Water Utility Cybersecurity Compliance
AWIA Section 2013 requires your system to assess cyber risks. We help you meet the requirement—and defend what you certify.
40 CFR § 19.4 — Effective January 8, 2025
Services
What We Deliver
Cyber Risk Assessment
Supports the electronic systems component of your Risk & Resilience Assessment.
- SCADA/OT inventory & architecture review
- Vulnerability identification
- Access control & remote access audit
- Documentation for RRA inclusion
ERP Cyber Section
Develops the cybersecurity response component of your Emergency Response Plan.
- Incident response procedures
- Ransomware playbook
- Communication protocols
- Recovery & backup verification
Remediation Support
Addresses gaps identified in assessment to strengthen your security posture.
- Network segmentation
- Patch management setup
- MFA implementation
- Policy development
The Requirement
AWIA Section 2013 / SDWA Section 1433
Community water systems serving 3,301+ people must conduct a Risk & Resilience Assessment that includes evaluation of "electronic, computer, or other automated systems (including the security of such systems)".
Systems serving 3,301–49,999 must certify their RRA by June 30, 2026 and their Emergency Response Plan by December 31, 2026.
This is a 5-year cycle. If you certified in 2020–2021, recertification is due now.
Certification Under Penalty of Law
"Whoever, in any matter within the jurisdiction of the United States government, knowingly and willfully provides a materially false, fictitious, or fraudulent statement or representation may be subject to fines or imprisonment. 18 U.S.C. § 1001."
— EPA RRA Certification Statement