IT Systems Engineer
Cincinnati, OH
Full Time
Experienced
Position Title: IT Systems Engineer
Reports to: Director of Finance with line into Compliance
Direct reports: 1 (IT Specialist)
Location: Cincinnati, OH (Hybrid option after introductory period)
Luxfer Magtech specializes in developing, manufacturing, and supplying a broad range of products that safeguard and protect, from infrared countermeasure flares that protect pilots from incoming missiles and chemical response kits designed to help safeguard life in chemical warfare attacks, to nutritious food and beverage options for militaries and first responders.
Summary:
We’re hiring a Systems Engineer to lead and execute our NIST 800-171 and CMMC Level 2 compliance initiatives. This role bridges hands-on IT engineering, security control implementation, and program management. You’ll own the technical roadmap, stand up and harden the environment (e.g., GCC High/M365, Entra ID/Intune/Defender), implement and validate controls, maintain documentation (SSP, POA&M, policies), as well support day-to-day IT operations.
Key Responsibilities:
Compliance & Security Engineering (40%)
- Lead technical implementation of NIST 800-171 and CMMC L2 controls across endpoints, identity, network, and SaaS.
- Stand up and administer compliant enclaves (e.g., Microsoft 365 GCC High), including Entra ID/Conditional Access, MFA, RBAC/least privilege, Intune device compliance, BitLocker, Defender for Endpoint/Office/Identity, and logging/retention.
- Engineer FIPS-validated encryption at rest/in transit; implement secure configuration baselines (CIS/NIST); enforce vulnerability management SLAs (scan, prioritize, remediate, verify).
- Build/maintain centralized logging and alerting (e.g., Microsoft Sentinel or equivalent SIEM), including detections for CUI handling and incident response playbooks.
- Implement secure backup & recovery (3-2-1, immutable/air-gapped copies, tested restores, RPO/RTO targets).
- Own the network compliance program plan with milestones, dependencies, and budget; drive cross-functional execution with IT, Security, Compliance, Operations, Legal and other key stakeholders.
- Maintain the SSP, POA&M, SPRS score, system boundary diagrams, data flows, and control evidence.
- Coordinate external partners (MSP/MSSP, auditors, assessors) and manage Statements of Work.
- Prepare for assessments (readiness reviews, objective evidence, control owner coaching).
- Draft, update, and enforce policies/standards/SOPs (access control, media protection, incident response, change mgmt, asset mgmt, BYOD, data retention, secure development, etc.).
- Establish configuration management and change control processes with complete audit trails.
- Train users on CUI handling, phishing, secure collaboration, and incident reporting.
- Oversee identity lifecycle, privileged access management, SSO, and conditional access.
- Administer Windows endpoints/servers, patching, GPO/Intune baselines, application packaging, and certificate management.
- Support network security (VLANs, firewalls, VPN/Zero Trust, DNS security) and SaaS governance (DLP, eDiscovery, sensitivity labels, data classification).
- Manage corporate hardware assets including PCs, laptops, tablets (iOS/Android), Zebra/industrial handhelds, scanners, and production-floor business hardware.
- Oversee configuration, deployment, inventory accuracy, preventative maintenance, and support for cameras and security camera systems (direct oversight and contractor coordination).
- Maintain lifecycle and warranty management processes for all IT hardware (procurement, imaging, deployment, repairs, replacements, and decommissioning).
- Manage and coach one direct report; set goals, delegate work, review performance, and develop necessary skills aligned to the future network system roadmap.
- Establish runbooks, escalation paths, and coverage plans.
- Perform other duties as assigned to support the IT, security, and compliance mission of the organization.
- 3–5+ years in systems engineering or security engineering within corporate IT, including hands-on M365/Entra ID/Intune administration.
- Demonstrated experience implementing NIST 800-171 or CMMC controls end-to-end (policy → tech control → evidence).
- Strong knowledge of DFARS 252.204-7012, incident reporting, CUI handling, and audit readiness.
- Proficiency with Windows client/server, Group Policy/Intune, Defender suite, SIEM (Sentinel preferred), vulnerability scanners (Defender TVM, Tenable, or Qualys), backup platforms, and PowerShell automation.
- Solid networking fundamentals: TCP/IP, DNS/DHCP, VLANs, VPN/Zero Trust, firewall rules, TLS/PKI.
- Hands-on experience supporting standard corporate endpoint hardware, including Windows PCs, laptops, and iOS/Android mobile devices, along with responsibility for routine hardware lifecycle processes (procurement, imaging, deployment, warranty coordination, and decommissioning).
- Proven project management ability (timelines, risks, budgets, vendors) and proficient documentation skills.
- Experience with GCC-High tenant builds/migrations and FedRAMP services.
- Prior work in defense/regulated manufacturing (ITAR/EAR awareness).
- Certifications: Security+ or CySA+, Microsoft (SC-200/SC-300/MD-102/AZ-500), CISSP, CCSP, or PMP.
- Exposure to—or direct experience with—industrial tablets, Zebra handheld scanners, and other ruggedized production-floor devices commonly used in manufacturing environments.
- Exposure to EDR/XDR tuning, DLP/sensitivity labels, eDiscovery, and data classification.
Benefits:
This position requires access to our export-controlled commodities, technical data, technology, and services. These items are restricted under the International Traffic in Arms Regulations (ITAR) to U.S. Citizens, Lawful Permanent Residents of the U.S., and properly licensed foreign persons. Therefore, employment is contingent on compliance with ITAR regulations and successfully obtaining and maintaining the necessary export authorization license from the U.S. Department of Commerce’s Bureau of Industry and Security, U.S. Department of State’s Office of Defense Trade Controls, or other applicable government agency. Candidates must be authorized to work in the US.
Luxfer is an Equal Employment Opportunity (EEO) employer and does not discriminate on the basis of race, color, national origin, religion, gender, age, veteran status, political affiliation, sexual orientation, marital status, or disability (in compliance with the Americans with Disabilities Act) with respect to employment opportunities. Women, minorities, and veterans are encouraged to apply.
- Medical, Vision, Dental *Start on the 1st day of the following month after being hired*
- 401k with Company match of up to 6%!
- 12 Company Paid Holidays
- Additional PTO
- Luxfer Group (NYSE: LXFR)
This position requires access to our export-controlled commodities, technical data, technology, and services. These items are restricted under the International Traffic in Arms Regulations (ITAR) to U.S. Citizens, Lawful Permanent Residents of the U.S., and properly licensed foreign persons. Therefore, employment is contingent on compliance with ITAR regulations and successfully obtaining and maintaining the necessary export authorization license from the U.S. Department of Commerce’s Bureau of Industry and Security, U.S. Department of State’s Office of Defense Trade Controls, or other applicable government agency. Candidates must be authorized to work in the US.
Luxfer is an Equal Employment Opportunity (EEO) employer and does not discriminate on the basis of race, color, national origin, religion, gender, age, veteran status, political affiliation, sexual orientation, marital status, or disability (in compliance with the Americans with Disabilities Act) with respect to employment opportunities. Women, minorities, and veterans are encouraged to apply.
Apply for this position
Required*