Recommendations of the CIPAC Metrics
Workgroup for Water

FINAL REPORT

June 2008


-------
TABLE OF CONTENTS

Acknowledgements	1

Executive Summary	2

Introduction	3

The (TPAC	3

Charter and Mission of the Metrics Workgroup	3

Workgroup Composition	4

Assumptions and Consideration of Previous Efforts	4

The Deliberative Process and Consensus	5

Utility Measures	7

Recommended Utility Measures and Implementation Approach	7

Proposed Measures for National Aggregate Reporting	9

Optional Utility Self-Assessment Questions	14

Small Systems Crosswalk	16

Other Actor Measures	18

Background on Recommendations	18

Recommended Other Actor Measures	19

Potential Longer-Term Outcome Measurement Areas to Explore	26

Measures Reporting	28

Utility Measures Reporting	28

Utility Reporting System Characteristics	31

Utility Reporting Baseline and Frequency	32

Other Actor Measures Reporting	33

Features of an Active and Effective Protective Program for Water and Wastewater Utilities
34

Introduction	34

The Features of an Active and Effective Protective Program	34

Attachment 1: Workgroup Charter	40

I.	Establishment and Designation	40

II.	Objectives	40

III.	Scope of Activities	41

IV.	Membership	42

V.	Operating Procedures and Ground Rules	42

Attachment 2: Workgroup Membership and Contact Information	43

Attachment 3: Workgroup Operating Procedures and Ground Rules	46

Workgroup Operating Procedures	46

I.	Participation	46

II.	Decision Making Process	47

III.	Facilitation	48


-------
IV.	Meeting Materials and Documentation	49

V.	Security Sensitive Information	49

VI.	Communication with the Press	50

Workgroup Ground Rules	50

Attachment 4: Recommended Utility Measures	52

Utility Activity Measures	52

Hazardous Chemicals Security Measures	57

Risk Reduction Outcome Measures	58

Attachment 5: Draft Small System Metric Crosswalk	65

Utility Measures	65

Attachment 6: Attribute Data and Banding Rules	68

Introduction	68

Section 1 - Attribute Data	68

Section 2: Data Management (Banding) Rules	70


-------
June 2008

ACKNOWLEDGEMENTS

The U.S. Environmental Protection Agency (EPA) would like to acknowledge everyone who
contributed to the development and finalization of this report containing the recommendations of
the CIPAC Metrics Workgroup for Water. The individuals identified below are members of the
Workgroup and devoted significant time, energy, effort, and resources to develop these
recommendations.

Jane Byrne, PhD

Director of Water Treatment

Hanahan Water Treatment Plant

Lucienne Nelson

CIP Program Manager

Department of Health and Human Services

Nick Catrantzos
Security Unit Manager
Metropolitan Water District of Southern
California

Debbie Newberry, co-chair

Chief, Security Assistance Branch, Water

Security Division

U.S. Environmental Protection Agency

Cynthia Finley
Director, Regulatory Affairs
National Association of Clean Water
Agencies

Bridget O'Grady

Policy and Legislative Affairs Manager
Association of State Drinking Water
Administrators

Damon Guterman
Drinking Water Program
Massachusetts Department of
Environmental Protection

William Komianos, co-chair
Director, Operational Risk Management
American Water Works Service Co., Inc.

John Laws

Water Infrastructure Specialist
Infrastructure Partnership Division
U.S. Department of Homeland Security

Kevin Morley

Regulatory Analyst & Security Committee,
Staff Secretary

American Water Works Association

Roger D. Selburg, PE

Manager, Division of Public Water Supplies
Illinois EPA

David Siburg

General Manager

Kitsap Public Utility District

James K. Sullivan

General Counsel

Water Environment Federation

Scott L. Szalkiewicz, C.H.E.S.

Health Program Supervisor
Office of Public Health Preparedness
CT Department of Public Health

Page 1


-------
June 2008

Vance Taylor

Government Affairs Coordinator	Ed Thomas

Association of Metropolitan Water Agencies	National Rural Water Association

The following subject matter experts also contributed to the Workgroup's efforts.

Cade Clark

Director of State Relations

National Association of Water Companies

Lydia Duckworth (alternate for Lucienne
Nelson)

Center for Enterprise Modernization
The MITRE Corporation

Laura Flynn

Office of Groundwater and Drinking Water,

Water Security Division

U.S. Environmental Protection Agency

Tanya Mottley

Associate Director, Water Security Division
U.S. Environmental Protection Agency

Alan Roberson

Director of Security and Regulatory Affairs
American Water Works Association

Marc Santora

Office of Groundwater and Drinking Water,

Water Security Division

U.S. Environmental Protection Agency

Greg Spraul

Office of Groundwater and Drinking Water,

Water Security Division

U.S. Environmental Protection Agency

John Whitler

Office of Water, Office of Ground Water
and Drinking Water, Water Security
Division, Security Assistance Branch
U.S. Environmental Protection Agency

Patti-Kay Wisniewski

U.S. Environmental Protection Agency,

Region 3

Page 2


-------
June 2008

EXECUTIVE SUMMARY

The CIPAC Metrics Workgroup for Water (the Workgroup) was convened by the Water Sector
Coordinating Council (SCC) and Government Coordinating Council (GCC) to develop a national
performance measurement system for the water sector and align the 14 Features of an Active and
Effective Security Program with the Water Sector Specific Plan (SSP) Goals and Objectives. The
Workgroup is composed of 18 members, including representatives of individual utilities,
drinking water and wastewater associations, and Federal and State government, selected by the
Water SCC and GCC. The Workgroup had four in-person meetings and a number of conference
calls over an eight month period, during which they reached consensus on items contained in the
Interim Final Report (dated October 2007):

•	16 utility measures;

•	Utility reporting system approach;

•	Intent for other actor measures; and

•	Updated Features of an Active and Effective Protective Program for Water and
Wastewater Utilities.

At the issue of the Interim Final Report, the Workgroup had also reached agreement on a process
for further work on hazardous chemical security measurement; risk reduction outcome
measurement; and the development of text and reporting process for other actor measures
consistent with the "intent" for those measures in the Interim Final Report.

Over the past three months, through in person meetings and additional conference calls, the
Workgroup has also reached consensus on the following items, contained in this Final Report:

•	Hazardous chemical security measures;

•	Risk reduction outcome measures;

•	Utility reporting baseline date and frequency;

•	Utility reporting implementation approach;

•	Other actor measures for states, associations, and federal agencies; and

•	A reporting approach for other actor measures.

Page 2


-------
June 2008

I	N

This final report transmits the consensus recommendations reached by the Critical Infrastructure
Partnership Advisory Council Metrics Workgroup for Water (Workgroup). All of the
recommendations contained within this report represent consensus of the Workgroup. This report
has been prepared with the assistance of Ross & Associates Environmental Consulting, Ltd.,
facilitators of the Workgroup process.

The CIPAC

The U.S. Critical Infrastructure Partnership Advisory Council (CIPAC) was established to
support implementation of the National Infrastructure Protection Plan (NIPP) and help
implement the sector partnership model set forth in the NIPP by coordinating Federal
infrastructure protection programs with programs and activities of the private sector and State,
local, territorial, and tribal governments. Members of the CIPAC include critical
infrastructure/key resources owners and operators and their designated trade or equivalent
organizations that are identified by members of Sector Coordinating Councils (SCC) and
representatives from Federal, State, local, and tribal government entities identified as members
of Government Coordinating Councils (GCC) for each sector.

Consistent with Section 201 of the Homeland Security Act of 2002, the Secretary of the
Department of Homeland Security (DHS) has exempted CIPAC and its workgroups from the
requirements of the Federal Advisory Committee Act.

Charter and Mission of the Metrics Workgrc	

The CIPAC Metrics Workgroup was convened by the Water SCC and GCC to develop a national
performance measurement system for the water sector. The Workgroup was asked to focus on
the following objectives:

Objective 1: Develop a national performance measurement system. Specifically:

•	Measures that align and support the goals and objectives of the Water Sector Specific
Plan (SSP);

•	A system for tracking measures;

•	A reporting structure; and

•	Protocols for collection, retention, and protection of information/reports.

Page 3


-------
June 2008

Objective 2: Align the 14 Features of an Active and Effective Security Program with the Water
SSP goals and objectives. Specifically:

•	Determine how the features support the goals and objectives of the Water SSP;

•	Ensure that the features explicitly and adequately address the concepts of response,
recovery, and all hazards; and

•	Streamline and combine features as appropriate.

Attachment 1 contains the complete Workgroup charter.

Wor 3 Composition	

The Water SCC and GCC selected 18 Workgroup members including representatives of
individual utilities, drinking and wastewater trade associations, and Federal and State
government. Debbie Newberry (USEPA) representing the GCC and William Komianos
(American Water) representing the SCC co-chaired the Workgroup. Subject matter experts
assisted the Workgroup in their deliberations. Attachment 2 contains a roster of Workgroup
members and subject matter experts.

Assumptions and Consideration of Previous Efforts	

The Workgroup operated under the following assumptions. For objective 1, development of a

national performance measurement system:

•	Reporting of data will be voluntary;

•	Data will be released to the public at the national level only in aggregate form (no utility-
specific, security-sensitive data will be made available to the public without a utility's
express consent);

•	Progress data submitted by individual utilities will be protected from public disclosure
(i.e., Freedom of Information Act or FOIA requests);

•	Data will be submitted to EPA anonymously, either through a third party in aggregated
form, or failing that, directly to EPA;

•	Decisions about national performance measures should be consistent with the Water SSP
vision, goals and objectives; and

•	Workgroup efforts will be coordinated with the DHS NIPP core metrics development.

Page 4


-------
June 2008

For objective 2, alignment of the 14 Features with the Water SSP:

•	The existing features should be optimized as much as possible;

•	The features should reflect the SSP, which was not completed at the time the existing
features were drafted; and

•	The SSP will not be re-written as part of the alignment effort.

The Workgroup used the following documents to start and as a basis for deliberations.

•	The Water SSP, in particular the vision, goals and objectives;

•	The National Drinking Water Advisory Council's Water Security Working Group
recommendations on the 14 Features of an Active and Effective Security Program and
three aggregate measures of water sector performance; and

•	The findings of the Measures Testing Group for National Aggregate Measures of Water
Security.

Iberative Process and Consensus	

Workgroup members sought to develop consensus recommendations. "Consensus" is defined in
the Workgroup Charter as recommendations that all members can "live with." The Workgroup
Operating Procedures and Ground Rules encouraged members to use interest-based negotiating
techniques to understand one another's needs and interests and reach consensus. Attachment 3
contains the Workgroup's Operating Procedures and Ground Rules.

The Workgroup had four in-person meetings, and a number of conference calls over an eight
month period, during which they reached consensus on items contained in the Interim Final
Report (dated October 2007):

•	16 utility measures;

•	Utility reporting system approach;

•	Intent for other actor measures; and

•	Updated Features of an Active and Effective Protective Program for Water and
Wastewater Utilities.

At the issue of the Interim Final Report, the Workgroup had also reached agreement on a process
for further work on hazardous chemical security measurement; risk reduction outcome
measurement; and the development of text and reporting process for other actor measures
consistent with the "intent" for those measures in the Interim Final Report.

Page 5


-------
June 2008

Over the past three months, the Workgroup has also reached consensus on the following items,
contained in this Final Report:

•	Hazardous chemical security measures;

•	Risk reduction outcome measures;

•	Utility reporting baseline date and frequency;

•	Utility reporting implementation approach;

•	Other actor measures for states, associations, and federal agencies; and

•	A reporting approach for other actor measures.

Page 6


-------
June 2008

U	S

The CIPAC Metrics Workgroup recommends a suite of utility measures that includes the 16
utility measures that were previously presented to and approved by the Water SCC/GCC (with a
few minor text edits to improve clarity), as well as measures of risk reduction outcomes and
security of hazardous chemicals. Attachment 4 contains the full set of recommended measures.

ommendi .' iity Measures a plementation Approach	

Coupled with the proposed measures, and critical to the Workgroup's consensus support for the
full suite of measures, is a recommendation for how best to proceed forward with water sector
metrics implementation. The recommendation prescribes focusing 2008 data collection on a
subset of "core" metrics, with the remaining measures proposed for utility self-assessment
purposes. Self-assessment measures will be available for utility internal use and will not be
connected to national reporting.

2008 Pa ection Measures

The core measures for 2008 data collection would include:

•	all of the 16 previously Council-approved, activity-based measures (U measures);

•	three (of the 15 total) risk reduction outcome measures (R measures); and

•	the hazardous chemicals measures.

Self-Assessment Measures

The remaining 12 risk reduction outcome measures would form the basis for an optional, self-
assessment tool for utilities and would reside as a clearly separate part of the national reporting
system. The self-assessment questions would be intended to help utilities gauge progress and
improvements that would likely result from implementation of the activities associated with the
core measures. The reporting system, by explicit design, will not support submission of self-
assessment information.

The Workgroup further believes the self-assessment tool should, at minimum, reference the "Ten
Features of An Active and Effective Protective Program." A primary purpose of the Features, as
refined during this Workgroup process, is to provide utility managers with a basic guide to
improved security and overall resiliency. The reporting tool and the associated self-assessment
represent an opportunity to raise awareness about and encourage the use of the Features.

Page 7


-------
June 2008

Finally, the Workgroup recommends that the self-assessment include a few basic questions
exploring respondent opinions regarding the utility of self-assessment information and the
potential burden associated with responding to these types of questions. This information can
help inform future national reporting efforts.

Workgroup deliberations indicated that the self-assessment holds the potential to create an
opportunity to improve small system efforts. Small systems, however, may be best served by
drawing upon existing and well-understood small systems tools and/or development of additional
tools. The Workgroup anticipates that key actors in the water sector will continue dialogue
beyond and outside of the CIPAC Workgroup to decide on the appropriate scope and investment
in self-assessment support for small systems, beyond the limited effort associated with the
national reporting tool.

Approach Rationale

The Workgroup believes this proposal addresses a variety of needs reflected in the Workgroup
deliberations. First, utilizing a core set of metrics will address concerns about redundancy and
reporting burden by focusing reporting on a relatively short set of straightforward core metrics.
Second, the tool, through the optional self-assessment questions, will potentially provide internal
management value to utilities - some Workgroup members have seen this as critical to
engendering and maintaining national reporting participation. Finally, this approach provides the
sector the opportunity to "test the waters" with a relatively compact initial reporting effort, while
gathering information on sector interest in a more expansive reporting tool and the benchmarking
or other benefits such an effort might represent.

Reporting Incentives

As a benefit for utility reporting on the core measures, the Workgroup proposes that utility
participants who submit data will be automatically enrolled in the basic WaterlSAC service. The
Workgroup believes this benefit will be a valuable incentive to improve participation rates. This
benefit would be renewed annually for participants in subsequent reporting cycles.

Additional Question in First Reporting Cycle

In the first reporting cycle (2008), the Workgroup proposes that the two sets of questions will be
fully separated with their different purposes described, and the reporting tool will not support
submission of the self-assessment information. The Workgroup proposes to ask respondents
about the value and viability of supporting submission of the self-assessment information in
future reporting cycles to make it available across the sector for benchmarking or other purposes.
While the exact question text will likely need refinement through beta testing, the Workgroup
proposes a few simple questions as listed below:

Page 8


-------
June 2008

•	Would you find it useful to have sector-wide data on these self-assessment questions?

•	How much time does it take to complete the self-assessment?

•	Would national reporting become too burdensome with the self-assessment questions
included?

•	Would you be willing to submit such data in the future?

The reporting tool will be enabled to allow participants, after they have viewed the self
assessment questions, to provide a response to the above questions.

Proposed Measures for National Aggregate Reporting	

The Workgroup recommends the following measures for 2008 national aggregate reporting. The
measures are organized by the SSP Goal they most closely support.

al 1; Sustain Protection of Public Health and the Environment
The nation relies on a sustained amount of safe drinking water and on the treatment of wastewater to
maintain public health and environmental protection. To help better protect and secure public and
environmental health, the water sector will work to ensure the continuity of both drinking water and
wastewater services.

Ul. Measure: Number and percentage of utilities that have integrated security and
preparedness into budgeting, training, and manpower responsibilities.

Question: Have you integrated security and preparedness into budgeting, training, and
manpower responsibilities (Y/N)?

U2. Measure: Number and percentage of utilities that incorporate security into planning and
design protocols applying to all assets and facilities.

Question: Have you incorporated security into planning and design protocols applying to
all assets and facilities (Y/N)?

U3. Measure: Number and percentage of utilities that routinely conduct supplemental
monitoring or more in-depth analysis beyond what is required to identify abnormal water
quality conditions.

Question: Do you routinely conduct supplemental monitoring or more in-depth analysis
beyond what is required to identify abnormal water quality conditions (Y/N)?

Page 9


-------
June 2008

U4. Measure: Number and percentage of utilities that have established relationships with
public health networks to interpret public health anomalies for the purposes of identifying
waterborne public health impacts.

Question: Have you established relationships with public health networks to interpret
public health anomalies for the purposes of identifying waterborne public health impacts
(Y/N)?

U5. Measure: Number and percentage of utilities that monitor and evaluate customer
complaints for possible indications of water quality or other security threats.

Question: Do you monitor and evaluate customer complaints for possible indications of
water quality or other security threats (Y/N)?

U6. Measure: Number and percentage of utilities that have established protocols (e.g.,
consequence management plans) for interpreting and responding to indications of water
quality anomalies.

Question: Have you established protocols (i.e., consequence management plans) for
interpreting and responding to indications of water quality anomalies (Y/N)?

al 2; Recognize ฃ duee Risks Water Sector
With an improved understanding of the vulnerabilities, threats, and consequences, owners and operators of
water sector utilities can continue to thoroughly examine and implement risk-based approaches to better
protect, detect, respond to, and recover from manmade and natural events,

U7. Measure: Number and percentage of utilities that annually review and periodically
update vulnerability assessments.

Questions: Do you review your vulnerability assessment (VA) annually (Y/N)?

How frequently do you update your VA to adjust for changes in your system that may
alter the risk profile of your utility (never update; annually; every 2-3 years; every 3-5
years; every 5-10 years; no defined cycle)?

U8. Measure: Number and percentage of utilities that receive screened, validated, and timely
(e.g., in time to inform decisions or take action) threat information from one or more
trusted sources such as WaterlSAC, the FBI, local police, or DHS.

Question: Does your utility receive screened, validated, and timely (e.g., in time to
inform decisions or take action) threat information from one or more of the following
sources (Y/N)? Please check all that apply.

-	WaterlSAC

-	FBI

Page 10


-------
June 2008

-	Local police

-	DHS

U9. Measure: Number and percentage of utilities that have a plan in place to increase utility
security in response to a threat.

Question: Do you have a plan in place to increase utility security in response to a threat
(Y/N)?

R2. Measure for Intruder Detection Capability: Percent of critical assets with enhanced
capability to detect intruders.

Question: What percent of your critical assets are protected by enhanced detection
capability?

Hazardous Chemicals Measure 1: Number and percent of utilities with physical and/or
procedural controls in place to safeguard hazardous chemicals.

Questions: If you use hazardous chemicals, do you have physical and/or procedural
controls in place to safeguard them(Y/N)?

If yes, do they include some or all of the following? (please indicate)

A.	Restrict Area Perimeter. Have you secured and do you monitor the perimeter of areas
containing hazardous chemicals (Y/N)?

B.	Screen and Control Access. Have you controlled access to restricted areas within the
facility by screening and/or inspecting individuals and vehicles as they enter (Y/N)?

C.	Shipping, Receipt, and Storage. Do you secure and monitor the shipping, receipt, and
storage of hazardous materials for the facility (Y/N)?

D.	Elevated Threats. Do you escalate the level of protective measures for periods of
elevated threat (Y/N)?

E.	Other physical or procedural controls (Y/N)? (For examples of physical and
procedural controls that can be used to safeguard hazardous substances, please see the
Department of Homeland Security risk-based performance standards as attached to this
survey as a sidebar.)1

1 The 18 performance standards — of which the A-D drop-down are a subset — would then be listed somewhere in
a sidebar or with other reference information to help respondents. Wording for A-D and sidebar information would
be updated, as necessary, to be consistent with DHS materials.

Page 11


-------
June 2008

Hazardous Chemicals Measure 2: Number and percentage of utilities that include gaseous
chlorine in their hazardous chemicals use.

Question: If you use hazardous chemicals, does your chemical use include gaseous
chlorine (Y/N)?

Hazardous Chemicals Measure 3: Number and percentage of utilities that have evaluated their
disinfection methods considering water quality, public health, and security issues.

Question: Have you evaluated your disinfection methods considering water quality,
public health, and security issues (Y/N)?

al 3; Maintain a Resilient Infrastruc
The water sector will investigate how to optimize continuity of operations to ensure the economic vitality of
communities and the utilities that serve them. Response and recovery from an incident in the water sector
will be crucial to maintaining public health and public confidence.

U10. Measure: Number and percentage of utilities that have a written business continuity
plan.

Question: Do you have a written business continuity plan (Y/N)?

Ull. Measure: Number and percentage of utilities that:

•	Have an emergency response plan (ERP)

•	Conduct training on their ERP

•	Carry out exercises on their ERP

•	Review and update their ERP on a periodic basis

Questions: Do you:

•	Have an emergency response plan (ERP) (Y/N)?

•	Conduct training on the ERP (Y/N)?

•	Carry out exercises on the ERP (Y/N)?

•	Review and update the ERP on a periodic basis (Y/N)?

U12. Measure: Number and percentage of utilities that have adopted the National Incident
Management System (NIMS).

Question: Has your utility adopted the National Incident Management System (NIMS)
(Y/N)?

Page 12


-------
June 2008

U13. Measure: Number and percentage of utilities that are signatories, or are in the process of
becoming signatories, to written agreements for requesting aid or assistance, such as a
mutual aid or assistance agreement or a Water/Wastewater Agency Response Network
(WARN) membership.

Questions: Is your utility a signatory to written agreements for requesting aid or
assistance, such as a mutual aid or assistance agreement or a Water/Wastewater Agency
Response Network (WARN) membership (Y/N)? If no, are you in the process of
creating an agreement (Y/N)?

U14. Measure: Number and percentage of utilities that have responded to an emergency
request to provide mutual aid and assistance.

Question: Has your utility responded to an emergency request to provide mutual aid and
assistance (Y/N)?

R9. Measure for Power Resiliency: Percent of utilities that have backup power for critical
operations.

Question: Does your utility have backup power for critical operations for:

•	24 hours?

•	48 hours?

•	96 hours?

RIO. Measure for Production Resiliency: Percent of utilities that can meet minimum daily
demand with their primary production/treatment plant non-functional.

Question: What percent of minimum daily demand can your utility meet with your
primary production/treatment plant non-functional for:

•	24 hours?

•	48 hours?

•	96 hours?

al 4; Increase Communications, Outreach, ai \ > ' ficlenee
Safe drinking water and water quality are fundamental to everyday life. An incident in the sector could have
significant impacts on public confidence. Fostering and enhancing the relationships between utilities,
government, and the public can mitigate negative perceptions in the face of an incident.

U15. Measure: Number and percentage of utilities that have plans to handle communications
during a crisis.

Page 13


-------
June 2008

Question: Do you have a crises communication plan (Y/N)?

U16. Measure: Number and percentage of utilities that engage in networking activities
regarding emergency preparedness and collaborative response in the event of an incident.

Question: Do you engage in networking activities regarding emergency preparedness
and collaborative response in the event of an incident (Y/N)?

Optional Utility Self-Assessment Questions	

For each of the optional utility self-assessment questions, utilities would be asked to determine a
date ("date X" in the questions below) from which to measure change or improvement. Utilities
will have the option of selecting the current reporting cycle as their baseline date or another date
past. In future reporting cycles, utilities would determine change since the previous reporting
cycle. These self-assessment questions would be clearly labeled as optional questions and would
be separate from the national measurement questions in the utility reporting tool.

Rl. Measure for Physical Security Capability: Percent of critical assets with physical
access controls in place.

Questions: What percent of your critical assets are currently protected by physical access
controls? What percent of your critical assets were protected by physical access controls
on date X?

R3. Measure of Water Contamination Decision Making Capability: Percent of utilities
that have protocols in place to complete site characterizations and make credibility
determinations eight hours or less after becoming aware of a potential water
contamination event (eight hour time frame based on Response Protocol Toolbox
recommendati on).

Questions: What is your current capability to make a water contamination threat
credibility determination? (within 20-30 hours, 8-20 hours; in 8 hours or less)? What
was it on date X?

R4. Measure for Information Protection Capability: Percent of utilities that have a
process in place for reviewing requests for and restricting access to critical infrastructure
information.

Questions: Do you have a process in place for reviewing requests for and restricting
access to critical infrastructure information? (Yes established process in place; No

Page 14


-------
June 2008

process being developed; Informal/ad hoc review) How would you have answered on
date X?

R5. Measure for SCADA Protection Capability: Percent of SCADA data transmission
networks that are segregated from telephony or Internet networks.

Questions: What percent of your SCADA data transmission network is segregated from
public telephony or Internet networks? What was the percentage on date X?

R6. Measure for Employee Security Investment: Percentage of time permanent employees
dedicate to security tasks.

Questions: What is your current annual FTE commitment to security tasks? What was it
on date X?

R7. Measure for Raw Water Source Supply Resiliency: Percent of utilities that can meet
100% of minimum daily demand with their primary raw water source unavailable.

Questions: What improvements have you seen in your ability to meet 100% of minimum
daily water demand with your primary raw water source unavailable? Not counting in
process or finished water storage, can you meet 100% of minimum daily demand with the
primary raw water source unavailable for 24 hours (Y/N), for 48 hours (Y/N), for 7 days
(Y/N), or other (please specify)? How does this compare with date X - e.g., previously
could meet 100% of minimum daily demand for 24 hours, or 7 days, or never?

R8. Measure for Finished Water Storage Resiliency: Average amount of time a utility can
meet 100% of minimum daily demand with stored finished water.

Questions: How long can you currently meet 100% of minimum daily demand with
stored finish water? How does this compare with date X - how long could you have met
100%) of minimum daily demand with stored finish water on date X?

Rll. Measure for Equipment Resiliency: For critical parts/equipment, the longest lead time
for repair/replacement.

Questions: For critical parts/equipment (as defined in your Vulnerability Assessment)
what is your current longest lead-time for repair or replacement? How does this compare
with date X (e.g., what was longest lead-time for repair or replacement)?

R12. Measure for Personnel Resiliency: Average number of excess (backup) response-
capable people available for critical operation and maintenance positions.

Questions: What is your current average number of response capable backup people for
critical operation and maintenance positions? What was it on date X?

Page 15


-------
June 2008

R13. Measure for Treatment Resiliency: Where chemicals are necessary to meet the Safe
Drinking Water Act standards for acute contaminants (i.e., E.coli, fecal coliform, nitrate,
nitrite, total nitrate and nitrite, chlorine dioxide, turbidity - as referenced in the list of
situations requiring a Tier 1 Public Notification under 40 CFR 141.202), the average
number of days that utilities can deliver 100% of minimum daily demand treated to meet
this subset of SDWA standards without any additional chemical deliveries.

Questions: Where chemicals are necessary to meet Safe Drinking Water Act standards
for acute contaminants (i.e., E.coli, fecal coliform, nitrate, nitrite, total nitrate and nitrite,
chlorine dioxide, turbidity - as referenced in the list of situations requiring a Tier 1 Public
Notification under 40 CFR 141.202), what is the current number of days you can deliver
100% of the minimum daily demand treated to meet this subset of SDWA standards
without any additional chemical deliveries? What was it on date X?

R14. Measure for Overall Response and Recovery Capability. Percent of utilities with
increased capability to respond to real events and exercises consistent with their
emergency response, business continuity, or other appropriate response plans.

Questions: How confident are you in your ability to respond to real events and exercises
consistent with your emergency response, business continuity, or other response plans?
(Measurement would be on a scale from very low to very high with an "I don't know"
option.)

R15. Measure for Reduced Service Event Capability: Number/percent of utilities that have
a protocol and necessary equipment and infrastructure in place to ensure continued water
availability to critical customers during a reduced-service event.

Questions: To what extent have you set priorities and planned for a reduced service
event? (established protocol; equipment and infrastructure in place; plan in place,
protocol, equipment and infrastructure being developed; no formal plan) How has this
changed since date X?

Sine terns Crosswalk	

The Water SSP states that "The most effective measures for small systems will be evaluated
through the CIPAC process and will rely heavily on the vulnerability assessment and emergency
response plan tool used by the majority of small systems." In consideration of this, the CIPAC
Metrics Workgroup came to consensus that the vulnerabilities, event consequences, and
capabilities of typical small utilities may be different than larger utilities. Attachment 5 contains
a crosswalk that incorporates the 16 utility activity measures into the tool used by the majority of
small systems. The crosswalk is intended to highlight commonalities between the two question

Page 16


-------
June 2008

sets and to enhance small systems' abilities to respond to and have confidence in the data
gathering process.

Page 17


-------
June 2008

OTHER ACTOR MEASURES

"Other actors" are the entities in the water sector that are accountable for achieving the SSP
Goals and Objectives and who are not utilities. State and Federal government agencies and
water sector associations are examples of other actors.

Background t	nmendations	

For States:

•	For all measures, there is a need to capture efforts related to both drinking water systems
and efforts related to wastewater systems - they most often are not implemented by the
same state program.

•	In implementation, the state measures will need to be specifically and separately tailored
for two distinct state regulatory agency audiences: those implementing Safe Drinking
Water Act requirements and overseeing drinking water utilities; and those implementing
Clean Water Act requirements and overseeing wastewater utilities.

•	The states felt strongly that the measures should emphasize their principal security role -
that is, assisting and supporting water and/or wastewater utilities through state programs.

•	With that in mind, there was an interest in more closely aligning state measures with
those being reported by utilities and with the SSP goals and objectives. State drinking
water programs have proposed an expanded set of state-focused other actor measures that
are aligned with the SSP goals and objectives and the activity measures for individual
utilities.

For Utility Associations:

•	It may be difficult for utility associations to make a specific count of activities such as
trainings or guidance documents because many association activities take place in a
distributed way. For example, once a utility signs a WARN, the development of materials
becomes more of a state-specific function. As such, a state branch of an association may
develop materials that the national branch doesn't keep track of.

•	Associations can educate utilities about WARNs, but ultimately the utility itself has to
decide to create or join one.

•	The relative emphasis of association SSP goal-related activity will shift over time as
needs in the sector change and evolve. A shift away from a focus in one area (e.g., mutual
aid and assistance) does not necessarily signal deficient emphasis.

Page 18


-------
June 2008

ommendi ' ler Actor Measures

The Workgroup reached consensus on the following suite of other actor measures, which are
organized by the SSP Goal they most closely support.

al 1; Sustain Protection of Public Health and the Environment
The nation relies on a sustained amount of safe drinking water and on the treatment of wastewater to
maintain public health and environmental protection. To help better protect and secure public and
environmental health, the water sector will work to ensure the continuity of both drinking water and
wastewater services,

OAl

Measure: Number of state drinking water and/or wastewater programs that have included
security assistance as part of routine activities that help water and/or wastewater utilities to
prepare security programs and response plans.

Questions to states:

•	Has your state drinking water program provided broadly targeted assistance
activities/initiatives to help water utilities develop or enhance an all hazards/security
response program (Y/N)?

•	Has your state wastewater program provided broadly targeted assistance
activities/initiatives to help wastewater utilities develop or enhance an all
hazards/security response program (Y/N)?

OA2

Measure: Number and percentage of Public Utility Commissions (PUCs) that have designated
personnel or a method in place to discuss security costs and issues with water and/or wastewater
utilities.

Question to PUCs: Does the Commission have designated personnel or a method in place to
discuss security costs and issues with water and/or wastewater utilities (Y/N)?

Does the Commission include security costs and issues in its rate making for drinking water and
wastewater utilities (Y/N)?

OA3

Measure: Whether or not EPA has developed an evaluation system for contaminant warning
systems.

Page 19


-------
June 2008

Question to EPA: Have you developed an evaluation system for contaminant warning systems
(Y/N)?

OA4

Measure: Number of contaminants of concern listed in the Water Contaminant Information Tool
(EPA product) that have updated analytical protocols and contaminant-specific treatment
information (response and recovery protocols) listed.

Question to EPA: How many contaminants of concern listed in the Water Contaminant
Information Tool (WCIT) have updated analytical protocols and contaminant-specific drinking
water and wastewater-treatment information listed (i.e., decontamination, health effects, etc.)?

OA5

Measure: Number of functional exercises conducted to test the implementation of the Regional
Drinking Water Laboratory Response Plans; number of training efforts conducted to enhance
capabilities of environmental laboratories and the water utility sector; and number of chemical
and biological methods developed and/or modified for use by laboratories when analyzing water
security event samples.

Questions to EPA:

•	How many functional exercises have been conducted to test the implementation of the
Regional Drinking Water Laboratory Response Plans?

•	How many training efforts have been conducted to enhance capabilities of environmental
laboratories and the water utility sector?

•	How many chemical and biological methods have been developed and/or modified for
use by laboratories when analyzing water security event samples?

al 2; Recognize ฃ duee Risks Water Sector
With an improved understanding of the vulnerabilities, threats, and consequences, owners and operators of
water sector utilities can continue to thoroughly examine and implement risk-based approaches to better
protect, detect, respond to, and recover from manmade and natural events,

OA6

Measure: DHS efforts to develop sector-specific CI/KR threat assessments needed to support
comprehensive risk assessments, including providing guidance on metrics for annual reporting
and national cross-sector comparative analysis.

Page 20


-------
June 2008

Question to DHS: Have you developed water sector-specific CI/KR threat assessments needed
to support comprehensive risk assessments, including providing guidance on metrics for annual
reporting and national cross-sector comparative analysis (Y/N)?

OA7

Measure: Number and geographic coverage of regional "fusion" centers that aid individual
utilities with timely access to actionable threat characterization and validation services.

Questions to DHS:

•	How many regional "fusion" centers that aid individual utilities with timely access to
actionable threat characterization and validation services have been created?

•	What is the regional coverage of the fusion centers?

OA8

Measure: Elapsed time (e.g., average hours) and quality of response when utilities call to check
threat information.

Question to DHS: What is the average elapsed time (e.g., average hours) and quality of response
when utilities call regional fusion centers to check threat information?

OA9

Measure: Number of state drinking water and/or wastewater programs that have provided or
supported outreach or training on design, implementation or updates to vulnerability
assessments.

Questions to states:

•	Has your state drinking water program performed any of the following activities:
provided or hosted, organized, or sponsored in coordination with water organizations
specific outreach or training on design, implementation or updates to vulnerability
assessments for drinking water systems serving <3300 (Y/N)?

•	Has your state wastewater program performed any of the following activities: provided or
hosted, organized, or sponsored in coordination with water organizations specific
outreach or training on design, implementation or updates to vulnerability assessments
for wastewater systems (Y/N)?

Page 21


-------
June 2008

al 3; Maintain a Resilient Infrastruc
The water sector will investigate how to optimize continuity of operations to ensure the economic vitality of
communities and the utilities that serwe them. Response and recovery from an incident in the water sector
will be crucial to maintaining public health and public confidence.

OAIO

Measure: Number of state drinking water and/or wastewater programs with staff that have the
credentials (NIMS/ICS training) necessary to participate in an incident command structure, if
such participation becomes necessary.

Questions to states:

•	Does your state drinking water program have staff with appropriate training to support
water system needs within the Incident Command Structure (Y/N)?

•	Does your state wastewater program have staff with appropriate training to support water
system needs within the Incident Command Structure (Y/N)?

OA11

Measure: Number of state drinking water and/or wastewater programs that have provided or
supported outreach or training on business continuity planning.

Questions to states:

•	Has your state drinking program performed any of the following activities: provided or
hosted, organized, or sponsored in coordination with water organizations specific
outreach or training for water utilities on the importance and need for a business
continuity plan (Y/N)?

•	Has your state wastewater program performed any of the following activities: provided
or hosted, organized, or sponsored in coordination with water organizations specific
outreach or training for wastewater utilities on the importance and need for a business
continuity plan (Y/N)?

OA12

Measure: Number of state drinking water and/or wastewater programs that have provided or
supported outreach or training on emergency response planning.

Page 22


-------
June 2008

Questions to states:

•	Has your state drinking water program performed any of the following activities:
provided or hosted, organized, or sponsored in coordination with water organizations
specific outreach or training for water utilities on the importance and need for an
emergency response plan (Y/N)?

•	Has your state wastewater program performed any of the following activities: provided
or hosted, organized, or sponsored in coordination with water organizations specific
outreach or training for wastewater utilities on the importance and need for an emergency
response plan (Y/N)?

OA13

Measure: Number of state drinking water and/or wastewater programs that participate in and/or

support development of a state-wide WARN or mutual aid network.

Questions to states:

•	If available in your state, has your state drinking water program participated in and/or
supported development of a WARN or mutual aid initiative (Y/N)?

•	If available in your state, has your state wastewater program participated in and/or
supported development of a WARN or mutual aid initiative (Y/N)?

OA14

Measure: Priority and type of mutual aid and assistance enabling activities conducted by other

actors.

Question(s) to Utility Associations, EPA, and DHS:

•	Relative to all of your SSP goal-related efforts during this reporting period, what has
been the priority (high, medium, or low) of providing mutual aid and assistance
implementation support to the water sector?

•	In what type(s) of mutual aid and assistance implementation support activity did your
organization engage?

o

No activity during this reporting period

o

General promotional efforts (such as identification in newsletter)

o

Targeted workshops and/or training

o

Development of research products

o

Development of guidance documents

o

Development of model agreements/templates

Page 23


-------
June 2008

o Other (please specify)

•	Do you expect the priority of these activities to change during the next reporting cycle
(yes/no) and, if yes to what (high, medium, or low)?

al 4; Increase Communications, Outreach, ai \ > ' ficlenee
Safe drinking water and water quality are fundamental to everyday life. An incident in the sector could have
significant impacts on public confidence. Fostering and enhancing the relationships between utilities,
government, and the public can mitigate negative perceptions in the face of an incident.

OA15

Measure: Priority and type of crises communication activities conducted by other actors.
Question(s) to Utility Associations, EPA, and DHS:

•	Relative to all of your SSP goal-related efforts during this reporting period, what has
been the priority (high, medium, or low) of providing crises communication
implementation support to the water sector?

•	In what type(s) of crises communication implementation support activity did your
organization engage?

o

No activity during this reporting period

o

General promotional efforts (such as identification in newsletter)

o

Targeted workshops and/or training

o

Development of research products

o

Development of guidance documents

o

Development of model agreements/templates

o

Other (please specify)

•	Do you expect the priority of these activities to change during the next reporting cycle
(yes/no) and, if yes to what level (high, medium, or low)?

OA16

Measure: Number of state drinking water and/or wastewater programs that participated in one or
more Federal or state level emergency response exercises in which the water sector was a focus.

Questions to states:

•	If offered, has your state drinking water program participated in any emergency response
exercise in which the water sector was a focus (Y/N)?

Page 24


-------
June 2008

•	If offered, has your state wastewater program participated in any emergency response
exercise in which the water sector was a focus (Y/N)?

OA17

Measure: Number of state drinking water and/or wastewater programs that have provided or

sponsored (including as a partner with one or more other sponsoring agencies) one or more

emergency response exercises for water and/or wastewater utilities.

Questions to states:

•	Has your state drinking water program provided or hosted, organized, or sponsored in
coordination with water organizations, one or more emergency response exercises for
water utilities (Y/N)?

•	Has your state wastewater program provided or hosted, organized, or sponsored in
coordination with water organizations, one or more emergency response exercises for
wastewater utilities (Y/N)?

Page 25


-------
June 2008

POTENTIAL LONGER-TERM OUTCOME
MEASUREMENT AREAS TO EXPLORE

The following potential longer-term, risk reduction outcome measures are those that are of
interest, but will require some time for significant background to develop before implementation
can take place. The measures, developed by the utility Subgroup, are presented solely as options
for future consideration.

Potential	easurement Areas for Federal Partners to Explore

1.	Measure for Overall Water Sector Resilience (#1): Percent of operational area emergency
activations (Emergency Operations Centers) that include a water-related emergency.

•	Operational area typically is a county.

•	This measure would allow the sector to track how often the water sector is
compromised in the context of emergencies. Improved resilience in the sector should
be reflected in a lower water sector percent participation in activations over time.

•	Measure would be drawn from FEMA data.

2.	Measure for Overall Water Sector Resilience (#2): Ratio of total annual FEMA
emergency dollars spent to number of water sector do not use and cessation of service days.

•	Total FEMA emergency dollars are being used as an indication of the number/extent
of natural or man-made disasters in a year.

•	Assuming annual FEMA emergency dollars spent equate to the number and
magnitude of national emergencies then, if the number of "water utility do not
use/cessation of service" counts drop per FEMA dollar over several years, then the
water sector can be seen as having improved resiliency in dealing with catastrophes.

Potential	easurement Areas for Associations and Utilities to Explore

3.	Measure for Overall Individual Utility Resilience (#1): Change in number of customer
day equivalents per annum that Safe Drinking Water Act standards are not achieved.

•	SDWA standards are being used as an indication of verified, compromised water
quality.

Page 26


-------
June 2008

•	24 hours for 1 customer equals 1 customer day equivalent; 1 hour for 24 customers
equals 1 customer day equivalent. This metric approach normalizes the data across
all sizes of utilities enabling easy comparison.

4.	Measure for Overall Individual Utility Resilience (#2): Change in number of customer
day equivalents per annum that customers are without service.

•	"Without service" means no pressure at the tap.

•	24 hours for 1 customer equals 1 customer day equivalent; 1 hour for 24 customers
equals 1 customer day equivalent. This metric approach normalizes the data across
all sizes of utilities enabling easy comparison.

5.	Measure for Overall Individual Utility Resilience (#3): Change in results of annual self-
assessments against the 10 Features of active and effective protective programs.

•	For each Feature, a utility would rank itself (e.g., from 1 to 5 with 1 defined as no
implementation and 5 defined as full implementation).

•	Measure would require the consistent use of an internal "team" of evaluators to
ensure reasonable consistency of judgments made from year-to-year.

6.	Measure for Utility Water Supply Resilience: Number of utilities that have addressed
fixed or transient interconnectivity?

•	"Transient" interconnectivity covers approaches that do not use fixed pipe, such as
temporary pipe, etc.

•	Potential Reporting options: established; engineering feasibility conducted; not
addressed; or does not apply.

7.	Measure for Overall Consequence Reduction: Change in expected value of economic
impacts due to loss of service over time?

•	Would require that the consequence assessment predictive economic impact model
include an adjustment factor for improved resiliency. (Current RAMCAP
development efforts may provide this capability.)

Page 27


-------
June 2008

MEASURES REPORTING

y Measures Reporting	

The following Workgroup recommendations on utility reporting address who should be invited
to report, who should collect, maintain and retain data, and data quality and protection.

Who Reports?

•	Reporting will be voluntary;

•	All water and waste water utilities (and combined utilities) of all sizes and types will be
invited to report; and

o Initial marketing and outreach may focus on acquiring data from large and
medium size systems (i.e., systems serving populations of 10,000 or greater); and
special outreach or tools may be necessary for small systems to improve their
response rate in the future.

•	All reports will be included in the national data set (aggregated).

What Attribute Data Are Collected?

The Workgroup membership has agreed that:

•	State location, population served (size), utility type (drinking water, wastewater,
combined, community, non-community, transient), and utility source/receiving water
type should be collected as attribute data; and

•	Specific requirements for data banding and/or other data management rules will protect
inappropriate combinations/reporting of attribute data (see "how is the identity of
reporters protected" below).

Who Builds and Administers the Reporting System, Collects and Retains the Data?

The Workgroup membership has agreed to the following.

•	System implementation and data collection will be undertaken by a third party.

•	Requirements for the third party are:

o Provides a system that is readily accessible and usable by all water utility types

and sizes at no cost to utilities;
o Has a plan to protect security-sensitive information of the type that might be
reported by utilities under the measurement program; and

Page 28


-------
June 2008

o Agrees to keep PIN codes confidential and protect the identity of reporters in
accordance with the conditions outlined in the section, "how is the identity of
reporters protected" below.

•	The Workgroup membership acknowledges that EPA is accountable to program
overseers and the public, and this accountability creates a need for sector progress data in
the short term (the Workgroup understands the need for and supports the development of
a reporting tool that will make data available to EPA and the states during 2008). In
response to this need, monthly tool development progress updates will be made available
upon request to Workgroup members and, if a written draft of the reporting tool
(containing the questions and associated definitions and directions, as well as the
proposed lay out and sequence of the questions) is not ready by March 31, 2008 and/or
the reporting tool is not ready for beta testing by April 30, 2008, EPA will need to move
forward to collect initial data. If EPA needs to collect initial data:

o The data collected will be consistent with the utility measures recommended in
this report (i.e., EPA will not unilaterally change the measures or questions
recommended by the Workgroup);

o The identity of reporters will be protected; depending on EPA's practical ability
to protect reporters' identities it may be necessary for reports to be fully
anonymous (i.e., no PIN code) and collection of some attribute data, such as state
location data, may need to be reconsidered; and

o As much as possible, the data will be gathered consistent with the third party
system under development allowing EPA to transfer the data to the third party
system once it is ready.

•	The Workgroup membership prefers that, if EPA data gathering is necessary under the
conditions above, it be only a one-time, stop-gap action that would not substitute for
eventual development of a successful third party system as recommended elsewhere in
this report.

What Assures Data Quality?

The Workgroup membership has agreed to the following.

•	The third party will use PIN codes to identify individual reporters for purposes of data
quality assurance and quality control (QA/QC) only. The "translation" of PIN code to
reporter identity will not be contained in the raw data set—it will be kept separate,
available only to the third party.

•	The third party may contact individual reporters (subject to conditions described below)
to ask questions about (and, if necessary, correct) data anomalies to ensure reporting is
accurate (e.g., to eliminate duplicate reporting).

Page 29


-------
June 2008

•	The full Workgroup membership acknowledges that some workgroup members anticipate
including PIN codes to allow for data QA/QC may reduce participation in the reporting
system and, therefore, if reporting rates are low, it may be necessary to reevaluate the
need for/merits of fully anonymous reporting (i.e., no PIN codes) after two years.

•	The third party will include a non-disclosure agreement in the utility reporting tool
(measures survey), indicating that the identity of participating utilities will not be
released or shared with other parties without the express permission of the individual
utility.

•	The third party will include a check-box in the utility reporting tool (measures survey) for
individual utilities to indicate if they do not want to be contacted for QA/QC. Any data
of questionable quality from utilities that indicate they do not want to be contacted will
not be included in the national data set and any analyses/reports produced from the data
set.

Wha- Approach to Validation or Verification of Responses?

The Workgroup membership agreed that the third party will not contact individual reporters to

validate/verify responses (e.g., assess a reporter's basis for answering a particular question or

questions).

How Is the Identity of Report iteeted?

The Workgroup membership agreed to the following.

•	The raw data set will not include specific utility identification data, such as names or
addresses.

•	Banding and/or data management rules for attribute data on population served and state
location must ensure that no data sorts (reports) can reveal the identity of an individual
utility or small set of utilities. For example, because there are fewer large systems, the
third party may not be able to aggregate at any level other than the national location level
or, if data are aggregated at the state location level, it may be necessary to include all
utilities of all sizes in the state aggregation to ensure protection of the individual
identities of large systems. The Workgroup membership directs that the third party
should develop the exact data aggregation and banding protocols during implementation
following the performance standard described above.

•	PIN codes will allow the third party to identify individual reporters for purposes of data
quality control and quality assurance only. The "translation" of PIN code to reporter
identity will not be in the raw data set - they will be kept separate available only to the
third party.

Page 30


-------
June 2008

Utility Reporting Syste aracteristics	

The Workgroup members identified a number of characteristics in addition to those already

covered in the previous recommendations, which they believe the utility reporting system, either

initially or in the future, should have. These include the following

•	Originator control of data;

•	User-friendly structure that hides complexity, perhaps using TurboTaxฎ as a model;

•	Ability to create customized reports for various audiences; and

•	Integrated, web-based planning and preparedness tool that has educational components
(e.g., links to resources).

The following includes additional Workgroup observations about each of these desired

characteristics.

Originator Control of Data

•	Originator control is going to be necessary in some form.

•	Originator control should be less about shielding information from peers, government,
etc., and more about knowing who you are giving data to and what they are doing with it.

•	Have agreements up front about where data resides, who has access, and for what
purpose.

User-Friendly Structure that Hidซ iplexity

•	It will be important for the tool to have a user-friendly structure that hides complexity.

•	TurboTaxฎ is a useful model. Two approaches could be used: 1) thin client/browser-
based on-line system (data resides on remote server); or 2) purchase software where files
reside on user's own computer. Either could be an option.

•	The tool should be customizable to the user.

•	To obtain valuable national aggregation, there would need to be minimum required fields
that all utilities would complete.

Ability to Create Customized Reports for Various Audiences

•	It will be important for the tool to be able to create customized reports.

•	Detailed reports for utilities could be produced locally (by the utility), while a less
detailed report could be what gets shared with the national collection body.

Page 31


-------
June 2008

Integrated, Web-Based Planning and Preparedne >1

The Workgroup also discussed that, in the future, the utility reporting tool could be developed
into an integrated, web-based planning and preparedness tool. The Workgroup supported a
phased implementation approach, beginning with a simple web-based reporting tool, with certain
optional questions available for self-assessment purposes, and developing a planning and
preparedness tool over time as experience dictates and resources allow.

The Workgroup also made the following observations about development of such a tool.

•	A new web-based planning and preparedness tool could be developed to do the kind of
teaching and linking to information that is needed. However, existing tools could provide
inputs/feed data into a new tool.

•	The tool should be a learning tool, with information embedded in links (for example,
links to suggested example practices).

•	If utilities see that what they report feeds into their own planning process, they will be
more likely to use the tool.

.' 'Oiling Baseline an	mcy	

uency

•	In the current absence of DHS reporting frequency guidance, the Workgroup
recommends reporting on an annual basis, provided that the reporting system is easy to
use and that reports (results) are generated and available to the sector quickly (i.e., do not
ask for new reporting if the results of the last report aren't yet available). As DHS
guidance becomes available, the Workgroup recommends that the WSCC/WGCC
explicitly consider the merits of aligning water sector reporting with this guidance to the
extent it differs from the annual approach recommended here.

•	Reports would be asked for in the same month every year, and during a month that is
more convenient for utilities. Utilities would be provided adequate lead-time for
response, but also have a "close" date, so reporting is closed for the year.

Baseline

The reporting baseline for all utility questions corresponding to the measures for national

aggregation would be the first reporting cycle.

Page 32


-------
June 2008

For the optional utility self-assessment questions, utilities would select an appropriate baseline
period based on: data availability, the period over which important changes have taken place, or
other criteria determined by the utility. The utilities will have the option of selecting the current
reporting cycle as their baseline or a date past. In future reporting cycles, and to the extent the
national reporting tool embraces additional measures, utilities would determine change since the
previous reporting cycle.

Other Actor Measures Reporting	

The following are the Workgroup recommendation on voluntary reporting by other actors -
states, federal agencies, and water sector associations. The Workgroup proposes a multi-path
approach to collection and aggregation of other actor measures data. The Workgroup believes
that several discussions about other actor measures reporting will need to continue beyond and
outside the Workgroup deliberations.

•	EPA would collect and aggregate data on federal measures from EPA programs and the
Department of Homeland Security.

•	The Workgroup deliberations considered the WSCC Secretariat (currently from AWWA)
as the entity to collect and aggregate data from water sector utility association measures.
The Workgroup agreed that a subset of the Workgroup members from the water sector
associations should continue discussions and develop a reporting approach for association
measures data.

•	The Workgroup agreed that a subset of the Workgroup members, including EPA,
ASDWA and the States should continue discussions and develop a reporting approach for
state and PUC measures data. The Workgroup identified the state and PUC measures as
having a special consideration around data collection should EPA be involved in the
reporting approach, as the number of states and PUCs would trigger Information
Collection Request (ICR) rules.

Page 33


-------
June 2008

FEATURES OF AN ACTIVE AND EFFECTIVE
PROTECTIVE PROGRAM FOR WATER AND
WASTEWATER UTILITIES

:tion

The water sector has developed the Features of an Active and Effective Protective Program to
assist owners and operators of drinking water and wastewater utilities (water sector) in
preventing, detecting, responding to, and recovering from all-hazards, including terrorist attacks
or natural disasters. The features are based on the National Drinking Water Advisory Council's
recommendation: 14 Features of an Active and Effective Security Program. The features
contained in this version update the original 14 to:

•	Capture the water sector's post Hurricane Katrina emphasis on "all hazards"
preparedness; and

•	Establish explicit alignment with the Water Sector-Specific Plan for Critical
Infrastructure Protection (Water Sector SSP) prepared under the framework of the
National Infrastructure Protection Plan (NIPP).

The features describe the basic elements for establishing a "protective program" for
owners/operators of utilities to consider as they develop utility-specific approaches.

Note: Throughout this document, the terms "protective program," "protection," or "protective"
are used to describe activities that enhance resiliency and promote continuity of service
regardless of the hazard a utility might experience. These activities address the physical, cyber,
and human elements of prevention, detection, response, and recovery.

I	res of an Active ai 1 1 ptective Program	

1. Encourage awareness and integration of a comprehensive protective posture into daily
business operations to foster a protective culture throughout the organization and
ensure continuity of utility services. (Most strongly aligned with SSP Goal 1, Objective

1.)

•	Senior leadership makes an explicit, easily communicated commitment to a program that
incorporates the full spectrum of protection activities.

•	Incorporate protection concepts into organizational culture.

Page 34


-------
June 2008

•	Foster attentiveness to protection among front line workers and encourage them to bring
potential issues and concerns to the attention of others; establish a process for employees
to make suggestions for protection improvements.

•	Identify employees responsible for implementation of protection priorities and establish
expectations in job descriptions and annual performance reviews.

•	Designate a single manager (even if it is not a full time duty) responsible for protective
programs. Establish this responsibility at a level to ensure protection is given
management attention and made a priority for line supervisors and staff.

•	Keep current on improvements and good protective practices adopted by other utilities.

•	Monitor incidents and available threat-level information; escalate procedures in response
to relevant threats and incidents.

2.	Annually identify protective program priorities and resources needed; support
priorities with utility-specific measures and self-assess using these measures to
understand and document program progress. (Most strongly aligned with Goal 1,
Objective 1.)

•	Annually identify and dedicate resources to protective programs in capital, operations,
and maintenance budgets; and/or staff resource plans.

•	Tailor protective approaches and tactics to utility-specific circumstances and operating
conditions; balance resource allocations and other organizational priorities.

•	Annually review protection commitments and improvement priorities with top
executives.

•	Develop measures appropriate to utility-specific circumstances and operating conditions.

•	Self-assess against the measures developed to understand and document program
progress.

3.	Employ protocols for detection of contamination while recognizing limitations in
current contaminant detection, monitoring, and public health surveillance methods.
(Most strongly aligned with Goal 1, Objectives 2 and 3.)

•	Recognize that water quality monitoring, consumer complaint surveillance, sampling and
analysis, enhanced security monitoring, and public health syndromic surveillance are
different, but related, elements of an overall contamination warning system. The
effectiveness of these components may vary from system to system.

•	Establish sampling and testing protocols for events (and suspected events) and
understand availability of, and be prepared to access, specialized laboratory capabilities
that can handle both typical and atypical contaminants.

Page 35


-------
June 2008

•	Track, characterize, and consider customer complaints to identify potential contamination
events.

•	Use security monitoring methods (e.g., intrusion detection devices such as alarms or
closed circuit television) to aid in determining whether a suspected contamination event
is the result of an intentional act. (Also see feature 5)

•	Establish working relationship with local, state, and public health communities to detect
public health anomalies and evaluate them for contamination implications.

4.	Assess risks and periodically review (and update) vulnerability assessments to reflect
changes in potential threats, vulnerabilities, and consequences. (Most strongly aligned
with Goal 2, Objectives 1-3, although is a critical contributor to Goal 1, Objective 1.)

•	Maintain current understanding and assessment of threats, vulnerabilities, and
consequences.

•	Utilities will need to adjust continually to respond to changes in threats, vulnerabilities,
and consequences.

•	Establish and implement a schedule for review of threats, vulnerabilities, and
consequences and their impact on the vulnerability assessment at least every three to five
years to account for factors such as, but not limited to, facility expansion/upgrades,
community growth, etc..

•	Reassess threats, vulnerabilities, and consequences after incidents and incorporate lessons
into protective practices.

•	Individuals who are knowledgeable about utility operations should conduct the reviews.
Include an executive in the review process to provide an ongoing conduit of information
to/from management.

•	Use a methodology that best suits utility-specific circumstances and operating conditions;
however, ensure the selected method supports the criteria outlined in the National
Infrastructure Protection Plan (NIPP).

5.	Establish physical and procedural controls to restrict access only to authorized
individuals and to detect unauthorized physical and cyber intrusions. (Most strongly
aligned with Goal 2, All Objectives.)

•	Identify critical facilities, operations, components, and cyber systems (such as SCAD A).

•	Develop and implement physical and cyber intrusion detection and access control tactics
that enable timely and effective detection and response.

•	Utilize both physical and procedural means to restrict access to sensitive facilities,
operations, and components; including treatment facilities and
supply/di stribution/collection networks.

Page 36


-------
June 2008

•	Define, identify, and restrict access to security-sensitive information (both electronic and
hard copy) on utility operations and technical details.

•	Establish means to readily identify all employees (e.g. ID badges).

•	Verify identity of all employees, contractors and temporary workers, with access to
facilities, through background checks as appropriate per local/state law and/or labor
contract and other agreements.

•	Test physical and procedural access controls to ensure performance.

6.	Incorporate protective program considerations into procurement, repair, maintenance,
and replacement of physical infrastructure decisions. (Most strongly aligned with Goal
2, All Objectives)

•	Bring forward protective program considerations early in the design, planning, and
budgeting processes to mitigate vulnerability and/or potential consequences and improve
resiliency over time.

•	Design and construction specifications should address both physical hardening of
sensitive infrastructure; and adoption of inherently lower risk technologies and
approaches where feasible.

•	Design choices should consider ability to rapidly recover and continue services following
an incident.

7.	Prepare emergency response, recovery, and business continuity plan(s); test and review
plan(s) regularly, update plan(s) as necessary to ensure NIMS compliance and to reflect
changes in potential threats, vulnerabilities, consequences, physical infrastructure,
utility operations, critical interdependencies, and response protocols in partner
organizations. (Most strongly aligned with Goal 3, Objectives 1 and 3.)

•	Understand the National Incident Management System (NIMS) guidelines established by
DHS (as well as community and state response plans and FEMA Public Assistance
procedures); and incident command systems (ICS). At a minimum, utility response and
recovery planning should be NIMS compliant.

•	Coordinate emergency plan(s) with community emergency management partners:

o Establish interoperable communications systems where feasible to maintain contact

with police, fire, and other first responder entities,
o Establish internal protocols to maintain communications with employees to ensure
safety and to coordinate response activities.

•	Implement backup plans and strategies for critical operations, including water supply and
treatment (to mitigate the potential public health, environmental, and economic
consequences of events), power, and other key components.

Page 37


-------
June 2008

•	Maintain plan(s) that are exercised at least annually, identify circumstances that prompt
implementation, and identify individuals responsible for implementation.

o Provide employees with appropriate security and preparedness training and education
opportunities.

o At least annually review plan(s) and conduct exercises that address the full range of
threats relevant to the utility.

o Update plan(s), as necessary, to incorporate lessons from training, exercises, and
incident responses.

•	Ensure plan(s) identify critical and time sensitive applications, vital records, processes,
and functions that need to be maintained; and the personnel and procedures necessary to
do so until utility has recovered. At a minimum, plan(s) should include a business impact
analysis and address need for power, communication (internal and external), logistics
support, facilities, information technology, and finance and administration-related
functions; including necessary redundancy and/or timely access to backup systems and
cash reserves.

8.	Forge reliable and collaborative partnerships with first responders, managers of critical
interdependent infrastructure, other utilities, and response organizations to maintain a
resilient infrastructure. (Most strongly aligned with Goal 3, Objectives 2 and 4.)

•	Partnerships should be forged in advance of an emergency, ensuring utilities and key
partners are better prepared to work together if an emergency should occur.

•	Partnerships with other local utilities, peers, and associations should emphasize formation
of, and participation in, mutual aid and assistance agreements such as a Water and
Wastewater Agency Response Network (WARNs).

•	Maintain awareness of industry best practices and available protective program-related
tools and training.

•	Establish relationship with critical customers (hospitals, manufacturing, etc.) to identify
interdependency issues that may impact business continuity.

•	Participate in joint exercises with identified partners as appropriate.

9.	Develop and implement strategies for regular, ongoing communication about protective
programs with employees, customers, and the general public to increase overall
awareness and preparedness for response to an incident. (Most strongly aligned with
Goal 4, Objective 1, although is critically supportive of Goal 1, Objectives 1 and 2.)

•	Establish public communications protocol, including pre-prepared public announcement
templates, to share critical information; and implement mechanisms for receiving
community feedback.

•	Public communication strategies should:

Page 38


-------
June 2008

o Identify means to reach customers and the general public with incident information;

o Provide a mechanism for customers and the public to communicate with appropriate

personnel about unusual or suspicious events;
o Inform customers about appropriate actions to enhance their preparedness for
potential incidents that may impact services; and

•	Internal communication strategies should:

o Increase and/or maintain employee awareness of protective program;

o Motivate staff to support protective program strategies and goals;

o Provide ways for staff to notify appropriate personnel about unusual or suspicious
activities;

o Ensure employees understand nature of, and restrictions on, access to security

sensitive information and/or facilities; and
o Ensure employee safety during an event or incident and enable effective employee
participation during response and recovery efforts.

•	Evaluate effectiveness of communication mechanisms over time.

10. Monitor incidents and available threat-level information; escalate procedures in

response to relevant threats and incidents. (Most strongly aligned with Goal 4,

Objective 2, although a critical contributor to Goal 1, Objective 1 and Goal 3, Objective

3.)

•	Develop standard operating procedures to identify and report incidents in a timely way
and establish incident reporting expectations.

o In the specific context of intentional threats and acts, ensure staff can distinguish
between normal and unusual activity (both on/off site) and know how to notify
management of suspicious activity.

•	Develop systems to access threat information, identify threat levels, and determine the
specific responses to take.

o Investigate available information sources locally, and at the state or regional level

(e.g., FBI Infraguard and Water ISAC).
o Where barriers to accessing information exist, make attempts to align with those who
can, and will, provide effective information to the utility.

•	Make monitoring threat information a regular part of the protective program designee's
job and share utility-, facility- and region-specific threat levels and information with key
staff and those responsible for protection.

Page 39


-------
June 2008

ATTACHMENT 1: WORKGROUP CHARTER

The following charter was adopted by the Workgroup on February 28, 2007.

I. Establishment and Designation	

The CIPAC Metrics Workgroup is convened by the Water Sector Coordinating Council (SCC)
and Government Coordinating Council (GCC) to develop a national performance measurement
system. As part of the process of developing the performance measurement system, the CIPAC
Metrics Workgroup intends to update the 14 Features of an Active and Effective Water Security
Program to encompass an all-hazards approach and align them with the goals and objectives of
the SSP.2 The Secretary of the Department of Homeland Security exempted CIPAC and its
workgroups (including the Metrics Workgroup) from the requirements of the Federal Advisory
Committee Act (FACA).3

Objectives	

The CIPAC Metrics Workgroup is expected to focus on the following objectives:

Objective (1) Development of a national performance measurement system. Specifically:

•	Developing measures that align and support the goals and objectives of the Water Sector
Specific Plan (SSP);

•	How to track measures;

•	How to structure reporting; and

•	Who will collect and retain information and how it will be protected.

Objective (2) Aligning the 14 features of an active and effective security program with the
Water SSP goals and objectives. Specifically:

•	Determine how the features support the various goals and objectives of the Water SSP;

•	Ensure that the features explicitly and adequately address the concepts of response,
recovery, and all-hazards; and

•	Streamline or combine the features as appropriate.

2	"performance measurement system" is a term used to summarize all the facets of collecting measurement data including, but not limited to, the
data elements to be reported, how the data will be reported, who will collect the data, and how the data will be protected from public disclosure.

3	For more information, see: http://www.dhs.gov/cipac

Page 40


-------
June 2008

Sco . 1 ivities	

The CIPAC Metrics Workgroup is expected to spend the bulk of its time on establishing a
national performance measurement system. The 14 features alignment with the Water SSP
should take no more than one multi-day in-person meeting and a minimum of one conference
call. Development of a national performance measurement system should take three in-person
meetings and several conference calls.

The scope of the activities includes:

Objective (1) Development of a national performance measurement system:

•	Assumptions

o Reporting of utility level data will be voluntary.

o Data will be released to the public at the national level only in aggregate form.
Therefore, no utility-specific security-sensitive data will be made available to the
public without the utility's express consent,
o Progress data from individual utilities submitted to the government will be
protected from public disclosure (i.e., FOIA).

o Decisions on national performance measures should be consistent with the Water
SSP's vision, goals, and objectives.

o CIPAC Workgroup efforts will be coordinated with DHS' National Infrastructure
Protection Plan (NIPP) core-metric development.

•	The Workgroup will deliberate for 6-8 months by having three 2-3 day in-person
meetings, in addition to conference calls and video conferencing as needed.

•	The final performance measurement system will be documented in a report, reviewed by
the Workgroup, and finalized by the full CIPAC. The final report will be provided to
EPA and DHS for use in the SSP in support of the NIPP.

Objective (2) Aligning the 14 features of an active and effective security program with the
Water SSP goals and objectives:

•	Assumptions

o The Workgroup should optimize the existing features as much as possible,
o The Sector Specific Plan will not be re-written in this process.

•	A detailed scope and agenda for the features update meeting will be developed before the
meeting.

Page 41


-------
June 2008

•	The Workgroup will meet once for 2-3 days to finalize updates to the features by the
conclusion of the meeting. These updates could then be quickly rolled out to the water
sector.

•	The finalized features, decided upon at the meeting, will be documented in a report,
reviewed by the Workgroup, and finalized by the full CIPAC. The final report will be
provided to EPA and DHS for use in the SSP.

•	The following documents will serve as the starting place, and basis for, objectives 1 and 2
of the CIPAC Metrics Workgroup deliberations:

o Water SSP, in particular the vision, goals, and objectives;

o NDWAC recommendations on 14 Features of Active and Effective Security
Programs and three aggregate measures of sector performance; and

o Findings of the Measures Testing Group (MTG) for National Aggregate Measures
of Water Security.

IV. Membership	

The Water Sector Coordinating Council (SCC) will select representatives from sitting members
of the Council, association staff and/or their membership. The Government Coordinating
Council (GCC) will choose government representatives for the metrics Workgroup. The SCC
will strive to have 8 to 10 representatives on the Workgroup; the GCC will strive to have 4 to 5.

V. Operating Procedures and Groom ;s	

The CIPAC Metrics Workgroup is expected to follow the Workgroup Operating Procedures and
Ground Rules.

Page 42


-------
June 2008

ATTACHMENT 2: WORKGROUP MEMBERSHIP AND

CONTACT INFORMATION

Jane Byrne, PhD

Director of Water Treatment
Hanahan Water Treatment Plant
1104 Hanahan Road
Hanahan, South Carolina 29406
Ph: 843.863.4014
Cell: 843.297.1071
ByrneJF@CharlestonCPW.com

Nick Catrantzos

Security Unit Manager

Metropolitan Water District of Southern

California

700 N. Alameda Street
Los Angeles, California 90012
Ph: (0)213.217.7134
ncatrantzos@mwdh2o.com

Cynthia Finley

Director, Regulatory Affairs
National Association of Clean Water
Agencies

1816 Jefferson Place, N.W.

Washington, DC 20036-2505
Ph: 202.296.9836
cfinley@nacwa.org

Damon Guterman

Drinking Water Program
Massachusetts Department of
Environmental Protection
1 Winter Street, 5th Floor
Boston, MA 02108
Ph: 617.574.6811
damon.guterman@state.ma.us

William Komianos, co-chair
Director, Operational Risk Management
American Water Works Service Co., Inc.
1025 Laurel Oak Road
Voorhees, NJ 08043
Ph: 856.309.4519
William.Komianos@amwater.com

John Laws

Water/Dams Infrastructure Specialist
Infrastructure Partnership Division
Department of Homeland Security
3801 Nebraska Avenue, Bldg 20, 2nd floor
Washington, D.C. 20528
Ph: 202.447.3042
Cell: 202.680.4373
john.laws2@dhs.gov

Kevin Morley

Regulatory Analyst & Security Committee,
Staff Secretary

American Water Works Association
1300 Eye Street NW
Suite 701W

Washington, DC 20005-3314
Ph: 202.628.8303
Fax: 202.628.2846
kmorley@awwa.org

Lucienne Nelson

CIP Program Manager

Department of Health and Human Services

200 Independence Ave. S.W.

Washington, DC 20201

Lucienne.Nelson@hhs.gov

Ph: 202.205.5781

Fax: 202.690.6056

Page 43


-------
June 2008

Debbie Newberry, co-chair

Chief, Security Assistance Branch, Water

Security Division

Environmental Protection Agency

1200 Pennsylvania Avenue, NW

Mail Code: 4601 M

Washington, DC 20460

Ph: 202.564.1415

newberry.debbie@epa.gov

Bridget O'Grady

Policy and Legislative Affairs Manager

Association of State Drinking Water

Administrators

1401 Wilson Blvd, Suite 1225

Arlington, VA 22209

Ph: 703.812.4772

Fax: 703.812.9506

bogrady@asdwa.org

Roger D. Selburg, PE

Manager, Division of Public Water Supplies

Illinois EPA

PO Box 19276

Springfield, IL 62794

Ph: 217.782.1722

Fax: 217.782.0075

roger. selburg@Illinoi s. gov

David Siburg

General Manager
Kitsap Public Utility District
PUD #1 of Kitsap County
1431 Finn Hill Road
P.O. Box 1989

Poulsbo, Washington 98370-0933
Ph: 360.626.7703
Cell: 360.620.7680
dave@kpud.org

Jim Sullivan

Water Environment Federation
601 Wythe Street
Alexandria VA 22314
Ph: 703.684.2436
Fax: 703.684-2413
j sullivan@wef. org

Scott L. Szalkiewicz, C.H.E.S.

Health Program Supervisor

Office of Public Health Preparedness

CT Department of Public Health

410 Capitol Ave., MS# 12PHP

P.O. Box 340308

Hartford, CT 06134-0308

Ph: 860.509.8100

Fax: 860.509.7987

scott. szalkiewicz@po. state.ct.us

Vance Taylor

Association of Metropolitan Water Agencies
1620 I Street, NW, Suite 500
Washington, DC 20006
Ph: (O) 202.331.2820
taylor@amwa.net

Ed Thomas

National Rural Water Association
101 Constitution Ave, NW Suite 900
Washington DC 20001
Ph: 202.742.4413
Cell: 443.739.1358
thomas@rural water. org

Page 44


-------
June 2008

Subject Matter Experts

Cade Clark, staff to Bill Komianos

Director of State Relations

National Association of Water Companies

1725 K Street, NW Suite 200

Washington, DC 20006

Ph: 202.466.3331

cade@nawc.com

Lydia Duckworth, alternate for Lucienne
Nelson

Center for Enterprise Modernization
The MITRE Corporation
Ph: 301.429.2241
1 duckworth@mitre. org

Laura Flynn, staff to Debbie Newberry
Environmental Protection Agency
1200 Pennsylvania Avenue, N. W.

Mail Code: 4601M
Washington, DC 20460
Ph: 202.564.4611
flynn.laura@epa.gov

Tanya Mottley

Associate Director, Water Security Division

Environmental Protection Agency

1200 Pennsylvania Avenue, N. W.

Mail Code: 2722A

Washington, DC 20460

Ph: 202.566.0818

mottley.tanya@epa.gov

Alan Roberson

Director of Security and Regulatory Affairs
American Water Works Association
1300 Eye Street NW, Suite 701W

Washington, DC 20005-3314
Ph: 202.628.8303
aroberson@awwa.org

Marc Santora, staff to Debbie Newberry

Office of Groundwater and Drinking Water

Environmental Protection Agency

1200 Pennsylvania Avenue, NW

Mail Code: 4601 M

Washington, DC 20460

Ph: 202.564.1597

Fax: 202.564.8513

santora.marc@epa.gov

Greg Spraul, staff to Debbie Newberry
Environmental Protection Agency
1200 Pennsylvania Avenue, NW
Mail Code: 4601M
Washington, DC 20460
Ph: 202.564.0255
spraul. greg@epa. gov

John Whitler, staff to Debbie Newberry
Environmental Protection Agency
1200 Pennsylvania Avenue, NW
Mail Code: 4601M
Washington, DC 20460
Ph: 202.564.1929
whitler.john@epa.gov

Patti-Kay Wisniewski, staff to Debbie
Newberry

Environmental Protection Agency, Region 3

1650 Arch Street

Mail Code: 3WP21

Philadelphia, PA 19103-2029

Ph: 215.814.5668

wisniewski.patti-kay@epa.gov

Page 45


-------
June 2008

ATTACHMENT 3: WORKGROUP OPERATING
PROCEDURES AND GROUND RULES

WORKGROUP OPERATING PROCEDURES

The following operating procedures were adopted by the Workgroup on February 28, 2007.

1. Participation	

ml

CIPAC Metrics Workgroups will consist of water utility representation, association staff and
federal, state and local government representatives. The SCC and the GCC will each select their
representatives for the workgroup. The number of representatives attending a particular meeting
is expected to vary depending on the meeting agenda. The CIPAC Metrics Workgroup will have
two co-chairs (one water sector representative and an EPA representative).

Expectations

Direct participation of all members is essential to the success of the CIPAC Metrics Workgroup.
For that reason, members are asked to make every effort to attend in-person meetings and
participate in conference calls.

All members are expected to participate throughout the duration of the process. However, any
member may withdraw from a CIPAC Metrics Workgroup at any time. In the event a member
decides to withdraw from the process, he or she will be asked to document the reasons for their
withdrawal and may be replaced by the Coordinating Councils with another representative of
similar expertise and interest. Further expectations are described in the Ground Rules.

Alternates

In the rare event that a designated member is unable to participate in a particular meeting or
conference call, another person from that member's organization (i.e., utility, Agency, state, or
association) may attend the meeting in his or her place as an alternate. It is the responsibility of
the workgroup member to ensure that any alternate is fully briefed and prepared to participate in
workgroup deliberations and decision making on behalf of the member and the member's
organization.

Page 46


-------
June 2008

Co-Chairs

To facilitate close coordination with the Water SCC and GCC throughout the process one co-
chair will also be a full voting member of the SCC and the other co-chair will be from EPA and
represent the GCC. The co-chairs will strive to represent not only their own views but also the
views of their colleagues from the SCC or GCC, respectively, and the views of their colleagues
on the workgroup.

The role of the Workgroup co-chairs is to:

•	Open and close meetings;

•	Work with the facilitation team to run meetings and keep deliberations on point and on
schedule;

•	Assist in consensus building;

•	Make decisions about subject matter experts;

•	Make final decisions about process, scope, and schedule in accordance with the Charter;

•	Ensure coordination between the workgroup and the SCC and GCC; and

•	Work with the facilitation team between meetings.

Subject Matter Experts

Subject matter experts may participate in CIPAC Metrics Workgroups, as needed. Subject
matter experts advise the CIPAC Metrics Workgroup, but do not participate in workgroup
decision making. Any CIPAC Metrics Workgroup member may request a subject matter expert.
However, the final decision on whether to provide particular subject matter experts is to be made
by the co-chairs. The DHS CIPAC office will be notified of any subject matter experts.

Decision Making Process	

Consensus

The CIPAC Metrics Workgroup intends to use a collaborative, problem-solving approach in their
work. The workgroup will strive for consensus among participating members. Consensus is
defined as decisions that all participants can "live with." Consensus will be assessed using a
variety of techniques including discussion, "straw polling," and review/acceptance of written
documents.

If the CIPAC Metrics Workgroup has trouble reaching consensus on a particular issue, the co-
chairs will work with the membership to seek common ground. If common ground cannot be
achieved after extensive discussion, the co-chairs will document the divergent views and forward
them to the SCC and GCC for resolution. After the divergent views are forwarded to the SCC

Page 47


-------
June 2008

and GCC, each Council would first come to resolution independently, the SCC would use their
decision making process and the GCC would use theirs. After each Council resolves the issue
within their own body, the SCC and GCC would come together to reach consensus and a final
resolution.

Rules of Engagement

Successful consensus building depends on mutual respect and careful listening among members.
Meetings and conference calls will be structured to support a respectful atmosphere, encourage
the development of trust and understanding, and provide for participation of all CIPAC Metrics
Workgroup members. Workgroup members are encouraged to frame observations in terms of
needs and interests (e.g., it is critically important to my utility that security sensitive information
is kept confidential) rather than positions (e.g., it is not acceptable under any conditions to
release security sensitive information from this utility). Opportunities for finding solutions
increase dramatically when discussion focuses on needs and interests.

Meetings

Meetings of the CIPAC Metrics Workgroup will be closed to the public. A schedule of meeting
dates and times will be developed by the facilitator who will work towards scheduling meetings
at times when all workgroup members can attend.

Reporting

The CIPAC Metrics Workgroup will develop a report documenting their process and decisions.
This document will be provided to the full CIPAC. Once the full CIPAC concurs with the
report, it will forward the document to EPA and DHS for use with the Water SSP/NIPP
framework.

ilitation

A neutral, third-party facilitation team will support the CIPAC Metrics Workgroup.

The facilitation team will work with the CIPAC Metrics Workgroup Co-Chairs to:

•	Develop draft meeting agendas, materials, and summaries, draft reports based on the
workgroups decisions and develop supporting documents;

•	Facilitate workgroup meetings to ensure that the perspectives of all members come
forward, to maintain a respectful atmosphere, and keep discussions on track and on
schedule;

•	Work with members between meetings and conference calls to support understanding and
consensus building;

Page 48


-------
June 2008

•	Work with members to identify, organize, synthesize, and provide information and other
material needed to support deliberations;

•	Support any necessary decision making; and

•	Coordinate activities with the DHS - NIPP PMO.

IV. Meeting Materials and Documentation	

The facilitation team will strive to distribute meeting agendas and supporting materials at least
one week before meetings and conference calls. Summaries of key discussion points, tentative
areas of agreement and action items will be prepared by the facilitation team and provided to
members for review. These summaries should be distributed within two weeks of meetings and
conference calls. Final summaries will be distributed after incorporation of member's comments.

Documents shared in CIPAC Metrics Workgroup meetings may be subject to the Freedom of
Information Act. All documents produced by or on behalf of the CIPAC Metrics Workgroup are
to be handled in accordance with Chapter 3.0 of the CIPAC Operational Guidance, "Document
Handling and Protection."

Electronic communication mechanisms (largely email) will be used to the greatest extent
possible to distribute meeting materials, summaries, and references.

V. 1 . siti1 ?rmation	

Definition of Security-Sensitive Information

For purposes of Workgroup deliberations, security-sensitive information is: (1) information on
system-specific, attributable tactical security procedures; and (2) integrated or aggregated detail
on security (e.g., by aggregating information from previous un-aggregated sources) that creates a
clear picture of a specific strike opportunity. Information that is already available in the public
domain in the same form and at the same level of detail discussed by the CIPAC Metrics
Workgroup is not security sensitive.

Procedures for Discussion of Security-Sensitive Information

The following procedures will be used for discussion of security-sensitive information.
• Workgroup members who choose to raise or discuss security-sensitive information will
indicate that they consider the information they are sharing security sensitive. Unless
permission is given, Workgroup members will not discuss such information outside
Workgroup meetings.

Page 49


-------
June 2008

•	The general topics of discussion covered during the meeting will be documented in the
meeting summary; discussion details will not be summarized.

•	Any security sensitive meeting materials that are distributed during the meeting will be
collected at the end of the meeting unless the Workgroup decides that the materials are
suitable for public disclosure.

•	The Workgroup will evaluate discussions at the end of the meeting and determine if
security-sensitive information that was discussed requires protection going forward. A
low threshold for identification of security-sensitive information is appropriate, and any
participant can distinguish information as security sensitive.

Limit 3 of Security-Sensitive Information

To maximize the usability of their report, the Workgroup will strive to limit inclusion of security

sensitive information in the written materials they consider and produce.

ฅ1. Communication with tl

The way in which workgroup deliberations are publicly characterized will affect the group's
ability to function effectively. Workgroup members should refer inquiries from the press to the
co-chairs of the CIPAC Metrics Workgroup or to final meeting summaries or other final
workgroup materials. Individuals who choose to speak with the press should limit their remarks
to personal views and to refrain from characterizing the views of, or attributing comments to, the
full workgroup, other individual members, or the SCC or the GCC.

WORKGROUP GROUND RULES

1.	All members of the CIPAC Metrics Workgroup have equal representation and equal
opportunities to participate.

2.	Discussions will stay within the objectives and scope of the CIPAC Metrics Workgroup
Charter, dated February 28, 2007; conduct and protocols at meetings will be consistent with
the CIPAC Metrics Workgroup operating procedures dated February 28, 2007.

3.	Collaborative problem solving depends on mutual respect and careful listening among
participants and on active participation by all. Participants will strive for honest and direct
communication and a focus on interests and needs (e.g., it is critically important to my utility
that we maintain as confidential security sensitive information) rather than positions (e.g., it
is not acceptable under any conditions to release security program-related information from
this utility).

Page 50


-------
June 2008

4.	Participants will allow for open discussion and the right to disagree, and will look for
opportunities to find common interests, agreements, and solutions.

5.	Participants will focus on clarifying their own views and interests; they will refrain from
characterizing the views of other participants especially in conversations with the press.

6.	Participants and/or the facilitator may request a caucus break at any time during a meeting.
In order to keep the flow of meetings on track, individual caucus breaks may not exceed 15
minutes

7.	The facilitator is a neutral third party with no stake in the outcome of the project. Ross &
Associates will structure meetings to support a respectful atmosphere and the development of
trust among participants.

8.	Meetings are expected to start and end on time.

Page 51


-------
June 2008

ATTACHMENT 4: RECOMMENDED UTILITY MEASURES

Attachment 4 contains the full suite of utility measures recommended by the Workgroup.

The Workgroup developed utility measures through a process recommended by the Water SCC.
The process began with examining the Water SSP to identify the key partners, resources, outputs
and outcomes associated with each Goal and Objective.

The Workgroup recommends the following measures of utility progress. The measures are
presented in the form of questions that utilities would answer. Most are simple and call for a
binary, "yes/no" response. The Workgroup believes this simple approach is an appropriate way
to begin a measurement system. Over time, the sector may desire to move towards a performance
progress structure, where degrees of progress can be communicated. A few of the recommended
measures use this more detailed approach. Key terms that require further information and/or
definition are identified in an "Other Observations" section associated with each measure.

UTILITY ACTIVITY MEASURES

The following are the 16 activity-based utility measures that were previously recommended by
the Workgroup and approved by the WSCC7WGCC in October 2007. The Workgroup has some
minor word changes to the measures to improve clarity, but not to change the intent of the
measures previously approved.

Ul. Measure: Number and percentage of utilities that have integrated security and
preparedness into budgeting, training, and manpower responsibilities.

Question: Have you integrated security and preparedness into budgeting, training, and
manpower responsibilities (Y/N)?

U2. Measure: Number and percentage of utilities that incorporate security into planning and
design protocols applying to all assets and facilities.

Question: Have you incorporated security into planning and design protocols applying to
all assets and facilities (Y/N)?

Additional Workgroup Observations:

•	"Planning and design protocols" needs to be defined.

•	The Workgroup intended this measure to cover all parts of the facilities, including
the collection and distribution systems.

Page 52


-------
June 2008

U3. Measure: Number and percentage of utilities that routinely conduct supplemental
monitoring or more in-depth analysis beyond what is required to identify abnormal water
quality conditions.

Question: Do you routinely conduct supplemental monitoring or more in-depth analysis
beyond what is required to identify abnormal water quality conditions (Y/N)?

Additional Workgroup Observations:

• The phrase "beyond what is required to identify abnormal water conditions" is
imprecise and raises questions as to what the question is referring to.
Clarification will be needed.

U4. Measure: Number and percentage of utilities that have established relationships with
public health networks to interpret public health anomalies for the purposes of identifying
waterborne public health impacts.

Question: Have you established relationships with public health networks to interpret
public health anomalies for the purposes of identifying waterborne public health impacts
(Y/N)?

Additional Workgroup Observations:

• The phrase "established relationships" is very open-ended and could be defined in
a number of ways. For instance, a one-time contact does not necessarily qualify
as a relationship. There should be some kind of periodic ongoing contact to
qualify as a "relationship."

U5. Measure: Number and percentage of utilities that monitor and evaluate customer
complaints for possible indications of water quality or other security threats.

Question: Do you monitor and evaluate customer complaints for possible indications of
water quality or other security threats (Y/N)?

U6. Measure: Number and percentage of utilities that have established protocols (e.g.,
consequence management plans) for interpreting and responding to indications of water
quality anomalies.

Question: Have you established protocols (i.e., consequence management plans) for
interpreting and responding to indications of water quality anomalies (Y/N)?

Additional Workgroup Observations:

• "Consequence management plans" will need to be defined. The Water Security
Initiative currently uses this term, and the Workgroup believed consistency would
be helpful.

Page 53


-------
June 2008

U7. Measure: Number and percentage of utilities that annually review and periodically
update vulnerability assessments.

Questions:

Do you review your vulnerability assessment (VA) annually (Y/N)?

How frequently do you update your VA to adjust for changes in your system that may
alter the risk profile of your utility? (never update; annually; every 2-3 years; every 3-5
years; every 5-10 years; no defined cycle)?

Additional Workgroup Observations:

•	The difference between VA review and VA update will need to be defined.

U8. Measure: Number and percentage of utilities that receive screened, validated, and timely
(e.g., in time to inform decisions or take action) threat information from one or more
trusted sources such as WaterlSAC, the FBI, local police, or DHS.

Question: Does your utility receive screened, validated, and timely (e.g., in time to
inform decisions or take action) threat information from one or more of the following
sources (Y/N)? Please check all that apply.

-	WaterlSAC

-	FBI

-	Local police

-	DHS

U9. Measure: Number and percentage of utilities that have a plan in place to increase utility
security in response to a threat.

Question: Do you have a plan in place to increase utility security in response to a threat
(Y/N)?

Additional Workgroup Observations:

•	There will be a need to define "threat" here. It would be easy to envision very
different interpretations of the kinds of things that might constitute a threat.

U10. Measure: Number and percentage of utilities that have a written business continuity
plan.

Question: Do you have a written business continuity plan (Y/N)?

Additional Workgroup Observations:

Page 54


-------
June 2008

•	The term "business continuity plan" needs to be clearly defined (e.g., does it
incorporate emergency response plans?).

•	One option for a definition of "business continuity" could be: "A comprehensive
managed effort to prioritize key business processes, identify significant threats to
normal operation, and plan mitigation strategies to ensure effective and efficient
organizational response to the challenges that surface during and after a crisis and
establish minimum requirements for sustaining essential business operation while
recovering from a significant disruption." This definition is derived from
Subgroup deliberations.

Ull. Measure: Number and percentage of utilities that:

•	Have an emergency response plan (ERP)

•	Conduct training on their emergency response plan (ERP)

•	Carry out exercises on their ERP

•	Review and update their ERP on a periodic basis.

Questions: Do you:

•	Have an emergency response plan (ERP) (Y/N)?

•	Conduct training on the ERP (Y/N)?

•	Carry out exercises on the ERP (Y/N)?

•	Review and update the ERP on a periodic basis (Y/N)?

Additional Workgroup Observations:

•	The ERP may be part of an overall business continuity plan.

•	The term "emergency response plan" needs to be clearly defined.

•	There will be a need to clarify under what conditions a respondent will get
"credit" - will it be if these exercises have ever been done, or will the question
refer to a particular discrete time frame?

U12. Measure: Number and percentage of utilities that have adopted the National Incident

Management System (NIMS) as part of emergency response planning.

Question: Has your utility adopted NIMS as part of its emergency response plan (Y/N)?

Additional Workgroup Observations:

•	"NIMS" needs to be clearly defined. The reporting tool must identify NIMS
activities (e.g., are you ready to respond to an incident, do you fit into the local,
state, and national response framework [i.e., Incident Command System]).

Page 55


-------
June 2008

•	Reporting tool should include text that explains why NIMS activities are
important (e.g., allows a utility to see where they fit in the local, state, and
national response framework, better enables a utility to respond to incidents,
increases a utility's ability to capture federal funding).

U13. Measure: Number and percentage of utilities that are signatories, or are in the process of
becoming signatories, to written agreements for requesting aid or assistance, such as a
mutual aid or assistance agreement or Water/Waste water Agency Response Network
(WARN) membership.

Questions: Is your utility a signatory to written agreements for requesting aid or
assistance, such as a mutual aid or assistance agreement or Water/Wastewater Agency
Response Network (WARN) membership (Y/N)?

If no, are you in the process of creating an agreement (Y/N)?

Additional Workgroup Observations:

•	"WARN" needs to be clearly defined.

•	The differences between "Mutual aid" and "mutual assistance" need to be clearly
defined.

U14. Measure: Number and percentage of utilities that have responded to an emergency
request to provide mutual aid and assistance.

Question: Has your utility responded to an emergency request to provide mutual aid and
assistance (Y/N)?

U15. Measure: Number and percentage of utilities that have plans to handle communications
during a crisis.

Question: Do you have a crises communication plan (Y/N)?

U16. Measure: Number and percentage of utilities that engage in networking activities
regarding emergency preparedness and collaborative response in the event of an incident.

Question: Do you engage in networking activities regarding emergency preparedness
and collaborative response in the event of an incident (Y/N)?

Additional Workgroup Observations:

•	Virtually every utility could claim that it "networks" to some greater or lesser
extent. This measure will produce a more meaningful response with some better
delineation.

Page 56


-------
June 2008

HAZARDOUS CHEMICALS SECURITY MEASURES

Hazardous Chemicals Measure 1: Number and percent of utilities with physical and/or
procedural controls in place to safeguard hazardous chemicals.

Questions: If you use hazardous chemicals, do you have physical and/or procedural
controls in place to safeguard them(Y/N)?

If yes, do they include some or all of the following? (please indicate)

A.	Restrict Area Perimeter. Have you secured and do you monitor the perimeter of areas
containing hazardous chemicals (Y/N)?

B.	Screen and Control Access. Have you controlled access to restricted areas within the
facility by screening and/or inspecting individuals and vehicles as they enter (Y/N)?

C.	Shipping, Receipt, and Storage. Do you secure and monitor the shipping, receipt, and
storage of hazardous materials for the facility (Y/N)?

D.	Elevated Threats. Do you escalate the level of protective measures for periods of
elevated threat (Y/N)?

E.	Other physical or procedural controls (Y/N)? (For examples of physical and
procedural controls that can be used to safeguard hazardous substances, please see the
Department of Homeland Security risk-based performance standards as attached to this
survey as a sidebar.)4

Additional Workgroup Observations:

• For Question "C," it is difficult to imagine any facility, no matter what size,
answering "no" to this question.

Hazardous Chemicals Measure 2: Number and percentage of utilities that include gaseous
chlorine in their hazardous chemicals use.

Question: If you use hazardous chemicals, does your chemical use include gaseous
chlorine (Y/N)?

4 The 18 performance standards — of which the A-D drop-down are a subset — would then be listed somewhere in
a sidebar or with other reference information to help respondents. Wording for A-D and sidebar information would
be updated, as necessary, to be consistent with DHS materials.

Page 57


-------
June 2008

Hazardous Chemicals Measure 3: Number and percentage of utilities that have evaluated their
disinfection methods considering water quality, public health, and security issues.

Question: Have you evaluated your disinfection methods considering water quality,
public health, and security issues (Y/N)?

Additional Workgroup Observations:

• It is difficult to imagine any facility, no matter what size, answering "no" to this
question.

RISK REDUCTION OUTCOME MEASURES

Rl. Measure for Physical Security Capability: Percent of critical assets with physical
access controls in place.

Questions: What percent of your critical assets are currently protected by physical access
controls? What percent of your critical assets were protected by physical access controls
on date X?

Additional Workgroup Observations:

•	Physical access controls include fences, gates, door locks, and other similar
structural barriers.

•	Without more definition, this question will offer little value added as every water
utility has some type of physical access control: door, lock, gate. As currently
presented, the question allows an opportunity to misinterpret just to get to a "yes"
answer, making results unhelpful.

R2. Measure for Intruder Detection Capability: Percent of critical assets with enhanced
capability to detect intruders.

Question: What percent of your critical assets are protected by enhanced detection
capability?

Additional Workgroup Observations:

•	Enhanced detection capability includes physical monitoring such as cameras and
other alarms/sensors, guards or other human monitoring (such as neighborhood
and customer watch efforts), and combinations of physical changes and
procedural changes (e.g., installation and use a door peep hole).

Page 58


-------
June 2008

•	This question has the potential to imply that smaller systems either should or must
invest in some type of intruder alarm. In reality, this may not be the best
investment of their limited resources. The measure also needs to clarify whether
it relates to total number of assets, a percentage of the dollar value of all assets, or
some other basis.

•	The terms 'critical assets' and 'enhanced' will need to be defined.

R3. Measure of Water Contamination Decision Making Capability: Percent of utilities
that have protocols in place to complete site characterizations and make credibility
determinations eight hours or less after becoming aware of a potential water
contamination event (eight hour time frame based on Response Protocol Toolbox
recommendati on).

Questions: What is your current capability to make a water contamination threat
credibility determination? (within 20-30 hours, 8-20 hours; in 8 hours or less)? What
was it on date X?

Additional Workgroup Observations:

•	Site characterizations and credibility determinations are as defined by the EPA
Response Protocol Toolbox.

•	Site characterization generally includes in-person site evaluation and may include
field testing/screening of water and/or monitoring of baseline water quality data.
The purpose of this process is to determine if a contamination threat is credible
and, therefore, initiate additional response activities - it is not to identify the
specific nature and extent of any contamination that may be present.

R4. Measure for Information Protection Capability: Percent of utilities that have a
process in place for reviewing requests for and restricting access to critical infrastructure
information.

Questions: Does your utility have a process in place for reviewing requests for and
restricting access to critical infrastructure information? (Yes established process in place;
No process is being developed; or Informal/ad hoc review) How would you have
answered on date X?

Additional Workgroup Observations:

•	Critical infrastructure information is as defined by DHS.

•	In implementing this question, it may be helpful to focus on highlighting whether
utilities have further limited the type of information they provide (e.g.. "Have you
initiated restrictions or tightened access...").

Page 59


-------
June 2008

R5. Measure for SCADA Protection Capability: Percent of SCADA data transmission
networks that are segregated from telephony or Internet networks.

Questions: What percent of your SCADA data transmission network is segregated from
public telephony or Internet networks? What was the percentage on date X?

Additional Workgroup Observations:

•	Need definition/guidance on what are "segregated connections."

•	This measure could easily be misinterpreted as a critical driver by a smaller
community.

R6. Measure for Employee Security Investment: Percentage of time permanent employees
dedicate to security tasks.

Questions: What is your current annual FTE commitment to security tasks? What was it
on date X?

Additional Workgroup Observations:

•	"Security tasks" are defined narrowly as tasks related to asset protection,
hardening, and other direct security related work. This is not an attempt to
capture efforts focused on improving broader resiliency or preparing for natural
disasters; emergency response planning and exercise time would not be counted
here.

•	There is no good way for many smaller water systems to answer this question.
They may only have one or two employees and would find it difficult to allocate
specific FTEs to particular security activities. This measure also conflicts with
the long term SDWA goal to integrate security into planning, design, and
implementation actions for drinking water treatment that results in water safe to
drink. Even the largest of water utilities should be integrating "security" actions
into their daily activities. This measure "stovepipes" water security activities.
Additionally, since the total number of employees engaged in security tasks is not
known the data we obtain from this measure may be highly misleading. For
example, if a utility has one staff person they could report a high value - say 20%,
yet a larger utility with twenty people on staff may find that although everyone
spends some time on security (our goal) the percentage of each individual's time
may be low - say 2%. This measure/question could be construed as too narrowly
defined unless the question is asked in a way to capture the broader activities
related to training and exercise time.

R7. Measure for Raw Water Source Supply Resiliency: Percent of utilities that can meet
100% of minimum daily demand with their primary raw water source unavailable.

Page 60


-------
June 2008

Questions: What improvements have you seen in your ability to meet 100% of minimum
daily water demand with your primary raw water source unavailable? Not counting in
process or finished water storage, can you meet 100% of minimum daily demand with the
primary raw water source unavailable for 24 hours (Y/N), for 48 hours (Y/N), for 7 days
(Y/N), or other (please specify)? How does this compare with date X - e.g., previously
could meet 100% of minimum daily demand for 24 hours, or 7 days, or never?

Additional Workgroup Observations:

•	"Minimum daily demand" is the average daily demand for the lowest production
month of the year.

R8. Measure for Finished Water Storage Resiliency: Average amount of time a utility can
meet 100% of minimum daily demand with stored finished water.

Questions: How long can you currently meet 100% of minimum daily demand with
stored finish water? How does this compare with date X - how long could you have met
100%) of minimum daily demand with stored finish water on date X?

Additional Workgroup Observations:

•	"Minimum daily demand" is the average daily demand for the lowest production
month of the year.

R9. Measure for Power Resiliency: Percent of utilities that have backup power for critical
operations.

Question: Does your utility have backup power for critical operations for:

•	24 hours?

•	48 hours?

•	96 hours?

R10. Measure for Production Resiliency: Percent of utilities that can meet minimum daily
demand with their primary production/treatment plant non-functional.

Question: What percent of minimum daily demand can your utility meet with your
primary production/treatment plant non-functional for:

•	24 hours?

•	48 hours?

•	96 hours?

Page 61


-------
June 2008

Additional Workgroup Observations:

•	"Minimum daily demand" is the average daily demand for the lowest production
month of the year.

•	For all 4 measures above (R7, R8, R9, RIO), the questions seem to imply that
meeting 100% of minimum daily demand is a reasonable performance
expectation. It is not clear that such an expectation exists, and it may not be
consistent with some state regulations (and certain states may have specific or
different timeframes that apply). Creating such a performance expectation will
have resource implications for EPA and DHS, who may be expected to find funds
to assist utilities achieve this level of performance. The concept of "minimum
daily demand" (average daily demand for lowest production month of the year)
assumes that the higher demands at other times of the year are due solely to
discretionary uses (e.g. lawn watering). Although this may be true in some
utilities, it is not universal. R8 speaks to "average amount of time" for using
stored water; the other resiliency questions address percent of utilities that can
accomplish a certain performance level. RIO requires clarity around whether the
plant is unable to deliver water or whether it is unable to treat it appropriately.
The question needs to clarify whether it is getting at the existence of redundant
plants or redundant pump capacity.

Rll. Measure for Equipment Resiliency: For critical parts/equipment, the longest lead time
for repair/replacement.

Questions: For critical parts/equipment (as defined in your Vulnerability Assessment)
what is your current longest lead-time for repair or replacement? How does this compare
with date X (e.g., what was longest lead-time for repair or replacement)?

R12. Measure for Personnel Resiliency: Average number of excess (backup) response-
capable people available for critical operation and maintenance positions.

Questions: What is your current average number of response capable backup people for
critical operation and maintenance positions? What was it on date X?

Additional Workgroup Observations:

•	"Response-capable" means the person has the knowledge, experience, and
proficiency to perform the work immediately.

•	Need guidance to utilities on how to reflect their definition of "critical operation
and maintenance positions" to maintain reasonable reporting consistency (e.g.,
positions required to meet core mission capability such as water plant operators
and maintenance workers).

Page 62


-------
June 2008

•	For question Rll, the term "lead time" could be thought of differently by
different people. For question R12, there is a need to clarify whether the question
refers to the average number of back-up folks who are available at any given time
or the total number of response-capable people that exist within the organization,
(e.g., can a utility take into consideration parts/equipment [for Rll] and people
[for R12] potentially available via WARN-type agreements). Finally, R12 will
need to explicitly take into account the need for individuals to hold appropriate
licenses to operate facilities.

R13. Measure for Treatment Resiliency: Where chemicals are necessary to meet the Safe
Drinking Water Act standards for acute contaminants (i.e., E.coli, fecal coliform, nitrate,
nitrite, total nitrate and nitrite, chlorine dioxide, turbidity - as referenced in the list of
situations requiring a Tier 1 Public Notification under 40 CFR 141.202), the average
number of days that utilities can deliver 100% of minimum daily demand treated to meet
this subset of SDWA standards without any additional chemical deliveries.

Questions: Where chemicals are necessary to meet Safe Drinking Water Act standards
for acute contaminants (i.e., E.coli, fecal coliform, nitrate, nitrite, total nitrate and nitrite,
chlorine dioxide, turbidity - as referenced in the list of situations requiring a Tier 1 Public
Notification under 40 CFR 141.202), what is the current number of days you can deliver
100% of the minimum daily demand treated to meet this subset of SDWA standards
without any additional chemical deliveries? What was it on date X?

Additional Workgroup Observations:

•	Will need a refined list of which SDWA standards are based on "acute effects."

•	This question can imply that all PWS should stockpile critical chemicals for
extended periods of time, while not providing guidance for how long is
"reasonable" or what the performance expectation is to provide water that is safe
to drink. It will also be important to consider that a utility may be allowed to
operate under special conditions without these treatments being in operation (e.g.
under a boil order). The term "acute effects" needs to be distinguished from acute
contaminants. The former is possible for almost all contaminants at high levels
(i.e., multiples of the MCL/MRDL) the latter is typically used to describe a small
subset of contaminants that can cause adverse health effects at low levels over
short exposure periods (see Tier 1 Public Notification list for drinking water
utilities). The language here is limited to SDWA; a CWA dimension should be
considered.

R14. Measure for Overall Response and Recovery Capability. Percent of utilities with
increased capability to respond to real events and exercises consistent with their
emergency response, business continuity, or other appropriate response plans.

Page 63


-------
June 2008

Questions: How confident are you in your ability to respond to real events and exercises
consistent with your emergency response, business continuity, or other response plans?
(Measurement would be on a scale from very low to very high with an "I don't know"
option.)

R15. Measure for Reduced Service Event Capability: Number/percent of utilities that have
a protocol and necessary equipment and infrastructure in place to ensure continued water
availability to critical customers during a reduced-service event.

Questions: To what extent have you set priorities and planned for a reduced service
event? (established protocol; equipment and infrastructure in place; plan in place,
protocol, equipment and infrastructure being developed; no formal plan) How has this
changed since date X?

Additional Workgroup Observations:

•	This would involve establishing critical customer service delivery priorities and
associated strategies (e.g., backup equipment, alternative supply, etc.).

•	"Critical customers" should be identified based on direct life safety, homeland
defense, and continuity of government considerations.

•	Focus is on establishing a utility's ability to curtail service for non-critical
customers to ensure critical care facilities (e.g., hospitals) and military\national
guard facilities have sufficient water quality and supply to remain functional
during and immediately after an emergency.

•	For R14, it is not clear in relation to what basis "Increased capability" is being
compared. For R15, the reduced service event protocol does not appear to cover
the provision of bottled water to residential customers. If this is the case, the
critical customers (hospitals, nursing homes) may be inundated with additional
people as many elderly and ill residents may not be able to obtain their own water
supply. Overall, R14 seems like a very subjective question (how confident are
you).

Page 64


-------
June 2008

ATTACHMENT 5: DRAFT SMALL SYSTEM METRIC

CROSSWALK

The following table presents a crosswalk of the 16 utility activity-based measures identified by
the CIPAC Metrics Workgroup with the structure included in the tool that has been used by
many small utilities to conduct security self-assessments and develop emergency response plans.
The crosswalk is intended to highlight commonalities between the two question sets and to
enhance small systems' abilities to respond to and have confidence in the data gathering process.
Possible additional questions that could be added to this tool were identified in the crosswalk to
more fully flesh out specifics on certain measures.

y Measures

SSP Goal 1

Small Utility Goal

Possible Questions

Ul. Number and percentage of utilities
that have integrated security into
budgeting, training, and manpower
responsibilities.

Ul. VA- Sec Assessment
#34

VA Report - Security needs
and costs Appendix C



U2. Number and percentage of utilities
that incorporate security into planning
and design protocols.

U2. VA - Sec Assessment
#14



U3. Number and percentage of utilities
that routinely conduct supplemental
monitoring or more in-depth analysis
beyond what is required to identify
abnormal water quality conditions.

U3. VA - Sec Assessment
#23



U4. Number and percentage of utilities
that have established connections with
public health networks to detect and
interpret public health anomalies for the
purposes of identifying waterborne
public health impacts.

U4. VA - Sec Assessment
#43

ERP - Coordination



U5. Number and percentage of utilities
that monitor and evaluate customer
complaints for possible indications of
water quality or other security threats.

U5. VA - Sec Assessment
#41 and #45



U6. Number and percentage of utilities
that have established protocols (i.e.,
consequence management plans) for
interpreting and responding to
indications of water quality anomalies.

U6. VA - Sec Assessment
#41, #43, and #44
ERP - LEPC and
Coordination



Page 65


-------
June 2008

SSP Goal 2

Small Utility Goal

Possible Questions

U7. Number and percentage of utilities
that annually review and periodically
update vulnerability assessments (VAs).

U7. ERP - System
Identification

U7. Do you review
and update your VA
and ERP regularly?
Or refer to Ul.

U8. Number and percentage of utilities
that receive screened and validated
timely (e.g. in time to inform decisions
or take actions) threat information from
one or more trusted sources such as
WaterlSAC, the FBI, local police, or
DHS.

U8. VA - Sec Assessment
#2 and #8

ERP - Coordination - FBI
and local police

U8. Do you receive
security updates
from ISAC, water
associations, or
other real time
security information
networks?

U9. Number and percentage of utilities
that have a plan in place to increase
utility security in response to a threat.

U9. VA - Supplemental
Documents (EPA -
Guarding against Terrorist
and Security Threats)



SSP Goal 3

Small Utility Goal

Possible Questions

U10. Number and percentage of utilities
that have a written business continuity
plans.

U10. ERP - Completed



Ull. Number and percentage of utilities
that:

•	Have an emergency response plan
(ERP)

•	Conduct training on their ERP

Ull. ERP - Coordination
and System Specific
Information

Ull. Do you
exercise your ERP
or practice using the
potential threat
scenarios unique to
your community?

• Carry out exercises on their ERP





• Review and update their ERP on a
periodic basis





U12. Number and percentage of
utilities that have adopted NIMS.

U12. SEMS NIMS
Implementation module
approved by DHS NIMS
Integration Center -
Completed



U13. Number and percentage of
utilities that are signatories, or are in the
process of becoming signatories, to
written agreements for requesting aid or
assistance, such as a mutual aid and
assistance agreement or WARN
membership.

U13. ERP - Notification
Information and Alternative
Water/Wastewater Source

U13. Have you
been notified about
the water utility
mutual aid networks
in your state?

Page 66


-------
June 2008

U14. Number and percentage of utilities
that have responded to an emergency
request to provide mutual aid and
assistance.

U14.

U14. Have you
responded to an
emergency request
from another utility?

SSP Goal 4

Small Utility Goal

Possible Questions

U15. Number and percentage of utilities
that have plans to handle
communications during a crisis.

U15. VA- Security
Assessment #44 and #45
ERP - Coordination (Public
Notification plan) and
Communication and
Notification



U16. Number and percentage of utilities
that engage in networking activities
regarding emergency preparedness and
collaborative response in the event of an
incident.

U16. ERP - Coordination
and Alternative
Water/Wastewater Source

Have you been
notified about the
water utility mutual
aid networks in your
state?

Page 67


-------
June 2008

ATTACHMENT 6: ATTRIBUTE DATAAND BANDING

RULES

:tion

In its final report, the CIPAC Metrics Workgroup for Water (the Workgroup) recommended
attribute data for collection as part of the national metrics reporting effort. Specifically, the
Workgroup recommended that "state location, population served (size), utility type (drinking
water, wastewater, combined, community, transient non-community, non-transient non-
community), and utility source/receiving water type should be collected as attribute data..."
Additionally, the Workgroup recommended that "specific requirements for data banding and/or
other data management rules (be developed to) protect inappropriate combinations/reporting of
attribute data..This document specifically articulates the attribute data proposed for collection
as part of the national reporting tool (see Section 1), and proposes a set of data management
protocols (see Section 2) to ensure data analysis and aggregate reporting do not provide
information to the public that would allow the identification of an individual utility.

Section 1 - Attribute Data

Listed below is a detailed articulation of the attribute data proposed for collection as part of the
water sector national metrics reporting tool. These data specifically mirror those recommended
by the Workgroup, but also further articulate the data, fill in gaps where deemed needed, and
indicate a data definition source that will be relied upon for providing definitions in the reporting
tool. In a few instances, to develop consistency between drinking water and wastewater data
attributes, some additional data elements have been added. These are clearly marked.

It is anticipated that, when first entering the reporting tool, the respondent will indicate that the
information is for a drinking water utility or a wastewater utility. Combined utilities will be
asked to complete two separate responses: one for the drinking water operations; and one for the
wastewater operations. The rationale behind eliminating the "combined" choice suggested by
the Workgroup is the distinctly different regulatory and other environments the two types of
utilities operate under (in particular, the Bioterrorism Act coverage of drinking water, but not
wastewater utilities). The combined category also would potentially create difficulties for data
analysis, particularly for any questions that arise pertaining to a count of either water or
wastewater utility respondents - a "combined" response (which is ambiguous regarding whether
it refers to the water side, wastewater side, or both sides of the utility) would not allow for a fully
clean articulation of these counts from the data.

Page 68


-------
June 2008

Provided below is the attribute data structure and associated data elements for a drinking water
utility and a wastewater utility.

1.	Drinking Water Utility Attribute Data

a.	Operation Type Response Options (drawn from SDWIS categories) (choose one)

i.	Community Water System: A public water system that supplies water to
the same population year-round.

ii.	Non-Transient Non-Community Water System: A public water system
that regularly supplies water to at least 25 of the same people at least six
months per year, but not year-round. Some examples are schools,
factories, office buildings, and hospitals which have their own water
systems.

iii.	Transient Non-Community Water System: A public water system that
provides water in a place such as a gas station or campground where
people do not remain for long periods of time.

b.	Size Options (Bioterrorism Act consistent, definitions from SDWIS - number of
people present in the service area) (choose one)

i.	Large: system serves a population of 100,000 or more

ii.	Medium: system serves a population of 50,000 or more but less than
100,000

iii.	Small: system serves a population of more than 3,300 but less than 50,000

iv.	Very Small: system serves a population of 3,300 or less

c.	Source Water Options (SDWIS categories and definitions) (choose "primary"
source) (Note: the "source water" attribute came from the CIPAC, but the
articulation of specific data element choices has been drawn from SDWIS)

i.	Surface water

ii.	Purchase surface water

iii.	Ground water under the influence of surface water

iv.	Purchased ground water under the influence of surface water

v.	Ground water

vi.	Purchased ground water

d.	Location - State/territory drop down menu (choose one)

2.	Wastewater Utility Attribute Data

a. Operation Type Response Options (Needs Survey consistent categories) (check
all that apply) (Note: these attributes added to provide consistency with the

Page 69


-------
June 2008

drinking water utility approach and to provide for the distinction between
collection only and other wastewater utilities)

i.	Collection System (Combined and/or Separate Sewers)

ii.	Treatment Plant(s)

iii.	Biosolids Handling Facility

b.	Size Options(Bioterrorism Act consistent, definitions from Needs Survey -
number of people present in the service area) (choose one category)

i.	Large: system serves a population of 100,00 or more

ii.	Medium: system serves a population of 50,000 or more but less than
100,000

iii.	Small: system serves a population of more than 3,300 but less than 50,000

iv.	Very Small: system serves a population of 3,300 or less

c.	Receiving Water Options (Needs Survey Consistent Categories) (choose primary
discharge) (Note: "receiving water" attribute derives from the CIPAC, but the
data element choices derive from the Needs Survey)

i.	Outfall to surface water

ii.	Ocean Discharge

iii.	Reuse

iv.	Discharge to Groundwater

v.	Evaporation

vi.	Spray Irrigation

vii.	Deep Well

viii.	Discharge to Another Facility

ix.	Overland Flow

x.	Other (specify)

d.	Location - State/territory drop down menu (choose one)

tion 2: Data Manageme ndi ules	

The CIPAC Metrics Workgroup for Water specifically directed that explicit data management
(banding) rules be developed to protect the anonymity of reporting tool respondents. The
purpose of the data management rules is to ensure that any reporting tool results made publicly
available will not reveal, through interpretation, the individual identity of a reporting tool
respondent. Theoretically, in the absence of data management rules, an aggregation of reporting
tool responses by state and size attribute data could identify only one or two respondents in a
state's "large size" category. If there are only two large systems in that state, it would be easy to

Page 70


-------
June 2008

"connect the dots" and specifically identify who the respondents are. The two recommended
data management protocols presented below are designed to assure this type of inadvertent
identification of respondents will not occur.

Rule 1 (State/Size Data Set): In order to have a data set showing reporting tool responses
sorted by both state and size attribute data, and in order to ensure that individual utility identity
is not revealed, the following rule regarding the display of the state/size data set is proposed: If a
state has five or fewer (total existing) utilities (based on SDWIS data for drinking water utilities
and Needs Survey data for wastewater utilities) of a certain type (drinking water or wastewater)
in any given size category, then all respondents for that type/size category will be merged with
the next lower size category. Merging will continue until the merger of existing utilities
produces a state-based size category populated with five or more utilities.

Rule 2 (Other Data Sets): Given the large number of potential data sorts using combinations of
attribute data, our ability to screen potential data sorts in advance to understand similar
problems regarding the protection of utility identity is limited. As such, the following rule is
proposed. If any combination (aggregation) of submitted data produces an output containing the
data from five or fewer individual utilities, the third party responsible for data collection will
reference external databases (e.g., SDWIS, Needs Survey) to determine the total number of
utilities to which the combination of attribute data applies (i.e., not just those utilities that
submitted data). If five or fewer total utilities exist, the information will not be provided for
public consumption. However, if six or more total utilities exist, then the information could be
provided publicly.

If the third party is unable to verify external conditions using these databases for any
combination of attribute data that produces an output containing the data from five or fewer
individual utilities, then that data sort will not be used for public display purposes. For example,
if a data sort portraying the number of large, community water systems, utilizing surface water in
EPA Region 8 (the states of Colorado, Montana, North Dakota, South Dakota, Utah, and
Wyoming) produces data on three utilities, and an identical sort of SDWIS data indicates there
are only four utilities that fit this description, then the original reporting tool data sort will not be
available publicly. On the other hand, if the SDWIS data indicated more than five utilities fit the
description, then the reporting tool data would be made available.

Page 71


-------