Section 2013 of America’s Water Infrastructure Act of 2018 (AWIA) requires community water systems that serve more than 3,300 people to complete a Risk and Resilience Assessment (RRA) and develop an Emergency Response Plan (ERP). The deadline to certify completion of the RRA is June 30, 2021 for systems serving 3,301 to 49,999 people, which is most of the public water systems in Massachusetts. The deadline for larger systems occurred already. Six months after completing the RRA, the Act requires systems to develop an ERP.
Massachusetts public water systems (PWS) were previously required to develop ERPs. The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (Bioterrorism Act) required each PWS serving a population greater than 3,300 persons to conduct a vulnerability assessment and prepare an ERP. The new federal requirement adds new risk elements to the assessment, including natural hazards, cybersecurity and financial systems. Cybersecurity is an important addition to the assessments, as evidenced by the February 2021 remote access cyberattack on the Oldsmar, Florida water treatment facility and the May 2021 ransomware cyberattack on the Colonial Pipeline.
Water system remote operation using computerized systems
(photo from U.S. EPA Water Infrastructure Resilience website:
Every five years, the PWS must review its risk and resilience assessment and submit a recertification to the U.S. EPA that the assessment has been reviewed and, if necessary, revised. Within six months of submitting the recertification for the RRA, the PWS must certify it has reviewed and, if necessary, revised, its ERP.
An RRA evaluates the vulnerabilities, threats, and consequences from potential hazards. The assessment includes the following:
- Natural hazards and malevolent acts (i.e., all hazards).
- Resilience of water facility infrastructure (including pipes, physical barriers, water sources and collection, treatment, storage and distribution, and electronic, computer and other automated systems).
- Monitoring practices.
- Financial systems (e.g., billing systems).
- Chemical storage and handling.
- Operation and maintenance.
An ERP includes the following:
- Strategies and resources to improve resilience, including physical security and cybersecurity.
- Plans and procedures for responding to a natural hazard or malevolent act that threatens safe drinking water.
- Actions and equipment to lessen the impact of a malevolent act or natural hazard, including alternative water sources, relocating intakes and flood protection barriers.
- Strategies to detect malevolent acts or natural hazards that threaten the system.
Visit the U.S. EPA website to find more information on AWIA at: https://www.epa.gov/waterresilience/awia-section-2013
The U.S. EPA provides guidance for developing an RRA and an ERP on the following two websites: