A Summary of America’s Water Infrastructure Act of 2018
These utilities must:
- Conduct a Risk and Resilience Assessment (RRA)
- Prepare or revise an Emergency Response Plan (ERP)
- Submit a certification letter upon completion to the U.S. Environmental Protection Agency (U.S. EPA) for each (RRA and ERP)
- Review, update, revise as necessary and submit a recertification for both at least every 5 years thereafter
- Maintain records (keep copies of RRA and ERP and any updates for 5 years after certification submittal)
AWIA Compliance Deadlines
What must the certification letter contain?
The Director or another leader of the utility must send a letter to EPA certifying compliance with AWIA by the above-specified dates. The letter should contain:
- Water system name and Public Water System Identification (PWSID) Number
- Date the RRA/ERP was completed (certification date)
- Statement that the utility has conducted, reviewed, or revised, as applicable, their RRA and ERP
What happens if a certification letter is not submitted?
There are consequences if a utility does not certify that they have complied with the AIWA. EPA can initiate enforcement action and assess a penalty of up to $25,000 per day for non-compliance.
What is the difference between the Bioterrorism Act of 2002 and AWIA of 2018?
The Bioterrorism Act of 2002 is the basis for AWIA of 2018. However, there are some notable differences:
- Under the Bioterrorism Act, the threat focus was on malevolent acts of terrorism or other intentional threats. Under AWIA, the focus includes an all-hazards approach, considering cyber and natural hazards as well as malevolent threats.
- Vulnerability Assessments are now called Risk and Resilience Assessments and include increased emphasis on cybersecurity and natural hazards.
- Formerly, utilities had to submit actual Vulnerability Assessments to EPA; under AWIA, utilities will now submit a letter certifying that they have conducted RRAs and updated their ERP.
What must a utility assess under AWIA?
The utility must consider all potentially critical components of the water system, including:
- Pipes and constructed conveyances
- Physical barriers
- Source water
- Water collection and intake
- Pretreatment, treatment, storage, and distribution facilities
- Electronic, computer, or other automated systems
In addition to assessing the physical parts of the system, the utility must also assess:
- Any Monitoring practices – physical security, water quality
- Financial infrastructure – accounting, billing, and ability to do payroll when facing a threat, including cyber attack or destruction of the administration buildings housing these systems
- Use, storage, or handling of various chemicals by the water system
- Operation and maintenance of the system
- May include evaluation of capital and operational needs for risk and resilience management
What must the ERP include to comply with AWIA?
The ERP must include:
- Strategies and resources to improve resilience, including physical and cyber security
- Plans and procedures that can be implemented and identification of equipment that can be utilized in the event of a malevolent act or natural hazard that threatens the ability of the utility to deliver safe drinking water
- Actions, procedures, and equipment to lessen the impact on public health and safety and supply of drinking water from a malevolent act or natural hazards, including the development of alternative source water options, relocation of water intakes, and construction of flood protection barriers
- Strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security of the water system.
Are there tools available to conduct the RRA and develop the ERP?
Yes. American Water Works Association has tools that may be helpful as you conduct the assessment and develop your plans.
- AWWA J-100: Risk and Resilience Management of Water and Wastewater Systems. This includes a 7-Step process for data collection and interpretation, analysis, and decision-making valuable for understanding and managing risk and reliance.
- AWWA G440-17: Emergency Preparedness Practices and AWWA M-19: Emergency Planning for Water and Wastewater Utilities. These standards cover the minimum requirements to establish and maintain an acceptable level of preparedness based on perceived risks.
- AWWA Cybersecurity Guidance and Use Case Tools. Free online tool available at AWWA website https://www.awwa.org/Resources-Tools/Toolbox/Cybersecurity-Tool. The use case tools are intended to reflect the configuration and/or the utilization of a utility’s process control system. The operational characteristics associated with each use case represent different types and degrees of cybersecurity risk. The Use-Case Tools determine the appropriate cybersecurity controls and priorities based on the use cases selected by the user.
- AWWA G430-14: Security Practices for Operation and Management. This covers the minimum requirements for a security program for a water, wastewater, or reuse utility.
How can HR Green help?
You do not have to tackle this alone. HR Green professionals have completed the requirements for the AWWA Utility Risk and Resilience Certificate Program for potable water treatment plants and distribution systems. Contact us today for assistance in meeting the requirements of the American Water Infrastructure Act of 2018.