with cross-functional teams to execute and assess control implementation, collect and validate audit-ready evidence, and prepare artifacts for external assessments. The analyst works with the GMD GRC team and leads IT, program management, cloud, and engineering teams to ensure compliance with CMMC, NIST SP 800-171, DFARS, FAR, and DoD cybersecurity requirements supporting government contracts.

The ideal candidate combines strong understanding of security frameworks combined with technical security depth (on-prem + cloud) to manage evidence collection and remediation across multiple internal teams and is capable of obtaining security clearance.

What You'll Do:

• Drive the overall governance for government programs.
• Execute annual self-assessments (Continuous Monitoring) on CMMC/NIST controls and document findings.
• Coordinate internal teams (IAM, cloud, infrastructure, SOC, endpoint, vulnerability management, application owners) to validate control implementation and operational effectiveness.
• Identify compliance gaps, manage security exceptions (POA&Ms), and drive remediation prior to audit or customer assessments.
• Lead CMMC readiness and sustainment activities for GM Defense programs, aligned to NIST SP 800-171 and DoD expectations for CUI protection.
• Build and maintain assessment-ready evidence packages (policies, procedures, configurations, logs, tickets, reports) aligned to CMMC and DFARS requirements.

• Bachelor's degree in Cybersecurity, Information Systems, Computer Science, or equivalent practical experience.
• 5+ years of cybersecurity experience in regulated or government-contract environments.
• Experience supporting federally regulated cybersecurity requirements.
• Experience preparing for third-party or government assessments.
• Ability to translate and communicate DoD cybersecurity requirements for application teams.

• Identity & Access Management (IAM): RBAC, least privilege, privileged access workflows, MFA, service accounts, access reviews, joiner/mover/leaver processes.
• Windows & Linux security: GPO/Intune or equivalent, local admin controls, secure baselines (e.g., CIS-aligned), logging configuration, patch management, hardening validation.
• Network security: segmentation concepts, firewall rulesets, VPN/ZTNA, secure remote administration, network device logging, NAC fundamentals, DNS security basics.
• Endpoint security: EDR capabilities, alert triage/validation, policy enforcement, device encryption, removable media controls.
• Vulnerability management: scan coverage, risk-based prioritization, remediation workflows, exception handling, validation reporting.
• SIEM/logging: ability to define log requirements, validate ingestion/retention, produce audit-ready log evidence, and explain detections and response workflows.

• Working knowledge of FAR and DFARS cybersecurity clauses, including contractor responsibilities for safeguarding CUI and incident reporting.
• Understanding of government system authorization concepts, shared responsibility models, and secure enclave design.
• Experience supporting cybersecurity requirements within defense programs, manufacturing, engineering, or supply-chain environments.
• Experience with secure enclave design, CUI boundary segmentation, or regulated environments in automotive/manufacturing/supply chain contexts.

• Cloud Security (AWS/Azure/GCP-at least one strongly preferred)
• Cloud IAM: conditional access concepts, identity federation, role assignments, privileged identity workflows (e.g., JIT/PIM), access key hygiene.
• Cloud security posture: policy-as-code fundamentals, CSPM findings interpretation, configuration drift awareness, secure landing zone concepts.
• Cloud logging & monitoring: CloudTrail / Activity Logs, log routing to SIEM, retention/immutability considerations, alerting and response integration.
• Data protection: encryption at rest/in transit, key management (KMS/Key Vault), secret management, secure storage access patterns.
• Network controls in cloud: security groups/NSGs, route tables, private endpoints, egress controls, segmentation principles.