Cloud Security Engineer

Microsoft GCC High Tenant Management

• Serve as the primary administrator and technical owner of the Microsoft 365 GCC High tenant environment.
• Manage and optimize Exchange Online, SharePoint Online, Teams, and OneDrive within the GCC High boundary.
• Maintain tenant-level configurations, licensing, and service health monitoring.
• Plan and execute tenant-level changes, updates, and migrations with minimal disruption.

Identity & Access Management

• Design, implement, and maintain Microsoft Entra ID (Azure AD) configurations including Conditional Access policies, MFA enforcement, and Privileged Identity Management (PIM).
• Manage role-based access control (RBAC) across the GCC High environment.
• Enforce Zero Trust principles across identity, access, and data layers.
• Administer and monitor Entra ID Connect, hybrid identity configurations, and SSO integrations.

Endpoint Management (Microsoft Intune / Autopilot)

• Own the design, deployment, and ongoing management of Microsoft Intune for device compliance, configuration profiles, and application management.
• Manage Windows Autopilot enrollment and deployment profiles for zero-touch provisioning.
• Develop and maintain Mobile Device Management (MDM) and Mobile Application Management (MAM) policies.
• Coordinate endpoint compliance reporting and remediation for non-compliant devices.

Azure Government Cloud Infrastructure

• Support and administer Azure Government (AzureGov) resources aligned to GCC High workloads.
• Manage Azure networking, storage, and compute resources within the government cloud boundary.
• Collaborate on architecture decisions for workloads requiring Azure Gov integration.

CMMC 2.0 Compliance & Security

• Actively participate in CMMC Level 2 assessment preparation, including evidence gathering, control documentation, and gap remediation.
• Maintain and update System Security Plans (SSP), Plans of Action & Milestones (POA&M), and related compliance artifacts.
• Monitor and enforce controls aligned to NIST SP 800-171 Rev 2/Rev 3 across the GCC High environment.
• Support assessors during third-party assessments (C3PAO) by providing technical documentation and system access walkthroughs.
• Stay current on CMMC rulemaking updates, DCSA guidance, and emerging DoD cybersecurity requirements.

Mentoring & Collaboration

• Provide informal technical guidance and knowledge transfer to IT staff on cloud security practices and GCC High platform capabilities.
• Develop internal documentation, runbooks, and training materials to elevate the team's cloud security proficiency.
• Partner with IT leadership to communicate security posture, compliance status, and risk to executive stakeholders.

• 5+ years of experience in cloud infrastructure, systems engineering, or cybersecurity roles.
• 3+ years of hands-on experience administering Microsoft 365 or Office 365 environments, with direct GCC High experience strongly preferred.
• Demonstrated experience with Microsoft Entra ID, Conditional Access, Intune, and Autopilot.
• Working knowledge of NIST SP 800-171 and CMMC Level 2 requirements.
• Experience supporting or participating in a federal cybersecurity assessment (CMMC, FedRAMP, FISMA, or similar).
• Proficiency with Microsoft Defender suite (Defender for Endpoint, Defender for Identity, Defender for Office 365).
• Strong understanding of Zero Trust architecture principles.
• US citizenship required (GCC High environment handles Controlled Unclassified Information).
• Must be able to pass a drug screening.
• Must be eligible to obtain and maintain a security clearance, if required., * Microsoft certifications: MS-500 (Security Administrator), AZ-500 (Azure Security Engineer), SC-200, or SC-300.
• Experience with Microsoft Purview (Information Protection, Compliance Manager, eDiscovery).
• Familiarity with Microsoft Sentinel or equivalent SIEM platforms in a government cloud context.
• Experience with Jamf or other third-party MDM platforms alongside Intune.
• Prior experience in a defense contractor, government contractor, or DoD adjacent environment.
• Certified Information Systems Security Professional (CISSP) or CompTIA Security+ CE.

BGS offers a competitive total compensation package to eligible employees. Benefits include Health, Dental, Vision, Life Insurance, Paid Vacation, 401K, Long and Short-Term Disability.

Boston Government Services is seeking a Cloud Security Engineer to join our team in Oak Ridge, TN. BGS is an engineering, technology, and security firm helping to advance missions of national importance for government programs, national laboratories, national security facilities, nuclear operations, and complex commercial projects. We support clients at every stage, from strategic planning and program management to the execution of project management, procurement, supply chain management, quality, safety, security, nuclear and systems engineering and technical activities. We strive to attract and retain the best talent because it delivers the best results and "Delivery Certainty" for our clients. Our capabilities are based on our experience in complex, secure, and highly regulated environments. We leverage our expertise and capabilities to provide mission-driven integrated services, systems, and solutions tuned to our clients' mission needs, challenges, requirements, expected results, and strategic direction. Work that Matters. People that Matter More. At BGS, we believe meaningful work starts with great people. We foster a culture built on respect, collaboration, and accountability-where employees are empowered to contribute ideas, grow professionally, and make an impact. We care about our employees' well-being through competitive benefits, clear expectations, and an environment that values both excellence and connection.