Boston Government Services is seeking a Cloud Security Engineer to join our team in Oak Ridge, TN.

Key Responsibilities:

Microsoft GCC High Tenant Management:
- Serve as the primary administrator and technical owner of the Microsoft 365 GCC High tenant environment.
- Manage and optimize Exchange Online, SharePoint Online, Teams, and OneDrive within the GCC High boundary.
- Maintain tenant-level configurations, licensing, and service health monitoring.
- Plan and execute tenant-level changes, updates, and migrations with minimal disruption.

Identity & Access Management:
- Design, implement, and maintain Microsoft Entra ID (Azure AD) configurations including Conditional Access policies, MFA enforcement, and Privileged Identity Management (PIM).
- Manage role-based access control (RBAC) across the GCC High environment.
- Enforce Zero Trust principles across identity, access, and data layers.
- Administer and monitor Entra ID Connect, hybrid identity configurations, and SSO integrations.

Endpoint Management (Microsoft Intune / Autopilot):
- Own the design, deployment, and ongoing management of Microsoft Intune for device compliance, configuration profiles, and application management.
- Manage Windows Autopilot enrollment and deployment profiles for zero-touch provisioning.
- Develop and maintain Mobile Device Management (MDM) and Mobile Application Management (MAM) policies.
- Coordinate endpoint compliance reporting and remediation for non-compliant devices.

Azure Government Cloud Infrastructure:
- Support and administer Azure Government (AzureGov) resources aligned to GCC High workloads.
- Manage Azure networking, storage, and compute resources within the government cloud boundary.
- Collaborate on architecture decisions for workloads requiring Azure Gov integration.

CMMC 2.0 Compliance & Security:
- Actively participate in CMMC Level 2 assessment preparation, including evidence gathering, control documentation, and gap remediation.
- Maintain and update System Security Plans (SSP), Plans of Action & Milestones (POA&M), and related compliance artifacts.
- Monitor and enforce controls aligned to NIST SP 800-171 Rev 2/Rev 3 across the GCC High environment.
- Support assessors during third-party assessments (C3PAO) by providing technical documentation and system access walkthroughs.
- Stay current on CMMC rulemaking updates, DCSA guidance, and emerging DoD cybersecurity requirements.

Mentoring & Collaboration:
- Provide informal technical guidance and knowledge transfer to IT staff on cloud security practices and GCC High platform capabilities.
- Develop internal documentation, runbooks, and training materials to elevate the team's cloud security proficiency.
- Partner with IT leadership to communicate security posture, compliance status, and risk to executive stakeholders.

Required Qualifications:
- 5+ years of experience in cloud infrastructure, systems engineering, or cybersecurity roles.
- 3+ years of hands-on experience administering Microsoft 365 or Office 365 environments, with direct GCC High experience strongly preferred.
- Demonstrated experience with Microsoft Entra ID, Conditional Access, Intune, and Autopilot.
- Working knowledge of NIST SP 800-171 and CMMC Level 2 requirements.
- Experience supporting or participating in a federal cybersecurity assessment (CMMC, FedRAMP, FISMA, or similar).
- Proficiency with Microsoft Defender suite (Defender for Endpoint, Defender for Identity, Defender for Office 365).
- Strong understanding of Zero Trust architecture principles.
- US citizenship required (GCC High environment handles Controlled Unclassified Information).
- Must be able to pass a drug screening.
- Must be eligible to obtain and maintain a security clearance, if required.

Preferred Qualifications:
- Microsoft certifications: MS-500 (Security Administrator), AZ-500 (Azure Security Engineer), SC-200, or SC-300.
- Experience with Microsoft Purview (Information Protection, Compliance Manager, eDiscovery).
- Familiarity with Microsoft Sentinel or equivalent SIEM platforms in a government cloud context.
- Experience with Jamf or other third-party MDM platforms alongside Intune.
- Prior experience in a defense contractor, government contractor, or DoD-adjacent environment.
- Certified Information Systems Security Professional (CISSP) or CompTIA Security+ CE.

Location/Work Arrangement:
- This position is in Oak Ridge, TN.
- Schedule is full time, Monday - Friday, 40-hour week.

Benefits:
BGS offers a competitive total compensation package to eligible employees. Benefits include Health, Dental, Vision, Life Insurance, Paid Vacation, 401K, Long and Short-Term Disability.