Be Prepared for §1433 Compliance
Kevin M. Morley
Journal ‐ American Water Works Association, volume 117, no. 8, published 2025-09-11 (journal article; JCR Q4, Engineering, Civil; subject category: Environmental Science & Ecology)
DOI: 10.1002/awwa.2498
Article: https://awwa.onlinelibrary.wiley.com/doi/10.1002/awwa.2498
PDF: https://awwa.onlinelibrary.wiley.com/doi/epdf/10.1002/awwa.2498
The Safe Drinking Water Act (SDWA) is the standard by which public water systems (PWSs) fulfill their obligations to protect drinking water. The US Environmental Protection Agency (EPA) is the federal agency responsible for ensuring a PWS complies with SDWA provisions, which also includes oversight of states that have been granted primacy to implement the act. Monitoring and tracking compliance rests with the Office of Enforcement and Compliance (OECA). EPA is granted the authority to perform inspections at any entity subject to a National Primary Drinking Water Regulation, which requires proper notice and coordination with the primacy agency per SDWA §1445 (42 USC §300j-4).
In 2020, a review of ongoing compliance issues across ~50,000 US community water systems (CWSs) serving nearly 90% of the population led EPA to add safe drinking water to the National Enforcement Compliance Initiative (NECI). EPA reported for fiscal year (FY) 2022 that 18,282 CWSs had at least one SDWA violation, including a health-based violation in 2,854 of those systems. These findings led EPA to extend NECI into FY24–27. In 2024, OECA emphasized assessing SDWA §1433 compliance with more targeted inspections and enforcement nationally “as part of a whole of government approach aimed at strengthening public utility resiliency to mounting cyber-attacks.”
Of the 238 CWS inspections performed in FY24, 206 had EPA on-site to evaluate §1433 compliance. These inspections focus on the utility's ability to produce a physical copy of the risk and resilience assessment (RRA) and emergency response plan (ERP), ensuring certifications were filed on time and that the RRA and ERP include all the statute-required elements, which include assessing cyber vulnerabilities and taking action to mitigate such risks. The process begins with EPA notifying the utility that an inspection will be performed within the next several weeks and providing a summary of the inspection's scope. Inspections can cover SDWA requirements in full or be more targeted to §1433 and a review of 15 cybersecurity practices EPA has identified as essential. While the cybersecurity checklist does not represent specific statutory mandates, EPA's objective is building awareness and identifying potential technical-assistance needs. Afterward, the utility will receive an inspection report that may identify areas of concern, which EPA's regional office uses to determine whether an enforcement action is warranted. A notice of violation will typically be sent to the utility within three months of receiving the inspection report. Consultation with the regional OECA may follow to review the corrective actions outlined in the notice.
The inspection process associated with §1433 is relatively new and technically quite different from traditional SDWA requirements. This has led to some inconsistency in how inspectors have interpreted what is required to fulfill the statutory requirements. The statute requires the utility to consider “risk to the system from malevolent acts and natural hazards” and allows the system to determine the most applicable threats, but all systems should place a high priority on mitigating a cyberattack. When a Notice of Violation has been issued, generic language may state that the RRA or ERP “did not evaluate or include sufficient details,” with the specific provision listed. Such vague language is intended to limit disclosure of a possible vulnerability an adversary could leverage. Consultation between the utility and EPA regional staff is conducted to provide details, potentially reconcile specific violations, and clarify deadlines. A violation may subject the respondent to a civil penalty of up to $69,733 per day of violation under §1414(g)(3)(A), 42 USC §300g-3(g)(3)(A).
Since the second round of §1433 compliance has begun and EPA is continuing the targeted enforcement initiative, it is key that systems ensure they can demonstrate due diligence. Use a simple table of contents to ensure all the required elements are included in the RRA and ERP. If an element is not applicable, include a brief statement on why it is not. Ensure utility leadership is aware of the compliance deadlines and is prepared to certify completion of the RRA and ERP accordingly. As of August 2025, about 95% of systems serving 100,000 or more people had certified the RRA (due on or before March 31, 2025). The next deadlines are Sept. 30, 2025, for large-system ERPs and on or before Dec. 31, 2025, for medium-system (50,000–99,999 people) RRAs.
Ensuring the security and resilience of water systems is essential to sustaining our economic vitality, national security, and public health, requiring sustained and continued vigilance by utility leadership. AWWA will continue to work with EPA to improve the process and ensure compliance expectations are transparent.
Journal description:
Journal AWWA serves as the voice of the water industry and is an authoritative source of information for water professionals and the communities they serve. Journal AWWA provides an international forum for the industry’s thought and practice leaders to share their perspectives and experiences with the goal of continuous improvement of all water systems. Journal AWWA publishes articles about the water industry’s innovations, trends, controversies, and challenges, covering subjects such as public works planning, infrastructure management, human health, environmental protection, finance, and law. Journal AWWA will continue its long history of publishing in-depth and innovative articles on protecting the safety of our water, the reliability and resilience of our water systems, and the health of our environment and communities.