Cyber Security Specialist (CMMC Compliance)

About Canopy Aerospace & Defense

Canopy A&D is built to accelerate the future of advanced materials for space, defense, and maritime systems. Canopy delivers specialized materials and components that carry customers from concept through sustainment. Canopy A&D’s advanced signal attenuation technologies and production-scale manufacturing accelerate the fielding of platforms that are faster, cooler, and quieter. Our adaptive approach ensures solutions evolve at the pace of shifting challenges, keeping our customers ahead of the curve.

Summary: We are seeking a proactive and knowledgeable Cyber Security Specialist to lead our information security efforts, specifically focusing on achieving and maintaining CMMC 2.0 compliance (Level 1 and/or Level 2). This position acts as the bridge between technical IT security, manufacturing operations (OT), and contractual defense obligations. The ideal candidate understands the unique security challenges of the Aerospace & Defense industry, including the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Key Responsibilities

• Lead the implementation, assessment, and continuous improvement of security controls aligned with NIST SP 800-171 and CMMC 2.0, ensuring organizational readiness for Level 2 certification.
• Own and maintain the System Security Plan (SSP), Plans of Action and Milestones (POA&M), security policies, procedures, and compliance documentation.
• Map and protect Controlled Unclassified Information (CUI) throughout its lifecycle, including data flows across engineering design (CAD/CAM), procurement, quality, manufacturing, and external suppliers.
• Serve as the primary liaison for CMMC assessments, including coordination with C3PAOs, audit preparation, artifact management, and remediation tracking.
• Implement and monitor security controls across both IT and OT environments, including identity and access management, multi-factor authentication, encryption, endpoint detection and response (EDR), SIEM, firewalls, and network segmentation.
• Conduct vulnerability scanning, risk assessments, and gap analyses against NIST SP 800-171 controls, prioritizing mitigation efforts based on operational and contractual risk.
• Lead cyber incident response activities, including documentation and reporting of incidents impacting CUI within required DFARS timelines (e.g., 72-hour reporting).
• Partner cross-functionally with engineering, operations, quality, and leadership to embed cybersecurity into product development and manufacturing processes.
• Oversee relationships with managed service providers (MSPs), cloud providers, and external security vendors to ensure secure configurations and regulatory compliance.
• Develop and deliver practical cybersecurity training tailored to aerospace manufacturing personnel, including phishing awareness, secure technical data handling, and CUI best practices.
• Establish compliance dashboards and executive reporting mechanisms to provide visibility into security posture and remediation progress.
• Support and secure cloud environments, including Microsoft GCC High or Azure Government, where applicable.

Required Qualifications

• Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field.
• 3–5+ years of experience in IT or Cybersecurity, including direct experience supporting CMMC, NIST SP 800-171, or DFARS compliance within the Defense Industrial Base.
• Demonstrated hands-on experience implementing and assessing NIST SP 800-171 security controls.
• Strong understanding of DFARS 252.204-7012 requirements and CMMC 2.0 framework.
• Experience with Windows and/or Linux systems, Active Directory, identity and access management, firewalls, VPNs, endpoint protection platforms, and vulnerability management tools.
• Familiarity with hybrid IT/OT environments and protecting intellectual property within CAD/CAM or manufacturing systems.
• Ability to translate regulatory requirements into scalable technical and operational solutions.
• Strong documentation, communication, and cross-functional leadership skills.
• Must be a U.S. Person (U.S. Citizen or Permanent Resident) due to ITAR/EAR regulations.

Preferred Qualifications

• Experience with Microsoft GCC High (or Azure GovCloud).
• Experience with managed service providers (MSPs) in a manufacturing environment.
• Background in NIST 800-172 or Advanced Persistent Threat (APT) protection.
• CMMC Certified Professional (CCP or CCA), CISSP, CISM, Security+, or equivalent certification.

$130,000 - $150,000 a year

Job Details

· Type: Full-time

· Business Hours: Core

· Location: Remote, California

· Reports to Chief Information Officer, Canopy Aerospace & Defense

Your actual level and base salary will be determined on a case-by-case basis and may vary based on the following considerations: job-related knowledge and skills, education, and experience.

Total compensation will also include a comprehensive set of benefits including but not limited to: Company paid employee medical, dental and vision insurance. Retirement plan participation (eligibility required), paid sick leave, paid vacation, paid holidays and discretionary bonuses.

EXPORT CONTROL REQUIREMENTS:

To conform to US Government export regulations, the applicant must be a (i) US Citizen, (ii) lawful permanent resident of the U.S. (aka green card holder), (iii) protected individual as defined by U.S.C. 1324b(a)(3), or (iv) eligible to obtain the required authorizations from the U.S. Department of State.

Canopy A&D is an Equal Opportunity Employer, employment with Canopy A&D is governed on the basis of merit, competence and qualifications and will not be influenced in any manner by race, color, religion, gender, national origin/ethnicity, veteran status, disability status, age, sexual orientation, gender identity, marital status, mental or physical disability or any other legally protected status.

We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.