TroutTrout
Back to Blog
UtilitiesWaterComplianceEPA

EPA Cybersecurity Requirements for Water and Wastewater Systems

Trout Team7 min read

The single most common misconception about water utility cybersecurity is that there is no federal requirement. There is. It does not look like a dedicated cybersecurity rule, which is why people miss it, but it is enforceable, EPA is actively enforcing it, and the penalties are real. This post lays out exactly what federal law requires, what it does not, and how the picture changed between 2023 and today.

The short answer: it lives in the Safe Drinking Water Act

There is no standalone EPA cybersecurity regulation for water utilities. The enforceable federal requirement lives in Section 1433 of the Safe Drinking Water Act, which was rewritten by America's Water Infrastructure Act (AWIA) in 2018. It requires every community water system serving more than 3,300 people to do two things and certify both to EPA:

  1. Complete a Risk and Resilience Assessment (RRA).
  2. Prepare an Emergency Response Plan (ERP) based on that assessment.

Cybersecurity is not optional inside these documents. The statute requires the RRA to evaluate the system's electronic, computer, and other automated systems, which is cybersecurity by another name. The ERP must then include the strategies and resources to detect, respond to, and recover from a cyber incident. So while nobody hands you a checklist labeled "EPA cybersecurity rule," the law already obligates you to assess your cyber risk and plan your cyber response, and to attest that you did.

Why people think the rule was cancelled

The confusion is understandable, because EPA did try to create something more prescriptive and then had to pull it back.

In March 2023, EPA issued an interpretive memorandum telling states they must evaluate the cybersecurity of operational technology when conducting sanitary surveys, the periodic on-site inspections every public water system receives. It would have made cyber a graded part of routine state audits. Industry groups and several states objected that EPA had effectively created a new rule without going through formal rulemaking. Missouri, Arkansas, and Iowa sued. The 8th Circuit Court of Appeals stayed the memorandum in July 2023, and on October 11, 2023, EPA withdrew it.

Here is the part that gets lost: only the sanitary survey memo went away. The underlying AWIA requirements never did. Section 1433 is statute, not a discretionary memo, and it remains fully in force. Withdrawing the memo removed one enforcement mechanism. It did not remove the obligation to assess cyber risk and plan for a cyber incident.

EPA is enforcing, and the compliance rate is poor

If the withdrawal left any impression that water cybersecurity had gone quiet at the federal level, EPA's May 20, 2024 enforcement alert ended it. The alert reported that, based on recent inspections, more than 70 percent of water systems inspected were not fully compliant with Safe Drinking Water Act Section 1433, and that some had critical cybersecurity vulnerabilities, specifically calling out default passwords that were never changed and single shared logins that are trivial to compromise.

EPA's stated response was to increase inspections and to pursue civil and criminal enforcement where warranted, using its existing Section 1433 authority. The message to operators is direct: the requirement is not new, most systems are not meeting it, and the agency is now looking. A missing or stale RRA or ERP, or an assessment that never seriously examined the OT network, is now an enforcement exposure, not just a paperwork gap.

The deadlines you are actually on the hook for

AWIA compliance runs on a five-year cycle, so the systems that certified in 2020 and 2021 are now in their recertification round. The current deadlines are set by population served:

Population servedRecertification deadline
100,000 or moreMarch 31, 2025
50,000 to 99,999December 31, 2025
3,301 to 49,999June 30, 2026

Both documents are certified to EPA separately: EPA Form 8170-1 for the Risk and Resilience Assessment and EPA Form 8170-2 for the Emergency Response Plan. If your first-round assessment treated cybersecurity as a paragraph rather than a real evaluation of your control systems, recertification is the moment to fix it, before an inspector does it for you.

What a credible RRA and ERP look like on the cyber side

EPA and its partners publish tooling for this, including the Vulnerability Self-Assessment Tool (VSAT), the Baseline Information on Malevolent Acts reference, the Small System Risk and Resilience Assessment Checklist, and an ERP template. The tools are useful, but they only produce a credible result if the underlying controls exist. In practice, an assessment that survives scrutiny can answer three questions with evidence rather than assertion:

  • Do you know your OT assets? A Risk and Resilience Assessment that has never enumerated the RTUs, PLCs, engineering laptops, and vendor modems on the control network is assessing a system it cannot see. The inventory is the foundation.
  • Is access to control systems attributable? Default passwords and shared logins are the exact failures EPA named. The fix is not a stronger password policy on equipment that barely supports one, it is an identity-bound access layer in front of the OT, so every connection maps to a named person and is protected by MFA. We cover the mechanics in How to Implement MFA in Legacy OT Environments Without Breaking Operations.
  • Can you prove response and recovery? The ERP requirement is not satisfied by a document. EPA's emphasis has shifted toward evidence: you do it, you can prove it, and you have tested recovery. A tamper-evident audit trail and a rehearsed incident response plan are what turn a written ERP into a defensible one.

For the full architecture that ties these controls together for a utility OT network, see our reference whitepaper, Zero Trust for Utility OT.

Where federal meets state: New York went further

The federal floor is AWIA. Some states are now building above it. New York became the first state to make cybersecurity an enforceable, control-specific requirement for public water systems, through its DOH Part 5 and DEC Part 6 rules, with the core operational technology requirements taking effect January 1, 2027. New York's program is deliberately aligned with the federal baseline, so the assessment work you do for AWIA feeds directly into state compliance, and vice versa.

If you operate in New York, treat AWIA and Part 5 as one program, not two. Our New York water cybersecurity hub maps the state requirements in detail, and the DOH Part 5 deep dive walks through exactly what the state adds on top of the federal floor.

The bottom line

Federal water cybersecurity is often described as unregulated. It is not. AWIA Section 1433 requires every community water system over 3,300 people to assess its cyber risk and plan its cyber response, the 2025 to 2026 recertification deadlines are active now, and EPA has said plainly that it is inspecting and enforcing against systems that fall short. The withdrawn 2023 memo changed one enforcement path, not the obligation. Build a real OT asset inventory, put attributable and MFA-protected access in front of your control systems, and keep evidence you can show an inspector. That satisfies the federal requirement, prepares you for whatever your state adopts next, and, more to the point, actually protects the water.

FAQ

Frequently Asked Questions

Is there a federal cybersecurity regulation for water utilities?
There is no standalone EPA cybersecurity rule. The enforceable federal requirement lives in Safe Drinking Water Act section 1433, added by America's Water Infrastructure Act (AWIA) in 2018. It requires community water systems serving more than 3,300 people to complete a Risk and Resilience Assessment and an Emergency Response Plan that both address cybersecurity.
What happened to the EPA cybersecurity sanitary survey rule?
In March 2023, EPA issued a memorandum requiring states to evaluate operational technology cybersecurity during sanitary surveys. Missouri, Arkansas, and Iowa challenged it, the 8th Circuit stayed it in July 2023, and EPA withdrew the memorandum on October 11, 2023. The AWIA risk assessment and emergency response plan requirements remain fully in force.
Does AWIA require water utilities to address cybersecurity?
Yes. A Risk and Resilience Assessment under AWIA must evaluate the utility's electronic, computer, and other automated systems, which is cybersecurity. The Emergency Response Plan must include strategies and resources to respond to a cyber incident. Both must be certified to EPA.
When are the AWIA recertification deadlines?
Systems serving 100,000 or more recertified by March 31, 2025. Systems serving 50,000 to 99,999 by December 31, 2025. Systems serving 3,301 to 49,999 by June 30, 2026. Recertification runs on a five-year cycle.
Is EPA actually enforcing water cybersecurity?
Yes. In a May 2024 enforcement alert, EPA reported that more than 70 percent of inspected systems were not fully compliant with Safe Drinking Water Act section 1433, some with critical vulnerabilities such as default passwords. EPA said it would increase inspections and pursue civil and criminal enforcement where warranted.