Drinking water systems will have to conduct risk and resiliency assessments and revise emergency response plans (ERPs) under the newly enacted America's Water Infrastructure Act (S. 3021; Public Law 115-270, enacted October 23, 2018.) Utilities must also review and, if necessary, revise these documents at least every five years.
Attached below are Section 2013 of the bill containing the new provisions, as well as the full text of America's Water Infrastructure Act.
The new law completely rewrites Section 1433 of the Safe Drinking Water Act, which Congress enacted in 2002 in the aftermath of 9/11. That law required all community water systems to complete a one-time vulnerability assessment (VA) examining risks posed by terror attacks, but in recent years some lawmakers have complained that it carried no mechanism to ensure the assessments remained up-to-date.
The new Section 1433 replaces the 2002 VA requirement with a new one that requires community water systems to complete an expanded “risk and resiliency assessment” that has considered physical risks posed by malicious actors and natural disasters, as well as risks from cyber threats. The assessments must consider possible impacts to treatment and distribution infrastructure, as well as intakes and source water. Systems are also required to assess their computer and automated systems, chemical use and storage, operations and maintenance, monitoring practices, and financial infrastructure.
Unlike VAs, the new assessments will not be forwarded to EPA for storage or review. Every five years, utilities would be required to certify to EPA that they have reviewed their assessment and made any necessary revisions. Systems serving 100,000 people or more must submit their initial certifications by March 31, 2020; systems serving 50,000 to 100,000 people, by December 31, 2020; and systems serving between 3,300 and 50,000 people, by June 30, 2021. No later than six months after completing their risk assessments, systems must also certify completion of emergency response plans that address how the system would respond to threats addressed in the assessment.
To help utilities identify threats to be considered in the assessments, the new law also directs EPA to produce baseline information about malicious acts that could substantially disrupt operations or otherwise present significant public health or economic concerns to the community served. EPA must provide the information by August 1, 2019.
EPA will also be providing compliance guidance to utilities, but the agency will not be promulgating regulations.
Also, the law allows EPA to identify acceptable third-party risk assessment tools and frameworks that utilities can use to conduct their assessments and be assured they are meeting the requirements of the law. This would likely include the AWWA J100-10 risk assessment standard. The law also requires EPA to provide guidance and technical assistance to utilities serving fewer than 3,300. And it authorizes $25 million in grants in 2020 and 2021 to help systems reduce vulnerabilities and develop their assessments and ERPs. Whether EPA is able to establish these grant programs will depend on Congressional appropriations.
Some aspects of the new law are not particularly clear; for instance, “monitoring practices” and “financial infrastructure” – required elements of an assessment – are not defined. The water sector is engaged with EPA to clarify these and other provisions.
WaterISAC will continue to update members on the requirements of the new law, as well as direct members to resources to help them produce and update assessments and response plans. WaterISAC’s Resource Center contains many analyses, reports and documents describing threats, threat actors and mitigation options.