Cybersecurity Consultant / Subject Matter Expert (SME)

Overview

Remote
$0.01 - $25
Full Time

Skills

Access Control
Analytical Skill
ApacheBench
Auditing
CISA
CISM
CISSP
Collaboration
Communication
Computer Science
Continuous Monitoring
Cyber Security
DoD
Document Review
Documentation
Encryption
Gap Analysis
ISACA
ISO/IEC 27001:2005
Incident Management
Information Assurance
Mapping
Mentorship
NIST SP 800 Series
RMF
RP
Regulatory Compliance
Risk Management
Risk Management Framework
SAP GRC
SAP R/3
SSP
Security Controls
System On A Chip
System Security
Training

Job Details

Comtech is seeking an experienced Cybersecurity Consultant / Subject Matter Expert (SME) to review
our organization's System Security Plan (SSP) and provide in-depth guidance throughout the
Cybersecurity Maturity Model Certification (CMMC) assessment and certification process. The
consultant will play a key advisory role in ensuring compliance, risk mitigation, and audit readiness
aligned with DoD contractor requirements and NIST SP 800-171/CMMC standards.
Duties include:
Review, assess, and refine the existing System Security Plan (SSP), POA&M (Plan of Actions and Milestones), and related documentation.
Conduct gap analysis against CMMC 2.0 and NIST SP 800-171 controls.
Provide expert recommendations to close compliance gaps and strengthen overall security posture.
Guide the internal team in preparing for CMMC Level 2 certification.
Assist in developing or updating cybersecurity policies, procedures, and technical control documentation.
Support implementation of required security controls and evidence collection for audit readiness.
Conduct internal mock assessments to simulate C3PAO (Certified Third-Party Assessor Organization) audits.
Advise on best practices for risk management, incident response, and continuous monitoring.
Collaborate with compliance teams to ensure traceability of controls and compliance documentation.
Provide ongoing consultation on regulatory and compliance updates relevant to DoD, DFARS, and CMMC frameworks.

Minimum Qualifications
Knowledge, Skills, and Abilities (KSAs) required to successfully perform the work:
Bachelor's degree in Cybersecurity, Information Assurance, Computer Science, or a related field (Master's preferred).
5+ years of experience in GRC, compliance audits, and cybersecurity frameworks implementation.
Deep knowledge of CMMC 2.0, NIST SP 800-171, NIST SP 800-53, and DFARS requirements.
Experience conducting or preparing organizations for CMMC, ISO 27001, SOC 2, or FedRAMP audits.
Familiarity with risk management frameworks (RMF) and control assessment methodologies.
Strong understanding of technical and administrative controls related to access control, encryption, logging, and incident response.
Excellent written communication skills for policy and SSP documentation review.
Strong analytical and advisory skills for identifying gaps and providing actionable recommendations.
Ability to work independently and coordinate remotely with cross-functional teams and time zones.

Additional Considerations (Preferred)
Proven track record of supporting organizations through CMMC or NIST-based compliance programs.
Strategic mindset with hands-on expertise in control mapping and remediation guidance.
Strong understanding of cyber risk governance and regulatory compliance in defense or government contracting environments.
Ability to communicate complex compliance concepts in clear, actionable terms for both technical and non-technical stakeholders.

Required Skills & Qualifications
Required:
R1. Proven experience reviewing and remediating System Security Plans (SSP) and POA&Ms for CMMC/NIST 800-171 compliance (5+ years)
R2. Hands-on experience in Governance, Risk & Compliance (GRC), including audit preparation and evidence mapping (7+ years)
R3. Strong understanding of DoD, DFARS, and NIST SP 800-53/171 frameworks (5+ years)
R4. Demonstrated ability to conduct gap analyses and compliance assessments for CMMC readiness (7+ years)
R5. Proven experience working with US-based defense contractors or C3PAOs
R6. Excellent written communication skills for reviewing and refining cybersecurity documentation and policies (7+ years)
Desired:
D1. Experience leading CMMC pre-assessments or certification readiness programs
D2. Strong knowledge of Risk Management Framework (RMF) and control mapping methodologies.
Nice To Have:
N1. CMMC-AB Registered Practitioner (RP) or Certified CMMC Professional (CCP) certification
N2. CISSP, CISA, CISM, or CRISC certification
N3. Prior experience mentoring or training internal teams on cybersecurity compliance frameworks
*Note: (US-based candidates only)
