L

Cybersecurity Compliance Engineer

LEONARDO HELICOPTERS US CORPORATION · Philadelphia, Pennsylvania, United States

10 h ago
Mid (2-5 yrs) Full-time United States
Log in to apply, save this posting, or score it against your profile with AI.

About the role

Implement and operationalize technical cybersecurity controls to achieve compliance with NIST CSF, NIST SP 800-171, and CMMC Level 2. This role focuses on the technical execution and evidence production across Microsoft 365, Azure, and on-premises infrastructure.

What they look for

NIST SP 800-171 CMMC Level 2 Microsoft Entra ID Microsoft Intune Microsoft Purview Microsoft Defender Azure Security Windows Server Hardening Active Directory Security Vulnerability Management Network Segmentation CIS Benchmarks DISA STIG EDR/XDR Identity and Access Management Technical Documentation

Requirements

Requires a Bachelor's degree in a technical field and 3-6 years of experience in cybersecurity engineering with a focus on NIST implementation. Proficiency in the Microsoft Security stack and experience with federal compliance requirements are essential.

Full description

Job Title: Cybersecurity Compliance Engineer

Department: Digital Solutions

Reports to: Roy Knudson, Senior Manager Digital Solutions

Direct Reports: 0

Location(s): Leonardo AWPC, Philadelphia PA

__________________________________________________________________________________

  • Summary of Position: (Brief description of overall responsibilities and function)

The Security Compliance Engineer is responsible for implementing, validating, and operationalizing cybersecurity controls required to achieve and maintain compliance with the NIST Cybersecurity Framework (CSF), NIST SP 800-171, and Cybersecurity Maturity Model Certification (CMMC) Level 2. Working in close partnership with the Cybersecurity team—which retains ownership of compliance policy, risk assessment, and audit governance—this role translates compliance requirements into technical solutions across Microsoft 365, Azure, endpoint management, identity services, networking, and on-premises infrastructure.

This is an execution role, not an advisory one. The Cybersecurity team defines what compliance looks like; this engineer builds and sustains it. The ideal candidate is a hands-on practitioner who can read a NIST control, understand what it requires technically, implement the solution, and produce the evidence to prove it works—all without requiring direction at each step.

Reporting directly to the Head of Digital Solutions, this Individual Contributor will be a high-visibility contributor whose output directly supports CMMC Level 2 certification staging and the organization’s long-term security posture hardening objectives across the US region.

2. Essential Duties and Responsibilities: (Specifically describe the essential duties and responsibilities in order of estimated percentage of time that is spent on each).

Duties and Responsibilities:

% of

Time

1.

Microsoft Security Platform Ownership

  • Administer and secure the Microsoft 365, Entra ID, Intune, Defender, and Purview environments as the primary technical owner of security configuration and policy enforcement
  • Implement and maintain core identity and access controls:• Conditional Access policies, named locations, and sign-in risk rules
  • Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR)
  • Privileged Identity Management (PIM) and just-in-time access workflows
  • Entra ID role assignments, group lifecycle, and access reviews
  • Build and maintain Microsoft Purview data governance and protection controls:• Sensitivity labels and information protection policies for CUI and confidential data
  • Data Loss Prevention (DLP) policies across M365 workloads
  • Insider Risk Management configuration and alert review
  • Retention and compliance policies aligned to regulatory requirements
  • Manage Intune device compliance policies, configuration profiles, and enrollment workflows across Windows endpoints
  • Operate and tune the Microsoft Defender suite (Defender for Endpoint, Office 365, Identity, and Cloud Apps)—including alert triage, policy configuration, and integration with incident response processes
  • Document CUI data flows through M365 and Azure services in support of System Security Plan (SSP) development

25%

2.

Infrastructure Security Engineering

  • Implement and maintain security controls across the full on-premises and hybrid infrastructure stack:
  • Windows Server — hardening, patch compliance baselines, and audit logging
  • Active Directory — Group Policy security baselines, privileged account tiering, and stale object management
  • Network infrastructure — firewall policy review, segmentation validation, and NAC enforcement
  • Endpoints — EDR/XDR policy management, compliance baselines, and removable media controls
  • Virtualization platforms (VMware / Hyper-V) — snapshot, access, and audit controls
  • Cloud services — Azure RBAC, Defender for Cloud posture management, and security policy
  • Drive vulnerability remediation activities—prioritize, assign, track, and validate closure of findings from scan results, audit reports, and assessor reviews
  • Implement CIS benchmark configurations and DISA STIG settings across applicable platforms and document deviations through formal change management
  • Partner with the Manager of Security & Infrastructure on patching discipline, MDM lifecycle, and endpoint compliance enforcement
  • Contribute to the network and infrastructure hardening roadmap, prioritized against NIST 800-171 control families SC (System & Communications Protection), AC (Access Control), AU (Audit & Accountability), and CM (Configuration Management)

20%

3.

NIST Control Implementation & Remediation

  • Implement technical safeguards required by NIST SP 800-171 and CMMC Level 2 across all applicable control families
  • Remediate security control gaps identified through internal assessments, audits, POA&M entries, and compliance reviews—owning technical resolution from identification through evidence-confirmed closure
  • Partner with the Cybersecurity and Risk teams to translate NIST requirements into specific, operational controls with clear, auditable evidence paths
  • Validate effectiveness of implemented controls through testing, configuration review, and evidence collection—producing artifacts sufficient for C3PAO assessor review
  • Support SPRS (Supplier Performance Risk System) score improvement by systematically addressing scored deficiencies
  • Contribute technical implementation details to System Security Plans (SSPs) in coordination with the Cybersecurity Compliance team
  • Maintain a personal remediation queue aligned to the organizational Plan of Action & Milestones (POA&M), with regular status reporting to the Head of Digital Solutions

30%

4.

CMMC Technical Readiness

  • Implement technical safeguards supporting CMMC Level 2 certification across all 110 practices derived from NIST SP 800-171
  • Support SSP development by contributing architecture diagrams, data flow documentation, and system boundary definitions
  • Produce and maintain technical evidence artifacts for each assessed practice—configuration exports, screenshots, audit logs, and policy documentation
  • Validate security control effectiveness through technical testing prior to formal C3PAO assessment engagement
  • Participate in pre-assessment walkthroughs and respond to assessor technical inquiries with demonstrated, working controls
  • Coordinate with the Cybersecurity Compliance team on CUI environment scoping, boundary documentation, and formal assessment scheduling
  • Sustain CMMC technical readiness posture post-certification through ongoing monitoring, quarterly self-assessment, and control validation

15%

5.

Documentation, Reporting & Communication

  • Produce and maintain technical documentation as a natural byproduct of implementation work: architecture diagrams, configuration runbooks, control implementation records, and evidence packages
  • Deliver concise, regular status reporting to the Head of Digital Solutions covering remediation progress, POA&M milestone tracking, and CMMC readiness milestones
  • Contribute technical content to executive-level compliance dashboards and scorecards maintained by the Cybersecurity Compliance team
  • Develop role-based security configuration guides and internal knowledge base articles for Infrastructure, Helpdesk, and end-user staff
  • Communicate complex technical security requirements clearly to non-technical stakeholders across HR, Legal, Procurement, and Operations

10%

TOTAL:

100%

  • Qualifications for Position:

A. Education

  • Bachelor’s degree in Information Security, Computer Science, Information Systems, or a related discipline required
  • An equivalent combination of formal education and demonstrated, hands-on technical experience will be considered in lieu of degree

B. Experience

  • 3–6 years of progressive experience in cybersecurity engineering, security administration, or infrastructure security roles
  • Demonstrated hands-on experience implementing NIST SP 800-171 controls in enterprise environments—not solely assessing or documenting them
  • Proven experience securing Microsoft 365 and Azure environments at a technical configuration level, including Entra ID, Intune, Purview, and the Defender suite
  • Practical experience implementing controls supporting CMMC Level 2 certification or equivalent federal compliance requirements (DFARS, FedRAMP, FISMA)
  • Track record of remediating audit findings and compliance gaps through direct technical implementation—not documentation management alone
  • Hands-on experience with Windows Server hardening, Active Directory security, endpoint protection, and infrastructure vulnerability management
  • Ability to produce technical evidence artifacts—configuration exports, audit logs, test results, and screenshots—suitable for formal assessor review
  • Experience interfacing across multiple business functions (IT, Legal, Procurement, Operations) to gather evidence and drive compliance outcomes

C. Competencies & Attributes

1.

Takes full responsibility for implementation outcomes from initiation through evidence-confirmed closure. Does not require escalation to act. Treats compliance gaps as personal problems to solve, not items to hand back.

2.

Translates regulatory requirements into working, configured, testable controls. Comfortable operating in ambiguity and capable of self-directing the technical path from NIST requirement to implemented safeguard.

3.

Produces audit-ready documentation and evidence artifacts without prompting. Understands that in a compliance context, undocumented controls do not exist.

4.

Translates complex technical requirements for non-technical audiences. Produces executive-ready status reports and communicates proactively about delays, risks, and blockers before they become issues.

Proactively identifies opportunities to harden controls beyond minimum compliance requirements. Brings a security-first mindset rather than a check-the-box approach.

Handles sensitive compliance documentation, audit findings, and security configurations with strict discretion. Understands that access to this information carries professional and regulatory weight.

5.

Required Technical Skills:

  • Microsoft Entra ID (Azure AD)
  • Microsoft Intune — MDM & MAM
  • Microsoft Defender Suite (MDE, MDO, MDI, MDCA)
  • Microsoft Purview — DLP, Info Protection, IRM
  • Azure Security Center / Defender for Cloud
  • Conditional Access & PIM
  • Sensitivity Labels & CUI Classification
  • Microsoft Sentinel — working knowledge
  • Windows Server hardening & audit controls
  • Active Directory — GPO, tiering, privileged access
  • Endpoint Detection & Response (EDR/XDR)
  • Vulnerability Management (Tenable, Qualys, or equiv.)
  • Network Firewalls & Segmentation
  • CIS Benchmarks & DISA STIG implementation
  • Virtualization — VMware / Hyper-V security
  • NIST SP 800-171 technical control implementation

D. Licensure/Certification

CompTIA Security+

Strongly Preferred

Baseline cybersecurity knowledge; minimum threshold for government-adjacent compliance environments

Microsoft SC-401: Information Security Administrator

Strongly Preferred

Direct alignment to M365 Purview, DLP, and information protection ownership responsibilities

Microsoft SC-100: Cybersecurity Architect Expert

Strongly Preferred

Architecture-level Microsoft security design; NIST and Zero Trust framework alignment

Microsoft SC-200: Security Operations Analyst

Strongly Preferred

Defender suite operations, SIEM/SOAR, and security monitoring proficiency

CMMC Registered Practitioner (RP)

Strongly Preferred

Formal CMMC credentialing; signals DoD ecosystem knowledge and assessment process readiness

CISSP

Strong Differentiator

Breadth of security architecture and management knowledge; signals career depth and commitment

CISM

Strong Differentiator

Information security management focus; supports cross-functional compliance communication

CISA

Nice to Have

Audit methodology knowledge; useful but secondary to implementation credentials for this role

ISO 27001 Lead Implementer/Auditor

Nice to Have

Complementary for global coordination with international Digital Solutions teams

Equal Opportunity Employer/Vet/Disability