Establishes a Water Risk and Resilience Organization to set cybersecurity standards for community water systems serving over 3,300 people, ensuring the protection and resilience of the water sector against cyber threats.
Eric "Rick" Crawford
Representative
AR-1
This bill directs the EPA Administrator to establish a Water Risk and Resilience Organization (WRRO) to develop cybersecurity risk and resilience requirements for community water systems or treatment works serving 3,300+ people. The WRRO will monitor and assess the implementation and effectiveness of cybersecurity requirements, and can impose penalties for violations. The bill allocates $10,000,000 for these activities and clarifies that the WRRO is not a government entity, nor does this preempt state authority over water service safety and resilience.
This bill proposes creating a brand-new entity, the Water Risk and Resilience Organization (WRRO), tasked with developing and enforcing cybersecurity standards for the water sector. Specifically, it targets 'covered water systems' – think community water systems or treatment works that serve over 3,300 people. The Environmental Protection Agency (EPA) Administrator gets the job of certifying this single, non-governmental WRRO within 270 days of the bill's passage, with a $10 million appropriation to get the WRRO up and running.
So, what does this WRRO actually do? Its main gig is to write the rulebook for cybersecurity in larger water systems. These rules, covering 'cybersecurity risk and resilience requirements,' need the EPA Administrator's stamp of approval. The EPA has to find them 'just, reasonable, and not unduly discriminatory,' though the bill says the EPA should generally defer to the WRRO's technical know-how. Once rules are approved, the WRRO monitors compliance. This involves water systems submitting annual self-attestations saying they're following the rules, plus undergoing assessments by the WRRO or a third party at least every five years. If a system doesn't comply, the WRRO can impose penalties up to $25,000 per day after a notice and hearing process. These penalty funds are earmarked to support WRRO training and resources.
The goal here is straightforward: make the systems delivering your drinking water more 'cyber resilient' – better protected against digital threats like ransomware or hacking that could disrupt service or compromise safety. This directly impacts those 'covered water systems' serving mid-sized to larger communities. They'll need to meet the new WRRO standards, which likely means investing time and money into cybersecurity measures and proving they're compliant. While the bill aims for balanced stakeholder representation within the WRRO, there's always the practical reality that compliance costs for water utilities could eventually influence customer rates. Smaller systems (serving under 3,300 people) aren't subject to these specific WRRO requirements.
While the WRRO isn't technically a government agency, the EPA holds significant oversight. The Administrator approves the initial rules, can order the WRRO to create or modify rules if needed, and reviews any penalties the WRRO imposes. The bill also mandates public input during rule development and requires the WRRO to manage sensitive information securely. However, questions remain about how a non-governmental body will interpret 'just and reasonable' standards and wield penalty power effectively and fairly. There's also the potential for friction if WRRO requirements clash with existing state or local regulations, although the bill states it doesn't preempt consistent state rules. Ensuring the WRRO remains independent and focused on resilience, rather than being influenced by specific industry players, will be crucial for its success.