To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector.
H.R. 2594 would create a Water Risk and Resilience Organization (WRRO) to develop and oversee cybersecurity risk and resilience requirements for larger water systems in the United States. The WRRO would be certified by the EPA Administrator and would have exclusive authority to propose and implement cybersecurity rules for “covered water systems” (community water systems or treatment works serving 3,300 or more people). The bill sets a formal rulemaking path, including an implementation schedule, public notice and due process, and a mechanism for resolving conflicts with existing rules or tariffs. It also establishes monitoring, reporting, and enforcement provisions (including penalties), and authorizes a dedicated funding stream to support WRRO activities. The approach centralizes cyber risk governance in a single, technically expert entity, with oversight by the EPA and input from water system owners/operators.

Potential impact:
- Defined, centralized framework for cyber risk and resilience in the water sector, targeting critical infrastructure.
- Clear process for proposing, approving, and implementing cyber requirements with input from a specialized organization.
- Enforcement and penalties tied to compliance, with penalties funding WRRO training and capabilities.
- States retain authority for safety and resilience actions not inconsistent with WRRO rules, preserving some state role.
Key Points
- Establishment and certification of WRRO: The WRRO would be an organization certified by the EPA Administrator to develop and enforce cybersecurity risk and resilience requirements for covered water systems. Certification requires demonstrating technical expertise, experience with water systems, and governance safeguards (independence, balanced representation, transparent procedures, and fair cost allocation).
- Scope and definitions: “Covered water systems” include community water systems and treatment works serving 3,300+ people. “Cyber resilient” encompasses preparing for, withstanding, absorbing, adapting to, and recovering from cybersecurity incidents. The rules target cybersecurity risk and resilience in system operation and in planned additions or modifications.
- Rulemaking and implementation process: The WRRO must file proposed requirements and an implementation plan with the EPA Administrator. The Administrator approves if the proposal is just, reasonable, and not unduly discriminatory, but defers to WRRO technical expertise. If disapproved, the Administrator must issue specific recommendations within 90 days, and the WRRO has defined steps to respond.
- Timelines and rollout: Final rulemaking to establish the WRRO’s authority must occur within 270 days of enactment. The implementation schedule may support phased rollout to different water systems.
- Monitoring and reporting: The WRRO would monitor implementation and require annual self-attestations of compliance and formal assessments every 5 years. It must report annually to the Administrator with aggregated, anonymized data and no sensitive security information.
- Enforcement and penalties: The WRRO can impose penalties for violations of cybersecurity requirements, up to $25,000 per day, after due process (notice, consultation, and a hearing). Penalties are capped, and proceeds go back to the WRRO to fund training and resources. The Administrator may review penalties, and expedited procedures apply for these reviews.
- Conflict resolution: The final rule must include processes to identify and resolve conflicts between WRRO requirements and other Administrator-approved rules, orders, tariffs, or agreements applicable to a covered water system. Compliance with those other authorities remains unless changed by the Administrator.
- Savings and state role: The act does not authorize binding cyber requirements beyond those it creates, and it preserves State authority to act on water safety and resilience so long as actions do not conflict with WRRO requirements.
- Status and funding: The WRRO would not be a U.S. government department or agency, but it would operate under a federal authorization. The bill authorizes $10 million in appropriations to remain available until expended.