Sustainability and Security Report

Sustainability & Security Report

Drinking Water System Risk Assessments and Response Plans Required Under New Water Law

Drinking water systems will have to conduct risk and resiliency assessments and revise emergency response plans (ERPs) under the newly enacted America's Water Infrastructure Act (S. 3021). Utilities must also review and, if necessary, revise these documents at least every five years.

The new law completely rewrites Section 1433 of the Safe Drinking Water Act, which Congress enacted in 2002 in the aftermath of 9/11. That law required nearly 9,000 community water systems to complete a one-time vulnerability assessment (VA) examining risks posed by terror attacks, but in recent years some lawmakers have complained that it carried no mechanism to ensure the assessments remained up-to-date. 

The new Section 1433 replaces the 2002 VA requirement with a new one that requires community water systems to complete an expanded “risk and resiliency assessment” that has considered physical risks posed by malicious actors and natural disasters, as well as risks from cyber threats. The assessments must consider possible impacts to treatment and distribution infrastructure, as well as intakes and source water. Systems are also required to assess their computer and automated systems, chemical use and storage, operations and maintenance, monitoring practices, financial infrastructure.

Unlike VAs, the new assessments will not be forwarded to EPA for review.  Instead, utilities must certify to the agency that they have completed their assessments. And every five years thereafter utilities must certify that they have reviewed their assessments and made any necessary revisions.  Systems serving 100,000 people or more must submit their initial certifications by March 31, 2020; systems serving 50,000 to 100,000 people, by December 31, 2020; and systems serving between 3,300 and 50,000 people, by June 30, 2021.

No later than six months after completing their risk assessments, systems must also certify completion of emergency response plans that address the risks identified in their assessments. And if a utility subsequently revises its assessment, then its response plan must be updated as well.

To help utilities identify threats to be considered in the assessments, the new law also directs EPA to produce baseline information about malicious acts that could substantially disrupt operations or otherwise present significant public health or economic concerns to the community served. EPA must provide the information by August 1, 2019. EPA will also be providing compliance guidance to utilities, but the agency will not be promulgating regulations.

Some aspects of the new law are not particularly clear; for instance, “monitoring practices” and “financial infrastructure” – required elements of an assessment – are not defined. AMWA is engaged with EPA to clarify these and other provisions.