AWIA 2018 - America's Water Infrastructure Act Summary

What is AWIA 2018? America’s Water Infrastructure Act

America’s Water Infrastructure Act of 2018 (AWIA) was signed into law on October 23, 2018. It improves drinking water and water quality by requiring community (drinking) water systems serving more than 3,300 people to develop or update risk assessments and emergency response plans (ERPs). The AWIA 2018 provisions are some of the biggest changes to the Safe Drinking Water Act in decades.

Among other things, community water systems are required under the AWIA to conduct and report on a comprehensive water system AWIA risk and resilience assessment. They must also develop an emergency response plan that addresses both physical and cybersecurity threats.

These utilities must:

awia 2018 summary, awia risk and resillience, awia assessment, awia certification, awia deadlines, americas water infrastructure act 2018 summary

AWIA Certification Deadlines

Population Served

Risk  and Resilience

Assessment

Next 5-Year Cycle

Submission Date          

≥100,000 March 31, 2020 March 31, 2025
50,000-99,999 December 31, 2020 December 31, 2025
3,301-49,999 June 30, 2021 June 30, 2026
Population Served

Emergency Response

 Plan*

Next 5-Year Cycle 

Submission Date*

≥100,000 September 30, 2020 September 30, 2025
50,000-99,999 June 30, 2021 June 30, 2026
3,301-49,999 December 31, 2021 December 31, 2026

*Emergency response plan certifications are due six months from the date of the risk assessment certification. The dates shown above are certification dates based on a utility submitting a risk assessment on the final due date.

AWIA Risk and Resilience Assessment

The AWIA 2018 requires all community water utilities serving more than 3,300 people to conduct an assessment of the risks and resilience for the system. This assessment must include an assessment of:

  • The risk of the system from malevolent acts and natural hazards
  • Resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system
  • The monitoring practices of the system
  • The financial infrastructure of the system
  • The use, storage, or handling of various chemicals by the system
  • The operation and maintenance of the system

What does a risk and resilience assessment include?

  • Natural hazards and malevolent acts (i.e., all hazards)
  • Resilience of water utility infrastructure (including pipes, physical barriers, water sources and collection, treatment, storage and distribution, and electronic, computer and other automated systems)
  • Monitoring practices
  • Financial and billing systems
  • Chemical storage and handling

Emergency Response Plans Must Include Cybersecurity and Physical Security 

The AWIA risk and resilience assessment requires community water systems to prepare or revise an emergency response plan with their local emergency planning committee. The assessment must include strategies and plans to improve and respond to hazards. This emergency response plan is due no later than six months after completion of the risk assessment.

While cybersecurity threats have been steadily increasing for the water utilities and wastewater industries, the AWIA will require community water systems to assess their cybersecurity vulnerabilities in a comprehensive fashion to protect against future attacks.

What does my AWIA emergency response plan include?
  • Strategies and resources to improve resilience, including physical security and cybersecurity.
  • Plans and procedures for responding to a natural hazard or malevolent act that threatens safe drinking water.
  • Actions and equipment to lessen the impact of a malevolent act or natural hazard, including alternative water sources, relocating intakes and flood protection barriers.
  • Strategies to detect malevolent acts or natural hazards that threaten the system.
Who should I work with when creating my emergency response plan?

Water utility companies must coordinate the risk and resilience assessments, and the emergency response plans with your local
emergency planning committee.

AWIA 2018 Certification Requirements

How do I submit my certification?
Three options will be provided for submittal: regular mail, email and a user-friendly secure online portal. The online submission portal will provide drinking water systems with a receipt of submittal. The U.S. EPA recommends using this method. The
What must the certification letter contain?

The water utility must send a letter to the EPA certifying compliance with AWIA by the above-specified dates. The letter should contain:

  • Water system name and Public Water System Identification (PWSID) Number
  • Date the RRA/ERP was completed (certification date)
  • Statement that the utility has conducted, reviewed, or revised, as applicable, their RRA and ERP
What happens if a certification letter is not submitted?
EPA can initiate enforcement action and assess a penalty of up to $25,000 per day for non-compliance.

Still Have Questions About AWIA 2018?

We can help! We specialize in cyber security for water utilities. We know the guidelines and what you need to do to be secure and up to date with the EPA. Contact us today to discuss how we can help.

Learn More About CyberSecurity & IT services

Get In Touch

Irontech Security

CyberSecurity Company & IT Services

Phone: 479-434-1400

Email:  commandcenter@irontechsecurity.com

Mon-Fri: 9am-5pm

Latest Cybersecurity Posts

Why All Employees Are Responsible for Cybersecurity

  Did you know that 90% of data breaches are caused by human error?  Cyber-attacks are more likely to occur as a result of employee actions rather than a direct attack to a system. With human error being the most common reason for cyber-attacks, employers need to...

Cybersecurity vs. Cyber Insurance

Do you know the difference between cybersecurity and cyber insurance?  Most people don’t, leaving thousands of organizations left vulnerable.   What is Cybersecurity? Cybersecurity is the practice of protecting systems, networks, and programs for digital...

Best of Breed: The IronTech Way

A determined hacker can bypass even the most robust security program.  I bet you’re asking, what should my organization do?  The answer is simple: layer your defenses to address gaps in your security strategy with the best solutions.  The best solutions are also known...