nuvioIT is a Norfolk, VA-based Managed Security Service Provider and CyberAB Registered Practitioner Organization (RPO) serving the Defense Industrial Base.
The Role
This is a hands-on engineering role with two halves
The first half is implementation: leading client projects end-to-end such as GCC High tenant builds and migrations, Microsoft security stack deployments, hardening engagements, network refresh and segmentation work, workstation lifecycle initiatives, and new-client onboardings. You will own these projects from kickoff through go-live and warranty period.
The second half is operations: maintaining what you and we have built. This incldues configuration drift audits, baseline tuning, vendor coordination, Tier 3 escalation, and the steady-state engineering work that keeps DIB-grade environments DIB-grade after the project closes. The president of the company does not see escalated tickets; you are the buck-stop.
Approximate workload mix (transparent expectations)
- Project implementation: ~20–30% GCC High migrations, stack deployments, hardening engagements
- Steady-state operations & Tier 3 escalation: ~25–30%
- Onsite work at client locations: ~10–15% endpoint deployment, network gear, in-person remediation
- Internal engineering & documentation: ~10–15% nuvioIT's own stack, runbooks, evidence artifacts
- Mentorship & cross-team collaboration: ~5–10% service desk Tier 2/3 development
What You'll Actually Do
Project Implementations
You will lead these project types independently from kickoff through transition to ongoing support. We are listing them at the level of specificity we expect you to be able to scope and deliver:
- Microsoft 365 Commercial to GCC High tenant migrations - identity cutover, mail and SharePoint/OneDrive data migration, endpoint re-enrollment, conditional access rollout, license reconciliation
- Greenfield Microsoft 365 GCC High tenant builds for CMMC-aligned DIB subcontractors - zero to user-ready, hardened to baseline
- Microsoft Defender stack deployments - Endpoint, Identity, Office 365, Cloud Apps — including rule tuning, ASR rules, alert workflow integration
- Microsoft Intune deployments - configuration profiles, compliance policies, app protection policies, Autopilot Hybrid and Cloud-native, Windows update rings
- Conditional Access policy stack design and rollout - named locations, device compliance, session controls, risk-based policies, break-glass coverage
- Microsoft Sentinel SIEM deployments - data connectors, baseline analytic rules, KQL tuning, workbook deployment
- Fortinet firewall deployments and refreshes - VLAN segmentation, site-to-site VPN configuration, SSL inspection where applicable, log forwarding to SIEM
- Endpoint lifecycle initiatives - workstation refresh, OS standardization, hardware procurement coordination, deployment via Autopilot
- New office build-outs and office moves - network gear procurement and configuration, endpoint enrollment, M365 baseline application, user onboarding
- Migration off non-compliant tooling
Ongoing Operations & Tier 3
- Quarterly configuration drift audits across client M365 tenants and network gear - identify deviations from baseline, remediate, document
- Microsoft Intune compliance and configuration policy maintenance - keeping baselines current as Microsoft features evolve
- Conditional Access policy reviews and tuning - quarterly review cadence per client
- Microsoft Defender alert triage - take escalations from Tier 1/2, drive root cause and remediation
- Tier 3 escalation - any technical issue the service desk cannot close
- Vendor coordination - Microsoft, SentinelOne, Huntress, Duo, Fortinet, ConnectWise for complex configuration, integration, and support issues
- Network operations across client environments - switch and firewall configuration changes, VLAN adjustments, troubleshooting
Onsite Work
This role includes periodic onsite work at client locations.
Typical onsite work includes:
- Endpoint deployment and remediation for clients without remote-only support options
- Network gear installation and rack work - switches, firewalls, access points, cabling
- Migration cutover support - being on-site for critical user-experience moments
- In-person client engagement at kickoff and major project milestones
A valid US driver's license is required. Mileage and travel are reimbursed.
Required Experience
Hard Requirements
- 4-6 years of professional IT/security engineering experience, with at least 3 years of recent, hands-on Microsoft 365 security stack work in production environments
- You can independently scope and deliver an M365 migration project
- You have personally configured Microsoft Defender (Endpoint, Identity, Office 365) in production. You can describe how you tuned a rule, triaged an alert, and closed a finding
- You have personally designed and deployed Microsoft Intune configuration profiles, compliance policies, and app protection policies. You can describe the difference between a configuration profile and a compliance policy without thinking about it.
- You have personally designed Conditional Access policy stacks in production. You can explain the trade-offs between named-location-based, device-compliance-based, session-control-based, and risk-based policies, and how you handle break-glass coverage.
- Working competence with Microsoft Sentinel - data connectors, basic KQL, rule tuning.
- Comfortable in PowerShell - Microsoft Graph SDK, Exchange Online, Entra, Intune.
- Hands-on networking competence - you can configure VLANs on a managed switch, build firewall rules from scratch, and troubleshoot a site-to-site VPN tunnel. Fortinet experience preferred but not required.
- Valid US driver's license. You will drive to client sites occasionally.
- US citizenship with no disqualifying factors for federal security clearance (clearance not required at hire, but candidate must be clearable).
- Strong written communication. Change records, runbooks, and client-facing project updates are part of every deliverable.
Strongly Preferred
- Direct hands-on experience with Microsoft 365 GCC High - tenant builds, migrations, or steady-state operations. Even one prior GCC High engagement is a meaningful differentiator.
- MSP / MSSP - you understand multi-tenant work, change windows, ticket-driven delivery, and client communication norms.
- Active or recent Microsoft certifications: SC-200, SC-300, SC-400, MS-102, AZ-500, or equivalent legacy credentials (MS-500, MCSE).
- Hands-on familiarity with CIS Benchmarks, DISA STIGs, or Microsoft Security Baselines applied to production environments.
- Experience with SentinelOne, Huntress, Cisco Duo, ConnectWise PSA/RMM, Fortinet.
- Working familiarity with CMMC Level 2, NIST SP 800-171, or DFARS 7012 from an implementation point of view. You do not need to be the policy author, you need to be able to read a control and configure to it.
Bonus Points
- Active or recent DoD security clearance (Secret or higher)
- Prior DIB contractor experience - inside a prime, sub, or on the MSP side serving DIB clients
- Hyper-V or VMware experience for server consolidation projects
- Hybrid identity experience - Entra Connect, ADFS, on-premises AD integration
- Azure infrastructure experience beyond M365 - networking, Key Vault, log analytics, Azure governance
- Scripting or automation beyond PowerShell - Python, Logic Apps, Power Automate
Pay: $75,000.00 - $85,000.00 per year
Benefits:
- Health insurance
- Paid time off
Work Location: Hybrid remote in Norfolk, VA 23510