IT Security & Compliance Manager

About The Position

Requirements

• Deep, practical knowledge of NIST SP 800-171, NIST SP 800-53, DFARS 252.204-7012, and CMMC Level 2 requirements.
• Proven experience writing, editing, and maintaining institutional IT policies, SSPs, and technical restoration playbooks.
• Experience navigating formal external IT audits or third-party assessments (C3PAO).
• Strong background managing enterprise firewalls and network segmentation.
• Hands-on experience with modern EDR platforms and centralized RMM tools for patch deployment and monitoring.
• Deep familiarity with Microsoft 365 GCC High tenant administration, including data classification and sensitivity labels.
• Familiarity with secure file migration, data backup architectures, and Disaster Recovery (DR) execution.
• Bachelor’s degree in Cybersecurity, Computer Science, IT Management, or a related technical field (equivalent practical experience considered).
• 5+ years of experience in IT systems administration or cybersecurity, with at least 2 years directly managing compliance frameworks within the DoD supply chain.
• Must be a U.S. Citizen (required for accessing/managing CUI/ITAR-regulated data).

Nice To Haves

• Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM).
• CMMC Certified Professional (CCP) or CMMC Certified Assessor (CCA).
• CompTIA Security+ or CySA+ (minimum baseline).

Responsibilities

• Own, update, and enforce the System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Ensure all 110 practices of NIST SP 800-171 are fully implemented and auditable.
• Oversee the security posture of our technical stack, ensuring secure configurations across firewalls, Endpoint Detection and Response (EDR), Remote Monitoring and Management (RMM), and cloud environments.
• Manage data enclave boundaries and security policies, specifically optimizing and maintaining a Microsoft 365 GCC High environment to prevent CUI spillage.
• Map, audit, and control the flow of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across all internal and external systems.
• Lead the incident response team. Ensure full compliance with DFARS 252.204-7012, including rapid reporting of cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours.
• Conduct regular internal audits, vulnerability scans, and risk assessments. Prioritize and remediate vulnerabilities across servers, endpoints, and network devices.
• Evaluate subcontractors and third-party vendors to ensure they meet mandatory DFARS flow-down requirements.