Senior Cybersecurity Analyst - CMMC & DoD Compliance

Description
The Role:
The Cybersecurity Analyst will help lead the CMMC compliance efforts to enable pursuit of new GM Defense and other U.S. Government-regulated programs. This role works with cross-functional teams to execute and assess control implementation, collect and validate audit-ready evidence, and prepare artifacts for external assessments. The analyst works with the GMD GRC team and leads IT, program management, cloud, and engineering teams to ensure compliance with CMMC, NIST SP 800-171, DFARS, FAR, and DoD cybersecurity requirements supporting government contracts.
The ideal candidate combines strong understanding of security frameworks combined with technical security depth (on-prem + cloud) to manage evidence collection and remediation across multiple internal teams and is capable of obtaining security clearance.
What You'll Do:

• Drive the overall governance for government programs.
• Execute annual self-assessments (Continuous Monitoring) on CMMC/NIST controls and document findings.
• Coordinate internal teams (IAM, cloud, infrastructure, SOC, endpoint, vulnerability management, application owners) to validate control implementation and operational effectiveness.
• Identify compliance gaps, manage security exceptions (POA&Ms), and drive remediation prior to audit or customer assessments.
• Lead CMMC readiness and sustainment activities for GM Defense programs, aligned to NIST SP 800-171 and DoD expectations for CUI protection.
• Build and maintain assessment-ready evidence packages (policies, procedures, configurations, logs, tickets, reports) aligned to CMMC and DFARS requirements.

Your Skills & Abilities (Required Qualifications):

• Bachelor's degree in Cybersecurity, Information Systems, Computer Science, or equivalent practical experience.
• 5+ years of cybersecurity experience in regulated or government-contract environments.
• Experience supporting federally regulated cybersecurity requirements.
• Experience preparing for third-party or government assessments.
• Ability to translate and communicate DoD cybersecurity requirements for application teams.

Knowledge in the following areas:

• Identity & Access Management (IAM): RBAC, least privilege, privileged access workflows, MFA, service accounts, access reviews, joiner/mover/leaver processes.
• Windows & Linux security: GPO/Intune or equivalent, local admin controls, secure baselines (e.g., CIS-aligned), logging configuration, patch management, hardening validation.
• Network security: segmentation concepts, firewall rulesets, VPN/ZTNA, secure remote administration, network device logging, NAC fundamentals, DNS security basics.
• Endpoint security: EDR capabilities, alert triage/validation, policy enforcement, device encryption, removable media controls.
• Vulnerability management: scan coverage, risk-based prioritization, remediation workflows, exception handling, validation reporting.
• SIEM/logging: ability to define log requirements, validate ingestion/retention, produce audit-ready log evidence, and explain detections and response workflows.

Practical experience with the following:

• Working knowledge of FAR and DFARS cybersecurity clauses, including contractor responsibilities for safeguarding CUI and incident reporting.
• Understanding of government system authorization concepts, shared responsibility models, and secure enclave design.
• Experience supporting cybersecurity requirements within defense programs, manufacturing, engineering, or supply-chain environments.
• Experience with secure enclave design, CUI boundary segmentation, or regulated environments in automotive/manufacturing/supply chain contexts.

What Will Give You A Competitive Edge (Preferred Qualifications):

• Cloud Security (AWS/Azure/GCP-at least one strongly preferred)
• Cloud IAM: conditional access concepts, identity federation, role assignments, privileged identity workflows (e.g., JIT/PIM), access key hygiene.
• Cloud security posture: policy-as-code fundamentals, CSPM findings interpretation, configuration drift awareness, secure landing zone concepts.
• Cloud logging & monitoring: CloudTrail / Activity Logs, log routing to SIEM, retention/immutability considerations, alerting and response integration.
• Data protection: encryption at rest/in transit, key management (KMS/Key Vault), secret management, secure storage access patterns.
• Network controls in cloud: security groups/NSGs, route tables, private endpoints, egress controls, segmentation principles.

#LI-SB3
GM does not provide immigration-related sponsorship for this role. Do not apply for this role if you will need GM immigration sponsorship now or in the future. This includes direct company sponsorship, entry of GM as the immigration employer of record on a government form, and any work authorization requiring a written submission or other immigration support from the company (e.g., H1-B, OPT, STEM OPT, CPT, TN, J-1, etc.)
This role is categorized as hybrid. This means the selected candidate is expected to report to a specific location at least 3 times a week {or other frequency dictated by their manager}.
This job may be eligible for relocation benefits.
About GM
Our vision is a world with Zero Crashes, Zero Emissions and Zero Congestion and we embrace the responsibility to lead the change that will make our world better, safer and more equitable for all.
Why Join Us
We believe we all must make a choice every day - individually and collectively - to drive meaningful change through our words, our deeds and our culture. Every day, we want every employee to feel they belong to one General Motors team.
Total Rewards | Benefits Overview
From day one, we're looking out for your well-being-at work and at home-so you can focus on realizing your ambitions. Learn how GM supports a rewarding career that rewards you personally by visiting Total Rewards resources.
Non-Discrimination and Equal Employment Opportunities (U.S.)
General Motors is committed to being a workplace that is not only free of unlawful discrimination, but one that genuinely fosters inclusion and belonging. We strongly believe that providing an inclusive workplace creates an environment in which our employees can thrive and develop better products for our customers.
All employment decisions are made on a non-discriminatory basis without regard to sex, race, color, national origin, citizenship status, religion, age, disability, pregnancy or maternity status, sexual orientation, gender identity, status as a veteran or protected veteran, or any other similarly protected status in accordance with federal, state and local laws.
We encourage interested candidates to review the key responsibilities and qualifications for each role and apply for any positions that match their skills and capabilities. Applicants in the recruitment process may be required, where applicable, to successfully complete a role-related assessment(s) and/or a pre-employment screening prior to beginning employment. To learn more, visit How we Hire.
Accommodations
General Motors offers opportunities to all job seekers including individuals with disabilities. If you need a reasonable accommodation to assist with your job search or application for employment, email us [email protected] or call us at 1-800-865-7580. In your email, please include a description of the specific accommodation you are requesting as well as the job title and requisition number of the position for which you are applying.