EPA Releases Interpretative Memorandum Addressing Cybersecurity in Sanitary Surveys

Today (3/3), EPA released an interpretative memorandum to include cybersecurity in sanitary surveys, along with associated guidance. The guidance discusses two actions for states:

  1. If a Public Water System (PWS) uses an Industrial Control System (ICS) or other operational technology (OT) as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that ICS or OT for producing and distributing safe drinking water.
  2. If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address the significant deficiency.

The memorandum provides three cybersecurity assessment options:

  1. Water systems conduct a self-assessment of their cybersecurity practices or use a third-party assessor, with third-party assessors to be approved by the states; or
  2. States evaluate cybersecurity practices during a sanitary survey; or
  3. States can use alternative assessment methods as long as these methods are at least as strict as sanitary surveys, i.e., the alternatives identify cybersecurity gaps, and the systems address significant deficiencies that are identified by the state.

EPA has also released two fact sheets.