What are the responsibilities and job description for the Lead Compliance Analyst position at Corporate Information Technologies?
Does This Sound Like You?
You are the kind of professional who takes responsibility seriously. You believe that precision matters, that trust is earned through consistency, and that your work should create measurable results. You see compliance not as bureaucracy, but as the framework that protects critical systems and enables lasting security.
Small and mid-sized businesses are the foundation of America’s industrial strength and innovation. Yet they are often the most vulnerable, underfunded, and underdefended organizations in the global threat landscape. At Corporate Information Technologies (CorpInfoTech), we are changing that. Through disciplined application of the Cybersecurity Maturity Model Certification (CMMC) framework, we help organizations meet regulatory requirements, mature their cybersecurity programs, and defend the Nation’s supply chain from those who seek to compromise it.
We are looking for an individual who shares this purpose to join CorpInfoTech as a Lead Compliance Analyst. As a CMMC Level 2 Certified External Service Provider (ESP) and Registered Provider Organization (RPO), we serve small and mid-sized businesses across the Defense Industrial Base, DIB-adjacent industries, and other regulated sectors. Your expertise will help American enterprises achieve and sustain compliance maturity, strengthen their cybersecurity posture, and make it more difficult for adversaries to harm our Nation’s economic and security interests.
Founded in 1998, Corporate Information Technologies (CorpInfoTech) is a nationally recognized Managed Services Provider and Cybersecurity firm. We are a CMMC Level 2 certified External Service Provider (ESP) and a Registered Provider Organization (RPO) under the Cyber AB. Our firm is also an accredited assessor for the Center for Internet Security (CIS) Controls, providing structured, standards-based security evaluations and advisory services.
CorpInfoTech serves regulated and security-sensitive organizations in the small to mid-market sector. Our clients include members of the Defense Industrial Base (DIB) and DIB-adjacent commercial businesses, as well as organizations that handle sensitive information, regulated data, or operate under heightened reputational or compliance risk. We deliver measurable improvements in security maturity and help clients maintain continuous compliance with federal, state, and industry requirements.
Our approach combines technical depth, operational discipline, and a strong governance foundation. By aligning technology management with recognized cybersecurity frameworks, we help clients sustain reliable, defensible, and audit-ready IT environments that meet their contractual and regulatory obligations.
The Lead Compliance Analyst plays a central role in strengthening the cybersecurity posture of organizations that support the defense and regulated commercial sectors. The position’s primary focus is guiding clients through the Cybersecurity Maturity Model Certification (CMMC) framework, from readiness through sustained compliance operations.
This role manages multiple concurrent client engagements, performing ongoing compliance analysis, evaluating technical and procedural controls, and advising on risk remediation. The analyst applies deep knowledge of CMMC practices and assessment methods to achieve measurable, repeatable, and defensible outcomes. Familiarity with the CIS Controls framework is also required to support secondary assessments and provide structured improvement paths for clients operating outside the CMMC ecosystem.
The Lead Compliance Analyst works closely with CorpInfoTech’s technical teams, ensuring that prescribed controls and configuration changes are implemented correctly across diverse environments, including Azure and Microsoft 365. The position also collaborates with both internal and external compliance professionals, auditors, and project stakeholders to maintain alignment between engineering execution and compliance evidence.
The role engages directly with client leadership, technology staff, and partner organizations to ensure that every compliance program advances both operational resilience and national security interests. The analyst’s work contributes to making it more difficult for the Nation’s adversaries to exploit vulnerabilities in U.S. infrastructure, while helping businesses protect sensitive information and maintain trust in the digital economy.
Key Responsibilities
- Compliance Leadership – Lead and manage multiple client compliance initiatives concurrently, maintaining focus on the Cybersecurity Maturity Model Certification (CMMC) framework as the primary standard of reference.
- Readiness and Analysis – Perform consultative readiness activities to prepare clients for formal CMMC assessments. Analyze existing systems, processes, and policies to identify control gaps, misalignments, or risks that may affect compliance or operational resilience.
- Advisory and Coordination – Work with internal technical teams to translate compliance requirements into actionable engineering changes. Collaborate with external assessors, partners, and client representatives to ensure evidence and configurations meet framework expectations.
- CIS Controls Application – Conduct complementary reviews using the CIS Controls framework to benchmark security maturity and recommend prioritized improvements for non-CMMC or mixed-framework environments.
- Documentation and Reporting – Develop, review, and maintain compliance documentation including System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), policies, and procedures. Ensure all deliverables are accurate, consistent, and audit-ready.
- Stakeholder Engagement – Communicate effectively with internal and external stakeholders including executives, compliance professionals, auditors, and technical staff. Facilitate workshops, briefings, and progress reviews that align compliance activities with business and regulatory goals.
- Continuous Improvement – Monitor changes to DoD, CMMC, and CIS requirements. Recommend and implement updates to internal compliance methodologies and client delivery processes to ensure consistency and quality.
- National and Organizational Impact – Strengthen the cybersecurity resilience of U.S. businesses by helping them protect sensitive and regulated information. Support CorpInfoTech’s participation in information-sharing partnerships with threat intelligence organizations (ISAOs and ISACs) and relevant government bodies. Contribute to collective defense by helping make it more difficult for adversaries to exploit American systems and data.
Required Technical Competencies
- Expert-level competence in the Cybersecurity Maturity Model Certification (CMMC) framework and NIST SP 800-171, including control interpretation, evidence validation, and alignment with assessment objectives.
- Comprehensive understanding of networking principles including TCP/IP, VLAN segmentation, routing, firewall configuration, VPN design, and zero trust network architecture consistent with NIST SP 800-207.
- Proficiency with Microsoft Windows Server and client operating systems, including Active Directory, Group Policy management, system hardening, patch management, and event auditing consistent with CIS Benchmarks and DISA STIGs.
- Familiarity with Linux operating systems for configuration review, privilege management, log analysis, and system hardening aligned with CIS Benchmarks.
- Proficiency with Governance, Risk, and Compliance (GRC) platforms for managing control frameworks, risk registers, evidence repositories, and workflow automation.
- Understanding of NIST SP 800-60 and ISO/IEC 27001 principles for information sensitivity and classification and their application to access control, data handling, and retention.
- Ability to interpret and apply secure configuration baselines and align technical controls with organizational risk management and compliance objectives.
- Expert competence in personal and team schedule management, task prioritization, and professional written and verbal communication in English across technical and executive audiences.
Desired Experience
- Prior experience participating in or supporting a Certified Third-Party Assessor Organization (C3PAO) assessment team.
- At least three years of hands-on experience advising or supporting organizations subject to CMMC, NIST SP 800-171, NIST CSF, NIST RMF, or comparable regulatory frameworks.
- Demonstrated ability to bridge technical and compliance disciplines by translating regulatory requirements into operational and engineering actions.
- Experience supporting environments subject to ITAR, EAR, or other export-control or sensitive-information handling requirements.
- Former military or federal civilian service in cybersecurity, intelligence, or compliance roles.
- Experience contributing to or collaborating with Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), or other recognized threat-intelligence communities.
- Experience working with or within Managed Service Providers (MSPs), consulting firms, or similarly compliance-driven service organizations.
- Familiarity with FedRAMP Moderate, NIST SP 800-53, and ISO/IEC 27001 frameworks for cross-mapping and integration of controls.
- Advanced certifications such as CISA, CRISC, CGRC, or CISSP demonstrating proficiency across risk, audit, and governance domains.
- Proficiency with project-management methods or credentials (PMP, PRINCE2, or equivalent) supporting scheduling, coordination, and deliverable tracking across multiple clients.
- Experience mentoring or leading small teams in cybersecurity or compliance program delivery.
- Familiarity with the CIS Controls v8 framework, particularly Implementation Group 3, preferred but not required.
- SANS GIAC GCCC Certification desired.
- Education meeting or exceeding DoDI 8140 standards for cybersecurity work roles, typically a bachelor’s degree in cybersecurity, computer science, information systems, or a related field; equivalent experience may substitute where professional certifications demonstrate comparable competency.
Minimum Requirements
- Minimum of five years in cybersecurity, compliance, or risk management roles.
- Active Cybersecurity Assessor (CCA) credential in good standing with the Cyber AB.
- Certified CMMC Professional (CCP) prerequisite satisfied.
- Must meet DoD 8140.03 baseline for Work Role 612 (Security+, CySA+, CGRC, CISM, CISA, or CISSP).
- SANS GIAC GCCC Certification attained within first 2 years of employment.
- Favorable adjudication of a DoD Tier III background investigation required within the first 12 months; an active Tier III or higher clearance is preferred.
- U.S. Person status required under 22 CFR § 120.15 due to access to ITAR-controlled information.
Professional Attributes
- Exceptional written and verbal communication skills suitable for both executive and technical audiences.
- Strong analytical, organizational, and documentation skills that support accurate, evidence-based decision making.
- Proven ability to manage personal and team schedules effectively in a distributed, client-driven environment.
- Demonstrated professionalism and discretion when handling sensitive, regulated, or export-controlled information.
- Consistent record of reliability, accountability, and independent performance in deadline-driven environments.
- Ability to build and sustain trust across internal and external teams through transparency, clarity, and professional conduct.
- Commitment to professional development through continuing education and annual CPE attainment of at least 40 hours in cybersecurity, compliance, or risk management disciplines.
1. CMMC Readiness and Gap Analysis – 50%
Conduct consultative readiness engagements and detailed gap analyses to prepare clients for formal CMMC assessments. Evaluate existing systems, policies, and processes to identify deficiencies and define remediation priorities.
2. Client Coaching and Advisory – 20%
Provide guidance to client executives, compliance professionals, and technical teams on interpreting CMMC requirements and implementing effective corrective actions. Serve as a trusted advisor throughout the compliance lifecycle.
3. Sales Support and Advisement – 10%
Support business development efforts by contributing technical and compliance expertise during proposal preparation, scoping discussions, and client briefings. Ensure service offerings align with CMMC and CIS compliance capabilities.
4. Audit and Deliverable Validation – 10%
Review, validate, and approve compliance documentation, including System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), and supporting artifacts to ensure accuracy, completeness, and audit readiness.
5. Internal Knowledge Sharing and Standards Monitoring – 5%
Maintain awareness of evolving CMMC, NIST, and CIS requirements. Share insights, updates, and best practices within the organization to strengthen internal capabilities and service consistency.
6. Other Duties as Assigned – 5%
Perform related duties that support CorpInfoTech’s mission, continuous improvement objectives, and client satisfaction.
Travel Requirement:
This position requires up to 20% travel for on-site assessments, workshops, client meetings, and industry events.
Working Conditions:
- Must be able to view video display terminal images for extended periods of time.
- Ability to operate a computer keyboard, mouse, and telephone.
- Ability to speak without electronic assistance to English-speaking end-users, auditors, and assessors.
- Ability to sit, stand, and/or kneel for extended periods of time.
- Up to 20% travel for client site assessments and other related engagements.
- U.S. Citizenship required, as defined under 22 CFR § 120.15.
- Must provide DoD 8140.03 suitability documentation and either hold an active Top Secret (TS) or TS/SCI clearance, or successfully complete a DoD Tier III background investigation within the first 12 months of employment; Tier III adjudication must remain favorable and unrevoked.
- Must maintain continuous qualification and good standing as a Cybersecurity Assessor (CCA) under the Cyber AB, including adherence to all continuing education, code-of-professional-conduct, and ecosystem participation requirements.
- Excellent professional communication skills in English, both written and verbal, suitable for executive and technical audiences.
- Strong leadership and mentoring ability in cybersecurity, compliance, and risk-management programs.
- Demonstrated capability to interpret and apply complex regulatory and security frameworks to practical technical and procedural controls.
- Self-motivated, organized, and capable of managing multiple concurrent projects with minimal supervision.
- Proven reliability in attendance, punctuality, and performance consistency.
Job Type: Full-time
Base Pay: $85,000.00 - $120,000.00 per year
Benefits:
- Dental insurance
- Health insurance
- Life insurance
- Paid time off
- Professional development assistance
- Retirement plan
- Vision insurance
Application Question(s):
- Do you currently hold an active CMMC Certified Assessor (CCA) Certification?
- You’re in Tony Stark’s lab, and J.A.R.V.I.S. reports that the System Security Plan has been deleted. What do you do first, and which CMMC practice or practices support that decision?
Security clearance:
- Secret (Preferred)
Work Location: Hybrid remote in Charlotte, NC 28262
Salary: $85,000 - $120,000