Microsoft Cloud Security Architect

About the position Chevo is hiring a Microsoft Cloud Security Architect to serve as Key Personnel on the DOI Office of Wildland Fire (OWF) FireNet Enterprise Business Services contract. FireNet is a Microsoft 365/Azure-based interagency collaboration platform supporting federal, state, tribal, and local wildland fire operations across DOI, USDA Forest Service, and non-federal partners. In this role, you will own hands-on security engineering for the FireNet tenant, working directly within the Government's Change Advisory Board (CAB) approval process and serving as the on-call technical resource for Priority 1 security incidents.

Responsibilities

• Engineer, implement, and continuously improve the security posture of the FireNet Microsoft 365 and Azure environment.
• Configure and maintain Entra ID Conditional Access policies, Multi-Factor Authentication (MFA), and Privileged Identity Management (PIM) to enforce a zero-trust, least-privilege posture across all privileged and high-risk roles.
• Manage guest and external identity lifecycle including entitlement management, access packages, and periodic access reviews in coordination with Government ISSOs and program stakeholders.
• Will be solely accountable for Microsoft Secure Score and Identity Secure Score improvements, developing and executing a monthly action plan to achieve net-positive score improvements and remediating critical findings within 10 business days or an approved POA&M.
• Will build and maintain Microsoft Defender for Cloud and Microsoft Sentinel analytics rules, incident playbooks, KQL workbooks, and queries to detect and respond to threats across the tenant.
• Support Purview data loss prevention and sensitivity label implementation as authorized by the Government and ensure all logging and telemetry pipelines are configured for continuous monitoring IAW the DOI Continuous Monitoring Plan and FISMA requirements.
• Provide on-call coverage for Priority 1 security and platform incidents, with expectations to acknowledge within 30 minutes, begin triage within 1 hour, and restore or implement a workaround within 4 hours.
• Prepare CAB packets for security-scoped changes, coordinate with the Power Platform CoE Lead and Web Development team on security controls and DevOps pipeline guardrails and contribute to monthly Security Posture Reports and knowledge transfer documentation for Government ISSOs

Requirements

• Ability to obtain and maintain a Federal Public Trust (NACI) and be comfortable serving in an on-call capacity during national wildland fire preparedness seasons (National Preparedness Level 3–5).
• Demonstrated, hands-on experience engineering enterprise Microsoft 365 and Azure security environments, including deep proficiency with Entra ID (Azure Active Directory), Conditional Access, PIM, MFA, and zero-trust architecture principles.
• Experience with Microsoft Defender for Cloud, Microsoft Sentinel, and KQL for custom analytics rules and threat hunting is required.
• Familiarity with Microsoft Purview and data governance controls within a government environment.
• Experience operating in DOI, FISMA, FedRAMP, or NIST 800-53 compliance environments is strongly preferred.
• Familiarity with DOI or other Federal agency security operations and authorization-to-operate (ATO/A&A) documentation is a plus.
• Relevant Microsoft certifications such as SC-100 (Cybersecurity Architect), SC-200 (Security Operations Analyst), SC-300 (Identity and Access Administrator), or AZ-500 (Azure Security Engineer) are highly desirable and may substitute for certain experience requirements consistent with the GSA MAS pricelist.

Benefits

• Chevo offers a comprehensive benefits package including medical, dental and vision coverage, paid leave, observes all 11 federal government holidays, 401K plan with matching, monthly SMART card employer contribution for commuting expenses, tuition assistance and more!

Apply tot his job Apply To this Job