U.S. ENVIRONMENTAL PROTECTION AGENCY
CUSTOMER SERVICE * INTEGRITY ~ ACCOUNTABILITY
Ensuring clean and safe water
Compliance with the law
The EPA Met 2018 Water Security Requirements but Needs to Improve Oversight to Support
Water System Compliance
Report No. 23-P-0003 November 21, 2022
-------
Report Contributors: Jaya Brooks
Michael D. Davis
Julie Hamann
Kathryn Hess
Nii-Lantei Lamptey
Abbreviations:
AWIA: America's Water Infrastructure Act of 2018
EPA: U.S. Environmental Protection Agency
GAO: U.S. Government Accountability Office
OIG: Office of Inspector General
SDWA: Safe Drinking Water Act
U.S.C.: United States Code
Cover Images:
Left to right: Cybersecurity concerns; operator monitoring computerized
systems at a water system; and household drinking water. (EPA photos)
Are you aware of fraud, waste, or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epa.gov/oig
Subscribe to our Email Updates.
Follow us on Twitter @EPAoig.
Send us your Project Suggestions.
-------
Office of Inspector General
U.S. Environmental Protection Agency
At a Glance
23-P-0003
November 21, 2022
The U.S. Environmental Protection Agency Office of Inspector General
conducted this audit to assess the
adequacy of the cybersecurity
baseline information that the EPA
developed to meet the
requirements of section 2013 of the
America's Water Infrastructure Act
of 2018, as well as to determine
how community water systems
used this information. We also
sought to assess the adequacy of
EPA oversight to ensure that the
water systems are complying with
the Act.
Section 2013 requires that the EPA
provide baseline information on
malevolent acts of relevance to
water systems and collect
certifications of compliance with the
Act. Water systems are to assess
their risk and resilience; prepare
emergency response plans; certify
to the EPA that they completed the
initial assessment and plan; and
certify to the EPA every five years
thereafter that they reviewed, and
updated as necessary, their
assessments and plans.
This audit supports the following
EPA mission-related efforts:
• Ensuring clean and safe water.
• Compliance with the law.
This audit addresses these top EPA
management challenges:
• Protecting information technology
and systems against cyberthreats.
• Managing infrastructure funding
and business operations.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG_WEBCOMMENTS@epa.gov.
The EPA Met 2018 Water Security Requirements
but Needs to Improve Oversight to Support Water
System Compliance
What We Found
The EPA met the requirements of section 2013 of the America's Water Infrastructure Act of
2018, or AWIA, to consult with stakeholders and develop malevolent acts baseline information
by August 2019. The EPA updated its baseline information 18 months later in response to an
increase in the frequency of cyberattacks. However, the AWIA-imposed deadlines for medium
and large water systems to complete their risk and resilience assessments had passed and
the systems were not required to update their assessments.
If water systems do not complete risk and resilience assessments or emergency response
plans, they are more vulnerable to cyberattacks and other malevolent acts. The 19 percent of
water systems that did not certify completion of these assessments and plans serve
40 million people.
Approximately 19 percent of water systems did not certify that they had
completed their risk and resilience assessments by the statutory deadlines.
These noncompliant water systems may not be aware of their vulnerability
to malevolent acts that could result in loss of service or unsafe drinking
water. Furthermore, 95 percent of the noncompliant water systems were
small water systems and noncompliant small water systems more likely
served disadvantaged communities than compliant systems.
The EPA did not provide adequate oversight to ensure the compliance of
water systems—particularly small water systems—with AWIA
requirements. Specifically, the EPA did not maintain accurate contact
information for water systems, publish guidance regarding enforcement
actions against noncompliant water systems, provide sufficient assistance
to support small water system compliance, or review the quality of the risk
and resilience assessments and emergency response plans. Water
systems may therefore fail to meet AWIA requirements and may not
understand their vulnerability to malevolent acts.
Recommendations and Planned Agency Corrective Actions
We recommend that the EPA (1) update and implement a plan to support
AWIA compliance, (2) update processes to maintain accurate contact
information for water systems and to record noncompliance with AWIA,
(3) review risk and resilience assessments and emergency response plans
to identify improvements, and (4) develop guidance that describes AWIA
requirements. The EPA disagreed with our recommendations. The
recommendations remain unresolved with resolution efforts in progress.
The EPA also provided technical comments. We revised our report as
appropriate.
-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
November 21, 2022
MEMORANDUM
SUBJECT: The EPA Met 2018 Water Security Requirements but Needs to Improve Oversight to
Support Water System Compliance
Report No. 23-P-0003
This is our report on the subject audit conducted by the U.S. Environmental Protection Agency Office of
Inspector General. The project number for this audit was OA-FY21-0240. This report contains findings
that describe the problems the OIG has identified and corrective actions the OIG recommends. Final
determinations on matters in this report will be made by EPA managers in accordance with established
audit resolution procedures.
Action Required
This report contains unresolved recommendations. EPA Manual 2750 requires that recommendations be
resolved promptly. Therefore, we request that the EPA provide us within 60 days its responses concerning
specific actions in process or alternative corrective actions proposed on the recommendations. Your
response will be posted on the OIG's website, along with our memorandum commenting on your response.
Your response should be provided as an Adobe PDF file that complies with the accessibility requirements
of section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data
that you do not want to be released to the public; if your response contains such data, you should identify
the data for redaction or removal along with corresponding justification. The Inspector General Act of
1978, as amended, requires that we report in our semiannual reports to Congress on each audit or
evaluation report for which we receive no Agency response within 60 calendar days.
FROM: Sean W. O'Donnell
TO: Radhika Fox, Assistant Administrator
Office of Water
We will post this report to our website at www.epa.gov/oig.
-------
Table of Contents
Chapters
1 Introduction
Purpose
Background
Responsible Offices
Scope and Methodology
Prior Reports
2 The EPA Met Section 2013 Requirements and Updated the Malevolent Acts Baseline
Information After Initial Issuance
Section 2013 Required the EPA to Provide Malevolent Acts Baseline Information
The EPA's August 2019 Issuance of the Malevolent Acts Baseline Information
Complied with Section 2013
The EPA Updated the Malevolent Acts Baseline Information in February 2021
to Increase Cybersecurity Threat Likelihoods
Conclusions
Agency Response and OIG Assessment
3 The EPA Should Improve Oversight to Increase Water System Compliance
with AWIA Requirements
AWIA Requirements and Enforcement
Variability in Water System Compliance with Section 2013
The EPA Worked to Help Noncompliant Water Systems Become Compliant
The EPA Needs to Improve Its Oversight of Section 2013 Requirements
Conclusions
Recommendations, Agency Response, and OIG Assessment
Status of Recommendations
Appendixes
A. Agency Response to Draft Report
B. Distribution
-------
Chapter 1
Introduction
Purpose
The U.S. Environmental Protection Agency Office of Inspector General initiated this audit to assess the
adequacy of:
• The cybersecurity baseline information that the EPA developed to meet the requirements of
section 2013 of the America's Water Infrastructure Act of 2018, or AWIA, as well as determine
how community water systems used this information.
• EPA oversight to ensure that community water systems comply with section 2013 of AWIA.
Top Management Challenges Addressed
This audit addresses the following top management challenges for the Agency, as identified in OIG
Report No. 22-N-0004, EPA's Fiscal Year 2022 Top Management Challenges, issued November 12, 2021:
• Protecting information technology and systems against cyberthreats.
• Managing infrastructure funding and business operations.
Background
Community water systems provide drinking water to their communities. Safe water is essential for public
health and economic strength. Water systems, as critical infrastructure, require protection from natural
and malevolent threats.
Networked computer resources at water systems, which are the computer
systems used in conducting business, such as billing, and in their
operation, such as treating and delivering drinking water, face increasing
threats from cybercriminals and others. Several cyber intrusions affecting
U.S. water systems highlight the vulnerabilities of this critical
infrastructure:
• In February 2021, a hacker altered the chemical levels at a water system in Florida. The intrusion
was quickly detected by an observant water system employee, who reversed the alterations.
• In February 2020, a threat actor—after breaching the computing networks at SolarWinds, a
network management software company—injected hidden code into a software update. This
compromised update gave the threat actor access to the computer systems of SolarWinds
customers, including water systems.
• In March 2019, a former employee at a Kansas water system threatened drinking water safety
after using credentials, which had not been revoked, to remotely access a system computer.
• In March 2018, a ransomware attack on the City of Atlanta disrupted city utilities and other
services. Employees with Atlanta's water system were unable to turn on their computers or gain
wireless internet access.
A community water system is a public water system that supplies water to the same
population year-round. In this report, we refer to community water systems generally as
water systems.
Safe Drinking Water Act
The Safe Drinking Water Act, or SDWA, and its regulations require water systems to deliver drinking
water that meets water quality standards to the people and businesses they serve. The EPA delegates
primary implementation and enforcement responsibility for public drinking water systems to states,
territories, and tribes that meet certain requirements. These delegated entities are known as "primacy
agencies." All but one state, all territories, and the Navajo Nation are primacy agencies.1 The EPA retains
overall responsibility for the national implementation of SDWA and oversees SDWA administration and
enforcement by the primacy agencies.
SDWA and its regulations require water systems to routinely monitor drinking water quality and to
report their monitoring results to their primacy agency for evaluation. The primacy agencies are
required to record SDWA monitoring activity and report water system violations in the federal version of
the EPA's Safe Drinking Water Information System database.
America's Water Infrastructure Act
In a risk and resilience assessment,
water system owners and operators
evaluate the system's vulnerabilities,
threats, and consequences from
potential hazards. In an emergency
response plan, they describe their
system's strategies, resources, plans,
and procedures to prepare for and
respond to an incident, natural or
human-induced, that threatens life,
property, or the environment.
Enacted on October 23, 2018, AWIA was the most comprehensive
revision to SDWA since 1996. Section 2013 of AWIA amended
SDWA section 1433, 42 U.S.C. § 300i-2, to improve drinking water
system compliance capacity and sustainability.2 Section 2013
requires each water system serving more than 3,300 people to
assess the risk to the water system from malevolent acts and
natural hazards and develop an emergency response plan based
on that assessment. Section 2013 also requires each water system to certify to the EPA that it
completed its risk and resilience assessment and emergency response plan, as well as established
deadlines for these certifications. Figure 1 shows that the initial certification deadlines varied based on
water system size.
Figure 1. Deadlines set by section 2013 for initial certifications of completion
| Community water system size | Population served | Risk and resilience assessment deadlines | Emergency response plan deadlines |
|---|---|---|---|
| Large | >100,000 | March 31, 2020 | September 30, 2020 |
| Medium | 50,000 - 99,999 | December 31, 2020 | June 30, 2021 |
| Small | 3,301 - 49,999 | June 30, 2021 | December 31, 2021 |
Source: OIG summary of certification deadlines set by section 2013 of AWIA. (EPA OIG image)
1 The EPA serves as the primacy agency for Wyoming, the District of Columbia, and all but one tribe.
2 Throughout this report we refer to this provision of AWIA as section 2013.
The EPA directly implements and oversees section 2013. Unlike other SDWA requirements, AWIA did
not authorize the EPA to delegate implementation of requirements to states, territories, and tribes.
Instead, the EPA issued guidance directly to water systems on the requirements, developed the
certification system, and tracked compliance. Each EPA region worked with the water systems within its
borders and had discretion over providing assistance and enforcement.
Under section 2013, the EPA also was responsible for providing, by August 2019, what the statute called
"baseline information on malevolent acts" of relevance to water systems. The EPA issued this baseline
information in August 2019 and updated it in February 2021. Figure 2 presents an overview of the
actions and deadlines required by section 2013.
Figure 2: Timeline of section 2013-related activities and deadlines
Note: RRA = Risk and Resilience Assessment; ERP = Emergency Response Plan.
Source: OIG analysis of section 2013 of AWIA-related dates. (EPA OIG image)
Presidential Policy for Critical Infrastructure
On February 12, 2013, Presidential Policy Directive 21, Critical Infrastructure Security and Resilience,
designated the EPA as the agency responsible for the critical water and wastewater infrastructure
sector. According to the directive, the EPA is to provide, support, or facilitate technical assistance and
consultations for water systems to identify vulnerabilities and help mitigate incidents. It also states that
"[c]ritical infrastructure must be secure and able to withstand and rapidly recover from all hazards."
These hazards include:
[A] threat or an incident, natural or manmade, that warrants action to protect life,
property, the environment, and public health or safety, and to minimize disruptions
of government, social, or economic activities. It includes natural disasters, cyber
incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and
destructive criminal activity targeting critical infrastructure.
Responsible Offices
The EPA Office of Water manages water security programs and implements and oversees section 2013
requirements. The EPA Office of Enforcement and Compliance Assurance is responsible for overseeing
compliance with and enforcing environmental laws and regulations.
Scope and Methodology
We conducted this performance audit from July 2021 through June 2022 in accordance with generally
accepted government auditing standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
We assessed the internal controls necessary to satisfy our audit objectives.3 In particular, we assessed
internal control components—as outlined in the U.S. Government Accountability Office's Standards for
Internal Control in the Federal Government—significant to our audit objectives. Any internal control
deficiencies we found are discussed in this report.
To address our objectives, we reviewed relevant laws, policies, and guidance. We interviewed:
• Office of Water staff and managers responsible for developing the malevolent acts baseline
information and overseeing water system compliance with section 2013.
• Office of Enforcement and Compliance Assurance staff and managers responsible for
establishing EPA policy on enforcement of section 2013.
• Regional drinking water program and enforcement staff and managers in EPA Regions 2, 4, 5, 6,
and 8 to understand how regions assisted water systems and enforced section 2013
requirements.
• Representatives of drinking water trade organizations, including the American Water Works
Association, the Association of State Drinking Water Administrators, and the National Rural
Water Association.
• Representatives from ten water systems to ascertain their processes for certifying completion of
their risk and resilience assessments and emergency response plans, to understand how they
used the EPA's malevolent acts baseline information to conduct their risk and resilience
assessments, and to gather information on the assistance provided by the EPA. These water
systems varied in size—six small, two medium, and two large. Two of the small systems served
tribal communities. All ten systems had submitted their initial risk-and-resilience-assessment
certifications by the appropriate statutory deadline.
We analyzed Agency documentation regarding how the EPA developed the malevolent acts baseline
information for its August 2019 issuance and its February 2021 update. We also analyzed data from the
Office of Water about the total number of water systems required to comply with section 2013 and the
compliance status of each of those water systems. We matched SDWA violation data with AWIA
compliance data to understand whether water systems that struggle to comply with AWIA requirements
have higher rates of noncompliance with SDWA requirements. We also compared the characteristics of
communities served by section 2013-compliant small water systems to the characteristics of
communities served by section 2013-noncompliant small water systems.
3 An entity designs, implements, and operates internal controls to achieve its objectives related to operations,
reporting, and compliance. The U.S. Government Accountability Office sets internal control standards for federal
entities in GAO-14-704G, Standards for Internal Control in the Federal Government (also known as the "Green
Book"), issued September 10, 2014.
Prior Reports
From 2013 through 2022, the OIG and the U.S. Government Accountability Office, or GAO, issued four
reports that are of significant relevance to this audit:
• OIG Report No. 13-P-0349, EPA Can Better Address Risks to the Security of the Nation's Drinking
Water Through New Authorities, Plans, and Information, issued August 21, 2013. Although the
EPA implemented a number of activities to promote drinking water system security, the Agency
needs to strengthen the water security program's strategic planning and internal controls to
facilitate measurement of drinking water systems' preparedness, prevention, response, and
recovery capabilities. We recommended that the EPA develop a comprehensive strategic plan
for its water security program, assess water security by gathering available data and
incorporating measures into national guidance, and improve internal controls by developing a
program review strategy and multiyear review plan. We also recommended that the EPA seek
additional authority from Congress to develop a baseline and outcome measures. The Agency
reported that it implemented corrective actions to address all recommendations.
• GAO Report No. GAO-18-211, Critical Infrastructure Protection: Additional Actions are Essential
for Assessing Cybersecurity Framework Adoption, issued February 15, 2018. The GAO
recommended that the EPA develop methods to determine the level and type of cybersecurity
framework adopted by entities across the water sector. The GAO determined that the EPA's
actions satisfied the intent of the recommendation.
• GAO Report No. GAO-20-299, Critical Infrastructure Protection: Additional Actions Needed to
Identify Framework Adoption and Resulting Improvements, issued February 25, 2020. The GAO
recommended that the EPA collect and report improvements from using the cybersecurity
framework across the water and wastewater sector. The GAO determined that the EPA's actions
satisfied the intent of the recommendation.
• GAO Report No. GAO-22-105103, Critical Infrastructure Protection: Agencies Need to Assess
Adoption of Cybersecurity Guidance, issued February 9, 2022. According to this report, the EPA's
Office of Groundwater and Drinking Water officials stated that the water and wastewater sector
"is in the beginning of cybersecurity adoption. For instance, officials noted that many utilities
have not yet integrated cybersecurity into their daily operations and maintenance, and thus had
not created a cybersecurity culture." The GAO report discussed prior GAO recommendations
related to water security but made no new recommendations.
-------
Chapter 2
The EPA Met Section 2013 Requirements
and Updated the Malevolent Acts Baseline
Information After Initial Issuance
The EPA met the requirement of section 2013 to issue malevolent acts baseline information by the
statutory deadline of August 2019. The EPA included estimates of the likelihood of occurrence for nine
threats, including two types of cyberattacks. In February 2021, the EPA updated the malevolent acts
baseline information to increase the cybersecurity threat likelihoods from 30 percent or lower to
100 percent. However, this update was too late to be of use to medium and large water systems, as the
deadlines to certify completion of their risk and resilience assessments were in 2020. These systems
were not required to update their 2020 assessments to consider the higher cybersecurity threat
likelihoods, which may have affected how water systems assessed their risk and resilience.
Section 2013 Required the EPA to Provide Malevolent Acts
Baseline Information
Section 2013 required that the EPA develop "baseline information on malevolent acts" by August 1,
2019, and that the EPA consider acts that may "(A) substantially disrupt the ability for a system to
provide safe and reliable water; or (B) otherwise present significant public health or economic concerns
to the community served by the system." The section further states that the EPA should consult with
state and local governments, as well as other appropriate federal departments and agencies, before
developing the required malevolent acts baseline information.
This baseline information is intended to be used as a starting point for water systems to conduct their risk
and resilience assessments. AWIA does not require that water systems use the EPA's malevolent acts
baseline information. AWIA does require that water systems prepare their risk and resilience assessments
and their emergency response plans to meet the specific requirements of section 2013.
The EPA's August 2019 Issuance of the Malevolent Acts Baseline
Information Complied with Section 2013
The EPA issued its Baseline Information for Malevolent Acts for Community Water Systems on
August 1, 2019, in accordance with the deadline set by section 2013. In compliance with the statute, the
EPA consulted with stakeholders—such as the Water Sector Government Coordinating Council; the
State, Local, Tribal, and Territorial Government Coordinating Council; and the U.S. Department of
Homeland Security—to develop the malevolent acts baseline information.
When developing the malevolent acts baseline information, the EPA contended with limited resources, a
tight deadline, and a federal government shutdown.4 AWIA did not allocate additional funds to the EPA
to cover the costs of developing the baseline information and educating the water sector on its use. As a
result, the EPA reallocated existing resources to develop the baseline information and provide training.
The statutory deadline of August 1, 2019, meant that the EPA had a little over nine months to develop
the baseline information. The 35-day federal government shutdown from December 22, 2018, to
January 25, 2019, further reduced the time available to the EPA to develop the baseline information.
4 A federal government shutdown occurs when there is a lapse in appropriations. This lapse requires affected
agencies to shut down activities funded by annual appropriations.
In the malevolent acts baseline information issued in August 2019, the EPA estimated the likelihood of
occurrence for nine threats that water systems face, including two types of cyberattacks. We present
the likelihood of these threats in Table 1. The
cybersecurity threat likelihoods were two of the highest
set by the EPA. Specifically, the EPA determined that the
likelihoods of cyberattacks on water systems' Business
Enterprise Systems and Process Control Systems were
30 and 10 percent, respectively. These threats were
assessed similarly to the threats of physical theft and of
accidental contamination of treated drinking water, both of which the EPA determined had a 20 percent
likelihood of occurring. The other five threat categories, such as sabotage and physical assault, were set
at much lower likelihood levels, from 0.0001 to 5 percent.
Table 1: The EPA's threat likelihoods in its 2019 baseline information issuance
| EPA threat category | Threat likelihood, in percent |
|---|---|
| Assault on utility - physical | 0.0001 |
| Contamination of finished water - accidental | 20 |
| Contamination of finished water - intentional | 0.001 |
| Theft or diversion - physical | 20 |
| Cyberattack on business enterprise systems | 30 |
| Cyberattack on process control systems | 10 |
| Sabotage - physical | 5 |
| Contamination of source water - accidental | 5 |
| Contamination of source water - intentional | 0.0001 |
Source: OIG analysis of EPA information. (EPA OIG table)
After issuing the document, the EPA provided training on the baseline information and on the EPA's
tools for water systems to use when conducting their risk and resilience assessments and preparing their
emergency response plans.
In our interviews with representatives from ten water systems, seven stated that their water systems
used the EPA's malevolent acts baseline information as a starting point when assessing risk and
resilience. The water systems that did not use the baseline information relied on in-house expertise,
contractor assistance, previously prepared risk and resilience assessments, or American Water Works
Association guidance and standards to conduct their risk and resilience assessments.5 In general, the
water systems found the EPA's malevolent acts baseline information useful. The water systems shared
with us that they used the baseline information to:
• Serve as a starting point for their risk and resilience assessments.
• Determine system-specific threat likelihoods for the EPA-provided threat categories.
• Strategically align their existing security processes and controls with the EPA-suggested security
processes and controls.
5 The American Water Works Association developed guidance and standards to help water systems understand
policies, comply with requirements, and implement best practices. In its May 2019 AWIA-related fact sheet, the
EPA recommended that water systems use standards, such as those issued by the American Water Works
Association, to complete risk and resilience assessments and emergency response plans.
Business Enterprise Systems include systems used for computer-based communications, financial
processing, data storage, and record keeping.
Process Control Systems include systems used to monitor and control water collection, treatment,
storage, and distribution.
The EPA Updated the Malevolent Acts Baseline Information in
February 2021 to Increase Cybersecurity Threat Likelihoods
According to the EPA, after the August 2019 issuance of the malevolent acts baseline information
document, the rate and severity of cyber incidents at water systems increased, as shown in Figure 3.
Figure 3: Cyber incidents at water systems
[Figure: timeline of cyber incidents at water systems, 2006 through 2020, annotated "3 incidents over seven
years" and "41 incidents over six years."]
SolarWinds Incident: In a supply-chain-compromise incident, generally referred to as the SolarWinds
incident, attackers gained widespread access to computer systems through a cyberattack. Between
October 2019 and December 2020, 73 water systems were attacked.
Note: *Over 70 water systems were attacked in the SolarWinds incident.
Source: OIG analysis of EPA information. (EPA OIG image)
As a result, the EPA updated and reissued the malevolent acts baseline information document in
February 2021 to increase the cybersecurity threat likelihoods for Business Enterprise Systems and
Process Control Systems from 30 and 10 percent to 100 percent each, as shown in Table 2. These
increased cybersecurity threat likelihoods signal to all water systems that they need to prepare for a
cyberattack.
Table 2: The EPA's cybersecurity threat likelihoods, 2019 versus 2021
| Cybersecurity threat category | Threat likelihood, 2019 | Threat likelihood, 2021 |
|---|---|---|
| Cyberattack on business enterprise systems | 30% | 100% |
| Cyberattack on process control systems | 10% | 100% |
Source: OIG analysis of EPA information. (EPA OIG table)
However, the rate of incidents had significantly increased in the years preceding the EPA's initial release
of the baseline information document in 2019. As shown in Figure 3, the EPA recorded three incidents
from October 2006 through August 2013. In the subsequent six years the EPA recorded 41 incidents. In
addition, the Cybersecurity and Infrastructure Security Agency warned in 2018 that critical
infrastructure, including the water sector, was being targeted in cyberattacks. And as far back as 2010,
the American Water Works Association had set higher cybersecurity threat likelihoods in its standard.6
The association also had recommended to the EPA in July 2019 that the cybersecurity threat likelihoods
should be 100 percent. However, the EPA maintained that the 30 and 10 percent values were supported
by the data available at the time the malevolent acts baseline information was developed in 2019.
While the February 2021 updates to the cybersecurity threat likelihoods were substantial, with increases
in likelihoods from 30 and 10 percent to 100 percent, the overall impact on the water systems' risk and
resilience assessments is unknown. Six of the ten water system representatives we interviewed
informed us that they had already categorized the cybersecurity threat likelihoods as high, despite the
lower threat likelihoods the EPA included in its 2019 baseline information document. The impact of the
2021 updates on those six systems was therefore minimal. However, the deadlines to certify the
completion of the risk and resilience assessments were March 31 and December 31, 2020, for large and
medium water systems, respectively. As Figure 4 shows, those deadlines had passed by the time the EPA
updated the cybersecurity threat likelihoods, which means large and medium water systems may have
used the EPA's lower likelihood numbers for their risk and resilience assessments. The impact of using
those lower likelihoods would depend on the water system's vulnerabilities to cyberattacks. Higher
likelihoods may have affected how water systems assessed their risk and resilience and took action to
address vulnerabilities.
Figure 4: Baseline information development compared to risk-and-resilience-assessment
certification deadlines
Source: OIG analysis of section 2013 of AWIA-related dates. (EPA OIG image)
Conclusions
The EPA, despite tight deadlines and limited resources, met the requirements of section 2013 to consult
with stakeholders and develop malevolent acts baseline information, including threat likelihoods, by
August 1, 2019. The EPA updated the baseline information a year and a half later to increase the
cybersecurity threat likelihoods. However, this update was too late to be of use to medium and large
water systems, as the deadlines to certify completion of their initial risk and resilience assessments had
passed. Higher initial cybersecurity threat likelihoods may have affected how these water systems
assessed their risk and resilience and took action to address vulnerabilities.
6 American Water Works Association, Risk Analysis and Management for Critical Asset Protection (RAMCAP)
Standard for Risk and Resilience Management of Water and Wastewater Systems, J-100, (July 1, 2010).
Because the EPA has already issued and updated the malevolent acts baseline information, we make no
recommendations related to these findings.
Agency Response and OIG Assessment
On September 22, 2022, the EPA provided technical comments on this chapter. We revised the chapter
as appropriate.
Chapter 3
The EPA Should Improve Oversight to Increase Water
System Compliance with AWIA Requirements
The EPA did not provide adequate oversight to ensure that water systems were complying with
section 2013 requirements. Approximately 19 percent of all water systems did not certify completion of
their risk and resilience assessments by the statutory deadlines. These noncompliant water systems serve
40 million people. Furthermore, 95 percent of the noncompliant water systems were small water
systems. The noncompliant small water systems were more likely to serve disadvantaged communities.
Although the EPA has sole responsibility for overseeing and enforcing water systems' compliance with
section 2013, the Agency had limited time and resources to fulfill this responsibility. Greater oversight by
the Agency could have resulted in higher water system compliance. Not completing risk and resilience
assessments and emergency response plans could leave risks unaddressed and water systems vulnerable
to cyberattacks, other malevolent acts, and natural threats; unaddressed risks could cause unsafe
drinking water or loss of service. By enhancing its oversight of water systems, the EPA could help improve
on-time section 2013 compliance for future risk and resilience assessments, decrease water system
vulnerability to attacks, and prevent risks to public health.
AWIA Requirements and Enforcement
Section 2013 requires each water system serving more than 3,300 people to conduct a risk and
resilience assessment and prepare or revise, where necessary, an emergency response plan based on
the assessment. The law specifies the required components of the risk and resilience assessments and
emergency response plans; we present these required components in Table 3.
Table 3: Required risk-and-resilience-assessment and emergency-response-plan components
Risk and resilience assessment must address:
• Risk to the water system from malevolent acts and natural hazards.
• Resilience of the pipes and constructed conveyances; physical barriers; source water;
water collection and intake; pretreatment, treatment, storage, and distribution facilities; and
electronic, computer, or other automated systems.
• Monitoring practices of the water system.
• Financial infrastructure of the water system.
• The use, storage, or handling of various chemicals by the water system.
• The operation and maintenance of the water system.
Emergency response plans must address:
• Strategies and resources to improve the resilience of the water system, including physical
security and cybersecurity.
• Plans and procedures that can be implemented and the identification of equipment that can be
used if a malevolent act or natural hazard threatens the ability of the water system to deliver
safe drinking water.
• Actions, procedures, and equipment that can obviate or significantly lessen the impact of a
malevolent act or natural hazard on the public health and the safety and supply of drinking water.
• Strategies that can be used to help detect malevolent acts or natural hazards that threaten the
security or resilience of the water system.
Source: OIG summary of section 2013 of AWIA requirements. (EPA OIG table)
The EPA has sole responsibility for overseeing and enforcing AWIA's requirements for water systems.
This is different than other parts of SDWA that require primacy agencies to oversee and enforce drinking
water requirements and ensure proper operation of water systems.
Section 2013 requires that each water system review its risk and resilience assessment at least once
every five years after the initial deadlines. It also requires that each system certify to the EPA that it
completed this review and updated, as needed, its emergency response plans. As of the date of this
report, the next certification deadlines are in 2025 or 2026, depending on the water system size. As
these certification requirements are ongoing, good governance principles established by the Office of
Management and Budget and the GAO dictate that the EPA's oversight of water system compliance with
section 2013 requirements is also ongoing.7
Variability in Water System Compliance with Section 2013
Overall, water systems had a high rate of compliance with section 2013. However, compliance rates
varied by water system size, state, and EPA region. In addition, noncompliant small water systems had a
higher number of SDWA violations than compliant small water systems. Communities served by
noncompliant small water systems had a lower median household income, a lower education level, and
a higher percentage of minority residents than communities served by compliant small water systems.
Most Water Systems Complied with AWIA Requirements
As we present in Table 4, nearly 81 percent of water systems complied with the AWIA's initial deadlines
for certifying completion of their risk and resilience assessments and emergency response plans. Water
systems used various strategies to achieve compliance. For example, some water system
representatives we spoke with said that they did not have the technical knowledge to complete the risk
and resilience assessments and therefore relied on technical providers or contractors for assistance.
Some water system representatives also told us that they attended EPA and third-party trainings and
accessed information resources provided by the EPA and other trusted sources, such as the American
Water Works Association.
Table 4: Water system compliance with section 2013 certification requirements at the initial
certification deadlines
| Certification requirement | Total number of water systems | Compliant: Number | Compliant: Percent | Compliant: Number of people served | Noncompliant: Number | Noncompliant: Percent | Noncompliant: Number of people served |
|---|---|---|---|---|---|---|---|
| Risk and resilience assessment | 10,150 | 8,177 | 80.6% | 328 million | 1,974 | 19.4% | 40.0 million |
| Emergency response plan | 10,150 | 8,197 | 80.8% | 325 million | 1,953 | 19.2% | 43.2 million |
Source: OIG analysis of EPA data. (EPA OIG table)
Following the October 2018 enactment of AWIA but before the initial certification deadlines, the EPA
took steps to inform water systems of their section 2013 requirements. In the fall of 2019, prior to the
first set of certification deadlines, the EPA hosted regular trainings on how to use its risk and resilience
assessment and emergency response planning tools, as well as how to identify and mitigate
cybersecurity and other malevolent threats. Prior to March 2020, the EPA's regional offices conducted
in-person trainings. In response to the coronavirus pandemic—that is, the SARS-CoV-2 virus and
resultant COVID-19 disease—the EPA held its post-March 2020 trainings on virtual platforms. The EPA
also made its training materials accessible on its website. As of November 2022, these materials were
still available to the public.
7 Office of Management and Budget, Circular A-123, Management's Responsibility for Enterprise Risk Management
and Internal Control, and U.S. Government Accountability Office, GAO-14-704G, Standards for Internal Control in
the Federal Government.
In addition, in some cases, the EPA regions worked closely with small water systems and tribal water
systems, providing technical assistance regarding AWIA compliance. The EPA provided resources, such
as a December 2020 online document that addresses frequently asked questions, a vulnerability self-
assessment tool, a checklist, and a template to assist water systems in complying with AWIA. The EPA
also collaborated with trade organizations—such as the American Water Works Association, the
Association of State Drinking Water Administrators, the National Rural Water Association, and the Rural
Community Assistance Partnership—to provide resources and information to water systems.
Ninety-Five Percent of Noncompliant Water Systems Were Small Water Systems
As we present in Table 5, approximately 19 percent of all water systems did not certify that they
completed their risk and resilience assessments and emergency response plans by the statutory
deadlines. Ninety-five percent of these noncompliant water systems were small water systems. The
percent of small water systems that did not comply with the deadline for certifying the completion of
their risk and resilience assessment was more than double the percent of medium and large water
systems.
Table 5: Water system noncompliance with section 2013 certification requirements at the initial
certification deadlines
| Water system size | Large | Medium | Small | Total |
|---|---|---|---|---|
| Total population of water systems | | | | |
| Number of systems | 547 | 619 | 8,984 | 10,150 |
| Number of people served | 218 million | 42.9 million | 107 million | 368 million* |
| Water systems that did not comply with certification deadline for risk and resilience assessment | | | | |
| Certification deadline | March 31, 2020 | December 31, 2020 | June 30, 2021 | |
| Number of systems | 47 | 49 | 1,878 | 1,974 |
| Percent of systems | 8.6% | 7.9% | 20.9% | 19.4% |
| Number of people served | 20.7 million | 3.5 million | 15.9 million | 40.0 million* |
| Water systems that did not comply with certification deadline for emergency response plan | | | | |
| Certification deadline | September 30, 2020 | June 30, 2021 | December 31, 2021 | |
| Number of systems | 60 | 45 | 1,848 | 1,953 |
| Percent of systems | 11.0% | 7.3% | 20.6% | 19.2% |
| Number of people served | 23.8 million | 3.2 million | 16.2 million | 43.2 million |
Source: OIG analysis of EPA data. (EPA OIG table)
* The sum of the number of people served by large, and medium water systems does not equal the total
presented because of rounding.
Small Water System Noncompliance Rate Varied by State
As Figure 5 shows, the noncompliance rate for small water systems' certification of risk-and-resilience-
assessment completion varied by state. Eight states had noncompliance rates over 30 percent. Arkansas
had the highest rate of noncompliance at 53.8 percent. All small water systems in one state, Maine,
complied with the statutory deadline.
Figure 5: Small water system noncompliance with risk-and-resilience-assessment certification
deadline by state
Small Water System Noncompliance Rate Varied by EPA Region
As Figure 6 shows, small water systems also had varying noncompliance rates with the risk-and-
resilience-assessment certification deadline by EPA region. The rate of small system noncompliance by
region varied from less than 10 percent in Region 1 to over 30 percent in Regions 2 and 6.
Figure 6: Small water system noncompliance with risk-and-resilience-assessment certification
deadline by region
Source: OIG analysis of EPA data. (EPA OIG image)
Noncompliant Small Water Systems Struggled with Other SDWA Requirements
Small water systems that did not comply with the deadline to certify completion of their risk and
resilience assessments also had a higher average number of SDWA violations. As Figure 7 shows, from
2015 through 2021, the section 2013-noncompliant small water
systems had, on average, 7.8 SDWA violations, while the section 2013-
compliant small water systems had, on average, 6.0 SDWA violations.8
In a previous OIG report, we found that small water systems were less
likely to have the technical capacity to properly monitor their water for
contaminants, make timely repairs, or replace faulty materials.9 The
lack of technical capacity can lead to poor water quality, water system unreliability, or failing water
system infrastructure, all of which can pose significant public health risks to customers. These same
capacity limitations may affect small water systems' ability to complete section 2013 requirements.
Technical Capacity: Water systems must have proper equipment and personnel for operation and
maintenance.
Figure 7: Average number of SDWA violations by small water systems from 2015 through 2021, by
compliance status with the risk-and-resilience-assessment certification deadline
Note: 95 percent confidence intervals shown around each average.
Source: OIG analysis of EPA data. (EPA OIG image)
Small Water Systems Serving Disadvantaged Communities Were Less Likely to
Comply with Section 2013
In our nationwide analysis of small water systems, we found that communities served by small water
systems that did not comply with the risk-and-resilience-assessment certification deadline have
characteristics that statistically differ from the characteristics of communities served by compliant small
water systems. In general, communities served by the noncompliant small water systems had a lower
median household income, a lower education level, and a higher percentage of minority residents—all
characteristics of disadvantaged communities—than communities served by compliant small water
systems. As an example of how we analyzed these characteristics, Figure 8 shows the distribution of
compliant and noncompliant small water systems in Texas. The compliance status is shown by census
tract and one characteristic, the median household income.10 Texas has a relatively high small water
system noncompliance rate of 27.1 percent, as shown in Figure 5.
8 A t-test analysis strongly indicated that the average numbers of violations were statistically different between
those small water systems that certified completion of their risk and resilience assessments by the certification
deadline date and those small water systems that did not comply with the certification deadline.
9 OIG Report No. 16-P-0108, Drinking Water: EPA Needs to Take Additional Steps to Ensure Small Community Water
Systems Designated as Serious Violators Achieve Compliance, issued March 22, 2016.
Figure 8: Compliance status of small water systems in Texas, by census tract and median
household income, at the initial risk-and-resilience-assessment certification deadline
[Map legend: household median income ($10,255-$64,412; $64,413-$106,551; $106,552-$214,750); certification status (compliant, noncompliant).]
Source: OIG analysis of EPA and U.S. Census data. (EPA OIG image)
Small Systems Face Barriers to Compliance
EPA regional staff and managers, as well as water system representatives, told us that there were
several reasons for the high rate of small water system noncompliance with the statutory deadlines:
• Communicating with nearly 9,000 small water systems was difficult. Despite extensive outreach
by the Office of Water, the EPA regions, and other organizations, such as the Association of
State Drinking Water Administrators, the American Water Works Association, the National Rural
Water Association, the Rural Community Assistance Partnership, and state rural water
associations, some small system managers did not know about the AWIA requirements, which
likely contributed to noncompliance.
• Funding was limited for small water systems. Stakeholders told us that many small systems did
not have the funds, as larger water systems did, to hire contractors to conduct the risk and
resilience assessments and develop the emergency response plans. In addition, Congress did not
appropriate funds for the grant program AWIA established to assist communities with meeting
the requirements.
• Technical capacity is limited for small water systems. A manager from one small water system
said that the water system relied on its state rural water association to assist with AWIA
compliance because the water system did not have the technical experience to complete the
risk and resilience assessment and emergency response plan.
10 Census tracts are small and relatively permanent statistical subdivisions of a county or equivalent
entity. The primary purpose of census tracts is to provide a stable set of geographic units for the
presentation of decennial census data. Census tracts generally have a population size of 1,200 to 8,000
people with an optimum size of 4,000 people.
Effects of Section 2013 Noncompliance
Water systems that did not certify completion of their risk and resilience assessments in a timely
manner serve 40 million people. Furthermore, 95 percent of noncompliant water systems were
small water systems, and small water systems serving disadvantaged communities were less likely to
comply than small water systems not serving disadvantaged communities. Not completing risk and
resilience assessments in a timely manner could leave risks unaddressed and water systems vulnerable
to cyberattacks and other malevolent acts; unaddressed risks could cause unsafe drinking water or loss
of service. As a result, increasing compliance with section 2013 is important to protect public health.
The EPA Worked to Help Noncompliant Water Systems
Become Compliant
After the 2020 and 2021 certification deadlines passed, the EPA continued to work with noncompliant
water systems to bring them into compliance with section 2013, using processes and plans initiated
following the passage of AWIA in October 2018, including tracking compliance status and a strategic
communication plan. The EPA continued to track compliance status, call water systems directly to help
them complete their risk and resilience assessments and emergency response plans, and direct the
water systems to other entities that could assist them in reaching compliance.
The EPA regions also used their enforcement discretion to bring water systems into compliance with
section 2013. The enforcement approaches taken by the EPA regions varied. Three of the five regions
we interviewed issued administrative orders to noncompliant medium and large water systems; these
orders included schedules for those water systems to achieve compliance. The other two regions did not
use formal enforcement tools like the administrative orders and instead offered noncompliant water
systems informal assistance, such as providing information on AWIA certification requirements.
Regions were not required to—and did not—record section 2013 noncompliance in the EPA's Safe
Drinking Water Information System database, as is done with other SDWA violations. This means there
is not a formal record of section 2013 noncompliance in a publicly available database.
The deadline for small water systems to certify completion of their emergency response plans was
December 31, 2021. A regional water enforcement manager told us that issuing administrative orders to
the large number of noncompliant small water systems was not practical due to the EPA's limited
resources and other priorities. As previously shown in Table 5, at the time of the deadlines, nearly 2,000
small systems had not certified completion of their risk and resilience assessments and emergency
response plans. Regional managers and staff members said that working directly with noncompliant
small water systems and providing them with resources and technical assistance was the most effective
way to bring them into compliance. This difference in enforcement approach toward small water
systems means that it is unlikely an EPA region will issue a formal administrative order to a small system
for noncompliance with section 2013.
As Figure 9 shows, after the initial certification deadlines passed, water systems continued to certify to
the EPA that they completed their risk and resilience assessments and emergency response plans. For
example, as of December 31, 2021, all medium and large systems had certified to the EPA that their risk
and resilience assessments were complete. As of that same date, which was six months following the
deadline for small water systems to certify completion of their risk and resilience assessments, there
were still 1,029 small water systems, or 11.5 percent—which serve a total of 7.2 million people—that
had not yet done so.
Figure 9: Water systems that came into compliance with section 2013 certification requirements
after statutory deadline, as of December 31, 2021
[Figure panels: Risk and resilience assessment; Emergency response plan. Vertical axis: 0% to 100%.]
The EPA Needs to Improve Its Oversight of Section 2013 Requirements
The EPA needs to improve its oversight of section 2013 requirements for water systems to certify
completion of their risk and resilience assessments and emergency response plans. While the EPA had
plans and processes in place, the number of noncomplying water systems supports the need to update
those plans and processes. We identified several weaknesses in the EPA's oversight that contributed to
water systems' noncompliance, including that the EPA:
• Did not have accurate water system contact information.
• Did not have the resources it needed.
• Did not transparently communicate or issue formal guidance regarding AWIA requirements and
enforcement actions.
In addition, the EPA did not evaluate the quality of the risk and resilience assessments and emergency
response plans completed by water systems, and the quality remains unknown.
The EPA Did Not Have Accurate Water System Contact Information
The EPA did not have a system for maintaining and updating water system contact information for the
purposes of communicating with the water systems about water security issues. As a result, the EPA did
not have accurate, complete, or up-to-date contact information for all the water systems subject to
section 2013 requirements. The EPA needs accurate contact information so that it can notify water
system representatives of their AWIA responsibilities and inform them of the available AWIA assistance
and resources. The EPA also needs accurate contact information so that it can provide direct technical
assistance and take formal enforcement actions against noncompliant water systems.
The EPA did not prioritize maintaining accurate, up-to-date contact information because primacy states
work directly with most water systems to meet most SDWA requirements. The EPA also did not require
states to maintain in the Safe Drinking Water Information System database accurate water system
contact information that would be appropriate for security issues. To effectively communicate AWIA
requirements, the EPA had to first track down correct contact information and update its records. As a
result, notifications to water systems regarding AWIA requirements were delayed, and the EPA
expended resources that could have been directed toward assisting water systems with achieving AWIA
compliance. In addition, once the EPA began updating the contact information for section 2013, it
maintained that information in a separate system from the Safe Drinking Water Information System
database and did not have controls in place to maintain the accuracy of the information.
A lack of accurate contact information also means that the EPA was not prepared to communicate
directly with water systems in the event of an emergency, such as a cyberattack on water systems, or in
the event of an emerging public health concern, such as the coronavirus pandemic. The lack of accurate
contact information also shows that the EPA had not established close working relationships with the
water systems, which means that the EPA was not providing the level of assistance needed. A
noncompliance rate of 19 percent, as detailed previously in Table 5, points to the need for the EPA to
provide more effective assistance to water systems to meet the ongoing section 2013 certification
requirements.
The EPA Did Not Have Necessary Resources
Although the EPA has sole responsibility for overseeing and enforcing water systems' compliance with
section 2013, the Agency had limited time, personnel, and funds to fulfill this responsibility. AWIA set
the initial certification deadlines for the water systems and the deadline for issuing the baseline
information. These deadlines meant that the EPA had limited time to establish the new program. In
addition, Congress did not appropriate funds for the EPA to use in meeting the Act's requirement of
issuing baseline information and taking the oversight actions dictated by good governance principles,
such as those established by the Office of Management and Budget and the GAO. Those oversight
actions include informing water systems of their responsibilities, assisting water systems in meeting the
requirements, tracking water system compliance, and taking appropriate enforcement action. Instead,
the EPA reallocated funds and personnel from its existing water security program and regional drinking
water and water enforcement programs. The EPA did not devote the level of funds and personnel
needed to provide the level of oversight that would have brought all water systems into timely
compliance with the AWIA requirements. Greater oversight by the Agency would likely have resulted in
higher water system compliance.
The EPA Was Not Transparent Regarding AWIA Enforcement
The EPA was not transparent regarding the steps Agency staff would take when water systems failed to
comply with section 2013. The EPA did not issue formal AWIA guidance to the water systems that clearly
described how it would enforce compliance. Instead, the EPA developed a document that discusses
frequently asked questions, which said that the EPA "may" use its enforcement discretion "to bring an
action to require compliance and may also seek a civil penalty." In addition, the EPA placed this informal
document on its section 2013 website in December 2020, after the certification deadlines for large
water systems had passed and just before the December 31, 2020 risk-and-resilience-assessment
certification deadline for medium water systems.
In April 2021, the Office of Water and the Office of Enforcement and Compliance Assurance issued a
joint memorandum to the EPA regions that outlined the protocol for enforcement and compliance
assurance related to section 2013. The memorandum provides regions flexibility in how they work with
noncompliant water systems. The memorandum did not direct the regions to record water system
noncompliance with AWIA requirements in the EPA's Safe Drinking Water Information System database,
as is done with other water system violations of SDWA requirements. Instead, the memorandum
clarifies that the EPA's approach is to provide a path to compliance first through assistance and then
through enforcement. The memorandum outlines the steps the regions can take to carry out this
approach. It is unclear how and whether the EPA communicated this approach to water systems, as
the EPA did not publish guidance available to the water systems that outlines what steps the EPA may
take if water systems do not comply with AWIA.
The EPA maintains the Water Supply Guidance Manual on its website. This manual makes water supply
guidance memorandums available to water systems, states, and the public. As of November 2022, this
manual did not include information on section 2013 requirements. As such, water systems remain
poorly informed on AWIA requirements and the steps the EPA would take to bring water systems into
compliance.
The Quality of the Risk and Resilience Assessments and Emergency Response
Plans Is Unknown
Although AWIA defines the required components of the risk and resilience assessments and emergency
response plans, as shown previously in Table 3, the Act does not require that the EPA or states review
these assessments and plans to ensure that the water systems include those components. As a result,
the EPA cannot ensure that water system risk and resilience assessments and emergency response plans
meet AWIA requirements, the quality of the assessments and plans is unknown, and the EPA cannot
effectively manage risk. As we discussed in Chapter 2, in February 2021, the EPA increased the
cybersecurity threat likelihoods due to the increased importance of cybersecurity to water system
safety.
Although AWIA does not require such quality reviews, the EPA has authority under section 1445 of
SDWA to access these risk and resilience assessments and emergency response plans. Reviewing a
sample of these risk and resilience assessments and emergency response plans would allow the EPA to
identify improvements and best practices to share with water systems so that they can improve their
assessments and plans when completing the ongoing certification requirements.
Effects of Oversight Weaknesses
Weaknesses in EPA oversight of section 2013 requirements resulted in noncompliance among
19 percent of water systems, potentially jeopardizing the health and safety of the 40 million people
served by the noncompliant water systems. Further, most of the noncompliant systems were small
water systems that likely served disadvantaged communities. We analyzed several characteristics of
communities served by noncompliant and compliant small water systems. We
found that communities served by noncompliant systems on average had characteristics associated with
disadvantaged communities, including a lower median household income, a lower education level, and a
higher percentage of minority residents.
The EPA's delivery of AWIA information was hampered because the Agency had not maintained
accurate system contact information that would have facilitated timely communication of necessary
guidance. The EPA's limited guidance to water systems caused water system managers to not
understand the enforcement steps the EPA would take to address noncompliance; such an
understanding could help motivate compliance. Further, the EPA did not know whether the risk and
resilience assessments and emergency response plans met the section 2013 requirements, which are
intended to increase the security of our nation's water systems.
As of December 31, 2021, over 1,000 small water systems had not yet certified completion of their
section 2013 requirements. In addition, AWIA requires that water systems review their risk and
resilience assessments and emergency response plans every five years and revise them as needed. As
such, the EPA's oversight must continue and improve.
Conclusions
Improvements are needed in the EPA's oversight of water system compliance with AWIA. The EPA must
continue working with noncompliant systems to ensure that they address AWIA requirements and must
also oversee the ongoing AWIA certification requirements. Improvements in EPA oversight should lead
to greater compliance with section 2013 requirements, including among small water systems serving
disadvantaged communities. Without such improved oversight, water systems may fail to meet the
ongoing certification requirements and remain vulnerable to malevolent acts, which could adversely
impact the safety of drinking water and harm the health of the communities they serve. Furthermore, by
reviewing the quality of the submitted risk and resilience assessments and emergency response plans,
the EPA can identify improvements and best practices to share with water systems, thus better
protecting the country's critical infrastructure and the health of its citizens.
Recommendations, Agency Response, and OIG Assessment
In our draft report, we made four recommendations to the Agency on actions to be taken to address our
findings. We met with representatives from the Offices of Water and Enforcement and Compliance
Assurance on September 20, 2022. We received the Agency's written response on September 22, 2022.
That response is presented in Appendix A.
We modified Recommendations 1 and 2 to address Agency concerns.
Recommendation 1
We recommend that the assistant administrator for Water, in consultation with the assistant
administrator for Enforcement and Compliance Assurance, as appropriate, update and implement a plan
for supporting community water systems so that all water systems comply with all certification
requirements included in section 2013 of the America's Water Infrastructure Act, for past and future
deadlines related to risk and resilience assessments and emergency response plans.
The Agency disagreed with the draft recommendation "owing to the absence of a supporting factual
foundation." We disagree with this characterization of our findings. We found that the certification
requirements are ongoing and that some water systems have yet to comply with the initial certification
deadlines. These findings support our recommendation that the Agency should update and implement a
plan for supporting water systems so that all water systems comply with all certification requirements
included in section 2013 of AWIA, for past and future deadlines related to risk and resilience
assessments and emergency response plans. In addition, we found that noncompliant small water
systems more likely served disadvantaged communities and had a higher average number of SDWA
violations. These findings support our conclusion that the Agency needs to modify its implementation to
better support these noncompliant small systems. In its response, the Agency stated that it is gathering
lessons learned, drafting an "After-Action Report," and refining its implementation plan. These actions
meet the intent of our recommendation. We ask the Agency to review our final report and provide a
date for when it anticipates completion of an updated implementation plan.
Recommendation 2
We recommend that the assistant administrator for Water, in consultation with the assistant
administrator for Enforcement and Compliance Assurance, as appropriate, update processes related to
the EPA's implementation of section 2013 of the America's Water Infrastructure Act, including processes
to monitor community water system compliance with section 2013 and record noncompliance and
contact information in the EPA's Safe Drinking Water Information System database. These processes
should be documented in the EPA's Water Supply Guidance Manual.
The Agency disagreed with the draft recommendation "owing to the absence of a supporting factual
foundation." Again, we disagree with this characterization of our findings. We found that the Agency did
not record compliance with section 2013 requirements and water security contact information in the
Safe Drinking Water Information System database and did not document its processes in the Water
Supply Guidance Manual. These findings support our recommendation to update compliance monitoring
processes and record noncompliance and contact information in the EPA's Safe Drinking Water
Information System database. In its response, the Agency stated that it intends to update the Safe
Drinking Water Information System to house the AWIA section 2013 data and is amenable to
documenting processes in the Water Supply Guidance Manual. These actions meet the intent of our
recommendation. We ask the Agency to review our final report and provide a date for when it
anticipates completion of these actions.
Recommendation 3
We recommend that the assistant administrator for Water, in consultation with the assistant administrator
for Enforcement and Compliance Assurance, as appropriate, review a sample of risk and resilience
assessments and emergency response plans completed by community water systems under section 2013
of the America's Water Infrastructure Act to determine improvements, particularly in cybersecurity, that
can be made as the water systems complete the Act's ongoing certification requirements.
The Agency disagreed with this recommendation because of concerns regarding the possible exposure
of sensitive information about water system vulnerabilities. As an alternative solution, the Agency
stated that credentialed inspectors could use their SDWA section 1445 authority to review risk and
resilience assessments and emergency response plans while conducting inspections on-site at water
systems. The Agency's proposed solution partially meets the intent of our recommendation. We ask the
Agency to review our final report and define the number of reviews it will conduct to complete the
corrective action. We also ask the Agency to provide an estimated date of completion once it has
developed a fully responsive corrective action plan.
Recommendation 4
We recommend that the assistant administrator for Water, in consultation with the assistant
administrator for Enforcement and Compliance Assurance, as appropriate, develop formal guidance for
community water systems that clearly describes the America's Water Infrastructure Act section 2013
requirements, including certification deadlines, enforcement steps, and the improvements identified as
a result of Recommendation 3. Incorporate this guidance into the EPA's Water Supply Guidance Manual.
The Agency disagreed with this recommendation "owing to the absence of a supporting factual
foundation." We disagree with this characterization of our findings. We found that the Agency does not
have formal guidance for the section 2013 requirements, which supports our recommendation that the
Agency incorporate guidance into the Water Supply Guidance Manual. The Agency described the
websites, frequently asked questions documents, and fact sheets that it maintains online. These are not
formal guidance but could serve as the foundation for developing formal guidance. The Agency stated in
its response that it is amenable to incorporating AWIA guidance into the Water Supply Guidance
Manual. This action partly meets the intent of our recommendation. We ask the Agency to review our
final report and reconsider incorporating improvements into the guidance that result from its action to
address Recommendation 3. We also ask the Agency to provide an estimated date of completion once it
has developed a fully responsive corrective action plan.
Status of Recommendations
RECOMMENDATIONS

| Rec. No. | Page No. | Subject | Status¹ | Action Official | Planned Completion Date |
|---|---|---|---|---|---|
| 1 | 22 | In consultation with the assistant administrator for Enforcement and Compliance Assurance, as appropriate, update and implement a plan for supporting community water systems so that all water systems comply with all certification requirements included in section 2013 of the America's Water Infrastructure Act, for past and future deadlines related to risk and resilience assessments and emergency response plans. | | Assistant Administrator for Water | |
| 2 | 22 | In consultation with the assistant administrator for Enforcement and Compliance Assurance, as appropriate, update processes related to the EPA's implementation of section 2013 of the America's Water Infrastructure Act, including processes to monitor community water system compliance with section 2013 and record noncompliance and contact information in the EPA's Safe Drinking Water Information System database. These processes should be documented in the EPA's Water Supply Guidance Manual. | | Assistant Administrator for Water | |
| 3 | 23 | In consultation with the assistant administrator for Enforcement and Compliance Assurance, as appropriate, review a sample of risk and resilience assessments and emergency response plans completed by community water systems under section 2013 of the America's Water Infrastructure Act to determine improvements, particularly in cybersecurity, that can be made as the water systems complete the Act's ongoing certification requirements. | | Assistant Administrator for Water | |
| 4 | 23 | In consultation with the assistant administrator for Enforcement and Compliance Assurance, as appropriate, develop formal guidance for community water systems that clearly describes the America's Water Infrastructure Act section 2013 requirements, including certification deadlines, enforcement steps, and the improvements identified as a result of Recommendation 3. Incorporate this guidance into the EPA's Water Supply Guidance Manual. | | Assistant Administrator for Water | |

¹ C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.
Appendix A
Agency Response to Draft Report
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF WATER
MEMORANDUM
SUBJECT: Response to Office of Inspector General Draft Report OA-FY21-0240, The EPA Met
2018 Water Security Requirements but Needs to Improve Oversight to Support Water
System Compliance, dated August 11, 2022
FROM: Radhika Fox
Assistant Administrator
For BENITA BEST-WONG
Digitally signed by BENITA BEST-WONG
Date: 2022.09.21 16:11:29 -04'00'
TO: Michael D. Davis, Director
Environmental Investment and Infrastructure Directorate Office of Audit
Thank you for the opportunity to respond to the recommendations in the draft report OA-FY21-0240,
The EPA Met 2018 Water Security Requirements but Needs to Improve Oversight to Support Water
System Compliance. The following is our position on each of the draft report recommendations. The
Office of Water (OW) disagrees with Recommendations 1-4 and has provided detailed reasons for our
position for your consideration. Additionally, attached are technical comments on the draft report. OW
consulted with the Office of Enforcement and Compliance Assurance to prepare this response.
AGENCY'S POSITION
Recommendation 1 - Disagree
In consultation with the assistant administrator for Enforcement and Compliance Assurance, as
appropriate, develop and implement a plan for supporting community water systems so that all water
systems comply with all certification requirements included in section 2013 of the America's Water
Infrastructure Act, for past and future deadlines related to risk and resilience assessments and emergency
response plans.
Response:
OW disagrees with this recommendation owing to the absence of a supporting factual foundation. EPA
has developed and implemented a plan for supporting community water systems (CWSs) with the goal
that all water systems comply with all certification requirements in AWIA Section 2013. EPA created
and implemented an extensive communication, outreach, and training plan for AWIA. As OW
documents extensively for the OIG in multiple engagements and as summarized below, OW executed a
multi-faceted strategic plan to reach CWSs. The high compliance rates, as noted below, provide further
evidence of the success and effectiveness of the massive undertaking that OW took and continues to
implement to educate CWSs on and prepare CWSs for the AWIA requirements and deadlines.
OW developed an extensive written strategic communications and outreach plan in March 2019
that identified all water systems that were required to comply with AWIA based on the agency
record of CWSs, which is the Safe Drinking Water Information System (SDWIS). In addition,
the plan identified key stakeholder groups which could support OW in communicating the
requirements and providing technical assistance to water systems.
OW worked directly with the ten EPA regions, American Water Works Association (AWWA),
National Rural Water Association (NRWA), the Rural Community Assistance Partnership
(RCAP), Regional RCAP partnerships, State rural water programs, Association of State Drinking
Water Administrators (ASDWA), and State and Tribal primacy agencies to identify key roles
and responsibilities for program implementation, as well as to leverage their existing
communication networks and relationships with CWSs to obtain missing contact information and
provide technical assistance to CWSs on AWIA.
OW used multiple direct communication techniques to inform CWSs that must comply with
AWIA including several series of emails, physical mass mailers, a Federal Register Notice,
conference presentations, article publications, website information, in-person and virtual
trainings to explain AWIA requirements, deadlines, and where to locate OW's AWIA Section
2013 assistance resources.
OW conducted in-person and virtual workshops and webinars for large, medium, and small sized
CWSs from 2019-2021 with participation from a total of 4,826 of the total 10,151 systems that
were required to comply.
OW staff attended 53 conferences reaching 3,915 conference attendees (e.g., state rural water
conferences, RCAP annual conference, NRWA annual conference) to provide detailed
information on AWIA Section 2013 requirements, deadlines, certification processes, and use of
applicable tools.
OW identified publications across the country that have CWSs as an audience and submitted
several AWIA articles to be published throughout 2020 and 2021 to share information about
AWIA. The total readership for all published articles was 258,300.
OW staff also hosted AWIA Risk and Resilience Assessment (RRA) and Emergency Response
Plan (ERP) Office Hours for one month leading up to the small-sized CWS RRA and ERP
certification deadlines, meeting one-on-one and in groups with water systems who had additional
compliance questions.
In addition to the above listed activities, OW focused on two groups of CWSs that were identified as
potentially needing extra assistance:
OW used specific communications to relay AWIA Section 2013 requirements and assistance
resources to tribal systems. OW leveraged existing relationships including EPA's Direct
Implementation (DI) Network, the Tribal Drinking Water Coordinators for each EPA Region,
Indian Health Service (IHS) and other groups that provide technical assistance to tribal CWSs.
OW staff made AWIA-specific announcements during the DI network's meetings every few
months to keep the DI Network updated on EPA's AWIA resources and training opportunities.
OW staff also elicited DI Network ideas on any additional avenues that could be pursued to
reach tribal CWSs. Several ideas were suggested and pursued, including speaking at tribe-focused
conferences, publishing AWIA articles in tribal-focused publications, and hosting an AWIA ERP
workshop series in December 2021 specifically geared toward tribal CWSs.
OW also created an AWIA Spanish language webpage with translated versions of EPA's RRA
and ERP assistance resources to help Spanish-speaking water system operators comply with
AWIA Section 2013, including the 100 small systems in Puerto Rico.
AWIA was signed into law on October 23, 2018, and the first certification deadline for large systems
was March 31, 2020. In total, over 10,000 systems are subject to the AWIA requirement. In less than a
year and a half, OW not only developed a comprehensive, multifaceted plan and implemented a process
for supporting community water systems to meet the requirements of section 2013, it also developed
guidance, conducted training, built a database (see Response to Recommendation 2 below), and ensured
broad communication and outreach to all impacted water systems.
As of September 2022, the compliance rate for systems is as follows: large CWSs (population
served >100,000) - 100% RRA certified, 99% ERP certified; medium CWSs (population served
>50,000 to 99,999) - 100% RRA certified, 99% ERP certified; and small CWSs (population
served >3,301 to 49,999) - 94% RRA certified, 92% ERP certified. To ensure full compliance,
OW continues to refine the implementation plan and work with OECA and the regional water
programs to identify and provide the support necessary to assist water systems that have not
certified. OW also continues to update the database to ensure the most accurate representation of
CWSs.
To complement the efforts above, OW fully intends to build on the lessons learned from the
recent AWIA compliance cycles and make improvements in support of ongoing and future
AWIA compliance. In addition, OW also is drafting its own After-Action Report, gathering data
from all ten EPA regions, NRWA, RCAP, and ASDWA. Recommendations from the
participants will be included in the final After-Action Report on how to improve EPA's
implementation, tools, and communication.
Recommendation 2 - Disagree
In consultation with the assistant administrator for Enforcement and Compliance Assurance, as
appropriate, establish processes related to the EPA's implementation of section 2013 of the America's
Water Infrastructure Act. These should include processes to monitor community water system
compliance with section 2013 and record noncompliance and contact information in the EPA's Safe
Drinking Water Information System database. These processes should be documented in the EPA's
Water Supply Guidance Manual.
Response:
OW disagrees with Recommendation 2 owing to the absence of a supporting factual foundation. EPA
did establish "processes related to the EPA's implementation of section 2013 of the America's Water
Infrastructure Act." OW established a rigorous and comprehensive process to record CWS compliance
and noncompliance and to obtain updated contact information for CWSs. OW created a database in
EPA's Shared CROMERR Services (SCS) - the Agency's electronic reporting site - to track AWIA
compliance and maintain updated contact information. This database, which did not exist prior to OW
developing it, was designed to identify all systems required to comply with AWIA Section 2013 and
provide those systems with a method to electronically certify compliance, and track compliance of all
applicable CWSs. The SCS AWIA database also served to inform EPA regions, states and associations
of the status of systems within their jurisdiction and/or service area. In addition, data from the SCS
AWIA database as to which CWSs were covered by the RRA and ERP certification requirements under
Section 2013 of AWIA, as well as data on the CWSs that complied with the law, are posted publicly and
updated monthly on EPA's website:
https://www.epa.gov/waterresilience/americas-water-infrastructureact-section-2013-compliance-data.
Recommendation 2 suggests that this information
should be contained within EPA's SDWIS database, however SDWIS is not currently configured in a
way that supports tracking of this AWIA-specific information. In an effort to identify existing
information systems that could be leveraged to support AWIA implementation, the AWIA
implementation team engaged with the SDWIS team and learned that the SDWIS modernization effort
could not accommodate the aggressive AWIA Section 2013 timelines. As a result, OW developed an
AWIA specific database in SCS to track compliance on timescales that could not be achieved using the
SDWIS platform. Further, SDWIS-Fed is updated once a quarter, however AWIA compliance cycles
and tracking require more frequent updates. SDWIS is currently undergoing a modernization effort, and
the SDWIS modernization team intends to update SDWIS to house the AWIA Section 2013 data. Once
the SDWIS modernization is complete, OW intends to upload data from the SCS AWIA database to
SDWIS on intervals that align with pre-scheduled SDWIS database updates.
The section titled, "The EPA Did Not Have Accurate Water System Contact Information" in the
OA-FY21-0240 report contains overstatements about the accuracy of the contact information and
overlooks the extensive efforts that OW conducted to obtain updated contact information. OW initiated
the effort to confirm the accuracy of CWS contact information by using the relevant data fields in
SDWIS. After sending emails to these contacts and receiving multiple bounce backs, OW initiated
several actions to obtain accurate data for the 10,151 systems covered by AWIA Section 2013 including
the following:
For any CWSs lacking an email address in SDWIS, OW obtained the email address by calling
water systems directly to ask for updated contact information and searching CWS websites for
any available online email addresses.
OW asked EPA regions to request that their states and direct implementation systems complete
any missing or outdated contact information which was then updated in the AWIA SCS
database.
OW also sent physical mass mailers through the US mail to any water system on the AWIA
compliance list for which there was a missing email address or for which an AWIA deadline
reminder email bounced back. 1,915 mass mailers were sent in June 2020, 1,392 were sent in
January 2021, and 44 were sent in April 2021.
OW is amenable to the recommendation that AWIA "processes should be documented in the EPA's
Water Supply Guidance Manual."
Recommendation 3 - Disagree
In consultation with the assistant administrator for Enforcement and Compliance Assurance, as
appropriate, review a sample of risk and resilience assessments and emergency response plans
completed by community water systems under section 2013 of the America's Water Infrastructure Act
to determine improvements, particularly in cybersecurity, that can be made as the water systems
complete the Act's ongoing certification requirements.
Response:
OW disagrees with Recommendation 3. OW has concerns, based on extensive conversations with the
Office of General Counsel (OGC) and Office of Enforcement and Compliance Assurance (OECA) on
the potential Freedom of Information Act (FOIA) implications with EPA having copies of CWS RRAs
and ERPs. This action could expose sensitive information about CWS vulnerabilities in the CWS RRAs
and ERPs. However, a possible solution to this issue includes EPA's Enforcement and Compliance
Assurance Divisions (ECAD) and OECA credentialed inspectors using their SDWA section 1445
authority to review RRAs and ERPs while conducting inspections onsite at water systems, as there are
enforcement-related exemptions to release under FOIA. On a case-by-case basis, ECADs and OECA
may take various levels of enforcement actions after viewing CWSs RRAs and ERPs and observing
noncompliance. For example, an inspector may review an RRA or ERP and observe missing information
such as an asset category required by the statute or in some cases the absence of the document after
having certified to EPA that it had been completed. This type of information that is being gleaned from
EPA's field work is also being used to actively update the FAQ document and other guidance that OW
has developed to explain how to develop a complete RRA and ERP.
Recommendation 4 - Disagree
In consultation with the assistant administrator for Enforcement and Compliance Assurance, as
appropriate, develop formal guidance for community water systems that clearly describes the America's
Water Infrastructure Act section 2013 requirements, including certification deadlines, enforcement steps,
and the improvements identified as a result of Recommendation 3. Incorporate this guidance into the
EPA's Water Supply Guidance Manual.
Response:
OW disagrees with Recommendation 4 owing to the absence of a supporting factual foundation. OW
published extensive information on AWIA requirements and certification deadlines, including the
AWIA Section 2013 webpage, the AWIA Section 2013 Frequently Asked Questions (FAQ) document,
the AWIA Section 2013 Fact Sheet, among other documents. OW published information on enforcement
steps in the AWIA Section 2013 FAQ document. OW and OECA also released a memo detailing an
escalation protocol to address noncompliance in April 2021. If OIG has specific information on AWIA
requirements, certification deadlines, or enforcement steps that they suggest adding to this existing
information to provide further clarity, OW would be amenable to consider adding such information.
OW is amenable to the recommendation that AWIA guidance be incorporated into the EPA's Water
Supply Guidance Manual moving forward.
Thank you again for the opportunity to respond to the recommendations in the draft report
OA-FY21-0240. If you have any questions regarding this response, please have your staff contact OW's Acting
Audit Follow-Up Coordinator, Nizanna Bathersfield, at Bathersfield.Nizanna@epa.gov or
(202) 564-2258.
Attachments (2)
1. Technical Comments
2. AWIA 18 Section 2013 Strategic Communication Plan (February 2019)
cc: Benita Best-Wong, OW/DAA
Macara Lousberg, OW/IO
Nizanna Bathersfield, OW AFC
Jennifer McLain, OW/OGWDW
Karen Wirth, OW/OGWDW
Larry Starfield, OECA/Acting AA
Rosemarie Kelley, OECA/OCE
Gwendolyn Spriggs, OECA AFC
Appendix B
Distribution
The Administrator
Deputy Administrator
Chief of Staff, Office of the Administrator
Deputy Chief of Staff, Office of the Administrator
Agency Follow-Up Official (the CFO)
Assistant Administrator for Water
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Assistant Administrators for Water
Director, Office of Continuous Improvement, Office of the Chief Financial Officer
Director, Office of Ground Water and Drinking Water, Office of Water
Director, Office of Program Analysis, Regulatory, and Management Support, Office of Water
Associate Director, Office of Program Analysis, Regulatory, and Management Support, Office of Water
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Water