The single most common misconception about water utility cybersecurity is that there is no federal requirement. There is. It does not look like a dedicated cybersecurity rule, which is why people miss it, but it is enforceable, EPA is actively enforcing it, and the penalties are real. This post lays out exactly what federal law requires, what it does not, and how the picture changed between 2023 and today.
The short answer: it lives in the Safe Drinking Water Act
There is no standalone EPA cybersecurity regulation for water utilities. The enforceable federal requirement lives in Section 1433 of the Safe Drinking Water Act, which was rewritten by America's Water Infrastructure Act (AWIA) in 2018. It requires every community water system serving more than 3,300 people to do two things and certify both to EPA:
- Complete a Risk and Resilience Assessment (RRA).
- Prepare an Emergency Response Plan (ERP) based on that assessment.
Cybersecurity is not optional inside these documents. The statute requires the RRA to evaluate the system's electronic, computer, and other automated systems, which is cybersecurity by another name. The ERP must then include the strategies and resources to detect, respond to, and recover from a cyber incident. So while nobody hands you a checklist labeled "EPA cybersecurity rule," the law already obligates you to assess your cyber risk and plan your cyber response, and to attest that you did.
Why people think the rule was cancelled
The confusion is understandable, because EPA did try to create something more prescriptive and then had to pull it back.
In March 2023, EPA issued an interpretive memorandum telling states they must evaluate the cybersecurity of operational technology when conducting sanitary surveys, the periodic on-site inspections every public water system receives. It would have made cyber a graded part of routine state audits. Industry groups and several states objected that EPA had effectively created a new rule without going through formal rulemaking. Missouri, Arkansas, and Iowa sued. The 8th Circuit Court of Appeals stayed the memorandum in July 2023, and on October 11, 2023, EPA withdrew it.
Here is the part that gets lost: only the sanitary survey memo went away. The underlying AWIA requirements never did. Section 1433 is statute, not a discretionary memo, and it remains fully in force. Withdrawing the memo removed one enforcement mechanism. It did not remove the obligation to assess cyber risk and plan for a cyber incident.
EPA is enforcing, and the compliance rate is poor
If the withdrawal left any impression that water cybersecurity had gone quiet at the federal level, EPA's May 20, 2024 enforcement alert ended it. The alert reported that, based on recent inspections, more than 70 percent of water systems inspected were not fully compliant with Safe Drinking Water Act Section 1433, and that some had critical cybersecurity vulnerabilities, specifically calling out default passwords that were never changed and single shared logins that are trivial to compromise.
EPA's stated response was to increase inspections and to pursue civil and criminal enforcement where warranted, using its existing Section 1433 authority. The message to operators is direct: the requirement is not new, most systems are not meeting it, and the agency is now looking. A missing or stale RRA or ERP, or an assessment that never seriously examined the OT network, is now an enforcement exposure, not just a paperwork gap.
The deadlines you are actually on the hook for
AWIA compliance runs on a five-year cycle, so the systems that certified in 2020 and 2021 are now in their recertification round. The current deadlines are set by population served:
| Population served | Recertification deadline |
|---|---|
| 100,000 or more | March 31, 2025 |
| 50,000 to 99,999 | December 31, 2025 |
| 3,301 to 49,999 | June 30, 2026 |
Both documents are certified to EPA separately: EPA Form 8170-1 for the Risk and Resilience Assessment and EPA Form 8170-2 for the Emergency Response Plan. If your first-round assessment treated cybersecurity as a paragraph rather than a real evaluation of your control systems, recertification is the moment to fix it, before an inspector does it for you.
What a credible RRA and ERP look like on the cyber side
EPA and its partners publish tooling for this, including the Vulnerability Self-Assessment Tool (VSAT), the Baseline Information on Malevolent Acts reference, the Small System Risk and Resilience Assessment Checklist, and an ERP template. The tools are useful, but they only produce a credible result if the underlying controls exist. In practice, an assessment that survives scrutiny can answer three questions with evidence rather than assertion:
- Do you know your OT assets? A Risk and Resilience Assessment that has never enumerated the RTUs, PLCs, engineering laptops, and vendor modems on the control network is assessing a system it cannot see. The inventory is the foundation.
- Is access to control systems attributable? Default passwords and shared logins are the exact failures EPA named. The fix is not a stronger password policy on equipment that barely supports one, it is an identity-bound access layer in front of the OT, so every connection maps to a named person and is protected by MFA. We cover the mechanics in How to Implement MFA in Legacy OT Environments Without Breaking Operations.
- Can you prove response and recovery? The ERP requirement is not satisfied by a document. EPA's emphasis has shifted toward evidence: you do it, you can prove it, and you have tested recovery. A tamper-evident audit trail and a rehearsed incident response plan are what turn a written ERP into a defensible one.
For the full architecture that ties these controls together for a utility OT network, see our reference whitepaper, Zero Trust for Utility OT.
Where federal meets state: New York went further
The federal floor is AWIA. Some states are now building above it. New York became the first state to make cybersecurity an enforceable, control-specific requirement for public water systems, through its DOH Part 5 and DEC Part 6 rules, with the core operational technology requirements taking effect January 1, 2027. New York's program is deliberately aligned with the federal baseline, so the assessment work you do for AWIA feeds directly into state compliance, and vice versa.
If you operate in New York, treat AWIA and Part 5 as one program, not two. Our New York water cybersecurity hub maps the state requirements in detail, and the DOH Part 5 deep dive walks through exactly what the state adds on top of the federal floor.
The bottom line
Federal water cybersecurity is often described as unregulated. It is not. AWIA Section 1433 requires every community water system over 3,300 people to assess its cyber risk and plan its cyber response, the 2025 to 2026 recertification deadlines are active now, and EPA has said plainly that it is inspecting and enforcing against systems that fall short. The withdrawn 2023 memo changed one enforcement path, not the obligation. Build a real OT asset inventory, put attributable and MFA-protected access in front of your control systems, and keep evidence you can show an inspector. That satisfies the federal requirement, prepares you for whatever your state adopts next, and, more to the point, actually protects the water.