Summary

Creates a new, EPA-overseen regime that lets the EPA certify one nonprofit or other organization as the Water Risk and Resilience Organization (WRRO). The WRRO would write, file, and help enforce cybersecurity and resilience requirements for drinking water and wastewater systems that serve 3,300 or more people, subject to procedural protections, information-sharing limits, and EPA review. The EPA Administrator must issue a final rule within 270 days to set application and certification standards. The WRRO must include owners/operators among its members, protect sensitive security information, provide notice and opportunities for public comment, and follow fair enforcement and fee allocation rules. Covered water systems could be required to meet WRRO-set cybersecurity rules and face penalties under the regime.

• Establishes a federal process for certifying a single Water Risk and Resilience Organization (WRRO) to set cybersecurity and resilience rules for certain water systems.
• Applies to community drinking water systems and wastewater treatment works that serve 3,300 or more people.
• EPA must issue a final implementing rule within 270 days of enactment to govern applications and certification.
• WRRO applicants must show technical expertise, include owners/operators as members, and protect sensitive security information.
• WRRO must follow procedures for notice, public comment, due process, openness, and balanced development of requirements.
• WRRO must file proposed cybersecurity requirements with the EPA before they take effect; the regime includes enforcement and penalties.
• The law centralizes standard-setting in a single certified organization while keeping EPA oversight through certification and rulemaking.
• Potential benefits include stronger, coordinated cybersecurity protections; potential burdens include compliance costs and fee allocations for covered systems.