TroutTrout
Back to Blog
UtilitiesWaterComplianceNew York

New York DOH Part 5: The Water Cybersecurity Requirements, Explained

Trout Team7 min read

New York is the first state to require cybersecurity for public water systems. The requirements were added to 10 NYCRR Part 5, the state's drinking water regulation, as a new Appendix 5-E. If your system serves more than 3,300 people, they apply to you, and the main operational technology (OT) requirements take effect January 1, 2027.

This post explains what the rules require, who they cover, and how to prepare.

Preparing for the deadline? Trout runs live sessions on New York's Part 5 and Part 6 rules with the operators and engineers doing the work. See the schedule on the NY Part 5 & 6 NYCRR webinar page.

What is 10 NYCRR Part 5?

10 NYCRR Part 5 is the part of the New York State Sanitary Code that governs drinking water. Subpart 5-1 covers public water systems: water quality standards, monitoring, operator certification, and how treatment and distribution are run. DOH already uses it to regulate your system.

The cybersecurity requirements were added to this same regulation, as Appendix 5-E, published in the New York State Register on July 16, 2025. Because they sit inside Part 5, cybersecurity is now part of operating a public water system, checked through the same sanitary surveys and inspections that already review your system.

Wastewater is covered separately by the Department of Environmental Conservation (DEC). DOH and DEC wrote the two sets of rules together and aligned them with federal EPA and CISA guidance. A utility that runs both drinking water and wastewater can follow one program.

Who must comply, and by when?

The rules apply based on how many people your system serves.

Your system servesWhat applies
Fewer than 3,300 peopleThe full program is not required. Basic security still matters, and grant-funded help is available.
More than 3,300 peopleThe full Appendix 5-E program applies. This covers about 318 systems statewide, most serving 3,300 to 50,000 people.
More than 50,000 peopleEverything above, plus a designated cybersecurity lead and continuous monitoring.

There are three separate deadlines:

RequirementEffective date
Incident reporting and operator trainingOn adoption (now)
Information technology rules (Public Service Commission)January 1, 2026
Core operational technology rules (Appendix 5-E)January 1, 2027

The OT requirements take the longest to meet. Building an asset inventory, adding authentication in front of older controllers, and setting up network monitoring across pump stations takes months, and the work has to be scheduled around plant operations. Starting in mid-2026 is late.

What does Appendix 5-E require?

Appendix 5-E follows the six functions of NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. Here is what each one asks for.

NIST CSF 2.0 functionWhat Part 5 requires
GovernA documented cybersecurity program. Systems above 50,000 must name a designated cybersecurity lead responsible for it.
IdentifyA cyber asset inventory covering the OT that runs treatment and distribution. Annual vulnerability assessments, updated within 30 days of any major infrastructure change.
ProtectAuthentication and access management for systems and devices. Cybersecurity training for certified operators.
DetectNetwork monitoring and logging. Continuous monitoring for systems above 50,000.
RespondA tested incident response plan. Incident reporting to DOH within 24 hours of detection, vulnerability reporting within 48 hours.
RecoverDocumented, tested recovery so a compromised system can be returned to safe operation.

You do not need to replace your SCADA. You need to know what is on your network, control who can reach it, monitor it, and keep records that show you did.

The requirements that are hardest for small systems

Three requirements take the most time in practice.

The OT asset inventory. You cannot protect or monitor a device you have not listed. Most utilities have documented their HMIs and historian, but not the RTU at a remote booster station, the vendor's cellular modem, or the laptop that connects to the PLC network. Appendix 5-E expects the inventory to cover the equipment that runs the process, which is the equipment that is hardest to see. Start here. The assessment, the monitoring, and the incident response plan all depend on it.

Authentication for equipment that cannot authenticate. An older PLC has no user accounts, no password policy, and no MFA. The rule still expects access to it to be controlled and tied to a named person. The practical way to do this is to add authentication at the network instead of on the device. You put a control point in front of the PLC, so every connection is tied to a person and protected by MFA, without changing the PLC itself. We explain how this works in How to Implement MFA in Legacy OT Environments Without Breaking Operations.

The 24-hour reporting window. You have to report an incident to DOH within 24 hours of detecting it. That is hard to do without logs that connect a change on a controller to a session and a person. Network monitoring and a tamper-evident record give you the timeline you need to report on time. These are the same controls the Detect and Respond functions already require.

The operator field guide covers the asset inventory method and the air-gap exemption in more detail.

How Part 5 fits with EPA, DEC, and CISA

Part 5 builds on federal rules and sits next to the state wastewater rule. Knowing how they connect keeps you from doing the same work twice.

  • Federal (EPA / AWIA): Under Safe Drinking Water Act section 1433, systems serving more than 3,300 people already have to complete a Risk and Resilience Assessment and an Emergency Response Plan that cover cybersecurity. Part 5 turns that into a state program with specific controls. If you are due for AWIA recertification, do it alongside your Part 5 assessment so the same work counts for both.
  • State wastewater (DEC): DEC's rules apply the same approach to wastewater. A combined utility should run one program.
  • CISA: The controls follow CISA's guidance for the water sector, so meeting Part 5 also addresses the issues CISA advisories raise.

The New York DOH and DEC compliance hub shows the full picture, including how each requirement maps to an on-premise access layer.

How to pay for it: the SECURE grant

New York funded this. The state set up a grant program through the Environmental Facilities Corporation, with free technical assistance, to help systems meet the requirements. For a small utility, the grant can cover much of the assessment and the first set of controls. You can find eligibility and how to apply on the SECURE grant resource page. Line up the funding before you scope the work.

A practical order of work

If you are starting from scratch, this order avoids rework:

  1. Inventory the OT. List every device that touches treatment and distribution, including remote sites and vendor connections.
  2. Run the vulnerability assessment, using the inventory. The same assessment counts for AWIA recertification.
  3. Control access. Add an MFA-protected control point in front of equipment that cannot protect itself, and tie every session to a person.
  4. Turn on monitoring and logging across sites, with a tamper-evident record that supports 24-hour reporting.
  5. Write and test the incident response plan. A plan you have never tested will not hold up during a real event or an inspection.
  6. Train your certified operators, using training that qualifies under the DOH and DEC criteria.

Other states are writing similar rules, so a real program now will serve you beyond New York. Start with the inventory, use the SECURE grant to fund it, and work through the details with the field guide.

FAQ

Frequently Asked Questions

What is New York DOH Part 5 for water cybersecurity?
It is an amendment to 10 NYCRR Subpart 5-1, the state regulation for public water systems. The New York State Department of Health (DOH) added cybersecurity requirements, listed in a new Appendix 5-E, for community water systems serving more than 3,300 people. The main operational technology requirements take effect January 1, 2027.
Who has to comply with the DOH Part 5 cybersecurity rules?
Community water systems serving more than 3,300 people. That is about 318 public water systems in New York, most serving 3,300 to 50,000 people. Systems serving more than 50,000 people have extra obligations, including a designated cybersecurity lead and continuous monitoring.
When is the DOH Part 5 compliance deadline?
The Appendix 5-E operational technology requirements must be met by January 1, 2027. Incident reporting and operator training apply on adoption, and the separate information technology rules under the Public Service Commission took effect January 1, 2026.
What does Appendix 5-E require?
A cybersecurity program aligned with the six functions of NIST CSF 2.0, annual vulnerability assessments, a cyber asset inventory with authentication and access management, network monitoring and logging, incident reporting to DOH within 24 hours, vulnerability reporting within 48 hours, a tested incident response plan, and cybersecurity training for certified operators.
Is there funding to help pay for DOH Part 5 compliance?
Yes. New York created a grant program through the Environmental Facilities Corporation, with free technical assistance, to help systems meet the requirements. Trout tracks the details on the SECURE grant resource page.