Systems Security Manager

CEG
Pottstown, PA
Hybrid

About The Position

CEDARVILLE ENGINEERING GROUP
Systems Security Manager
Own the Network. Protect the Contract. Keep Us in the Fight.

About CEG

Cedarville Engineering Group (CEG) delivers design-build civil infrastructure and environmental remediation projects for federal agencies, including work on active military installations. Our projects directly support national defense, environmental restoration, and resilient infrastructure. We are a 50-person firm with offices in Pottstown, PA and Tampa, FL.

The Role

We are seeking a Systems Security Manager who will take full ownership of our CMMC compliance program. This is a hands-on role in a lean firm where you are both the strategist and the implementer. This is federal contractor cybersecurity — not corporate IT:

  • CMMC Level 2 compliance across all CUI systems
  • NIST SP 800-171 practice implementation and monitoring
  • System Security Plan (SSP) and POA&M ownership
  • Third-party assessment (C3PAO) preparation and management
  • Security operations across two offices: Pottstown, PA and Tampa, FL

What This Role Really Is

You are the authority on cybersecurity compliance. You ensure:

  • Controlled Unclassified Information (CUI) is protected at all times
  • Our CMMC program is assessment-ready, documented, and defensible
  • Incidents are identified, contained, and reported correctly

You are independent but embedded with the team. You don’t create bureaucracy — you build a program that lets the business keep winning federal work. You are inheriting an established program — the SSP, CUI enclave architecture, and core tooling are in place. Your job is to own it, mature it, and keep it assessment-ready.

Requirements

  • 5+ years in IT/cybersecurity, with at least 2 years focused on federal compliance frameworks (NIST 800-171, CMMC, or FedRAMP)
  • Demonstrated experience developing or maintaining an SSP and POA&M for a federal contractor environment
  • Hands-on experience with endpoint protection (WebRoot or equivalent), RMM platforms (NinjaOne or equivalent), SIEM tools (Microsoft Sentinel or equivalent), and Active Directory
  • Active certification: CISSP, CISM, CompTIA Security+, or CMMC Registered Practitioner (RP) / Certified Professional (CP)
  • Ability to obtain and maintain a security clearance (Secret preferred)
  • Deep understanding of CUI scoping, enclave design, and CMMC assessment boundaries
  • Strong written communication — you can produce an SSP and brief an executive in the same day
  • Ability to operate without a team beneath you — this is a working manager role
  • Willingness to travel between Pottstown, PA and Tampa, FL as needed
  • Must be able to pass a federal background check
  • REAL ID required

Nice To Haves

  • Working with or preparing for a C3PAO assessment
  • Familiarity with DFARS clause 252.204-7012 and related cybersecurity contract requirements
  • Managing an MSSP vendor relationship
  • Background in a small business federal contractor environment (under 100 employees)

Responsibilities

  • Own and maintain the System Security Plan (SSP), Plan of Action & Milestones (POA&M), and all CMMC assessment artifacts
  • Lead preparation for and management of the C3PAO third-party assessment process
  • Implement and continuously improve all 110 NIST SP 800-171 security practices
  • Manage vulnerability scanning, patching cadence, and endpoint detection using WebRoot and NinjaOne RMM
  • Administer access control, MFA, and identity management in Active Directory
  • Configure and maintain Microsoft Sentinel for log management, audit, and incident detection
  • Interface directly with contracting officers on cybersecurity requirements
  • Manage flow-down compliance for subcontractors and third-party vendors
  • Respond to cybersecurity sections of RFPs and DFARS clause requirements
  • Conduct annual security awareness training and role-based training for all staff
  • Detect, respond to, and document security incidents
  • Execute required notifications to contracting officers per DFARS 252.204-7012
  • Manage relationships with MSSP or security tooling vendors as applicable

Benefits

  • The business can grow without cybersecurity being a ceiling