To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector.

This bill creates a new Water Risk and Resilience Organization (WRRO) to help protect water systems from cyberattacks that could disrupt service. The Environmental Protection Agency (EPA) will select and oversee one independent group to write and carry out cybersecurity rules for “covered water systems.” The WRRO is not a federal agency.

How it works: the WRRO drafts cybersecurity requirements and an implementation plan with a timeline. EPA reviews them and generally defers to the WRRO’s technical expertise, but can send them back with specific fixes. The WRRO checks compliance through yearly self-attestations and audits at least every five years, and it sends EPA an annual report with only anonymized findings. If a system ignores approved rules, the WRRO can fine it—up to $25,000 per day—after notice and a chance to be heard. EPA can review penalties, and any fine money goes back into training and other support. States can still act to keep water safe, as long as their actions don’t conflict with these cybersecurity rules. The bill authorizes $10 million for this work.

• Who is affected: owners and operators of covered water systems; EPA; the new WRRO.
• What changes: new cybersecurity rules with public input, regular monitoring, and fines for violations.
• When: within 270 days of enactment, EPA must issue the rule to set this up; each requirement comes with its own schedule; penalties can’t take effect for at least 31 days after notice; audits happen at least every five years.