Position Information

Posted Range: $81,120/annually - $133,380/annually. 

The base salary range represents a good faith salary range for this position. This position is eligible for annual incentive pay and has the opportunity for continued salary growth. If you are hired at American Water your base salary compensation will be determined based on factors such as market, geography, skills, education and/or experience. At American Water, we are committed to pay equity. 

In addition to compensation, you will be offered a comprehensive benefits package including 401(k), Defined Contribution Plan, Employee Stock Purchase Plan, medical, prescription, dental and vision coverage, plus disability, paid time off, life insurance, voluntary benefits, health and wellness programs and much more! 

American Water is also proud to offer employees learning opportunities and work experiences to grow professionally!  

Primary Role

The Information System Security Officer (ISSO) is responsible for overseeing cybersecurity compliance and ensuring the protection of information systems that support the operation of water systems across 18 U.S. military installations. The ISSO will serve as the principal security compliance lead, ensuring adherence to federal cybersecurity requirements, industry best practices, and the company’s internal security policies. This role requires a hands-on understanding of Microsoft 365 security capabilities and configuration, as well as experience managing cybersecurity documentation, assessments, and audits in regulated environments.

• Serve as the designated ISSO for information systems supporting Department of Defense (DoD) and other federal contracts.
• Develop, maintain, and manage the System Security Plan (SSP), Plan of Action & Milestones (POA&M), and other artifacts required for compliance with NIST SP 800-171, NIST SP 800-53, and related DoD cybersecurity frameworks.
• Support continuous monitoring activities, ensuring timely updates to security documentation and controls.
• Coordinate and respond to security audits, assessments, and inspections by internal and external stakeholders.
• Track and report compliance metrics, vulnerabilities, and remediation progress to senior leadership.
• Coordinate with Compliance and Legals teams on flow down clauses for vendors working with American Water Military Services Group.

Key Accountabilities

Technical Security Oversight

• Manage and enforce security configurations and compliance baselines within the Microsoft 365 suite, including Azure AD, Exchange Online, SharePoint, OneDrive, Teams, and Defender for Cloud/Endpoint.

• Support implementation and monitoring of Data Loss Prevention (DLP), Information Rights Management (IRM), Conditional Access, and MFA policies.

• Hands on experience with Microsoft M365 Security Services (Defender, Azure Firewall, etc).

• Collaborate with IT and system administrators to ensure systems are securely configured, patched, and monitored in accordance with compliance requirements.

• Review and approve security change requests, security exceptions, and risk acceptance documentation.

  Risk Management & Incident Coordination

• Identify and assess risks to systems and data; recommend mitigation strategies and document residual risk.

• Participate in cybersecurity incident response activities, including root cause analysis and corrective action plans.

• Ensure all incidents and vulnerabilities are documented and tracked through resolution.

  Collaboration & Leadership

• Liaise with DoD cybersecurity representatives, internal engineering teams, and utility leadership to ensure mission assurance and compliance alignment.

• Provide cybersecurity awareness and compliance training to employees and contractors as required.

• Collaborate with Business Development teams on the bidding processes.

• Maintain a culture of cybersecurity accountability and compliance across all business units.

• Manage and enforce security configurations and compliance baselines within the Microsoft 365 suite, including Azure AD, Exchange Online, SharePoint, OneDrive, Teams, and Defender for Cloud/Endpoint.

• Support implementation and monitoring of Data Loss Prevention (DLP), Information Rights Management (IRM), Conditional Access, and MFA policies.

• Hands on experience with Microsoft M365 Security Services (Defender, Azure Firewall, etc).

• Collaborate with IT and system administrators to ensure systems are securely configured, patched, and monitored in accordance with compliance requirements.

• Review and approve security change requests, security exceptions, and risk acceptance documentation.

Risk Management & Incident Coordination

• Identify and assess risks to systems and data; recommend mitigation strategies and document residual risk.
• Participate in cybersecurity incident response activities, including root cause analysis and corrective action plans.
• Ensure all incidents and vulnerabilities are documented and tracked through resolution.

Collaboration & Leadership

• Liaise with DoD cybersecurity representatives, internal engineering teams, and utility leadership to ensure mission assurance and compliance alignment.
• Provide cybersecurity awareness and compliance training to employees and contractors as required.
• Collaborate with Business Development teams on the bidding processes.
• Maintain a culture of cybersecurity accountability and compliance across all business units.

Knowledge/Skills

• Active Top Secret Clearance or the ability to obtain DoD Top Secret Clearance
• Excellent decision-making ability, balancing what is right with what is realistic
• Flexibility to adjust to multiple demands, shifting priorities, ambiguity, and rapid change
• Demonstrated ability to lead through influence and to deliver results through others while overcoming obstacles to success
• Possesses a high energy level, sense of urgency, decisiveness, and an ability to work well under pressure
• Strong knowledge of IT infrastructure, networking, and security principles.
• Strong knowledge of cybersecurity principles, threat hunting, and incident response.
• Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field (or equivalent experience).
• Deep familiarity with NIST SP 800-171, NIST SP 800-53, and DFARS/CMMC requirements.
• Excellent written communication and documentation skills, especially in preparing compliance artifacts and audit responses.
• Experience developing and maintaining DLP policies. Familiarity with Cloud architectures and technologies.
• Familiarity with log analysis, data normalization, and event correlation

Experience/Education

• Bachelors' degree in Computer Science, Information Systems, relevant field of Engineering or similar technology field.
• 3-5+ years of experience in information security, with at least 2 years as an ISSO, compliance analyst, or equivalent role supporting federal or critical infrastructure programs.
• Hands-on experience with Microsoft 365 security administration and compliance tools (Defender, Purview, Azure AD Conditional Access, Compliance Manager).

Travel Requirements

• As necessary, up to 10%

Work Environment

• Primarily in an office environment

Competencies