The Role: The Cybersecurity Analyst will help lead the CMMC compliance efforts to enable pursuit of new GM Defense and other U.S. Government–regulated programs. This role works with cross-functional teams to execute and assess control implementation, collect and validate audit-ready evidence, and prepare artifacts for external assessments. The analyst works with the GMD GRC team and leads IT, program management, cloud, and engineering teams to ensure compliance with CMMC, NIST SP 800-171, DFARS, FAR, and DoD cybersecurity requirements supporting government contracts. The ideal candidate combines strong understanding of security frameworks combined with technical security depth (on-prem cloud) to manage evidence collection and remediation across multiple internal teams and is capable of obtaining security clearance. What You’ll Do:Drive the overall governance for government programs. Execute annual self-assessments (Continuous Monitoring) on CMMC/ NIST controls and document findings. Coordinate internal teams (IAM, cloud, infrastructure, SOC, endpoint, vulnerability management, application owners) to validate control implementation and operational effectiveness. Identify compliance gaps, manage security exceptions (POA&Ms), and drive remediation prior to audit or customer assessments. Lead CMMC readiness and sustainment activities for GM Defense programs, aligned to NIST SP 800-171 and DoD expectations for CUI protection. Build and maintain assessment-ready evidence packages (policies, procedures, configurations, logs, tickets, reports) aligned to CMMC and DFARS requirements. Your Skills & Abilities (Required Qualifications):Bachelor’s degree in Cybersecurity, Information Systems, Computer Science, or equivalent practical experience . years of cybersecurity experience in regulated or government-contract environments. Experience supporting federally regulated cybersecurity requirements. Experience preparing for third-party or government assessments. Ability to translate and communicate DoD cybersecurity requirements for application teams. Knowledge in the following areas:Identity & Access Management (IAM): RBAC, least privilege, privileged access workflows, MFA, service accounts, access reviews, joiner/mover/leaver processes. Windows & Linux security: GPO/ Intune or equivalent, local admin controls, secure baselines (e.g., CIS-aligned), logging configuration, patch management, hardening validation.Network security: segmentation concepts, firewall rulesets, VPN/ ZTNA, secure remote administration, network device logging, NAC fundamentals, DNS security basics. Endpoint security: EDR capabilities, alert triage/validation, policy enforcement, device encryption, removable media controls. Vulnerability management: scan coverage, risk-based prioritization, remediation workflows, exception handling, validation reporting. SIEM/logging: ability to define log requirements, validate ingestion/retention, produce audit-ready log evidence, and explain detections and response workflows. Practical experience with the following:Working knowledge of FAR and DFARS cybersecurity clauses, including contractor responsibilities for safeguarding CUI and incident reporting. Understanding of government system authorization concepts, shared responsibility models, and secure enclave design. Experience supporting cybersecurity requirements within defense programs, manufacturing, engineering, or supply-chain environments. Experience with secure enclave design, CUI boundary segmentation, or regulated environments in automotive/manufacturing/supply chain contexts. What Will Give You A Competitive Edge (Preferred Qualifications):Cloud Security (AWS/ Azure/ GCP—at least one strongly preferred)Cloud IAM: conditional access concepts, identity federation, role assignments, privileged identity workflows (e.g., JIT/ PIM), access key hygiene. Cloud security posture: policy-as-code fundamentals, CSPM findings interpretation, configuration drift awareness, secure landing zone concepts. Cloud logging & monitoring: Cloud. Trail / Activity Logs, log routing to SIEM, retention/immutability considerations, alerting and response integration. Data protection: encryption at rest/in transit, key management (KMS/ Key Vault), secret management, secure storage access patterns.Network controls in cloud: security groups/ NS - Gs, route tables, private endpoints, egress controls, segmentation principles.#LI-SB 3 GM does not provide immigration-related sponsorship for this role. Do not apply for this role if you will need GM immigration sponsorship now or in the future. This includes direct company sponsorship, entry of GM as the immigration employer of record on a government form, and any work authorization requiring a written submission or other immigration support from the company (e.g., H 1-B, OPT, STEM OPT, CPT, TN, J-1, etc). This role is categorized as hybrid. This means the selected candidate is expected to report to a specific location at least 3 times a week {or other frequency dictated by their manager}. This job may be eligible for relocation benefits. About GM - Our vision is a world with Zero Crashes, Zero Emissions and Zero Congestion and we embrace the responsibility to lead the change that will make our world better, safer and more equitable for all. Why Join Us We believe we all must make a choice every day – individually and collectively – to drive meaningful change through our words, our deeds and our culture. Every day, we want every employee to feel they belong to one General Motors team.