PolicyBrief
H.R. 2594
119th Congress · Apr 2nd 2025
To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector.
IN COMMITTEE

Establishes a Water Risk and Resilience Organization to set cybersecurity standards for community water systems serving over 3,300 people, ensuring the protection and resilience of the water sector against cyber threats.

Sponsor: Eric "Rick" Crawford (R), Representative, AR-1

LEGISLATION

Bill Creates $10M Funded 'WRRO' to Set and Enforce Cyber Rules on Water Systems Serving 3,300+ People

This bill proposes creating a brand-new entity, the Water Risk and Resilience Organization (WRRO), tasked with developing and enforcing cybersecurity standards for the water sector. Specifically, it targets 'covered water systems' – think community water systems or treatment works that serve over 3,300 people. The Environmental Protection Agency (EPA) Administrator gets the job of certifying this single, non-governmental WRRO within 270 days of the bill's passage, kicking things off with a $10 million appropriation to get the WRRO rolling.

Meet the New Water Watchdog: The WRRO

So, what does this WRRO actually do? Its main gig is to write the rulebook for cybersecurity in larger water systems. These rules, covering 'cybersecurity risk and resilience requirements,' need the EPA Administrator's stamp of approval. The EPA has to find them 'just, reasonable, and not unduly discriminatory,' though the bill says the EPA should generally defer to the WRRO's technical know-how. Once rules are approved, the WRRO monitors compliance. This involves water systems submitting annual self-attestations saying they're following the rules, plus undergoing assessments by the WRRO or a third party at least every five years. If a system doesn't comply, the WRRO can impose penalties up to $25,000 per day after a notice and hearing process. These penalty funds are earmarked to support WRRO training and resources.

The Ripple Effect: Costs, Compliance, and Your Water

The goal here is straightforward: make the systems delivering your drinking water more 'cyber resilient' – better protected against digital threats like ransomware or hacking that could disrupt service or compromise safety. This directly impacts those 'covered water systems' serving mid-sized to larger communities. They'll need to meet the new WRRO standards, which likely means investing time and money into cybersecurity measures and proving they're compliant. While the bill aims for balanced stakeholder representation within the WRRO, there's always the practical reality that compliance costs for water utilities could eventually influence customer rates. Smaller systems (serving under 3,300 people) aren't subject to these specific WRRO requirements.

Checks, Balances, and Potential Hurdles

While the WRRO isn't technically a government agency, the EPA holds significant oversight. The Administrator approves the initial rules, can order the WRRO to create or modify rules if needed, and reviews any penalties the WRRO imposes. The bill also mandates public input during rule development and requires the WRRO to manage sensitive information securely. However, questions remain about how a non-governmental body will interpret 'just and reasonable' standards and wield penalty power effectively and fairly. There's also the potential for friction if WRRO requirements clash with existing state or local regulations, although the bill states it doesn't preempt consistent state rules. Ensuring the WRRO remains independent and focused on resilience, rather than being influenced by specific industry players, will be crucial for its success.