AWIA 2018 - America's Water Infrastructure Act Summary
What is AWIA 2018? America’s Water Infrastructure Act
America’s Water Infrastructure Act of 2018 (AWIA) was signed into law on October 23, 2018. It improves drinking water and water quality by requiring community (drinking) water systems serving more than 3,300 people to develop or update risk assessments and emergency response plans (ERPs). The AWIA 2018 provisions are some of the biggest changes to the Safe Drinking Water Act in decades.
Among other things, community water systems are required under the AWIA to conduct and report on a comprehensive water system AWIA risk and resilience assessment. They must also develop an emergency response plan that addresses both physical and cybersecurity threats.
These utilities must:
- Review AWIA 2018 Certification Deadlines
- Conduct a Risk and Resilience Assessment (RRA)
- Prepare or revise an Emergency Response Plan (ERP)
- Submit a certification letter upon completion to the U.S. Environmental Protection Agency (U.S. EPA) for each (RRA and ERP)
- Review, update, revise as necessary and submit a recertification for both at least every 5 years thereafter
- Maintain records (keep copies of RRA and ERP and any updates for 5 years after certification submittal)
AWIA Certification Deadlines
Risk and Resilience
Next 5-Year Cycle
|≥100,000||March 31, 2020||March 31, 2025|
|50,000-99,999||December 31, 2020||December 31, 2025|
|3,301-49,999||June 30, 2021||June 30, 2026|
Next 5-Year Cycle
|≥100,000||September 30, 2020||September 30, 2025|
|50,000-99,999||June 30, 2021||June 30, 2026|
|3,301-49,999||December 31, 2021||December 31, 2026|
*Emergency response plan certifications are due six months from the date of the risk assessment certification. The dates shown above are certification dates based on a utility submitting a risk assessment on the final due date.
AWIA Risk and Resilience Assessment
The AWIA 2018 requires all community water utilities serving more than 3,300 people to conduct an assessment of the risks and resilience for the system. This assessment must include an assessment of:
- The risk of the system from malevolent acts and natural hazards
- Resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system
- The monitoring practices of the system
- The financial infrastructure of the system
- The use, storage, or handling of various chemicals by the system
- The operation and maintenance of the system
What does a risk and resilience assessment include?
- Natural hazards and malevolent acts (i.e., all hazards)
- Resilience of water utility infrastructure (including pipes, physical barriers, water sources and collection, treatment, storage and distribution, and electronic, computer and other automated systems)
- Monitoring practices
- Financial and billing systems
- Chemical storage and handling
Emergency Response Plans Must Include Cybersecurity and Physical Security
The AWIA risk and resilience assessment requires community water systems to prepare or revise an emergency response plan with their local emergency planning committee. The assessment must include strategies and plans to improve and respond to hazards. This emergency response plan is due no later than six months after completion of the risk assessment.
While cybersecurity threats have been steadily increasing for the water utilities and wastewater industries, the AWIA will require community water systems to assess their cybersecurity vulnerabilities in a comprehensive fashion to protect against future attacks.
What does my AWIA emergency response plan include?
- Strategies and resources to improve resilience, including physical security and cybersecurity.
- Plans and procedures for responding to a natural hazard or malevolent act that threatens safe drinking water.
- Actions and equipment to lessen the impact of a malevolent act or natural hazard, including alternative water sources, relocating intakes and flood protection barriers.
- Strategies to detect malevolent acts or natural hazards that threaten the system.
Who should I work with when creating my emergency response plan?
Water utility companies must coordinate the risk and resilience assessments, and the emergency response plans with your local
emergency planning committee.
AWIA 2018 Certification Requirements
How do I submit my certification?
What must the certification letter contain?
The water utility must send a letter to the EPA certifying compliance with AWIA by the above-specified dates. The letter should contain:
- Water system name and Public Water System Identification (PWSID) Number
- Date the RRA/ERP was completed (certification date)
- Statement that the utility has conducted, reviewed, or revised, as applicable, their RRA and ERP
What happens if a certification letter is not submitted?
Still Have Questions About AWIA 2018?
We can help! We specialize in cyber security for water utilities. We know the guidelines and what you need to do to be secure and up to date with the EPA. Contact us today to discuss how we can help.
Learn More About CyberSecurity & IT services
Get In Touch
CyberSecurity Company & IT Services
Latest Cybersecurity Posts
Company Vows to Attain Zero Carbon Footprint by 2025 Fort Smith, Ark. – Kirkham, Inc., which operates IronTech Security and Kirkham IT, has taken its first step in its journey to achieve a carbon neutral footprint by 2025. Kirkham, Inc., with a scalable employee base,...
What is a security first culture? A security first culture starts with identifying and preventing employee vulnerabilities before they cause a breach. Employees are your front line of defense in the technology world. Do your employees use strong passwords? Do your...
Many believe information security is information technology, and their IT guy handles all of their cybersecurity. This is a common misconception. Information technology specializes in technology, not security. What is the difference between information...