Recommendations of the CIPAC Metrics Workgroup for Water FINAL REPORT June 2008 ------- TABLE OF CONTENTS Acknowledgements 1 Executive Summary 2 Introduction 3 The (TPAC 3 Charter and Mission of the Metrics Workgroup 3 Workgroup Composition 4 Assumptions and Consideration of Previous Efforts 4 The Deliberative Process and Consensus 5 Utility Measures 7 Recommended Utility Measures and Implementation Approach 7 Proposed Measures for National Aggregate Reporting 9 Optional Utility Self-Assessment Questions 14 Small Systems Crosswalk 16 Other Actor Measures 18 Background on Recommendations 18 Recommended Other Actor Measures 19 Potential Longer-Term Outcome Measurement Areas to Explore 26 Measures Reporting 28 Utility Measures Reporting 28 Utility Reporting System Characteristics 31 Utility Reporting Baseline and Frequency 32 Other Actor Measures Reporting 33 Features of an Active and Effective Protective Program for Water and Wastewater Utilities 34 Introduction 34 The Features of an Active and Effective Protective Program 34 Attachment 1: Workgroup Charter 40 I. Establishment and Designation 40 II. Objectives 40 III. Scope of Activities 41 IV. Membership 42 V. Operating Procedures and Ground Rules 42 Attachment 2: Workgroup Membership and Contact Information 43 Attachment 3: Workgroup Operating Procedures and Ground Rules 46 Workgroup Operating Procedures 46 I. Participation 46 II. Decision Making Process 47 III. Facilitation 48 ------- IV. Meeting Materials and Documentation 49 V. Security Sensitive Information 49 VI. Communication with the Press 50 Workgroup Ground Rules 50 Attachment 4: Recommended Utility Measures 52 Utility Activity Measures 52 Hazardous Chemicals Security Measures 57 Risk Reduction Outcome Measures 58 Attachment 5: Draft Small System Metric Crosswalk 65 Utility Measures 65 Attachment 6: Attribute Data and Banding Rules 68 Introduction 68 Section 1 - Attribute Data 68 Section 2: Data Management (Banding) Rules 70 ------- June 2008 ACKNOWLEDGEMENTS The U.S. Environmental Protection Agency (EPA) would like to acknowledge everyone who contributed to the development and finalization of this report containing the recommendations of the CIPAC Metrics Workgroup for Water. The individuals identified below are members of the Workgroup and devoted significant time, energy, effort, and resources to develop these recommendations. Jane Byrne, PhD Director of Water Treatment Hanahan Water Treatment Plant Lucienne Nelson CIP Program Manager Department of Health and Human Services Nick Catrantzos Security Unit Manager Metropolitan Water District of Southern California Debbie Newberry, co-chair Chief, Security Assistance Branch, Water Security Division U.S. Environmental Protection Agency Cynthia Finley Director, Regulatory Affairs National Association of Clean Water Agencies Bridget O'Grady Policy and Legislative Affairs Manager Association of State Drinking Water Administrators Damon Guterman Drinking Water Program Massachusetts Department of Environmental Protection William Komianos, co-chair Director, Operational Risk Management American Water Works Service Co., Inc. John Laws Water Infrastructure Specialist Infrastructure Partnership Division U.S. Department of Homeland Security Kevin Morley Regulatory Analyst & Security Committee, Staff Secretary American Water Works Association Roger D. Selburg, PE Manager, Division of Public Water Supplies Illinois EPA David Siburg General Manager Kitsap Public Utility District James K. Sullivan General Counsel Water Environment Federation Scott L. Szalkiewicz, C.H.E.S. Health Program Supervisor Office of Public Health Preparedness CT Department of Public Health Page 1 ------- June 2008 Vance Taylor Government Affairs Coordinator Ed Thomas Association of Metropolitan Water Agencies National Rural Water Association The following subject matter experts also contributed to the Workgroup's efforts. Cade Clark Director of State Relations National Association of Water Companies Lydia Duckworth (alternate for Lucienne Nelson) Center for Enterprise Modernization The MITRE Corporation Laura Flynn Office of Groundwater and Drinking Water, Water Security Division U.S. Environmental Protection Agency Tanya Mottley Associate Director, Water Security Division U.S. Environmental Protection Agency Alan Roberson Director of Security and Regulatory Affairs American Water Works Association Marc Santora Office of Groundwater and Drinking Water, Water Security Division U.S. Environmental Protection Agency Greg Spraul Office of Groundwater and Drinking Water, Water Security Division U.S. Environmental Protection Agency John Whitler Office of Water, Office of Ground Water and Drinking Water, Water Security Division, Security Assistance Branch U.S. Environmental Protection Agency Patti-Kay Wisniewski U.S. Environmental Protection Agency, Region 3 Page 2 ------- June 2008 EXECUTIVE SUMMARY The CIPAC Metrics Workgroup for Water (the Workgroup) was convened by the Water Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) to develop a national performance measurement system for the water sector and align the 14 Features of an Active and Effective Security Program with the Water Sector Specific Plan (SSP) Goals and Objectives. The Workgroup is composed of 18 members, including representatives of individual utilities, drinking water and wastewater associations, and Federal and State government, selected by the Water SCC and GCC. The Workgroup had four in-person meetings and a number of conference calls over an eight month period, during which they reached consensus on items contained in the Interim Final Report (dated October 2007): 16 utility measures; Utility reporting system approach; Intent for other actor measures; and Updated Features of an Active and Effective Protective Program for Water and Wastewater Utilities. At the issue of the Interim Final Report, the Workgroup had also reached agreement on a process for further work on hazardous chemical security measurement; risk reduction outcome measurement; and the development of text and reporting process for other actor measures consistent with the "intent" for those measures in the Interim Final Report. Over the past three months, through in person meetings and additional conference calls, the Workgroup has also reached consensus on the following items, contained in this Final Report: Hazardous chemical security measures; Risk reduction outcome measures; Utility reporting baseline date and frequency; Utility reporting implementation approach; Other actor measures for states, associations, and federal agencies; and A reporting approach for other actor measures. Page 2 ------- June 2008 I N This final report transmits the consensus recommendations reached by the Critical Infrastructure Partnership Advisory Council Metrics Workgroup for Water (Workgroup). All of the recommendations contained within this report represent consensus of the Workgroup. This report has been prepared with the assistance of Ross & Associates Environmental Consulting, Ltd., facilitators of the Workgroup process. The CIPAC The U.S. Critical Infrastructure Partnership Advisory Council (CIPAC) was established to support implementation of the National Infrastructure Protection Plan (NIPP) and help implement the sector partnership model set forth in the NIPP by coordinating Federal infrastructure protection programs with programs and activities of the private sector and State, local, territorial, and tribal governments. Members of the CIPAC include critical infrastructure/key resources owners and operators and their designated trade or equivalent organizations that are identified by members of Sector Coordinating Councils (SCC) and representatives from Federal, State, local, and tribal government entities identified as members of Government Coordinating Councils (GCC) for each sector. Consistent with Section 201 of the Homeland Security Act of 2002, the Secretary of the Department of Homeland Security (DHS) has exempted CIPAC and its workgroups from the requirements of the Federal Advisory Committee Act. Charter and Mission of the Metrics Workgrc The CIPAC Metrics Workgroup was convened by the Water SCC and GCC to develop a national performance measurement system for the water sector. The Workgroup was asked to focus on the following objectives: Objective 1: Develop a national performance measurement system. Specifically: Measures that align and support the goals and objectives of the Water Sector Specific Plan (SSP); A system for tracking measures; A reporting structure; and Protocols for collection, retention, and protection of information/reports. Page 3 ------- June 2008 Objective 2: Align the 14 Features of an Active and Effective Security Program with the Water SSP goals and objectives. Specifically: Determine how the features support the goals and objectives of the Water SSP; Ensure that the features explicitly and adequately address the concepts of response, recovery, and all hazards; and Streamline and combine features as appropriate. Attachment 1 contains the complete Workgroup charter. Wor 3 Composition The Water SCC and GCC selected 18 Workgroup members including representatives of individual utilities, drinking and wastewater trade associations, and Federal and State government. Debbie Newberry (USEPA) representing the GCC and William Komianos (American Water) representing the SCC co-chaired the Workgroup. Subject matter experts assisted the Workgroup in their deliberations. Attachment 2 contains a roster of Workgroup members and subject matter experts. Assumptions and Consideration of Previous Efforts The Workgroup operated under the following assumptions. For objective 1, development of a national performance measurement system: Reporting of data will be voluntary; Data will be released to the public at the national level only in aggregate form (no utility- specific, security-sensitive data will be made available to the public without a utility's express consent); Progress data submitted by individual utilities will be protected from public disclosure (i.e., Freedom of Information Act or FOIA requests); Data will be submitted to EPA anonymously, either through a third party in aggregated form, or failing that, directly to EPA; Decisions about national performance measures should be consistent with the Water SSP vision, goals and objectives; and Workgroup efforts will be coordinated with the DHS NIPP core metrics development. Page 4 ------- June 2008 For objective 2, alignment of the 14 Features with the Water SSP: The existing features should be optimized as much as possible; The features should reflect the SSP, which was not completed at the time the existing features were drafted; and The SSP will not be re-written as part of the alignment effort. The Workgroup used the following documents to start and as a basis for deliberations. The Water SSP, in particular the vision, goals and objectives; The National Drinking Water Advisory Council's Water Security Working Group recommendations on the 14 Features of an Active and Effective Security Program and three aggregate measures of water sector performance; and The findings of the Measures Testing Group for National Aggregate Measures of Water Security. Iberative Process and Consensus Workgroup members sought to develop consensus recommendations. "Consensus" is defined in the Workgroup Charter as recommendations that all members can "live with." The Workgroup Operating Procedures and Ground Rules encouraged members to use interest-based negotiating techniques to understand one another's needs and interests and reach consensus. Attachment 3 contains the Workgroup's Operating Procedures and Ground Rules. The Workgroup had four in-person meetings, and a number of conference calls over an eight month period, during which they reached consensus on items contained in the Interim Final Report (dated October 2007): 16 utility measures; Utility reporting system approach; Intent for other actor measures; and Updated Features of an Active and Effective Protective Program for Water and Wastewater Utilities. At the issue of the Interim Final Report, the Workgroup had also reached agreement on a process for further work on hazardous chemical security measurement; risk reduction outcome measurement; and the development of text and reporting process for other actor measures consistent with the "intent" for those measures in the Interim Final Report. Page 5 ------- June 2008 Over the past three months, the Workgroup has also reached consensus on the following items, contained in this Final Report: Hazardous chemical security measures; Risk reduction outcome measures; Utility reporting baseline date and frequency; Utility reporting implementation approach; Other actor measures for states, associations, and federal agencies; and A reporting approach for other actor measures. Page 6 ------- June 2008 U S The CIPAC Metrics Workgroup recommends a suite of utility measures that includes the 16 utility measures that were previously presented to and approved by the Water SCC/GCC (with a few minor text edits to improve clarity), as well as measures of risk reduction outcomes and security of hazardous chemicals. Attachment 4 contains the full set of recommended measures. ommendi .' iity Measures a plementation Approach Coupled with the proposed measures, and critical to the Workgroup's consensus support for the full suite of measures, is a recommendation for how best to proceed forward with water sector metrics implementation. The recommendation prescribes focusing 2008 data collection on a subset of "core" metrics, with the remaining measures proposed for utility self-assessment purposes. Self-assessment measures will be available for utility internal use and will not be connected to national reporting. 2008 Pa ection Measures The core measures for 2008 data collection would include: all of the 16 previously Council-approved, activity-based measures (U measures); three (of the 15 total) risk reduction outcome measures (R measures); and the hazardous chemicals measures. Self-Assessment Measures The remaining 12 risk reduction outcome measures would form the basis for an optional, self- assessment tool for utilities and would reside as a clearly separate part of the national reporting system. The self-assessment questions would be intended to help utilities gauge progress and improvements that would likely result from implementation of the activities associated with the core measures. The reporting system, by explicit design, will not support submission of self- assessment information. The Workgroup further believes the self-assessment tool should, at minimum, reference the "Ten Features of An Active and Effective Protective Program." A primary purpose of the Features, as refined during this Workgroup process, is to provide utility managers with a basic guide to improved security and overall resiliency. The reporting tool and the associated self-assessment represent an opportunity to raise awareness about and encourage the use of the Features. Page 7 ------- June 2008 Finally, the Workgroup recommends that the self-assessment include a few basic questions exploring respondent opinions regarding the utility of self-assessment information and the potential burden associated with responding to these types of questions. This information can help inform future national reporting efforts. Workgroup deliberations indicated that the self-assessment holds the potential to create an opportunity to improve small system efforts. Small systems, however, may be best served by drawing upon existing and well-understood small systems tools and/or development of additional tools. The Workgroup anticipates that key actors in the water sector will continue dialogue beyond and outside of the CIPAC Workgroup to decide on the appropriate scope and investment in self-assessment support for small systems, beyond the limited effort associated with the national reporting tool. Approach Rationale The Workgroup believes this proposal addresses a variety of needs reflected in the Workgroup deliberations. First, utilizing a core set of metrics will address concerns about redundancy and reporting burden by focusing reporting on a relatively short set of straightforward core metrics. Second, the tool, through the optional self-assessment questions, will potentially provide internal management value to utilities - some Workgroup members have seen this as critical to engendering and maintaining national reporting participation. Finally, this approach provides the sector the opportunity to "test the waters" with a relatively compact initial reporting effort, while gathering information on sector interest in a more expansive reporting tool and the benchmarking or other benefits such an effort might represent. Reporting Incentives As a benefit for utility reporting on the core measures, the Workgroup proposes that utility participants who submit data will be automatically enrolled in the basic WaterlSAC service. The Workgroup believes this benefit will be a valuable incentive to improve participation rates. This benefit would be renewed annually for participants in subsequent reporting cycles. Additional Question in First Reporting Cycle In the first reporting cycle (2008), the Workgroup proposes that the two sets of questions will be fully separated with their different purposes described, and the reporting tool will not support submission of the self-assessment information. The Workgroup proposes to ask respondents about the value and viability of supporting submission of the self-assessment information in future reporting cycles to make it available across the sector for benchmarking or other purposes. While the exact question text will likely need refinement through beta testing, the Workgroup proposes a few simple questions as listed below: Page 8 ------- June 2008 Would you find it useful to have sector-wide data on these self-assessment questions? How much time does it take to complete the self-assessment? Would national reporting become too burdensome with the self-assessment questions included? Would you be willing to submit such data in the future? The reporting tool will be enabled to allow participants, after they have viewed the self assessment questions, to provide a response to the above questions. Proposed Measures for National Aggregate Reporting The Workgroup recommends the following measures for 2008 national aggregate reporting. The measures are organized by the SSP Goal they most closely support. al 1; Sustain Protection of Public Health and the Environment The nation relies on a sustained amount of safe drinking water and on the treatment of wastewater to maintain public health and environmental protection. To help better protect and secure public and environmental health, the water sector will work to ensure the continuity of both drinking water and wastewater services. Ul. Measure: Number and percentage of utilities that have integrated security and preparedness into budgeting, training, and manpower responsibilities. Question: Have you integrated security and preparedness into budgeting, training, and manpower responsibilities (Y/N)? U2. Measure: Number and percentage of utilities that incorporate security into planning and design protocols applying to all assets and facilities. Question: Have you incorporated security into planning and design protocols applying to all assets and facilities (Y/N)? U3. Measure: Number and percentage of utilities that routinely conduct supplemental monitoring or more in-depth analysis beyond what is required to identify abnormal water quality conditions. Question: Do you routinely conduct supplemental monitoring or more in-depth analysis beyond what is required to identify abnormal water quality conditions (Y/N)? Page 9 ------- June 2008 U4. Measure: Number and percentage of utilities that have established relationships with public health networks to interpret public health anomalies for the purposes of identifying waterborne public health impacts. Question: Have you established relationships with public health networks to interpret public health anomalies for the purposes of identifying waterborne public health impacts (Y/N)? U5. Measure: Number and percentage of utilities that monitor and evaluate customer complaints for possible indications of water quality or other security threats. Question: Do you monitor and evaluate customer complaints for possible indications of water quality or other security threats (Y/N)? U6. Measure: Number and percentage of utilities that have established protocols (e.g., consequence management plans) for interpreting and responding to indications of water quality anomalies. Question: Have you established protocols (i.e., consequence management plans) for interpreting and responding to indications of water quality anomalies (Y/N)? al 2; Recognize ฃ duee Risks Water Sector With an improved understanding of the vulnerabilities, threats, and consequences, owners and operators of water sector utilities can continue to thoroughly examine and implement risk-based approaches to better protect, detect, respond to, and recover from manmade and natural events, U7. Measure: Number and percentage of utilities that annually review and periodically update vulnerability assessments. Questions: Do you review your vulnerability assessment (VA) annually (Y/N)? How frequently do you update your VA to adjust for changes in your system that may alter the risk profile of your utility (never update; annually; every 2-3 years; every 3-5 years; every 5-10 years; no defined cycle)? U8. Measure: Number and percentage of utilities that receive screened, validated, and timely (e.g., in time to inform decisions or take action) threat information from one or more trusted sources such as WaterlSAC, the FBI, local police, or DHS. Question: Does your utility receive screened, validated, and timely (e.g., in time to inform decisions or take action) threat information from one or more of the following sources (Y/N)? Please check all that apply. - WaterlSAC - FBI Page 10 ------- June 2008 - Local police - DHS U9. Measure: Number and percentage of utilities that have a plan in place to increase utility security in response to a threat. Question: Do you have a plan in place to increase utility security in response to a threat (Y/N)? R2. Measure for Intruder Detection Capability: Percent of critical assets with enhanced capability to detect intruders. Question: What percent of your critical assets are protected by enhanced detection capability? Hazardous Chemicals Measure 1: Number and percent of utilities with physical and/or procedural controls in place to safeguard hazardous chemicals. Questions: If you use hazardous chemicals, do you have physical and/or procedural controls in place to safeguard them(Y/N)? If yes, do they include some or all of the following? (please indicate) A. Restrict Area Perimeter. Have you secured and do you monitor the perimeter of areas containing hazardous chemicals (Y/N)? B. Screen and Control Access. Have you controlled access to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter (Y/N)? C. Shipping, Receipt, and Storage. Do you secure and monitor the shipping, receipt, and storage of hazardous materials for the facility (Y/N)? D. Elevated Threats. Do you escalate the level of protective measures for periods of elevated threat (Y/N)? E. Other physical or procedural controls (Y/N)? (For examples of physical and procedural controls that can be used to safeguard hazardous substances, please see the Department of Homeland Security risk-based performance standards as attached to this survey as a sidebar.)1 1 The 18 performance standards of which the A-D drop-down are a subset would then be listed somewhere in a sidebar or with other reference information to help respondents. Wording for A-D and sidebar information would be updated, as necessary, to be consistent with DHS materials. Page 11 ------- June 2008 Hazardous Chemicals Measure 2: Number and percentage of utilities that include gaseous chlorine in their hazardous chemicals use. Question: If you use hazardous chemicals, does your chemical use include gaseous chlorine (Y/N)? Hazardous Chemicals Measure 3: Number and percentage of utilities that have evaluated their disinfection methods considering water quality, public health, and security issues. Question: Have you evaluated your disinfection methods considering water quality, public health, and security issues (Y/N)? al 3; Maintain a Resilient Infrastruc The water sector will investigate how to optimize continuity of operations to ensure the economic vitality of communities and the utilities that serve them. Response and recovery from an incident in the water sector will be crucial to maintaining public health and public confidence. U10. Measure: Number and percentage of utilities that have a written business continuity plan. Question: Do you have a written business continuity plan (Y/N)? Ull. Measure: Number and percentage of utilities that: Have an emergency response plan (ERP) Conduct training on their ERP Carry out exercises on their ERP Review and update their ERP on a periodic basis Questions: Do you: Have an emergency response plan (ERP) (Y/N)? Conduct training on the ERP (Y/N)? Carry out exercises on the ERP (Y/N)? Review and update the ERP on a periodic basis (Y/N)? U12. Measure: Number and percentage of utilities that have adopted the National Incident Management System (NIMS). Question: Has your utility adopted the National Incident Management System (NIMS) (Y/N)? Page 12 ------- June 2008 U13. Measure: Number and percentage of utilities that are signatories, or are in the process of becoming signatories, to written agreements for requesting aid or assistance, such as a mutual aid or assistance agreement or a Water/Wastewater Agency Response Network (WARN) membership. Questions: Is your utility a signatory to written agreements for requesting aid or assistance, such as a mutual aid or assistance agreement or a Water/Wastewater Agency Response Network (WARN) membership (Y/N)? If no, are you in the process of creating an agreement (Y/N)? U14. Measure: Number and percentage of utilities that have responded to an emergency request to provide mutual aid and assistance. Question: Has your utility responded to an emergency request to provide mutual aid and assistance (Y/N)? R9. Measure for Power Resiliency: Percent of utilities that have backup power for critical operations. Question: Does your utility have backup power for critical operations for: 24 hours? 48 hours? 96 hours? RIO. Measure for Production Resiliency: Percent of utilities that can meet minimum daily demand with their primary production/treatment plant non-functional. Question: What percent of minimum daily demand can your utility meet with your primary production/treatment plant non-functional for: 24 hours? 48 hours? 96 hours? al 4; Increase Communications, Outreach, ai \ > ' ficlenee Safe drinking water and water quality are fundamental to everyday life. An incident in the sector could have significant impacts on public confidence. Fostering and enhancing the relationships between utilities, government, and the public can mitigate negative perceptions in the face of an incident. U15. Measure: Number and percentage of utilities that have plans to handle communications during a crisis. Page 13 ------- June 2008 Question: Do you have a crises communication plan (Y/N)? U16. Measure: Number and percentage of utilities that engage in networking activities regarding emergency preparedness and collaborative response in the event of an incident. Question: Do you engage in networking activities regarding emergency preparedness and collaborative response in the event of an incident (Y/N)? Optional Utility Self-Assessment Questions For each of the optional utility self-assessment questions, utilities would be asked to determine a date ("date X" in the questions below) from which to measure change or improvement. Utilities will have the option of selecting the current reporting cycle as their baseline date or another date past. In future reporting cycles, utilities would determine change since the previous reporting cycle. These self-assessment questions would be clearly labeled as optional questions and would be separate from the national measurement questions in the utility reporting tool. Rl. Measure for Physical Security Capability: Percent of critical assets with physical access controls in place. Questions: What percent of your critical assets are currently protected by physical access controls? What percent of your critical assets were protected by physical access controls on date X? R3. Measure of Water Contamination Decision Making Capability: Percent of utilities that have protocols in place to complete site characterizations and make credibility determinations eight hours or less after becoming aware of a potential water contamination event (eight hour time frame based on Response Protocol Toolbox recommendati on). Questions: What is your current capability to make a water contamination threat credibility determination? (within 20-30 hours, 8-20 hours; in 8 hours or less)? What was it on date X? R4. Measure for Information Protection Capability: Percent of utilities that have a process in place for reviewing requests for and restricting access to critical infrastructure information. Questions: Do you have a process in place for reviewing requests for and restricting access to critical infrastructure information? (Yes established process in place; No Page 14 ------- June 2008 process being developed; Informal/ad hoc review) How would you have answered on date X? R5. Measure for SCADA Protection Capability: Percent of SCADA data transmission networks that are segregated from telephony or Internet networks. Questions: What percent of your SCADA data transmission network is segregated from public telephony or Internet networks? What was the percentage on date X? R6. Measure for Employee Security Investment: Percentage of time permanent employees dedicate to security tasks. Questions: What is your current annual FTE commitment to security tasks? What was it on date X? R7. Measure for Raw Water Source Supply Resiliency: Percent of utilities that can meet 100% of minimum daily demand with their primary raw water source unavailable. Questions: What improvements have you seen in your ability to meet 100% of minimum daily water demand with your primary raw water source unavailable? Not counting in process or finished water storage, can you meet 100% of minimum daily demand with the primary raw water source unavailable for 24 hours (Y/N), for 48 hours (Y/N), for 7 days (Y/N), or other (please specify)? How does this compare with date X - e.g., previously could meet 100% of minimum daily demand for 24 hours, or 7 days, or never? R8. Measure for Finished Water Storage Resiliency: Average amount of time a utility can meet 100% of minimum daily demand with stored finished water. Questions: How long can you currently meet 100% of minimum daily demand with stored finish water? How does this compare with date X - how long could you have met 100%) of minimum daily demand with stored finish water on date X? Rll. Measure for Equipment Resiliency: For critical parts/equipment, the longest lead time for repair/replacement. Questions: For critical parts/equipment (as defined in your Vulnerability Assessment) what is your current longest lead-time for repair or replacement? How does this compare with date X (e.g., what was longest lead-time for repair or replacement)? R12. Measure for Personnel Resiliency: Average number of excess (backup) response- capable people available for critical operation and maintenance positions. Questions: What is your current average number of response capable backup people for critical operation and maintenance positions? What was it on date X? Page 15 ------- June 2008 R13. Measure for Treatment Resiliency: Where chemicals are necessary to meet the Safe Drinking Water Act standards for acute contaminants (i.e., E.coli, fecal coliform, nitrate, nitrite, total nitrate and nitrite, chlorine dioxide, turbidity - as referenced in the list of situations requiring a Tier 1 Public Notification under 40 CFR 141.202), the average number of days that utilities can deliver 100% of minimum daily demand treated to meet this subset of SDWA standards without any additional chemical deliveries. Questions: Where chemicals are necessary to meet Safe Drinking Water Act standards for acute contaminants (i.e., E.coli, fecal coliform, nitrate, nitrite, total nitrate and nitrite, chlorine dioxide, turbidity - as referenced in the list of situations requiring a Tier 1 Public Notification under 40 CFR 141.202), what is the current number of days you can deliver 100% of the minimum daily demand treated to meet this subset of SDWA standards without any additional chemical deliveries? What was it on date X? R14. Measure for Overall Response and Recovery Capability. Percent of utilities with increased capability to respond to real events and exercises consistent with their emergency response, business continuity, or other appropriate response plans. Questions: How confident are you in your ability to respond to real events and exercises consistent with your emergency response, business continuity, or other response plans? (Measurement would be on a scale from very low to very high with an "I don't know" option.) R15. Measure for Reduced Service Event Capability: Number/percent of utilities that have a protocol and necessary equipment and infrastructure in place to ensure continued water availability to critical customers during a reduced-service event. Questions: To what extent have you set priorities and planned for a reduced service event? (established protocol; equipment and infrastructure in place; plan in place, protocol, equipment and infrastructure being developed; no formal plan) How has this changed since date X? Sine terns Crosswalk The Water SSP states that "The most effective measures for small systems will be evaluated through the CIPAC process and will rely heavily on the vulnerability assessment and emergency response plan tool used by the majority of small systems." In consideration of this, the CIPAC Metrics Workgroup came to consensus that the vulnerabilities, event consequences, and capabilities of typical small utilities may be different than larger utilities. Attachment 5 contains a crosswalk that incorporates the 16 utility activity measures into the tool used by the majority of small systems. The crosswalk is intended to highlight commonalities between the two question Page 16 ------- June 2008 sets and to enhance small systems' abilities to respond to and have confidence in the data gathering process. Page 17 ------- June 2008 OTHER ACTOR MEASURES "Other actors" are the entities in the water sector that are accountable for achieving the SSP Goals and Objectives and who are not utilities. State and Federal government agencies and water sector associations are examples of other actors. Background t nmendations For States: For all measures, there is a need to capture efforts related to both drinking water systems and efforts related to wastewater systems - they most often are not implemented by the same state program. In implementation, the state measures will need to be specifically and separately tailored for two distinct state regulatory agency audiences: those implementing Safe Drinking Water Act requirements and overseeing drinking water utilities; and those implementing Clean Water Act requirements and overseeing wastewater utilities. The states felt strongly that the measures should emphasize their principal security role - that is, assisting and supporting water and/or wastewater utilities through state programs. With that in mind, there was an interest in more closely aligning state measures with those being reported by utilities and with the SSP goals and objectives. State drinking water programs have proposed an expanded set of state-focused other actor measures that are aligned with the SSP goals and objectives and the activity measures for individual utilities. For Utility Associations: It may be difficult for utility associations to make a specific count of activities such as trainings or guidance documents because many association activities take place in a distributed way. For example, once a utility signs a WARN, the development of materials becomes more of a state-specific function. As such, a state branch of an association may develop materials that the national branch doesn't keep track of. Associations can educate utilities about WARNs, but ultimately the utility itself has to decide to create or join one. The relative emphasis of association SSP goal-related activity will shift over time as needs in the sector change and evolve. A shift away from a focus in one area (e.g., mutual aid and assistance) does not necessarily signal deficient emphasis. Page 18 ------- June 2008 ommendi ' ler Actor Measures The Workgroup reached consensus on the following suite of other actor measures, which are organized by the SSP Goal they most closely support. al 1; Sustain Protection of Public Health and the Environment The nation relies on a sustained amount of safe drinking water and on the treatment of wastewater to maintain public health and environmental protection. To help better protect and secure public and environmental health, the water sector will work to ensure the continuity of both drinking water and wastewater services, OAl Measure: Number of state drinking water and/or wastewater programs that have included security assistance as part of routine activities that help water and/or wastewater utilities to prepare security programs and response plans. Questions to states: Has your state drinking water program provided broadly targeted assistance activities/initiatives to help water utilities develop or enhance an all hazards/security response program (Y/N)? Has your state wastewater program provided broadly targeted assistance activities/initiatives to help wastewater utilities develop or enhance an all hazards/security response program (Y/N)? OA2 Measure: Number and percentage of Public Utility Commissions (PUCs) that have designated personnel or a method in place to discuss security costs and issues with water and/or wastewater utilities. Question to PUCs: Does the Commission have designated personnel or a method in place to discuss security costs and issues with water and/or wastewater utilities (Y/N)? Does the Commission include security costs and issues in its rate making for drinking water and wastewater utilities (Y/N)? OA3 Measure: Whether or not EPA has developed an evaluation system for contaminant warning systems. Page 19 ------- June 2008 Question to EPA: Have you developed an evaluation system for contaminant warning systems (Y/N)? OA4 Measure: Number of contaminants of concern listed in the Water Contaminant Information Tool (EPA product) that have updated analytical protocols and contaminant-specific treatment information (response and recovery protocols) listed. Question to EPA: How many contaminants of concern listed in the Water Contaminant Information Tool (WCIT) have updated analytical protocols and contaminant-specific drinking water and wastewater-treatment information listed (i.e., decontamination, health effects, etc.)? OA5 Measure: Number of functional exercises conducted to test the implementation of the Regional Drinking Water Laboratory Response Plans; number of training efforts conducted to enhance capabilities of environmental laboratories and the water utility sector; and number of chemical and biological methods developed and/or modified for use by laboratories when analyzing water security event samples. Questions to EPA: How many functional exercises have been conducted to test the implementation of the Regional Drinking Water Laboratory Response Plans? How many training efforts have been conducted to enhance capabilities of environmental laboratories and the water utility sector? How many chemical and biological methods have been developed and/or modified for use by laboratories when analyzing water security event samples? al 2; Recognize ฃ duee Risks Water Sector With an improved understanding of the vulnerabilities, threats, and consequences, owners and operators of water sector utilities can continue to thoroughly examine and implement risk-based approaches to better protect, detect, respond to, and recover from manmade and natural events, OA6 Measure: DHS efforts to develop sector-specific CI/KR threat assessments needed to support comprehensive risk assessments, including providing guidance on metrics for annual reporting and national cross-sector comparative analysis. Page 20 ------- June 2008 Question to DHS: Have you developed water sector-specific CI/KR threat assessments needed to support comprehensive risk assessments, including providing guidance on metrics for annual reporting and national cross-sector comparative analysis (Y/N)? OA7 Measure: Number and geographic coverage of regional "fusion" centers that aid individual utilities with timely access to actionable threat characterization and validation services. Questions to DHS: How many regional "fusion" centers that aid individual utilities with timely access to actionable threat characterization and validation services have been created? What is the regional coverage of the fusion centers? OA8 Measure: Elapsed time (e.g., average hours) and quality of response when utilities call to check threat information. Question to DHS: What is the average elapsed time (e.g., average hours) and quality of response when utilities call regional fusion centers to check threat information? OA9 Measure: Number of state drinking water and/or wastewater programs that have provided or supported outreach or training on design, implementation or updates to vulnerability assessments. Questions to states: Has your state drinking water program performed any of the following activities: provided or hosted, organized, or sponsored in coordination with water organizations specific outreach or training on design, implementation or updates to vulnerability assessments for drinking water systems serving <3300 (Y/N)? Has your state wastewater program performed any of the following activities: provided or hosted, organized, or sponsored in coordination with water organizations specific outreach or training on design, implementation or updates to vulnerability assessments for wastewater systems (Y/N)? Page 21 ------- June 2008 al 3; Maintain a Resilient Infrastruc The water sector will investigate how to optimize continuity of operations to ensure the economic vitality of communities and the utilities that serwe them. Response and recovery from an incident in the water sector will be crucial to maintaining public health and public confidence. OAIO Measure: Number of state drinking water and/or wastewater programs with staff that have the credentials (NIMS/ICS training) necessary to participate in an incident command structure, if such participation becomes necessary. Questions to states: Does your state drinking water program have staff with appropriate training to support water system needs within the Incident Command Structure (Y/N)? Does your state wastewater program have staff with appropriate training to support water system needs within the Incident Command Structure (Y/N)? OA11 Measure: Number of state drinking water and/or wastewater programs that have provided or supported outreach or training on business continuity planning. Questions to states: Has your state drinking program performed any of the following activities: provided or hosted, organized, or sponsored in coordination with water organizations specific outreach or training for water utilities on the importance and need for a business continuity plan (Y/N)? Has your state wastewater program performed any of the following activities: provided or hosted, organized, or sponsored in coordination with water organizations specific outreach or training for wastewater utilities on the importance and need for a business continuity plan (Y/N)? OA12 Measure: Number of state drinking water and/or wastewater programs that have provided or supported outreach or training on emergency response planning. Page 22 ------- June 2008 Questions to states: Has your state drinking water program performed any of the following activities: provided or hosted, organized, or sponsored in coordination with water organizations specific outreach or training for water utilities on the importance and need for an emergency response plan (Y/N)? Has your state wastewater program performed any of the following activities: provided or hosted, organized, or sponsored in coordination with water organizations specific outreach or training for wastewater utilities on the importance and need for an emergency response plan (Y/N)? OA13 Measure: Number of state drinking water and/or wastewater programs that participate in and/or support development of a state-wide WARN or mutual aid network. Questions to states: If available in your state, has your state drinking water program participated in and/or supported development of a WARN or mutual aid initiative (Y/N)? If available in your state, has your state wastewater program participated in and/or supported development of a WARN or mutual aid initiative (Y/N)? OA14 Measure: Priority and type of mutual aid and assistance enabling activities conducted by other actors. Question(s) to Utility Associations, EPA, and DHS: Relative to all of your SSP goal-related efforts during this reporting period, what has been the priority (high, medium, or low) of providing mutual aid and assistance implementation support to the water sector? In what type(s) of mutual aid and assistance implementation support activity did your organization engage? o No activity during this reporting period o General promotional efforts (such as identification in newsletter) o Targeted workshops and/or training o Development of research products o Development of guidance documents o Development of model agreements/templates Page 23 ------- June 2008 o Other (please specify) Do you expect the priority of these activities to change during the next reporting cycle (yes/no) and, if yes to what (high, medium, or low)? al 4; Increase Communications, Outreach, ai \ > ' ficlenee Safe drinking water and water quality are fundamental to everyday life. An incident in the sector could have significant impacts on public confidence. Fostering and enhancing the relationships between utilities, government, and the public can mitigate negative perceptions in the face of an incident. OA15 Measure: Priority and type of crises communication activities conducted by other actors. Question(s) to Utility Associations, EPA, and DHS: Relative to all of your SSP goal-related efforts during this reporting period, what has been the priority (high, medium, or low) of providing crises communication implementation support to the water sector? In what type(s) of crises communication implementation support activity did your organization engage? o No activity during this reporting period o General promotional efforts (such as identification in newsletter) o Targeted workshops and/or training o Development of research products o Development of guidance documents o Development of model agreements/templates o Other (please specify) Do you expect the priority of these activities to change during the next reporting cycle (yes/no) and, if yes to what level (high, medium, or low)? OA16 Measure: Number of state drinking water and/or wastewater programs that participated in one or more Federal or state level emergency response exercises in which the water sector was a focus. Questions to states: If offered, has your state drinking water program participated in any emergency response exercise in which the water sector was a focus (Y/N)? Page 24 ------- June 2008 If offered, has your state wastewater program participated in any emergency response exercise in which the water sector was a focus (Y/N)? OA17 Measure: Number of state drinking water and/or wastewater programs that have provided or sponsored (including as a partner with one or more other sponsoring agencies) one or more emergency response exercises for water and/or wastewater utilities. Questions to states: Has your state drinking water program provided or hosted, organized, or sponsored in coordination with water organizations, one or more emergency response exercises for water utilities (Y/N)? Has your state wastewater program provided or hosted, organized, or sponsored in coordination with water organizations, one or more emergency response exercises for wastewater utilities (Y/N)? Page 25 ------- June 2008 POTENTIAL LONGER-TERM OUTCOME MEASUREMENT AREAS TO EXPLORE The following potential longer-term, risk reduction outcome measures are those that are of interest, but will require some time for significant background to develop before implementation can take place. The measures, developed by the utility Subgroup, are presented solely as options for future consideration. Potential easurement Areas for Federal Partners to Explore 1. Measure for Overall Water Sector Resilience (#1): Percent of operational area emergency activations (Emergency Operations Centers) that include a water-related emergency. Operational area typically is a county. This measure would allow the sector to track how often the water sector is compromised in the context of emergencies. Improved resilience in the sector should be reflected in a lower water sector percent participation in activations over time. Measure would be drawn from FEMA data. 2. Measure for Overall Water Sector Resilience (#2): Ratio of total annual FEMA emergency dollars spent to number of water sector do not use and cessation of service days. Total FEMA emergency dollars are being used as an indication of the number/extent of natural or man-made disasters in a year. Assuming annual FEMA emergency dollars spent equate to the number and magnitude of national emergencies then, if the number of "water utility do not use/cessation of service" counts drop per FEMA dollar over several years, then the water sector can be seen as having improved resiliency in dealing with catastrophes. Potential easurement Areas for Associations and Utilities to Explore 3. Measure for Overall Individual Utility Resilience (#1): Change in number of customer day equivalents per annum that Safe Drinking Water Act standards are not achieved. SDWA standards are being used as an indication of verified, compromised water quality. Page 26 ------- June 2008 24 hours for 1 customer equals 1 customer day equivalent; 1 hour for 24 customers equals 1 customer day equivalent. This metric approach normalizes the data across all sizes of utilities enabling easy comparison. 4. Measure for Overall Individual Utility Resilience (#2): Change in number of customer day equivalents per annum that customers are without service. "Without service" means no pressure at the tap. 24 hours for 1 customer equals 1 customer day equivalent; 1 hour for 24 customers equals 1 customer day equivalent. This metric approach normalizes the data across all sizes of utilities enabling easy comparison. 5. Measure for Overall Individual Utility Resilience (#3): Change in results of annual self- assessments against the 10 Features of active and effective protective programs. For each Feature, a utility would rank itself (e.g., from 1 to 5 with 1 defined as no implementation and 5 defined as full implementation). Measure would require the consistent use of an internal "team" of evaluators to ensure reasonable consistency of judgments made from year-to-year. 6. Measure for Utility Water Supply Resilience: Number of utilities that have addressed fixed or transient interconnectivity? "Transient" interconnectivity covers approaches that do not use fixed pipe, such as temporary pipe, etc. Potential Reporting options: established; engineering feasibility conducted; not addressed; or does not apply. 7. Measure for Overall Consequence Reduction: Change in expected value of economic impacts due to loss of service over time? Would require that the consequence assessment predictive economic impact model include an adjustment factor for improved resiliency. (Current RAMCAP development efforts may provide this capability.) Page 27 ------- June 2008 MEASURES REPORTING y Measures Reporting The following Workgroup recommendations on utility reporting address who should be invited to report, who should collect, maintain and retain data, and data quality and protection. Who Reports? Reporting will be voluntary; All water and waste water utilities (and combined utilities) of all sizes and types will be invited to report; and o Initial marketing and outreach may focus on acquiring data from large and medium size systems (i.e., systems serving populations of 10,000 or greater); and special outreach or tools may be necessary for small systems to improve their response rate in the future. All reports will be included in the national data set (aggregated). What Attribute Data Are Collected? The Workgroup membership has agreed that: State location, population served (size), utility type (drinking water, wastewater, combined, community, non-community, transient), and utility source/receiving water type should be collected as attribute data; and Specific requirements for data banding and/or other data management rules will protect inappropriate combinations/reporting of attribute data (see "how is the identity of reporters protected" below). Who Builds and Administers the Reporting System, Collects and Retains the Data? The Workgroup membership has agreed to the following. System implementation and data collection will be undertaken by a third party. Requirements for the third party are: o Provides a system that is readily accessible and usable by all water utility types and sizes at no cost to utilities; o Has a plan to protect security-sensitive information of the type that might be reported by utilities under the measurement program; and Page 28 ------- June 2008 o Agrees to keep PIN codes confidential and protect the identity of reporters in accordance with the conditions outlined in the section, "how is the identity of reporters protected" below. The Workgroup membership acknowledges that EPA is accountable to program overseers and the public, and this accountability creates a need for sector progress data in the short term (the Workgroup understands the need for and supports the development of a reporting tool that will make data available to EPA and the states during 2008). In response to this need, monthly tool development progress updates will be made available upon request to Workgroup members and, if a written draft of the reporting tool (containing the questions and associated definitions and directions, as well as the proposed lay out and sequence of the questions) is not ready by March 31, 2008 and/or the reporting tool is not ready for beta testing by April 30, 2008, EPA will need to move forward to collect initial data. If EPA needs to collect initial data: o The data collected will be consistent with the utility measures recommended in this report (i.e., EPA will not unilaterally change the measures or questions recommended by the Workgroup); o The identity of reporters will be protected; depending on EPA's practical ability to protect reporters' identities it may be necessary for reports to be fully anonymous (i.e., no PIN code) and collection of some attribute data, such as state location data, may need to be reconsidered; and o As much as possible, the data will be gathered consistent with the third party system under development allowing EPA to transfer the data to the third party system once it is ready. The Workgroup membership prefers that, if EPA data gathering is necessary under the conditions above, it be only a one-time, stop-gap action that would not substitute for eventual development of a successful third party system as recommended elsewhere in this report. What Assures Data Quality? The Workgroup membership has agreed to the following. The third party will use PIN codes to identify individual reporters for purposes of data quality assurance and quality control (QA/QC) only. The "translation" of PIN code to reporter identity will not be contained in the raw data setit will be kept separate, available only to the third party. The third party may contact individual reporters (subject to conditions described below) to ask questions about (and, if necessary, correct) data anomalies to ensure reporting is accurate (e.g., to eliminate duplicate reporting). Page 29 ------- June 2008 The full Workgroup membership acknowledges that some workgroup members anticipate including PIN codes to allow for data QA/QC may reduce participation in the reporting system and, therefore, if reporting rates are low, it may be necessary to reevaluate the need for/merits of fully anonymous reporting (i.e., no PIN codes) after two years. The third party will include a non-disclosure agreement in the utility reporting tool (measures survey), indicating that the identity of participating utilities will not be released or shared with other parties without the express permission of the individual utility. The third party will include a check-box in the utility reporting tool (measures survey) for individual utilities to indicate if they do not want to be contacted for QA/QC. Any data of questionable quality from utilities that indicate they do not want to be contacted will not be included in the national data set and any analyses/reports produced from the data set. Wha- Approach to Validation or Verification of Responses? The Workgroup membership agreed that the third party will not contact individual reporters to validate/verify responses (e.g., assess a reporter's basis for answering a particular question or questions). How Is the Identity of Report iteeted? The Workgroup membership agreed to the following. The raw data set will not include specific utility identification data, such as names or addresses. Banding and/or data management rules for attribute data on population served and state location must ensure that no data sorts (reports) can reveal the identity of an individual utility or small set of utilities. For example, because there are fewer large systems, the third party may not be able to aggregate at any level other than the national location level or, if data are aggregated at the state location level, it may be necessary to include all utilities of all sizes in the state aggregation to ensure protection of the individual identities of large systems. The Workgroup membership directs that the third party should develop the exact data aggregation and banding protocols during implementation following the performance standard described above. PIN codes will allow the third party to identify individual reporters for purposes of data quality control and quality assurance only. The "translation" of PIN code to reporter identity will not be in the raw data set - they will be kept separate available only to the third party. Page 30 ------- June 2008 Utility Reporting Syste aracteristics The Workgroup members identified a number of characteristics in addition to those already covered in the previous recommendations, which they believe the utility reporting system, either initially or in the future, should have. These include the following Originator control of data; User-friendly structure that hides complexity, perhaps using TurboTaxฎ as a model; Ability to create customized reports for various audiences; and Integrated, web-based planning and preparedness tool that has educational components (e.g., links to resources). The following includes additional Workgroup observations about each of these desired characteristics. Originator Control of Data Originator control is going to be necessary in some form. Originator control should be less about shielding information from peers, government, etc., and more about knowing who you are giving data to and what they are doing with it. Have agreements up front about where data resides, who has access, and for what purpose. User-Friendly Structure that Hidซ iplexity It will be important for the tool to have a user-friendly structure that hides complexity. TurboTaxฎ is a useful model. Two approaches could be used: 1) thin client/browser- based on-line system (data resides on remote server); or 2) purchase software where files reside on user's own computer. Either could be an option. The tool should be customizable to the user. To obtain valuable national aggregation, there would need to be minimum required fields that all utilities would complete. Ability to Create Customized Reports for Various Audiences It will be important for the tool to be able to create customized reports. Detailed reports for utilities could be produced locally (by the utility), while a less detailed report could be what gets shared with the national collection body. Page 31 ------- June 2008 Integrated, Web-Based Planning and Preparedne >1 The Workgroup also discussed that, in the future, the utility reporting tool could be developed into an integrated, web-based planning and preparedness tool. The Workgroup supported a phased implementation approach, beginning with a simple web-based reporting tool, with certain optional questions available for self-assessment purposes, and developing a planning and preparedness tool over time as experience dictates and resources allow. The Workgroup also made the following observations about development of such a tool. A new web-based planning and preparedness tool could be developed to do the kind of teaching and linking to information that is needed. However, existing tools could provide inputs/feed data into a new tool. The tool should be a learning tool, with information embedded in links (for example, links to suggested example practices). If utilities see that what they report feeds into their own planning process, they will be more likely to use the tool. .' 'Oiling Baseline an mcy uency In the current absence of DHS reporting frequency guidance, the Workgroup recommends reporting on an annual basis, provided that the reporting system is easy to use and that reports (results) are generated and available to the sector quickly (i.e., do not ask for new reporting if the results of the last report aren't yet available). As DHS guidance becomes available, the Workgroup recommends that the WSCC/WGCC explicitly consider the merits of aligning water sector reporting with this guidance to the extent it differs from the annual approach recommended here. Reports would be asked for in the same month every year, and during a month that is more convenient for utilities. Utilities would be provided adequate lead-time for response, but also have a "close" date, so reporting is closed for the year. Baseline The reporting baseline for all utility questions corresponding to the measures for national aggregation would be the first reporting cycle. Page 32 ------- June 2008 For the optional utility self-assessment questions, utilities would select an appropriate baseline period based on: data availability, the period over which important changes have taken place, or other criteria determined by the utility. The utilities will have the option of selecting the current reporting cycle as their baseline or a date past. In future reporting cycles, and to the extent the national reporting tool embraces additional measures, utilities would determine change since the previous reporting cycle. Other Actor Measures Reporting The following are the Workgroup recommendation on voluntary reporting by other actors - states, federal agencies, and water sector associations. The Workgroup proposes a multi-path approach to collection and aggregation of other actor measures data. The Workgroup believes that several discussions about other actor measures reporting will need to continue beyond and outside the Workgroup deliberations. EPA would collect and aggregate data on federal measures from EPA programs and the Department of Homeland Security. The Workgroup deliberations considered the WSCC Secretariat (currently from AWWA) as the entity to collect and aggregate data from water sector utility association measures. The Workgroup agreed that a subset of the Workgroup members from the water sector associations should continue discussions and develop a reporting approach for association measures data. The Workgroup agreed that a subset of the Workgroup members, including EPA, ASDWA and the States should continue discussions and develop a reporting approach for state and PUC measures data. The Workgroup identified the state and PUC measures as having a special consideration around data collection should EPA be involved in the reporting approach, as the number of states and PUCs would trigger Information Collection Request (ICR) rules. Page 33 ------- June 2008 FEATURES OF AN ACTIVE AND EFFECTIVE PROTECTIVE PROGRAM FOR WATER AND WASTEWATER UTILITIES :tion The water sector has developed the Features of an Active and Effective Protective Program to assist owners and operators of drinking water and wastewater utilities (water sector) in preventing, detecting, responding to, and recovering from all-hazards, including terrorist attacks or natural disasters. The features are based on the National Drinking Water Advisory Council's recommendation: 14 Features of an Active and Effective Security Program. The features contained in this version update the original 14 to: Capture the water sector's post Hurricane Katrina emphasis on "all hazards" preparedness; and Establish explicit alignment with the Water Sector-Specific Plan for Critical Infrastructure Protection (Water Sector SSP) prepared under the framework of the National Infrastructure Protection Plan (NIPP). The features describe the basic elements for establishing a "protective program" for owners/operators of utilities to consider as they develop utility-specific approaches. Note: Throughout this document, the terms "protective program," "protection," or "protective" are used to describe activities that enhance resiliency and promote continuity of service regardless of the hazard a utility might experience. These activities address the physical, cyber, and human elements of prevention, detection, response, and recovery. I res of an Active ai 1 1 ptective Program 1. Encourage awareness and integration of a comprehensive protective posture into daily business operations to foster a protective culture throughout the organization and ensure continuity of utility services. (Most strongly aligned with SSP Goal 1, Objective 1.) Senior leadership makes an explicit, easily communicated commitment to a program that incorporates the full spectrum of protection activities. Incorporate protection concepts into organizational culture. Page 34 ------- June 2008 Foster attentiveness to protection among front line workers and encourage them to bring potential issues and concerns to the attention of others; establish a process for employees to make suggestions for protection improvements. Identify employees responsible for implementation of protection priorities and establish expectations in job descriptions and annual performance reviews. Designate a single manager (even if it is not a full time duty) responsible for protective programs. Establish this responsibility at a level to ensure protection is given management attention and made a priority for line supervisors and staff. Keep current on improvements and good protective practices adopted by other utilities. Monitor incidents and available threat-level information; escalate procedures in response to relevant threats and incidents. 2. Annually identify protective program priorities and resources needed; support priorities with utility-specific measures and self-assess using these measures to understand and document program progress. (Most strongly aligned with Goal 1, Objective 1.) Annually identify and dedicate resources to protective programs in capital, operations, and maintenance budgets; and/or staff resource plans. Tailor protective approaches and tactics to utility-specific circumstances and operating conditions; balance resource allocations and other organizational priorities. Annually review protection commitments and improvement priorities with top executives. Develop measures appropriate to utility-specific circumstances and operating conditions. Self-assess against the measures developed to understand and document program progress. 3. Employ protocols for detection of contamination while recognizing limitations in current contaminant detection, monitoring, and public health surveillance methods. (Most strongly aligned with Goal 1, Objectives 2 and 3.) Recognize that water quality monitoring, consumer complaint surveillance, sampling and analysis, enhanced security monitoring, and public health syndromic surveillance are different, but related, elements of an overall contamination warning system. The effectiveness of these components may vary from system to system. Establish sampling and testing protocols for events (and suspected events) and understand availability of, and be prepared to access, specialized laboratory capabilities that can handle both typical and atypical contaminants. Page 35 ------- June 2008 Track, characterize, and consider customer complaints to identify potential contamination events. Use security monitoring methods (e.g., intrusion detection devices such as alarms or closed circuit television) to aid in determining whether a suspected contamination event is the result of an intentional act. (Also see feature 5) Establish working relationship with local, state, and public health communities to detect public health anomalies and evaluate them for contamination implications. 4. Assess risks and periodically review (and update) vulnerability assessments to reflect changes in potential threats, vulnerabilities, and consequences. (Most strongly aligned with Goal 2, Objectives 1-3, although is a critical contributor to Goal 1, Objective 1.) Maintain current understanding and assessment of threats, vulnerabilities, and consequences. Utilities will need to adjust continually to respond to changes in threats, vulnerabilities, and consequences. Establish and implement a schedule for review of threats, vulnerabilities, and consequences and their impact on the vulnerability assessment at least every three to five years to account for factors such as, but not limited to, facility expansion/upgrades, community growth, etc.. Reassess threats, vulnerabilities, and consequences after incidents and incorporate lessons into protective practices. Individuals who are knowledgeable about utility operations should conduct the reviews. Include an executive in the review process to provide an ongoing conduit of information to/from management. Use a methodology that best suits utility-specific circumstances and operating conditions; however, ensure the selected method supports the criteria outlined in the National Infrastructure Protection Plan (NIPP). 5. Establish physical and procedural controls to restrict access only to authorized individuals and to detect unauthorized physical and cyber intrusions. (Most strongly aligned with Goal 2, All Objectives.) Identify critical facilities, operations, components, and cyber systems (such as SCAD A). Develop and implement physical and cyber intrusion detection and access control tactics that enable timely and effective detection and response. Utilize both physical and procedural means to restrict access to sensitive facilities, operations, and components; including treatment facilities and supply/di stribution/collection networks. Page 36 ------- June 2008 Define, identify, and restrict access to security-sensitive information (both electronic and hard copy) on utility operations and technical details. Establish means to readily identify all employees (e.g. ID badges). Verify identity of all employees, contractors and temporary workers, with access to facilities, through background checks as appropriate per local/state law and/or labor contract and other agreements. Test physical and procedural access controls to ensure performance. 6. Incorporate protective program considerations into procurement, repair, maintenance, and replacement of physical infrastructure decisions. (Most strongly aligned with Goal 2, All Objectives) Bring forward protective program considerations early in the design, planning, and budgeting processes to mitigate vulnerability and/or potential consequences and improve resiliency over time. Design and construction specifications should address both physical hardening of sensitive infrastructure; and adoption of inherently lower risk technologies and approaches where feasible. Design choices should consider ability to rapidly recover and continue services following an incident. 7. Prepare emergency response, recovery, and business continuity plan(s); test and review plan(s) regularly, update plan(s) as necessary to ensure NIMS compliance and to reflect changes in potential threats, vulnerabilities, consequences, physical infrastructure, utility operations, critical interdependencies, and response protocols in partner organizations. (Most strongly aligned with Goal 3, Objectives 1 and 3.) Understand the National Incident Management System (NIMS) guidelines established by DHS (as well as community and state response plans and FEMA Public Assistance procedures); and incident command systems (ICS). At a minimum, utility response and recovery planning should be NIMS compliant. Coordinate emergency plan(s) with community emergency management partners: o Establish interoperable communications systems where feasible to maintain contact with police, fire, and other first responder entities, o Establish internal protocols to maintain communications with employees to ensure safety and to coordinate response activities. Implement backup plans and strategies for critical operations, including water supply and treatment (to mitigate the potential public health, environmental, and economic consequences of events), power, and other key components. Page 37 ------- June 2008 Maintain plan(s) that are exercised at least annually, identify circumstances that prompt implementation, and identify individuals responsible for implementation. o Provide employees with appropriate security and preparedness training and education opportunities. o At least annually review plan(s) and conduct exercises that address the full range of threats relevant to the utility. o Update plan(s), as necessary, to incorporate lessons from training, exercises, and incident responses. Ensure plan(s) identify critical and time sensitive applications, vital records, processes, and functions that need to be maintained; and the personnel and procedures necessary to do so until utility has recovered. At a minimum, plan(s) should include a business impact analysis and address need for power, communication (internal and external), logistics support, facilities, information technology, and finance and administration-related functions; including necessary redundancy and/or timely access to backup systems and cash reserves. 8. Forge reliable and collaborative partnerships with first responders, managers of critical interdependent infrastructure, other utilities, and response organizations to maintain a resilient infrastructure. (Most strongly aligned with Goal 3, Objectives 2 and 4.) Partnerships should be forged in advance of an emergency, ensuring utilities and key partners are better prepared to work together if an emergency should occur. Partnerships with other local utilities, peers, and associations should emphasize formation of, and participation in, mutual aid and assistance agreements such as a Water and Wastewater Agency Response Network (WARNs). Maintain awareness of industry best practices and available protective program-related tools and training. Establish relationship with critical customers (hospitals, manufacturing, etc.) to identify interdependency issues that may impact business continuity. Participate in joint exercises with identified partners as appropriate. 9. Develop and implement strategies for regular, ongoing communication about protective programs with employees, customers, and the general public to increase overall awareness and preparedness for response to an incident. (Most strongly aligned with Goal 4, Objective 1, although is critically supportive of Goal 1, Objectives 1 and 2.) Establish public communications protocol, including pre-prepared public announcement templates, to share critical information; and implement mechanisms for receiving community feedback. Public communication strategies should: Page 38 ------- June 2008 o Identify means to reach customers and the general public with incident information; o Provide a mechanism for customers and the public to communicate with appropriate personnel about unusual or suspicious events; o Inform customers about appropriate actions to enhance their preparedness for potential incidents that may impact services; and Internal communication strategies should: o Increase and/or maintain employee awareness of protective program; o Motivate staff to support protective program strategies and goals; o Provide ways for staff to notify appropriate personnel about unusual or suspicious activities; o Ensure employees understand nature of, and restrictions on, access to security sensitive information and/or facilities; and o Ensure employee safety during an event or incident and enable effective employee participation during response and recovery efforts. Evaluate effectiveness of communication mechanisms over time. 10. Monitor incidents and available threat-level information; escalate procedures in response to relevant threats and incidents. (Most strongly aligned with Goal 4, Objective 2, although a critical contributor to Goal 1, Objective 1 and Goal 3, Objective 3.) Develop standard operating procedures to identify and report incidents in a timely way and establish incident reporting expectations. o In the specific context of intentional threats and acts, ensure staff can distinguish between normal and unusual activity (both on/off site) and know how to notify management of suspicious activity. Develop systems to access threat information, identify threat levels, and determine the specific responses to take. o Investigate available information sources locally, and at the state or regional level (e.g., FBI Infraguard and Water ISAC). o Where barriers to accessing information exist, make attempts to align with those who can, and will, provide effective information to the utility. Make monitoring threat information a regular part of the protective program designee's job and share utility-, facility- and region-specific threat levels and information with key staff and those responsible for protection. Page 39 ------- June 2008 ATTACHMENT 1: WORKGROUP CHARTER The following charter was adopted by the Workgroup on February 28, 2007. I. Establishment and Designation The CIPAC Metrics Workgroup is convened by the Water Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) to develop a national performance measurement system. As part of the process of developing the performance measurement system, the CIPAC Metrics Workgroup intends to update the 14 Features of an Active and Effective Water Security Program to encompass an all-hazards approach and align them with the goals and objectives of the SSP.2 The Secretary of the Department of Homeland Security exempted CIPAC and its workgroups (including the Metrics Workgroup) from the requirements of the Federal Advisory Committee Act (FACA).3 Objectives The CIPAC Metrics Workgroup is expected to focus on the following objectives: Objective (1) Development of a national performance measurement system. Specifically: Developing measures that align and support the goals and objectives of the Water Sector Specific Plan (SSP); How to track measures; How to structure reporting; and Who will collect and retain information and how it will be protected. Objective (2) Aligning the 14 features of an active and effective security program with the Water SSP goals and objectives. Specifically: Determine how the features support the various goals and objectives of the Water SSP; Ensure that the features explicitly and adequately address the concepts of response, recovery, and all-hazards; and Streamline or combine the features as appropriate. 2 "performance measurement system" is a term used to summarize all the facets of collecting measurement data including, but not limited to, the data elements to be reported, how the data will be reported, who will collect the data, and how the data will be protected from public disclosure. 3 For more information, see: http://www.dhs.gov/cipac Page 40 ------- June 2008 Sco . 1 ivities The CIPAC Metrics Workgroup is expected to spend the bulk of its time on establishing a national performance measurement system. The 14 features alignment with the Water SSP should take no more than one multi-day in-person meeting and a minimum of one conference call. Development of a national performance measurement system should take three in-person meetings and several conference calls. The scope of the activities includes: Objective (1) Development of a national performance measurement system: Assumptions o Reporting of utility level data will be voluntary. o Data will be released to the public at the national level only in aggregate form. Therefore, no utility-specific security-sensitive data will be made available to the public without the utility's express consent, o Progress data from individual utilities submitted to the government will be protected from public disclosure (i.e., FOIA). o Decisions on national performance measures should be consistent with the Water SSP's vision, goals, and objectives. o CIPAC Workgroup efforts will be coordinated with DHS' National Infrastructure Protection Plan (NIPP) core-metric development. The Workgroup will deliberate for 6-8 months by having three 2-3 day in-person meetings, in addition to conference calls and video conferencing as needed. The final performance measurement system will be documented in a report, reviewed by the Workgroup, and finalized by the full CIPAC. The final report will be provided to EPA and DHS for use in the SSP in support of the NIPP. Objective (2) Aligning the 14 features of an active and effective security program with the Water SSP goals and objectives: Assumptions o The Workgroup should optimize the existing features as much as possible, o The Sector Specific Plan will not be re-written in this process. A detailed scope and agenda for the features update meeting will be developed before the meeting. Page 41 ------- June 2008 The Workgroup will meet once for 2-3 days to finalize updates to the features by the conclusion of the meeting. These updates could then be quickly rolled out to the water sector. The finalized features, decided upon at the meeting, will be documented in a report, reviewed by the Workgroup, and finalized by the full CIPAC. The final report will be provided to EPA and DHS for use in the SSP. The following documents will serve as the starting place, and basis for, objectives 1 and 2 of the CIPAC Metrics Workgroup deliberations: o Water SSP, in particular the vision, goals, and objectives; o NDWAC recommendations on 14 Features of Active and Effective Security Programs and three aggregate measures of sector performance; and o Findings of the Measures Testing Group (MTG) for National Aggregate Measures of Water Security. IV. Membership The Water Sector Coordinating Council (SCC) will select representatives from sitting members of the Council, association staff and/or their membership. The Government Coordinating Council (GCC) will choose government representatives for the metrics Workgroup. The SCC will strive to have 8 to 10 representatives on the Workgroup; the GCC will strive to have 4 to 5. V. Operating Procedures and Groom ;s The CIPAC Metrics Workgroup is expected to follow the Workgroup Operating Procedures and Ground Rules. Page 42 ------- June 2008 ATTACHMENT 2: WORKGROUP MEMBERSHIP AND CONTACT INFORMATION Jane Byrne, PhD Director of Water Treatment Hanahan Water Treatment Plant 1104 Hanahan Road Hanahan, South Carolina 29406 Ph: 843.863.4014 Cell: 843.297.1071 ByrneJF@CharlestonCPW.com Nick Catrantzos Security Unit Manager Metropolitan Water District of Southern California 700 N. Alameda Street Los Angeles, California 90012 Ph: (0)213.217.7134 ncatrantzos@mwdh2o.com Cynthia Finley Director, Regulatory Affairs National Association of Clean Water Agencies 1816 Jefferson Place, N.W. Washington, DC 20036-2505 Ph: 202.296.9836 cfinley@nacwa.org Damon Guterman Drinking Water Program Massachusetts Department of Environmental Protection 1 Winter Street, 5th Floor Boston, MA 02108 Ph: 617.574.6811 damon.guterman@state.ma.us William Komianos, co-chair Director, Operational Risk Management American Water Works Service Co., Inc. 1025 Laurel Oak Road Voorhees, NJ 08043 Ph: 856.309.4519 William.Komianos@amwater.com John Laws Water/Dams Infrastructure Specialist Infrastructure Partnership Division Department of Homeland Security 3801 Nebraska Avenue, Bldg 20, 2nd floor Washington, D.C. 20528 Ph: 202.447.3042 Cell: 202.680.4373 john.laws2@dhs.gov Kevin Morley Regulatory Analyst & Security Committee, Staff Secretary American Water Works Association 1300 Eye Street NW Suite 701W Washington, DC 20005-3314 Ph: 202.628.8303 Fax: 202.628.2846 kmorley@awwa.org Lucienne Nelson CIP Program Manager Department of Health and Human Services 200 Independence Ave. S.W. Washington, DC 20201 Lucienne.Nelson@hhs.gov Ph: 202.205.5781 Fax: 202.690.6056 Page 43 ------- June 2008 Debbie Newberry, co-chair Chief, Security Assistance Branch, Water Security Division Environmental Protection Agency 1200 Pennsylvania Avenue, NW Mail Code: 4601 M Washington, DC 20460 Ph: 202.564.1415 newberry.debbie@epa.gov Bridget O'Grady Policy and Legislative Affairs Manager Association of State Drinking Water Administrators 1401 Wilson Blvd, Suite 1225 Arlington, VA 22209 Ph: 703.812.4772 Fax: 703.812.9506 bogrady@asdwa.org Roger D. Selburg, PE Manager, Division of Public Water Supplies Illinois EPA PO Box 19276 Springfield, IL 62794 Ph: 217.782.1722 Fax: 217.782.0075 roger. selburg@Illinoi s. gov David Siburg General Manager Kitsap Public Utility District PUD #1 of Kitsap County 1431 Finn Hill Road P.O. Box 1989 Poulsbo, Washington 98370-0933 Ph: 360.626.7703 Cell: 360.620.7680 dave@kpud.org Jim Sullivan Water Environment Federation 601 Wythe Street Alexandria VA 22314 Ph: 703.684.2436 Fax: 703.684-2413 j sullivan@wef. org Scott L. Szalkiewicz, C.H.E.S. Health Program Supervisor Office of Public Health Preparedness CT Department of Public Health 410 Capitol Ave., MS# 12PHP P.O. Box 340308 Hartford, CT 06134-0308 Ph: 860.509.8100 Fax: 860.509.7987 scott. szalkiewicz@po. state.ct.us Vance Taylor Association of Metropolitan Water Agencies 1620 I Street, NW, Suite 500 Washington, DC 20006 Ph: (O) 202.331.2820 taylor@amwa.net Ed Thomas National Rural Water Association 101 Constitution Ave, NW Suite 900 Washington DC 20001 Ph: 202.742.4413 Cell: 443.739.1358 thomas@rural water. org Page 44 ------- June 2008 Subject Matter Experts Cade Clark, staff to Bill Komianos Director of State Relations National Association of Water Companies 1725 K Street, NW Suite 200 Washington, DC 20006 Ph: 202.466.3331 cade@nawc.com Lydia Duckworth, alternate for Lucienne Nelson Center for Enterprise Modernization The MITRE Corporation Ph: 301.429.2241 1 duckworth@mitre. org Laura Flynn, staff to Debbie Newberry Environmental Protection Agency 1200 Pennsylvania Avenue, N. W. Mail Code: 4601M Washington, DC 20460 Ph: 202.564.4611 flynn.laura@epa.gov Tanya Mottley Associate Director, Water Security Division Environmental Protection Agency 1200 Pennsylvania Avenue, N. W. Mail Code: 2722A Washington, DC 20460 Ph: 202.566.0818 mottley.tanya@epa.gov Alan Roberson Director of Security and Regulatory Affairs American Water Works Association 1300 Eye Street NW, Suite 701W Washington, DC 20005-3314 Ph: 202.628.8303 aroberson@awwa.org Marc Santora, staff to Debbie Newberry Office of Groundwater and Drinking Water Environmental Protection Agency 1200 Pennsylvania Avenue, NW Mail Code: 4601 M Washington, DC 20460 Ph: 202.564.1597 Fax: 202.564.8513 santora.marc@epa.gov Greg Spraul, staff to Debbie Newberry Environmental Protection Agency 1200 Pennsylvania Avenue, NW Mail Code: 4601M Washington, DC 20460 Ph: 202.564.0255 spraul. greg@epa. gov John Whitler, staff to Debbie Newberry Environmental Protection Agency 1200 Pennsylvania Avenue, NW Mail Code: 4601M Washington, DC 20460 Ph: 202.564.1929 whitler.john@epa.gov Patti-Kay Wisniewski, staff to Debbie Newberry Environmental Protection Agency, Region 3 1650 Arch Street Mail Code: 3WP21 Philadelphia, PA 19103-2029 Ph: 215.814.5668 wisniewski.patti-kay@epa.gov Page 45 ------- June 2008 ATTACHMENT 3: WORKGROUP OPERATING PROCEDURES AND GROUND RULES WORKGROUP OPERATING PROCEDURES The following operating procedures were adopted by the Workgroup on February 28, 2007. 1. Participation ml CIPAC Metrics Workgroups will consist of water utility representation, association staff and federal, state and local government representatives. The SCC and the GCC will each select their representatives for the workgroup. The number of representatives attending a particular meeting is expected to vary depending on the meeting agenda. The CIPAC Metrics Workgroup will have two co-chairs (one water sector representative and an EPA representative). Expectations Direct participation of all members is essential to the success of the CIPAC Metrics Workgroup. For that reason, members are asked to make every effort to attend in-person meetings and participate in conference calls. All members are expected to participate throughout the duration of the process. However, any member may withdraw from a CIPAC Metrics Workgroup at any time. In the event a member decides to withdraw from the process, he or she will be asked to document the reasons for their withdrawal and may be replaced by the Coordinating Councils with another representative of similar expertise and interest. Further expectations are described in the Ground Rules. Alternates In the rare event that a designated member is unable to participate in a particular meeting or conference call, another person from that member's organization (i.e., utility, Agency, state, or association) may attend the meeting in his or her place as an alternate. It is the responsibility of the workgroup member to ensure that any alternate is fully briefed and prepared to participate in workgroup deliberations and decision making on behalf of the member and the member's organization. Page 46 ------- June 2008 Co-Chairs To facilitate close coordination with the Water SCC and GCC throughout the process one co- chair will also be a full voting member of the SCC and the other co-chair will be from EPA and represent the GCC. The co-chairs will strive to represent not only their own views but also the views of their colleagues from the SCC or GCC, respectively, and the views of their colleagues on the workgroup. The role of the Workgroup co-chairs is to: Open and close meetings; Work with the facilitation team to run meetings and keep deliberations on point and on schedule; Assist in consensus building; Make decisions about subject matter experts; Make final decisions about process, scope, and schedule in accordance with the Charter; Ensure coordination between the workgroup and the SCC and GCC; and Work with the facilitation team between meetings. Subject Matter Experts Subject matter experts may participate in CIPAC Metrics Workgroups, as needed. Subject matter experts advise the CIPAC Metrics Workgroup, but do not participate in workgroup decision making. Any CIPAC Metrics Workgroup member may request a subject matter expert. However, the final decision on whether to provide particular subject matter experts is to be made by the co-chairs. The DHS CIPAC office will be notified of any subject matter experts. Decision Making Process Consensus The CIPAC Metrics Workgroup intends to use a collaborative, problem-solving approach in their work. The workgroup will strive for consensus among participating members. Consensus is defined as decisions that all participants can "live with." Consensus will be assessed using a variety of techniques including discussion, "straw polling," and review/acceptance of written documents. If the CIPAC Metrics Workgroup has trouble reaching consensus on a particular issue, the co- chairs will work with the membership to seek common ground. If common ground cannot be achieved after extensive discussion, the co-chairs will document the divergent views and forward them to the SCC and GCC for resolution. After the divergent views are forwarded to the SCC Page 47 ------- June 2008 and GCC, each Council would first come to resolution independently, the SCC would use their decision making process and the GCC would use theirs. After each Council resolves the issue within their own body, the SCC and GCC would come together to reach consensus and a final resolution. Rules of Engagement Successful consensus building depends on mutual respect and careful listening among members. Meetings and conference calls will be structured to support a respectful atmosphere, encourage the development of trust and understanding, and provide for participation of all CIPAC Metrics Workgroup members. Workgroup members are encouraged to frame observations in terms of needs and interests (e.g., it is critically important to my utility that security sensitive information is kept confidential) rather than positions (e.g., it is not acceptable under any conditions to release security sensitive information from this utility). Opportunities for finding solutions increase dramatically when discussion focuses on needs and interests. Meetings Meetings of the CIPAC Metrics Workgroup will be closed to the public. A schedule of meeting dates and times will be developed by the facilitator who will work towards scheduling meetings at times when all workgroup members can attend. Reporting The CIPAC Metrics Workgroup will develop a report documenting their process and decisions. This document will be provided to the full CIPAC. Once the full CIPAC concurs with the report, it will forward the document to EPA and DHS for use with the Water SSP/NIPP framework. ilitation A neutral, third-party facilitation team will support the CIPAC Metrics Workgroup. The facilitation team will work with the CIPAC Metrics Workgroup Co-Chairs to: Develop draft meeting agendas, materials, and summaries, draft reports based on the workgroups decisions and develop supporting documents; Facilitate workgroup meetings to ensure that the perspectives of all members come forward, to maintain a respectful atmosphere, and keep discussions on track and on schedule; Work with members between meetings and conference calls to support understanding and consensus building; Page 48 ------- June 2008 Work with members to identify, organize, synthesize, and provide information and other material needed to support deliberations; Support any necessary decision making; and Coordinate activities with the DHS - NIPP PMO. IV. Meeting Materials and Documentation The facilitation team will strive to distribute meeting agendas and supporting materials at least one week before meetings and conference calls. Summaries of key discussion points, tentative areas of agreement and action items will be prepared by the facilitation team and provided to members for review. These summaries should be distributed within two weeks of meetings and conference calls. Final summaries will be distributed after incorporation of member's comments. Documents shared in CIPAC Metrics Workgroup meetings may be subject to the Freedom of Information Act. All documents produced by or on behalf of the CIPAC Metrics Workgroup are to be handled in accordance with Chapter 3.0 of the CIPAC Operational Guidance, "Document Handling and Protection." Electronic communication mechanisms (largely email) will be used to the greatest extent possible to distribute meeting materials, summaries, and references. V. 1 . siti1 ?rmation Definition of Security-Sensitive Information For purposes of Workgroup deliberations, security-sensitive information is: (1) information on system-specific, attributable tactical security procedures; and (2) integrated or aggregated detail on security (e.g., by aggregating information from previous un-aggregated sources) that creates a clear picture of a specific strike opportunity. Information that is already available in the public domain in the same form and at the same level of detail discussed by the CIPAC Metrics Workgroup is not security sensitive. Procedures for Discussion of Security-Sensitive Information The following procedures will be used for discussion of security-sensitive information. Workgroup members who choose to raise or discuss security-sensitive information will indicate that they consider the information they are sharing security sensitive. Unless permission is given, Workgroup members will not discuss such information outside Workgroup meetings. Page 49 ------- June 2008 The general topics of discussion covered during the meeting will be documented in the meeting summary; discussion details will not be summarized. Any security sensitive meeting materials that are distributed during the meeting will be collected at the end of the meeting unless the Workgroup decides that the materials are suitable for public disclosure. The Workgroup will evaluate discussions at the end of the meeting and determine if security-sensitive information that was discussed requires protection going forward. A low threshold for identification of security-sensitive information is appropriate, and any participant can distinguish information as security sensitive. Limit 3 of Security-Sensitive Information To maximize the usability of their report, the Workgroup will strive to limit inclusion of security sensitive information in the written materials they consider and produce. ฅ1. Communication with tl The way in which workgroup deliberations are publicly characterized will affect the group's ability to function effectively. Workgroup members should refer inquiries from the press to the co-chairs of the CIPAC Metrics Workgroup or to final meeting summaries or other final workgroup materials. Individuals who choose to speak with the press should limit their remarks to personal views and to refrain from characterizing the views of, or attributing comments to, the full workgroup, other individual members, or the SCC or the GCC. WORKGROUP GROUND RULES 1. All members of the CIPAC Metrics Workgroup have equal representation and equal opportunities to participate. 2. Discussions will stay within the objectives and scope of the CIPAC Metrics Workgroup Charter, dated February 28, 2007; conduct and protocols at meetings will be consistent with the CIPAC Metrics Workgroup operating procedures dated February 28, 2007. 3. Collaborative problem solving depends on mutual respect and careful listening among participants and on active participation by all. Participants will strive for honest and direct communication and a focus on interests and needs (e.g., it is critically important to my utility that we maintain as confidential security sensitive information) rather than positions (e.g., it is not acceptable under any conditions to release security program-related information from this utility). Page 50 ------- June 2008 4. Participants will allow for open discussion and the right to disagree, and will look for opportunities to find common interests, agreements, and solutions. 5. Participants will focus on clarifying their own views and interests; they will refrain from characterizing the views of other participants especially in conversations with the press. 6. Participants and/or the facilitator may request a caucus break at any time during a meeting. In order to keep the flow of meetings on track, individual caucus breaks may not exceed 15 minutes 7. The facilitator is a neutral third party with no stake in the outcome of the project. Ross & Associates will structure meetings to support a respectful atmosphere and the development of trust among participants. 8. Meetings are expected to start and end on time. Page 51 ------- June 2008 ATTACHMENT 4: RECOMMENDED UTILITY MEASURES Attachment 4 contains the full suite of utility measures recommended by the Workgroup. The Workgroup developed utility measures through a process recommended by the Water SCC. The process began with examining the Water SSP to identify the key partners, resources, outputs and outcomes associated with each Goal and Objective. The Workgroup recommends the following measures of utility progress. The measures are presented in the form of questions that utilities would answer. Most are simple and call for a binary, "yes/no" response. The Workgroup believes this simple approach is an appropriate way to begin a measurement system. Over time, the sector may desire to move towards a performance progress structure, where degrees of progress can be communicated. A few of the recommended measures use this more detailed approach. Key terms that require further information and/or definition are identified in an "Other Observations" section associated with each measure. UTILITY ACTIVITY MEASURES The following are the 16 activity-based utility measures that were previously recommended by the Workgroup and approved by the WSCC7WGCC in October 2007. The Workgroup has some minor word changes to the measures to improve clarity, but not to change the intent of the measures previously approved. Ul. Measure: Number and percentage of utilities that have integrated security and preparedness into budgeting, training, and manpower responsibilities. Question: Have you integrated security and preparedness into budgeting, training, and manpower responsibilities (Y/N)? U2. Measure: Number and percentage of utilities that incorporate security into planning and design protocols applying to all assets and facilities. Question: Have you incorporated security into planning and design protocols applying to all assets and facilities (Y/N)? Additional Workgroup Observations: "Planning and design protocols" needs to be defined. The Workgroup intended this measure to cover all parts of the facilities, including the collection and distribution systems. Page 52 ------- June 2008 U3. Measure: Number and percentage of utilities that routinely conduct supplemental monitoring or more in-depth analysis beyond what is required to identify abnormal water quality conditions. Question: Do you routinely conduct supplemental monitoring or more in-depth analysis beyond what is required to identify abnormal water quality conditions (Y/N)? Additional Workgroup Observations: The phrase "beyond what is required to identify abnormal water conditions" is imprecise and raises questions as to what the question is referring to. Clarification will be needed. U4. Measure: Number and percentage of utilities that have established relationships with public health networks to interpret public health anomalies for the purposes of identifying waterborne public health impacts. Question: Have you established relationships with public health networks to interpret public health anomalies for the purposes of identifying waterborne public health impacts (Y/N)? Additional Workgroup Observations: The phrase "established relationships" is very open-ended and could be defined in a number of ways. For instance, a one-time contact does not necessarily qualify as a relationship. There should be some kind of periodic ongoing contact to qualify as a "relationship." U5. Measure: Number and percentage of utilities that monitor and evaluate customer complaints for possible indications of water quality or other security threats. Question: Do you monitor and evaluate customer complaints for possible indications of water quality or other security threats (Y/N)? U6. Measure: Number and percentage of utilities that have established protocols (e.g., consequence management plans) for interpreting and responding to indications of water quality anomalies. Question: Have you established protocols (i.e., consequence management plans) for interpreting and responding to indications of water quality anomalies (Y/N)? Additional Workgroup Observations: "Consequence management plans" will need to be defined. The Water Security Initiative currently uses this term, and the Workgroup believed consistency would be helpful. Page 53 ------- June 2008 U7. Measure: Number and percentage of utilities that annually review and periodically update vulnerability assessments. Questions: Do you review your vulnerability assessment (VA) annually (Y/N)? How frequently do you update your VA to adjust for changes in your system that may alter the risk profile of your utility? (never update; annually; every 2-3 years; every 3-5 years; every 5-10 years; no defined cycle)? Additional Workgroup Observations: The difference between VA review and VA update will need to be defined. U8. Measure: Number and percentage of utilities that receive screened, validated, and timely (e.g., in time to inform decisions or take action) threat information from one or more trusted sources such as WaterlSAC, the FBI, local police, or DHS. Question: Does your utility receive screened, validated, and timely (e.g., in time to inform decisions or take action) threat information from one or more of the following sources (Y/N)? Please check all that apply. - WaterlSAC - FBI - Local police - DHS U9. Measure: Number and percentage of utilities that have a plan in place to increase utility security in response to a threat. Question: Do you have a plan in place to increase utility security in response to a threat (Y/N)? Additional Workgroup Observations: There will be a need to define "threat" here. It would be easy to envision very different interpretations of the kinds of things that might constitute a threat. U10. Measure: Number and percentage of utilities that have a written business continuity plan. Question: Do you have a written business continuity plan (Y/N)? Additional Workgroup Observations: Page 54 ------- June 2008 The term "business continuity plan" needs to be clearly defined (e.g., does it incorporate emergency response plans?). One option for a definition of "business continuity" could be: "A comprehensive managed effort to prioritize key business processes, identify significant threats to normal operation, and plan mitigation strategies to ensure effective and efficient organizational response to the challenges that surface during and after a crisis and establish minimum requirements for sustaining essential business operation while recovering from a significant disruption." This definition is derived from Subgroup deliberations. Ull. Measure: Number and percentage of utilities that: Have an emergency response plan (ERP) Conduct training on their emergency response plan (ERP) Carry out exercises on their ERP Review and update their ERP on a periodic basis. Questions: Do you: Have an emergency response plan (ERP) (Y/N)? Conduct training on the ERP (Y/N)? Carry out exercises on the ERP (Y/N)? Review and update the ERP on a periodic basis (Y/N)? Additional Workgroup Observations: The ERP may be part of an overall business continuity plan. The term "emergency response plan" needs to be clearly defined. There will be a need to clarify under what conditions a respondent will get "credit" - will it be if these exercises have ever been done, or will the question refer to a particular discrete time frame? U12. Measure: Number and percentage of utilities that have adopted the National Incident Management System (NIMS) as part of emergency response planning. Question: Has your utility adopted NIMS as part of its emergency response plan (Y/N)? Additional Workgroup Observations: "NIMS" needs to be clearly defined. The reporting tool must identify NIMS activities (e.g., are you ready to respond to an incident, do you fit into the local, state, and national response framework [i.e., Incident Command System]). Page 55 ------- June 2008 Reporting tool should include text that explains why NIMS activities are important (e.g., allows a utility to see where they fit in the local, state, and national response framework, better enables a utility to respond to incidents, increases a utility's ability to capture federal funding). U13. Measure: Number and percentage of utilities that are signatories, or are in the process of becoming signatories, to written agreements for requesting aid or assistance, such as a mutual aid or assistance agreement or Water/Waste water Agency Response Network (WARN) membership. Questions: Is your utility a signatory to written agreements for requesting aid or assistance, such as a mutual aid or assistance agreement or Water/Wastewater Agency Response Network (WARN) membership (Y/N)? If no, are you in the process of creating an agreement (Y/N)? Additional Workgroup Observations: "WARN" needs to be clearly defined. The differences between "Mutual aid" and "mutual assistance" need to be clearly defined. U14. Measure: Number and percentage of utilities that have responded to an emergency request to provide mutual aid and assistance. Question: Has your utility responded to an emergency request to provide mutual aid and assistance (Y/N)? U15. Measure: Number and percentage of utilities that have plans to handle communications during a crisis. Question: Do you have a crises communication plan (Y/N)? U16. Measure: Number and percentage of utilities that engage in networking activities regarding emergency preparedness and collaborative response in the event of an incident. Question: Do you engage in networking activities regarding emergency preparedness and collaborative response in the event of an incident (Y/N)? Additional Workgroup Observations: Virtually every utility could claim that it "networks" to some greater or lesser extent. This measure will produce a more meaningful response with some better delineation. Page 56 ------- June 2008 HAZARDOUS CHEMICALS SECURITY MEASURES Hazardous Chemicals Measure 1: Number and percent of utilities with physical and/or procedural controls in place to safeguard hazardous chemicals. Questions: If you use hazardous chemicals, do you have physical and/or procedural controls in place to safeguard them(Y/N)? If yes, do they include some or all of the following? (please indicate) A. Restrict Area Perimeter. Have you secured and do you monitor the perimeter of areas containing hazardous chemicals (Y/N)? B. Screen and Control Access. Have you controlled access to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter (Y/N)? C. Shipping, Receipt, and Storage. Do you secure and monitor the shipping, receipt, and storage of hazardous materials for the facility (Y/N)? D. Elevated Threats. Do you escalate the level of protective measures for periods of elevated threat (Y/N)? E. Other physical or procedural controls (Y/N)? (For examples of physical and procedural controls that can be used to safeguard hazardous substances, please see the Department of Homeland Security risk-based performance standards as attached to this survey as a sidebar.)4 Additional Workgroup Observations: For Question "C," it is difficult to imagine any facility, no matter what size, answering "no" to this question. Hazardous Chemicals Measure 2: Number and percentage of utilities that include gaseous chlorine in their hazardous chemicals use. Question: If you use hazardous chemicals, does your chemical use include gaseous chlorine (Y/N)? 4 The 18 performance standards of which the A-D drop-down are a subset would then be listed somewhere in a sidebar or with other reference information to help respondents. Wording for A-D and sidebar information would be updated, as necessary, to be consistent with DHS materials. Page 57 ------- June 2008 Hazardous Chemicals Measure 3: Number and percentage of utilities that have evaluated their disinfection methods considering water quality, public health, and security issues. Question: Have you evaluated your disinfection methods considering water quality, public health, and security issues (Y/N)? Additional Workgroup Observations: It is difficult to imagine any facility, no matter what size, answering "no" to this question. RISK REDUCTION OUTCOME MEASURES Rl. Measure for Physical Security Capability: Percent of critical assets with physical access controls in place. Questions: What percent of your critical assets are currently protected by physical access controls? What percent of your critical assets were protected by physical access controls on date X? Additional Workgroup Observations: Physical access controls include fences, gates, door locks, and other similar structural barriers. Without more definition, this question will offer little value added as every water utility has some type of physical access control: door, lock, gate. As currently presented, the question allows an opportunity to misinterpret just to get to a "yes" answer, making results unhelpful. R2. Measure for Intruder Detection Capability: Percent of critical assets with enhanced capability to detect intruders. Question: What percent of your critical assets are protected by enhanced detection capability? Additional Workgroup Observations: Enhanced detection capability includes physical monitoring such as cameras and other alarms/sensors, guards or other human monitoring (such as neighborhood and customer watch efforts), and combinations of physical changes and procedural changes (e.g., installation and use a door peep hole). Page 58 ------- June 2008 This question has the potential to imply that smaller systems either should or must invest in some type of intruder alarm. In reality, this may not be the best investment of their limited resources. The measure also needs to clarify whether it relates to total number of assets, a percentage of the dollar value of all assets, or some other basis. The terms 'critical assets' and 'enhanced' will need to be defined. R3. Measure of Water Contamination Decision Making Capability: Percent of utilities that have protocols in place to complete site characterizations and make credibility determinations eight hours or less after becoming aware of a potential water contamination event (eight hour time frame based on Response Protocol Toolbox recommendati on). Questions: What is your current capability to make a water contamination threat credibility determination? (within 20-30 hours, 8-20 hours; in 8 hours or less)? What was it on date X? Additional Workgroup Observations: Site characterizations and credibility determinations are as defined by the EPA Response Protocol Toolbox. Site characterization generally includes in-person site evaluation and may include field testing/screening of water and/or monitoring of baseline water quality data. The purpose of this process is to determine if a contamination threat is credible and, therefore, initiate additional response activities - it is not to identify the specific nature and extent of any contamination that may be present. R4. Measure for Information Protection Capability: Percent of utilities that have a process in place for reviewing requests for and restricting access to critical infrastructure information. Questions: Does your utility have a process in place for reviewing requests for and restricting access to critical infrastructure information? (Yes established process in place; No process is being developed; or Informal/ad hoc review) How would you have answered on date X? Additional Workgroup Observations: Critical infrastructure information is as defined by DHS. In implementing this question, it may be helpful to focus on highlighting whether utilities have further limited the type of information they provide (e.g.. "Have you initiated restrictions or tightened access..."). Page 59 ------- June 2008 R5. Measure for SCADA Protection Capability: Percent of SCADA data transmission networks that are segregated from telephony or Internet networks. Questions: What percent of your SCADA data transmission network is segregated from public telephony or Internet networks? What was the percentage on date X? Additional Workgroup Observations: Need definition/guidance on what are "segregated connections." This measure could easily be misinterpreted as a critical driver by a smaller community. R6. Measure for Employee Security Investment: Percentage of time permanent employees dedicate to security tasks. Questions: What is your current annual FTE commitment to security tasks? What was it on date X? Additional Workgroup Observations: "Security tasks" are defined narrowly as tasks related to asset protection, hardening, and other direct security related work. This is not an attempt to capture efforts focused on improving broader resiliency or preparing for natural disasters; emergency response planning and exercise time would not be counted here. There is no good way for many smaller water systems to answer this question. They may only have one or two employees and would find it difficult to allocate specific FTEs to particular security activities. This measure also conflicts with the long term SDWA goal to integrate security into planning, design, and implementation actions for drinking water treatment that results in water safe to drink. Even the largest of water utilities should be integrating "security" actions into their daily activities. This measure "stovepipes" water security activities. Additionally, since the total number of employees engaged in security tasks is not known the data we obtain from this measure may be highly misleading. For example, if a utility has one staff person they could report a high value - say 20%, yet a larger utility with twenty people on staff may find that although everyone spends some time on security (our goal) the percentage of each individual's time may be low - say 2%. This measure/question could be construed as too narrowly defined unless the question is asked in a way to capture the broader activities related to training and exercise time. R7. Measure for Raw Water Source Supply Resiliency: Percent of utilities that can meet 100% of minimum daily demand with their primary raw water source unavailable. Page 60 ------- June 2008 Questions: What improvements have you seen in your ability to meet 100% of minimum daily water demand with your primary raw water source unavailable? Not counting in process or finished water storage, can you meet 100% of minimum daily demand with the primary raw water source unavailable for 24 hours (Y/N), for 48 hours (Y/N), for 7 days (Y/N), or other (please specify)? How does this compare with date X - e.g., previously could meet 100% of minimum daily demand for 24 hours, or 7 days, or never? Additional Workgroup Observations: "Minimum daily demand" is the average daily demand for the lowest production month of the year. R8. Measure for Finished Water Storage Resiliency: Average amount of time a utility can meet 100% of minimum daily demand with stored finished water. Questions: How long can you currently meet 100% of minimum daily demand with stored finish water? How does this compare with date X - how long could you have met 100%) of minimum daily demand with stored finish water on date X? Additional Workgroup Observations: "Minimum daily demand" is the average daily demand for the lowest production month of the year. R9. Measure for Power Resiliency: Percent of utilities that have backup power for critical operations. Question: Does your utility have backup power for critical operations for: 24 hours? 48 hours? 96 hours? R10. Measure for Production Resiliency: Percent of utilities that can meet minimum daily demand with their primary production/treatment plant non-functional. Question: What percent of minimum daily demand can your utility meet with your primary production/treatment plant non-functional for: 24 hours? 48 hours? 96 hours? Page 61 ------- June 2008 Additional Workgroup Observations: "Minimum daily demand" is the average daily demand for the lowest production month of the year. For all 4 measures above (R7, R8, R9, RIO), the questions seem to imply that meeting 100% of minimum daily demand is a reasonable performance expectation. It is not clear that such an expectation exists, and it may not be consistent with some state regulations (and certain states may have specific or different timeframes that apply). Creating such a performance expectation will have resource implications for EPA and DHS, who may be expected to find funds to assist utilities achieve this level of performance. The concept of "minimum daily demand" (average daily demand for lowest production month of the year) assumes that the higher demands at other times of the year are due solely to discretionary uses (e.g. lawn watering). Although this may be true in some utilities, it is not universal. R8 speaks to "average amount of time" for using stored water; the other resiliency questions address percent of utilities that can accomplish a certain performance level. RIO requires clarity around whether the plant is unable to deliver water or whether it is unable to treat it appropriately. The question needs to clarify whether it is getting at the existence of redundant plants or redundant pump capacity. Rll. Measure for Equipment Resiliency: For critical parts/equipment, the longest lead time for repair/replacement. Questions: For critical parts/equipment (as defined in your Vulnerability Assessment) what is your current longest lead-time for repair or replacement? How does this compare with date X (e.g., what was longest lead-time for repair or replacement)? R12. Measure for Personnel Resiliency: Average number of excess (backup) response- capable people available for critical operation and maintenance positions. Questions: What is your current average number of response capable backup people for critical operation and maintenance positions? What was it on date X? Additional Workgroup Observations: "Response-capable" means the person has the knowledge, experience, and proficiency to perform the work immediately. Need guidance to utilities on how to reflect their definition of "critical operation and maintenance positions" to maintain reasonable reporting consistency (e.g., positions required to meet core mission capability such as water plant operators and maintenance workers). Page 62 ------- June 2008 For question Rll, the term "lead time" could be thought of differently by different people. For question R12, there is a need to clarify whether the question refers to the average number of back-up folks who are available at any given time or the total number of response-capable people that exist within the organization, (e.g., can a utility take into consideration parts/equipment [for Rll] and people [for R12] potentially available via WARN-type agreements). Finally, R12 will need to explicitly take into account the need for individuals to hold appropriate licenses to operate facilities. R13. Measure for Treatment Resiliency: Where chemicals are necessary to meet the Safe Drinking Water Act standards for acute contaminants (i.e., E.coli, fecal coliform, nitrate, nitrite, total nitrate and nitrite, chlorine dioxide, turbidity - as referenced in the list of situations requiring a Tier 1 Public Notification under 40 CFR 141.202), the average number of days that utilities can deliver 100% of minimum daily demand treated to meet this subset of SDWA standards without any additional chemical deliveries. Questions: Where chemicals are necessary to meet Safe Drinking Water Act standards for acute contaminants (i.e., E.coli, fecal coliform, nitrate, nitrite, total nitrate and nitrite, chlorine dioxide, turbidity - as referenced in the list of situations requiring a Tier 1 Public Notification under 40 CFR 141.202), what is the current number of days you can deliver 100% of the minimum daily demand treated to meet this subset of SDWA standards without any additional chemical deliveries? What was it on date X? Additional Workgroup Observations: Will need a refined list of which SDWA standards are based on "acute effects." This question can imply that all PWS should stockpile critical chemicals for extended periods of time, while not providing guidance for how long is "reasonable" or what the performance expectation is to provide water that is safe to drink. It will also be important to consider that a utility may be allowed to operate under special conditions without these treatments being in operation (e.g. under a boil order). The term "acute effects" needs to be distinguished from acute contaminants. The former is possible for almost all contaminants at high levels (i.e., multiples of the MCL/MRDL) the latter is typically used to describe a small subset of contaminants that can cause adverse health effects at low levels over short exposure periods (see Tier 1 Public Notification list for drinking water utilities). The language here is limited to SDWA; a CWA dimension should be considered. R14. Measure for Overall Response and Recovery Capability. Percent of utilities with increased capability to respond to real events and exercises consistent with their emergency response, business continuity, or other appropriate response plans. Page 63 ------- June 2008 Questions: How confident are you in your ability to respond to real events and exercises consistent with your emergency response, business continuity, or other response plans? (Measurement would be on a scale from very low to very high with an "I don't know" option.) R15. Measure for Reduced Service Event Capability: Number/percent of utilities that have a protocol and necessary equipment and infrastructure in place to ensure continued water availability to critical customers during a reduced-service event. Questions: To what extent have you set priorities and planned for a reduced service event? (established protocol; equipment and infrastructure in place; plan in place, protocol, equipment and infrastructure being developed; no formal plan) How has this changed since date X? Additional Workgroup Observations: This would involve establishing critical customer service delivery priorities and associated strategies (e.g., backup equipment, alternative supply, etc.). "Critical customers" should be identified based on direct life safety, homeland defense, and continuity of government considerations. Focus is on establishing a utility's ability to curtail service for non-critical customers to ensure critical care facilities (e.g., hospitals) and military\national guard facilities have sufficient water quality and supply to remain functional during and immediately after an emergency. For R14, it is not clear in relation to what basis "Increased capability" is being compared. For R15, the reduced service event protocol does not appear to cover the provision of bottled water to residential customers. If this is the case, the critical customers (hospitals, nursing homes) may be inundated with additional people as many elderly and ill residents may not be able to obtain their own water supply. Overall, R14 seems like a very subjective question (how confident are you). Page 64 ------- June 2008 ATTACHMENT 5: DRAFT SMALL SYSTEM METRIC CROSSWALK The following table presents a crosswalk of the 16 utility activity-based measures identified by the CIPAC Metrics Workgroup with the structure included in the tool that has been used by many small utilities to conduct security self-assessments and develop emergency response plans. The crosswalk is intended to highlight commonalities between the two question sets and to enhance small systems' abilities to respond to and have confidence in the data gathering process. Possible additional questions that could be added to this tool were identified in the crosswalk to more fully flesh out specifics on certain measures. y Measures SSP Goal 1 Small Utility Goal Possible Questions Ul. Number and percentage of utilities that have integrated security into budgeting, training, and manpower responsibilities. Ul. VA- Sec Assessment #34 VA Report - Security needs and costs Appendix C U2. Number and percentage of utilities that incorporate security into planning and design protocols. U2. VA - Sec Assessment #14 U3. Number and percentage of utilities that routinely conduct supplemental monitoring or more in-depth analysis beyond what is required to identify abnormal water quality conditions. U3. VA - Sec Assessment #23 U4. Number and percentage of utilities that have established connections with public health networks to detect and interpret public health anomalies for the purposes of identifying waterborne public health impacts. U4. VA - Sec Assessment #43 ERP - Coordination U5. Number and percentage of utilities that monitor and evaluate customer complaints for possible indications of water quality or other security threats. U5. VA - Sec Assessment #41 and #45 U6. Number and percentage of utilities that have established protocols (i.e., consequence management plans) for interpreting and responding to indications of water quality anomalies. U6. VA - Sec Assessment #41, #43, and #44 ERP - LEPC and Coordination Page 65 ------- June 2008 SSP Goal 2 Small Utility Goal Possible Questions U7. Number and percentage of utilities that annually review and periodically update vulnerability assessments (VAs). U7. ERP - System Identification U7. Do you review and update your VA and ERP regularly? Or refer to Ul. U8. Number and percentage of utilities that receive screened and validated timely (e.g. in time to inform decisions or take actions) threat information from one or more trusted sources such as WaterlSAC, the FBI, local police, or DHS. U8. VA - Sec Assessment #2 and #8 ERP - Coordination - FBI and local police U8. Do you receive security updates from ISAC, water associations, or other real time security information networks? U9. Number and percentage of utilities that have a plan in place to increase utility security in response to a threat. U9. VA - Supplemental Documents (EPA - Guarding against Terrorist and Security Threats) SSP Goal 3 Small Utility Goal Possible Questions U10. Number and percentage of utilities that have a written business continuity plans. U10. ERP - Completed Ull. Number and percentage of utilities that: Have an emergency response plan (ERP) Conduct training on their ERP Ull. ERP - Coordination and System Specific Information Ull. Do you exercise your ERP or practice using the potential threat scenarios unique to your community? Carry out exercises on their ERP Review and update their ERP on a periodic basis U12. Number and percentage of utilities that have adopted NIMS. U12. SEMS NIMS Implementation module approved by DHS NIMS Integration Center - Completed U13. Number and percentage of utilities that are signatories, or are in the process of becoming signatories, to written agreements for requesting aid or assistance, such as a mutual aid and assistance agreement or WARN membership. U13. ERP - Notification Information and Alternative Water/Wastewater Source U13. Have you been notified about the water utility mutual aid networks in your state? Page 66 ------- June 2008 U14. Number and percentage of utilities that have responded to an emergency request to provide mutual aid and assistance. U14. U14. Have you responded to an emergency request from another utility? SSP Goal 4 Small Utility Goal Possible Questions U15. Number and percentage of utilities that have plans to handle communications during a crisis. U15. VA- Security Assessment #44 and #45 ERP - Coordination (Public Notification plan) and Communication and Notification U16. Number and percentage of utilities that engage in networking activities regarding emergency preparedness and collaborative response in the event of an incident. U16. ERP - Coordination and Alternative Water/Wastewater Source Have you been notified about the water utility mutual aid networks in your state? Page 67 ------- June 2008 ATTACHMENT 6: ATTRIBUTE DATAAND BANDING RULES :tion In its final report, the CIPAC Metrics Workgroup for Water (the Workgroup) recommended attribute data for collection as part of the national metrics reporting effort. Specifically, the Workgroup recommended that "state location, population served (size), utility type (drinking water, wastewater, combined, community, transient non-community, non-transient non- community), and utility source/receiving water type should be collected as attribute data..." Additionally, the Workgroup recommended that "specific requirements for data banding and/or other data management rules (be developed to) protect inappropriate combinations/reporting of attribute data..This document specifically articulates the attribute data proposed for collection as part of the national reporting tool (see Section 1), and proposes a set of data management protocols (see Section 2) to ensure data analysis and aggregate reporting do not provide information to the public that would allow the identification of an individual utility. Section 1 - Attribute Data Listed below is a detailed articulation of the attribute data proposed for collection as part of the water sector national metrics reporting tool. These data specifically mirror those recommended by the Workgroup, but also further articulate the data, fill in gaps where deemed needed, and indicate a data definition source that will be relied upon for providing definitions in the reporting tool. In a few instances, to develop consistency between drinking water and wastewater data attributes, some additional data elements have been added. These are clearly marked. It is anticipated that, when first entering the reporting tool, the respondent will indicate that the information is for a drinking water utility or a wastewater utility. Combined utilities will be asked to complete two separate responses: one for the drinking water operations; and one for the wastewater operations. The rationale behind eliminating the "combined" choice suggested by the Workgroup is the distinctly different regulatory and other environments the two types of utilities operate under (in particular, the Bioterrorism Act coverage of drinking water, but not wastewater utilities). The combined category also would potentially create difficulties for data analysis, particularly for any questions that arise pertaining to a count of either water or wastewater utility respondents - a "combined" response (which is ambiguous regarding whether it refers to the water side, wastewater side, or both sides of the utility) would not allow for a fully clean articulation of these counts from the data. Page 68 ------- June 2008 Provided below is the attribute data structure and associated data elements for a drinking water utility and a wastewater utility. 1. Drinking Water Utility Attribute Data a. Operation Type Response Options (drawn from SDWIS categories) (choose one) i. Community Water System: A public water system that supplies water to the same population year-round. ii. Non-Transient Non-Community Water System: A public water system that regularly supplies water to at least 25 of the same people at least six months per year, but not year-round. Some examples are schools, factories, office buildings, and hospitals which have their own water systems. iii. Transient Non-Community Water System: A public water system that provides water in a place such as a gas station or campground where people do not remain for long periods of time. b. Size Options (Bioterrorism Act consistent, definitions from SDWIS - number of people present in the service area) (choose one) i. Large: system serves a population of 100,000 or more ii. Medium: system serves a population of 50,000 or more but less than 100,000 iii. Small: system serves a population of more than 3,300 but less than 50,000 iv. Very Small: system serves a population of 3,300 or less c. Source Water Options (SDWIS categories and definitions) (choose "primary" source) (Note: the "source water" attribute came from the CIPAC, but the articulation of specific data element choices has been drawn from SDWIS) i. Surface water ii. Purchase surface water iii. Ground water under the influence of surface water iv. Purchased ground water under the influence of surface water v. Ground water vi. Purchased ground water d. Location - State/territory drop down menu (choose one) 2. Wastewater Utility Attribute Data a. Operation Type Response Options (Needs Survey consistent categories) (check all that apply) (Note: these attributes added to provide consistency with the Page 69 ------- June 2008 drinking water utility approach and to provide for the distinction between collection only and other wastewater utilities) i. Collection System (Combined and/or Separate Sewers) ii. Treatment Plant(s) iii. Biosolids Handling Facility b. Size Options(Bioterrorism Act consistent, definitions from Needs Survey - number of people present in the service area) (choose one category) i. Large: system serves a population of 100,00 or more ii. Medium: system serves a population of 50,000 or more but less than 100,000 iii. Small: system serves a population of more than 3,300 but less than 50,000 iv. Very Small: system serves a population of 3,300 or less c. Receiving Water Options (Needs Survey Consistent Categories) (choose primary discharge) (Note: "receiving water" attribute derives from the CIPAC, but the data element choices derive from the Needs Survey) i. Outfall to surface water ii. Ocean Discharge iii. Reuse iv. Discharge to Groundwater v. Evaporation vi. Spray Irrigation vii. Deep Well viii. Discharge to Another Facility ix. Overland Flow x. Other (specify) d. Location - State/territory drop down menu (choose one) tion 2: Data Manageme ndi ules The CIPAC Metrics Workgroup for Water specifically directed that explicit data management (banding) rules be developed to protect the anonymity of reporting tool respondents. The purpose of the data management rules is to ensure that any reporting tool results made publicly available will not reveal, through interpretation, the individual identity of a reporting tool respondent. Theoretically, in the absence of data management rules, an aggregation of reporting tool responses by state and size attribute data could identify only one or two respondents in a state's "large size" category. If there are only two large systems in that state, it would be easy to Page 70 ------- June 2008 "connect the dots" and specifically identify who the respondents are. The two recommended data management protocols presented below are designed to assure this type of inadvertent identification of respondents will not occur. Rule 1 (State/Size Data Set): In order to have a data set showing reporting tool responses sorted by both state and size attribute data, and in order to ensure that individual utility identity is not revealed, the following rule regarding the display of the state/size data set is proposed: If a state has five or fewer (total existing) utilities (based on SDWIS data for drinking water utilities and Needs Survey data for wastewater utilities) of a certain type (drinking water or wastewater) in any given size category, then all respondents for that type/size category will be merged with the next lower size category. Merging will continue until the merger of existing utilities produces a state-based size category populated with five or more utilities. Rule 2 (Other Data Sets): Given the large number of potential data sorts using combinations of attribute data, our ability to screen potential data sorts in advance to understand similar problems regarding the protection of utility identity is limited. As such, the following rule is proposed. If any combination (aggregation) of submitted data produces an output containing the data from five or fewer individual utilities, the third party responsible for data collection will reference external databases (e.g., SDWIS, Needs Survey) to determine the total number of utilities to which the combination of attribute data applies (i.e., not just those utilities that submitted data). If five or fewer total utilities exist, the information will not be provided for public consumption. However, if six or more total utilities exist, then the information could be provided publicly. If the third party is unable to verify external conditions using these databases for any combination of attribute data that produces an output containing the data from five or fewer individual utilities, then that data sort will not be used for public display purposes. For example, if a data sort portraying the number of large, community water systems, utilizing surface water in EPA Region 8 (the states of Colorado, Montana, North Dakota, South Dakota, Utah, and Wyoming) produces data on three utilities, and an identical sort of SDWIS data indicates there are only four utilities that fit this description, then the original reporting tool data sort will not be available publicly. On the other hand, if the SDWIS data indicated more than five utilities fit the description, then the reporting tool data would be made available. Page 71 ------- |