Among the requirements under Executive Order 13636 on cybersecurity, certain federal agencies must determine whether new regulations would be needed to improve critical infrastructure cybersecurity in their respective sectors. To this end, EPA's Office of Groundwater and Drinking Water (OGWDW) reported to the White House in May that its partnership with the water sector to create tools and promote voluntary implementation of the NIST Cybersecurity Framework should be sufficient.
However, in his letter to the White House, OGWDW Director Dr. Peter Grevatt held the door open to regulation, if necessary. "If the voluntary partnership model is not successful in achieving widespread implementation of the Cybersecurity Framework or, if warranted by a changing cybersecurity risk profile, the EPA can revisit the option of using general statutory authority to regulate cybersecurity in the Water and Wastewater Systems sector," wrote Grevatt. The letter does not elaborate on which authorities EPA could base new regulations.
The White House appears to have accepted Dr. Gravatt's assessment. According to White House Cybersecurity Coordinator Michael Daniels, "At this time...the Administration has determined that existing regulatory requirements [if any], when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information."