In October 2018, Congress passed the America's Water Infrastructure Act. Section 2013 of the law requires every community water system serving more than 3,300 people to conduct a Risk and Resilience Assessment, update or develop an Emergency Response Plan based on that assessment, and certify both to the EPA on a recurring five-year cycle. This is not a recommendation. It is a federal mandate with specific deadlines and reporting requirements.
The next recertification deadline for systems in the 3,301 to 49,999 population tier is June 30, 2026. That is weeks away. And based on what we see in the field, the majority of utilities in this tier have either never completed a compliant RRA or completed one five years ago that does not reflect their current infrastructure, threat landscape, or cybersecurity posture.
What AWIA actually requires
The law defines two core deliverables. The first is the Risk and Resilience Assessment. The second is the Emergency Response Plan. They are sequential. The RRA comes first and informs the ERP.
The Risk and Resilience Assessment must evaluate the risks to the system from both physical and cybersecurity threats. AWIA specifically requires that the assessment address:
- The physical security of the system, including the infrastructure, source water, and electronic, computer, or other automated systems utilized by the system
- The monitoring practices of the system
- The financial infrastructure of the system
- The use, storage, and handling of chemicals
- The operation and maintenance of the system
- The resilience of pipes, physical barriers, water treatment, and storage and distribution facilities
The cybersecurity component is not optional. AWIA explicitly names "electronic, computer, or other automated systems" as a required assessment area. For any utility operating SCADA, PLCs, RTUs, or networked control equipment, the RRA must document the cybersecurity posture of those systems. An RRA that covers only physical security is not compliant with the statute.
The Emergency Response Plan
After completing the RRA, the utility must develop or update its Emergency Response Plan. The ERP must incorporate the findings of the assessment. It must describe the actions, procedures, and equipment the utility will use to respond to incidents identified in the RRA. It must also address plans for alternative water supply in the event of a disruption.
The ERP is not a static document. It must reflect the actual risks identified in the assessment. If the RRA finds that SCADA systems are internet-exposed or running on default credentials, the ERP must address how the utility will respond to a cyber intrusion that disrupts those systems. A generic ERP that does not reference specific cybersecurity risks is not aligned with the statute's requirements.
The certification process
AWIA requires utilities to certify completion of both the RRA and the ERP to the EPA. The certification is submitted through the EPA's online portal. The utility self-certifies that the assessment was completed and that the ERP has been updated. The EPA does not review the actual documents at the time of certification. But the documents must exist, and the EPA has the authority to request them at any time.
Self-certification does not mean self-grading. The EPA can request your RRA and ERP. If they do not exist, or if they do not address the required areas, the utility is in violation.
What happens if you do not comply
AWIA authorizes the EPA to take enforcement action against utilities that fail to certify their RRA and ERP by the required deadlines. Penalties can include fines of up to $25,000 per day of violation under the Safe Drinking Water Act. Historically, the EPA has focused on compliance assistance rather than penalties for first-time non-compliance. But the enforcement posture is shifting.
The EPA issued an enforcement alert in March 2024 emphasizing that cybersecurity is a required component of SDWA sanitary surveys. State primacy agencies conducting sanitary surveys are now expected to evaluate whether utilities have addressed cybersecurity risks. A utility that cannot demonstrate it has assessed its SCADA and control system security may face findings during its next sanitary survey, regardless of whether it has formally certified its RRA.
Beyond enforcement, there is a practical liability question. If a utility suffers a cyber incident and it has not completed a compliant RRA that addresses cybersecurity, the utility's legal exposure increases significantly. The failure to assess known risks, when a federal law specifically requires the assessment, is difficult to defend.
What a compliant RRA looks like for cybersecurity
A compliant cybersecurity component of the RRA should include, at minimum:
- An inventory of all control system assets. Every PLC, RTU, HMI, SCADA server, and network device. Manufacturer, model, firmware version, network address, and physical location.
- An assessment of external exposure. Which devices are reachable from the public internet? What services are they running? What vulnerabilities are associated with their firmware versions? A passive vulnerability assessment answers all of these questions without touching the utility's network.
- An evaluation of access controls. Are default credentials still active? Is multi-factor authentication in place for remote access? Who has administrative access to control systems, and how is that access managed?
- A network architecture review. Is the OT network segmented from the IT network? Are there direct paths from the internet to control equipment? Where are the firewall boundaries?
- A threat assessment. What threat actors are targeting water utilities? What TTPs are they using? CISA advisories, KEV entries, and sector-specific alerts provide the source material for this section.
The RRA does not need to solve every problem it identifies. Its purpose is to document the risks so that the utility can prioritize remediation and update its ERP accordingly. But it does need to be specific. An RRA that says "cybersecurity should be improved" without identifying what is exposed, what vulnerabilities exist, and what the risk to operations is does not meet the intent of the statute.
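To show what "specific" means in practice, here is an added example (not part of the original article, and not Sentinel OT's tooling) that turns the inventory fields from the checklist above into named, per-asset findings: address outside the documented OT address plan, default credentials, remote access without MFA, wrong network segment. The address ranges, vendor, models and devices are all constructed; 198.51.100.17 is a documentation address standing in for a publicly routable one.

```python
import ipaddress
from dataclasses import dataclass

# Ranges the utility's network plan assigns to OT (constructed; a real RRA lists the utility's own allocations).
OT_ADDRESS_PLAN = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

@dataclass
class Asset:
    name: str
    kind: str          # PLC, RTU, HMI, SCADA server, network device
    vendor: str
    model: str
    firmware: str
    address: str       # network address as recorded in the inventory
    location: str
    default_creds: bool = False   # factory credentials still active?
    remote_access: bool = False   # reachable by remote operators or vendors?
    mfa: bool = False             # multi-factor authentication on that remote path?
    segment: str = "OT"           # network segment the asset actually sits in

def asset_findings(asset: Asset) -> list[str]:
    """Return RRA-grade findings for one asset: named device, named gap."""
    tag = f"{asset.name} ({asset.vendor} {asset.model} fw {asset.firmware}, {asset.location})"
    findings = []
    addr = ipaddress.ip_address(asset.address)
    # External-exposure check: an address outside the documented OT plan is a finding on its
    # own; the passive assessment then confirms which services answer on it from the internet.
    if not any(addr in net for net in OT_ADDRESS_PLAN):
        findings.append(f"{tag}: address {asset.address} is outside the documented OT address plan")
    if asset.default_creds:
        findings.append(f"{tag}: default credentials still active")
    if asset.remote_access and not asset.mfa:
        findings.append(f"{tag}: remote access permitted without multi-factor authentication")
    if asset.segment != "OT":
        findings.append(f"{tag}: sits on the {asset.segment} segment, not the segmented OT network")
    return findings

def rra_cyber_findings(inventory: list[Asset]) -> dict[str, list[str]]:
    """Findings keyed by asset name, so the ERP can cite each one directly."""
    return {a.name: f for a in inventory if (f := asset_findings(a))}

# Constructed sample inventory; 198.51.100.17 is a documentation address standing in for a public one.
SAMPLE_INVENTORY = [
    Asset("PLC-WELL-1", "PLC", "ExampleVendor", "X100", "1.2.0", "198.51.100.17",
          "Well 1 pump house", default_creds=True, remote_access=True, mfa=False),
    Asset("HMI-PLANT", "HMI", "ExampleVendor", "H7", "3.4.1", "10.20.0.5",
          "Treatment plant control room", segment="IT"),
    Asset("RTU-TANK-2", "RTU", "ExampleVendor", "R2", "0.9.5", "192.168.50.8",
          "Elevated tank 2", remote_access=True, mfa=True),
]
```

Each finding names the device, firmware and location, which is the level of detail an ERP response procedure or a grant application can cite directly.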
The connection to funding
A properly documented RRA is also the foundation for grant applications. SLCGP funds, DWSRF set-asides, and state cybersecurity grants all require documentation of a specific cybersecurity need. The RRA provides that documentation. The assessment identifies the gaps. The remediation plan scopes the work. The grant application funds it. Without the assessment, there is nothing to apply for.
Sentinel OT provides passive vulnerability assessments that directly support the cybersecurity component of AWIA Risk and Resilience Assessments. Our reports document externally observable exposure, map findings to the National Vulnerability Database and CISA KEV catalog, and provide remediation recommendations that translate directly into ERP updates and grant applications. We also support the grant application process, helping utilities connect assessment findings to available funding.
The deadline is June 30, 2026. If your utility has not started its RRA, the time to act is now.