CMMC / NIST Consultant / Analyst

Reposted 3 Days Ago
Fort Worth, TX, USA
In-Office
Mid level
Information Technology • Consulting • Cybersecurity
The Role
The role involves providing consulting for CMMC and NIST compliance, developing and maintaining SSPs, and conducting evidence collection. The consultant will draft compliance documentation and support remediation tracking in a remote environment.

About the Role 

Hotman Group is a boutique cybersecurity and GRC consulting firm doing meaningful work for clients who need GRC done right across the Defense Industrial Base navigating CMMC, NIST 800-171, and federal compliance requirements. We are looking for a mid-level CMMC and NIST practitioner who can step into active client delivery work, produce strong documentation, and help move projects forward without a lot of hand-holding. 

This is a contract role that may be structured as part-time or full-time based on project needs and candidate availability. 

What You Will Do 

As a CMMC / NIST Consultant Analyst at Hotman Group you will contribute directly to active client engagements involving federal compliance frameworks. You will: 

  • Support client engagements related to CMMC readiness, implementation, and documentation 
  • Develop, update, and maintain System Security Plans 
  • Assist with NIST SP 800-171, NIST SP 800-53, and FedRAMP documentation, control mapping, and related deliverables 
  • Gather, organize, and review evidence supporting control implementation 
  • Support CUI scoping discussions, boundary definition, and enclave design 
  • Draft and refine control narratives, policies, procedures, and related compliance documentation 
  • Identify gaps and support development of POA&Ms and remediation tracking 
  • Work directly with client stakeholders to collect information, validate details, and keep deliverables moving 
  • Contribute to readiness efforts tied to assessments, documentation, and ongoing compliance activities 
  • Participate in peer review of deliverables before they go to clients — your work will be reviewed and you will review others 

This is hands-on delivery work in a remote consulting environment. You will be expected to step into active projects and contribute from day one. 

What You Bring 

  • 3 to 5 years of relevant experience in GRC, cybersecurity compliance, or related consulting work 
  • Hands-on experience with CMMC-related work -- this is required, not a nice to have 
  • Direct experience developing or contributing to System Security Plans, evidence collection, remediation documentation, and compliance policies -- also required 
  • Familiarity with NIST SP 800-171, NIST SP 800-53, and FedRAMP 
  • Strong writing and documentation skills -- your deliverables are clear, accurate, and do not require heavy editing before they go to a client 
  • The ability to work directly with client stakeholders, gather information, manage follow-through, and keep work moving 
  • Strong organization and professionalism in a client-facing environment 
  • Comfort stepping into projects that are already in motion and contributing independently with minimal ramp-up time 
  • A default toward communication — you keep the team informed, you acknowledge quickly, and you do not go dark on a deliverable or a client 

Experience supporting CMMC Level 2 efforts, CUI scoping, enclaves, or boundary discussions is a strong plus. Familiarity with POA&Ms, assessment readiness, and control crosswalks is also valued. 

Active certifications such as CCP, CCA, CISSP, CISM, or CISA are preferred. If you do not currently hold a relevant certification, we expect you to be actively pursuing one. 

This role requires direct accountability for work product and outcomes. If your CMMC or NIST experience has been primarily observational or in a support capacity without ownership of documentation or deliverables, this role will be a significant adjustment. 

Requirements 

  • Permanent authorization to work in the U.S. -- no sponsorship of any kind now or in the future 
  • Able to pass a background check 
  • Reliable high-speed internet and a secure, private remote workspace 

Our Hiring Process 

Our process is designed to be straightforward but rigorous. In addition to a written questionnaire and video responses, finalists will complete a practical skills assessment before advancing to a panel interview with our delivery team. The assessment reflects the type of work you will do on active client engagements. If you are confident in your CMMC and NIST expertise, this is your opportunity to show it. 

Why Hotman Group 

At Hotman Group we are not just another consulting firm. You will work alongside people who care about the craft and push each other to do better. No politics, no silos, no hierarchy between you and the people making decisions. 

You will touch more GRC frameworks, more industries, and more client situations in one year here than most practitioners see in five. You will grow because the work demands it. 

The clients you serve will actually notice your work. You are not a number on a headcount. Your name is on the deliverable. 

If you want to do real GRC work, get better at it every day, and work with a team that holds itself to a high standard — this is the place. 

No phone calls please. 

Skills Required

  • 3-5 years of relevant experience in GRC, cybersecurity compliance, or related consulting work
  • Hands-on experience with CMMC-related work
  • Experience working with SSPs, policies, procedures, evidence collection, and remediation documentation
  • Familiarity with NIST SP 800-171, NIST SP 800-53, and FedRAMP
  • Strong writing and documentation skills
  • Authorized to work in the U.S.

The Company
HQ: Fort Worth, Texas
14 Employees
Year Founded: 2016

What We Do

Since 2016, Hotman Group has worked with hundreds of business leaders to help them feel more confident in their cybersecurity programs. We take the build - implement - run approach to ensure each client is fully equipped to do the right thing when it comes to cybersecurity. First, we start with an assessment to determine where you are based on a benchmark within a security compliance framework like SOC 2, NIST CSF, and others. Then, we strategically prioritize your action items based on the risks to your business. Lastly, we help you set the bar based on the objective you'd like to reach. From a self-governed discipline to an all-inclusive cybersecurity program to the strictest audits, we help you handle it all. Most companies look at their cybersecurity piecemeal, inadvertently putting themselves at risk. With Hotman Group, we approach cybersecurity strategically, with a plan so you can be fully protected.

Specialities: vCISO / Fractional CISO, Cybersecurity, Risk Assessment, Gap Assessment, Maturity, Assessment, SOC 2, HITRUST, HIPAA, NIST CSF, NIST 800-53, ISO 27001, FFIEC, SOC 2 Readiness, Remediation, Auditor Support, Regulator Support, SOC 2 Audit, Data Protection (PHI, PII, PI), Risk Management (ERM), Privacy (GDPR, CCPA, SOC 2), GRC, Third Party Risk Management (TPRM), Supply Chain Risk, Vendor Risk, Business Continuity, Disaster Recovery, Business Impact Analysis (BIA), Metrics, Breach Support, Incident Response (IR), Tabletops
