America’s Water Infrastructure Act (AWIA) of 2018, signed into law in October, requires drinking water utilities serving more than 3,300 customers to conduct a risk and resilience assessment (RRA) and produce an emergency response plan (ERP). Unlike former legislation which focused primarily on terrorism, physical security, and human threats, the new requirements have been expanded to include natural hazards and threats to electronic systems, including financial and administrative functions. With the compliance deadline for larger systems looming in early 2020 and smaller systems soon to follow, many entities could be left scrambling to add this scope of work into their fiscal year budget cycle. Regardless of their size, public water systems should begin the budgeting process soon to ensure adequate funding to satisfy these new requirements.
Woodard & Curran has extensive experience helping our clients develop RRAs (formerly referred to as vulnerability assessments) and ERPs with consideration given to both malevolent acts and natural hazards. Our scope has included assessment of both physical and technological infrastructure systems for water suppliers ranging from small, single facility, and campus supplies to large municipal systems.
While many public water systems have developed plans in the past, AWIA 2018 requires new elements for consideration, such as cybersecurity and risk to a utility’s financial and data management systems. This legislation may seem onerous and the assessment process and planning may come with many unknowns, including financial implications of necessary improvements. Impacts will not be fully understood until requirements are met.
New Requirements at a Glance
Expanding upon requirements of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (the Bioterrorism Act), legislation passed in the aftermath of September 11, 2001, the new legislation requires each water system’s RRA to consider the following:
• Natural hazards and malevolent acts;
• Resilience of water facility infrastructure (from pipes and facilities to software and cybersecurity);
• Monitoring practices;
• Financial systems (including billing); and
• Chemical storage and handling.
Based on the data collected during the assessment, each entity must then develop an ERP that includes:
• Strategies and resources to improve resilience;
• Physical security and cybersecurity;
• Procedures for when any form of hazard threatens safe drinking water;
• Implementation of actions or installation of equipment to lessen the impact of any form of hazard; and
• Strategies to detect natural or malevolent acts that threaten the system.
A certificate of completion for the RRA must be submitted to the U.S. Environmental Protection Agency (EPA). Within six months of the RRA certification, a certification must also be submitted documenting the completion of an ERP. Deadlines by utility size are as follows:
Following the initial certification, both plans will need to be recertified every five years by the EPA.
While these dates may seem generous for smaller systems, it is a very tight timeline to complete comprehensive plans, particularly for the larger, typically more complex drinking water systems who now have less than nine months to perform the RRA and submit the first certification.
Making the Most Out of AWIA Requirements
Our drinking water practice is keeping a close eye on any recommendations or guidance coming from the EPA and working with existing clients to navigate the AWIA 2018 requirements. While the legislation may seem daunting, we know first-hand the value that can be derived from the development of a well thought out, action-oriented plan. Our own operators across the country have faced emergency situations from flood and fire to electrical outages, catastrophic natural gas system failures, and total automation system shutdowns. When an RRA has been thoroughly conducted and an ERP is in place, the swift response to such events has prevented service interruptions and related public health catastrophes.
Regardless of these new AWIA requirements, utilities face a pressing need to identify risks, improve resiliency, and develop strategies to mitigate potential damage to man-made and natural resources. These assessments also must be conducted in a fiscally responsible manner and be balanced by considering the likelihood of any such threats. Additionally, strategies for addressing potential risks may also reveal necessary capital upgrades to improve a utility’s resiliency and longevity. As with consideration for funding the RRA and ERP, utilities should calculate return on investments when considering improvements and prioritize work accordingly based on the reality of potential risks.
