EPA Sends Memo on Cybersecurity for Water Systems to OMB for Review

On Friday, 12/16, EPA sent a “Memorandum to State Drinking Water Administrators on Public Water System Cybersecurity” (RIN: 2040-ZA41) to the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs (OIRA) for the standard Executive Order (EO) 12866 Review. ASDWA has been working with EPA on its approach to cybersecurity for water systems for the past 18 months by inserting cybersecurity into one of the eight elements in sanitary surveys. Without having seen the memorandum, it’s likely to be included as part of the management and operation element.

ASDWA has been working with EPA for to develop a mutual understanding of states’ concerns with this approach. States are concerned with the lack of subject matter expertise with the sanitary survey inspectors, the lack of a standard to measure agains, the protection of sensitive information from sanitary surveys, the potential liability for the states, the low frequency of sanitary surveys (typically either every 3 years or every 5 years) compared to rapidly shifting cybersecurity threats, and the potential time and resource burden to states. How these concerns are addressed in the memorandum and the associated guidance is unclear at this time, as well as the potential schedule for this memorandum to be finalized and distributed to the EPA Regions and states.