✦ Luna Orbit — Cybersecurity

CMMC Security Engineer (Hybrid)

at Intelligent Technical Solutions

📍 Remote, US Remote 💰 $120K – $170K USD / year Posted April 14, 2026
Salary $120K – $170K USD / year
Type Not Specified
Experience mid
Exp. Years Not specified
Education Not specified
Category Cybersecurity

Intelligent Technical Solutions is seeking a CMMC Security Engineer to design and build compliant Azure and Microsoft 365 environments for CMMC consulting clients. The role includes provisioning GCC/GCC High tenants, configuring identity, endpoint management, SIEM/SOAR, and data protection controls, along with capturing evidence for compliance documentation.

  • Design and deploy CMMC-compliant enclave architectures in Azure
  • Provision and harden Microsoft 365 GCC and GCC High tenants
  • Configure Microsoft Entra ID (Conditional Access, PIM) and deploy Intune endpoint management
  • Stand up monitoring and automation with Microsoft Sentinel and Logic Apps
  • Configure Defender for Endpoint and Purview data protection, and capture evidence for NIST 800-171 compliance

You will architect and deploy CMMC enclave environments across cloud-only (GCC/GCC High), hybrid, and on-prem scenarios in Azure, including network segmentation and secure connectivity. The stack includes Microsoft Entra ID (Conditional Access, PIM), Microsoft Intune (device compliance and baselines), Microsoft Sentinel (Log Analytics, connectors, KQL analytics, Logic Apps playbooks), Microsoft Defender for Endpoint, and Microsoft Purview for labeling and DLP, aligned to NIST 800-171 controls.

The ideal candidate is a hands-on CMMC Security Engineer who has built CMMC-compliant enclave architectures in Microsoft Azure using GCC and GCC High, and configured Microsoft 365 GCC/GCC High tenants. They should be strong in identity and endpoint controls (Microsoft Entra ID Conditional Access and PIM, Microsoft Intune, Defender for Endpoint) and in security monitoring and data protection (Microsoft Sentinel with KQL, Microsoft Purview sensitivity labels and DLP).

  • Provision and configure Microsoft 365 GCC and GCC High tenants, including initial setup, domain verification, licensing assignment, and tenant hardening
  • Configure Microsoft Entra ID with Conditional Access policies (MFA, device compliance, location-based, session controls) and Privileged Identity Management (PIM)
  • Deploy and configure Microsoft Intune: device enrollment, compliance policies, configuration profiles, security baselines (CIS/STIG), BitLocker encryption with FIPS 140-2 compliance
  • Deploy and configure Microsoft Sentinel: Log Analytics workspace, data connectors (M365, Entra ID, Defender, Azure Activity, Firewall, NSG flow logs), KQL-based analytics rules, automation playbooks (Logic Apps)
  • Deploy and configure Microsoft Defender for Endpoint: device onboarding, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, and vulnerability management
  • Configure Microsoft Purview: sensitivity labels (CUI, FCI, Public), auto-labeling policies, DLP policies across Exchange, SharePoint, Teams
  • Design and implement Azure networking: Virtual Networks, subnets, NSGs, Azure Firewall, Azure Bastion, VPN Gateway (site-to-site and point-to-site), Private Endpoints, route tables, and DDoS Protection
  • Design and deploy CMMC-compliant enclave architectures in Azure (GCC/GCC High, hybrid, and on-premises)
Azure Firewall, Virtual Networks, Azure Bastion, VPN Gateway, Private Endpoints, Azure AD Connect, Microsoft Entra ID, Microsoft Intune, Microsoft Sentinel, Log Analytics, Logic Apps, Microsoft Defender for Endpoint, Microsoft Purview, Exchange, SharePoint, Teams, Azure Arc
CMMC-compliant enclave architecture design and deployment, Azure, Microsoft Azure, GCC, Azure GCC, GCC High, Microsoft 365 GCC and GCC High tenants, tenant hardening, domain verification, licensing assignment, Microsoft Entra ID, Entra ID user provisioning, Security Groups, Administrative Units, Conditional Access policies, MFA, Multi-Factor Authentication (MFA), device compliance, location-based access, session controls, Privileged Identity Management (PIM), Identity Protection risk policies, Microsoft Intune, device enrollment, compliance policies, configuration profiles, security baselines, CIS/STIG, BitLocker encryption, FIPS 140-2 compliance, Windows Update for Business rings, application management via Company Portal, Microsoft Sentinel, Log Analytics workspace setup, data connectors, KQL-based analytics rules, automation playbooks, Logic Apps, CMMC compliance workbooks/dashboards, Microsoft Defender for Endpoint, device onboarding, Attack Surface Reduction (ASR) rules, endpoint DLP, network protection, web content filtering, vulnerability management, Microsoft Purview, sensitivity labels, CUI, Controlled Unclassified Information (CUI), FCI, Federal Contract Information (FCI), DLP policies, Exchange, SharePoint, Teams, information barriers, Azure networking, Virtual Networks, subnets, NSGs, Network Security Groups, Azure Firewall, Azure Bastion, VPN Gateway, site-to-site VPN, point-to-site VPN, Private Endpoints, route tables, DDoS Protection, Azure AD Connect, Cloud Sync, hybrid device join, pass-through authentication, password hash sync, split DNS, Azure Arc, on-premises server management, NIST 800-171 control mapping, technical evidence capture, configuration exports, audit logs, screenshots
hands-on technical problem solving, ability to follow documented SOPs, ability to capture and package technical evidence, cross-functional collaboration with GRC Consultants, accuracy and attention to compliance documentation
Industry Defense
Job Function Build and operationalize CMMC-compliant Azure and Microsoft 365 security controls
Role Subtype Security Engineer
Tech Domains Azure, Microsoft 365, Cybersecurity, Networking / TCP-IP, ITSM / ServiceNow

  • Must be able to provision and configure GCC/GCC High tenants in Microsoft 365
  • Must have hands-on experience with Microsoft Entra ID Conditional Access and Privileged Identity Management (PIM)
  • Must have hands-on deployment experience with Microsoft Intune, Microsoft Sentinel (KQL), and Microsoft Defender for Endpoint
