J^6D sr/%
PRO
United States Environmental Protection AgencyRegion 8
1595 Wynkoop Street
Denver, CO. 80202-1129
Phone: 1-800-227-8917
Fax: 1-877-876-9101
Web: https://www.epa.gov/region8-waterops
EPA REGION 8
DRINKING WATER
PROGRAM
WYOMING SYSTEMS
NEWSLETTER
February 2021
I
IN THIS ISSUE
AFTER-HOURS EMERGENCY PHONE NUMBER
STAFFING CHANGES
SUBMITTING SAMPLE RESULTS & COMPLIANCE
DOCUMENTS TO EPA REGION 8
WHAT'S IN A SAMPLE BOTTLE NAME?
REQUIRED INFORMATION FORTOTAL
COLIFORM LAB REPORTS FOR THE REVISED
TOTAL COLIFORM RULE (RTCR)
AGUIDETO READING YOUR REVISED TOTAL
COLIFORM RULE (RTCR) LEVEL 2 ASSESSMENT
CYBER THREATS INCREASING AT SMALL
COMMUNITY WATER PLANTS
THE IMPORTANCE OF BEST SAMPLE
COLLECTION PRACTICES FOR CHEMICAL
SAMPLING
COMPLYING WITH AMERICAS WATER
INFRASTRUCTURE ACT: COMMUNITY WATER
SYSTEMS SERVING OVER 3,300 PEOPLE TO
COMPLETE RISK AND RESILIENCE ASSESSMENT
& EMERGENCY RESPONSE PLAN
-------�
AFTER-HOURS EMERGENCY PHONE NUMBER
The Region 8 Drinking Water Program has an after-hours emergency phone number! If you
experience an emergency situation during non-workday hours orthe weekend, such as an issue
that disrupts your water supply orthe water is contaminated with E. coli bacteria or other
contaminants, please call 303-312-6327 for assistance. During Monday-Friday working hours
please contact one of our staff members for assistance.
STAFFING CHANGES IN EPA REGION 8's DRINKING WATER PROGRAM
Please welcome Lucien Gassie as the manager of the Wyoming Sanitary Surveys program. Lucien joined the EPA in
February 2020 and is responsible for overseeing the contracts for conducting most of the Wyoming Sanitary Surveys
(approximately 200 per year), RTCR Level 2 Assessments, and Microscopic Particulate Analysis Sampling. Lucien has a
PhD in Environmental Engineering from the University of Miami and has experience managing and operating direct
potable reuse water treatment plants, which were the focus of his dissertation. Lucien can be reached at
Gassie.Lucien@epa.gov or 303-312-6620.
Please welcome Chelsea Ransom as the Lead and Copper Rule Manager. Chelsea Ransom started as the Lead and Copper
Rule Manager in December 2020 and is responsible for managing the lead and copper rule for our regulated water
systems, including compliance and monitoring. Chelsea comes to us from the private sector where she worked primarily
on wastewater projects in all capacities from master planning to design. She previously worked for EPA's Office of
Transportation and Air Quality (OTAQ) in Ann Arbor where she focused on marine air emissions and was a Peace Corps
Volunteer in Mali where her primary projects involved securing clean drinking water and building sanitation infrastructure.
She has Master's degrees in Environmental Engineering and Natural Resources and the Environment from the University
of Michigan where she focused on the sustainability of water and wastewater treatment. She has her Bachelor's degree
from University of Vermont in Civil Engineering and is a licensed Professional Engineer in California and Michigan. Please
feel free to contact Chelsea with all of your Lead and Copper questions at Chelsea.Ransom@epa.gov or (303) 312-6876.
Please see the revised Contact List on Region 8's WaterOps website for a full run-down on our staff.
HOW TO SUBMIT SAMPLE RESULTS AND OTHER COMPLIANCE DOCUMENTATION TO EPA REGION 8
All compliance documentation (monitoring results,
significant deficiency corrections, etc.) should be
submitted to the EPA Region 8 office through the
R8DWU@epa.gov (R8DWU) email portal. Documentation
that is sent to R8DWU, following the rules described
below, is automatically distributed via an automated
process to the appropriate EPA staff. Use of R8DWU helps
to ensure your documentation is handled in a timely
manner, independent of staff schedules or changes. It also
simplifies the documentation submittal process by
providing you with a single email address to use for all
compliance reporting.
R8DWU Email Rules:
2. Include the correct keyword or abbreviation for the
documentation being submitted in the subject line of
the email (see the following table).
3. More than one type of documentation can be
submitted in the same email as long as the subject line
of the email containsthe correct keyword or
abbreviation for each type of document being
submitted. Each keyword should be separated by a
comma. For example, if an email contains nitrates,
inorganic compounds (IOC), volatile organic
compounds (VOC), and synthetic organic compounds
(SOC) results, the email subject could be:
"WY5600000 NO3, IOC, VOC, SOC."
1. Include your PWS ID# in the subject line of the email.
4-
2
Do not copy any EPA staff on the email.
-------�
If the above rules are not followed, you risk your
documentation being mishandled and not received by the
appropriate EPA Region 8 staff. For example, if Rule 3
above is not followed, the results will not be distributed to
the correct group of people. If you copy EPA staff on the
email to R8DWU, these individuals will receive the email
from you directly and will also receive a forwarded copy of
the email from R8DWIJ. This creates confusion and
unnecessary duplication.
Please follow the above rules to help us make this process
work for us and for you!
A table with the appropriate keyword or abbreviation to
use for each type of documentation is included below for
your reference.
R8DWU Documentation Submittal Keyword List
Type of Documentation
Required Keywords
Example Email Subject
Consumer Confidence Report (CCR)
"CCR" or "Water Quality Report"
WY5600000 CCR
Disinfection Byproduct (DBF) Results (TTHM or
I-IAA5)
"DBP" or "TTHM" or "HAA5"
WY5600000 DBP
DBP Precursor Results (Total Organic Carbon
and/or alkalinity and/or UV absorbance)
"TOC" or "TOCA" or "Precursor" or
"SUVA"
WY5600000 TOC
DBP Operation Evaluation Level (OEL) Report
"OEL"
WY5600000 OEL
inorganic Compounds (IOC), including asbestos
and/or
Synthetic Organic Compounds (SOC) and/or
Volatile Organic Compounds (VOC)
"IOC" or "SOC" or "VOC"
WY5600000 IOC or
WY5600000 IOC, SOC, VOC
Results
Lead and Copper Rule (LCR) Results (including
Water Quality Parameters results)
"LCR" or "Lead" or "Copper" or "Pb/Cu"
WY5600000 LCR
LCR Sample Plan
"LCR Sample Plan" or "LCR Plan"
WY5600000 LCR Sample Plan
LT2 Source Water Monitoring Results (E. Coli or
Cryptosporidium)
"LT2" or "Crypto"
WY5600000 LT2
3
-------�
Maximum Residual Disinfectant Level Report
(MRDL)
"MRDL"
WY5600000 MRDL
Nitrate or Nitrite Results
"Nitrate" or "Nitrite" or "N03" or "N02" or
"N+N" or "N-N"
WY5600000 NO3
Radionuclides Results
"RADS" or "Radionuclide"
WY5600000 RADS
Revised Total Coliform Rule (RTCR) Results - Tribal
"Tribal BACT" or "Tribal BAC-T" or "BACT
08" or "Tribal RTCR" or "RTCR 08"
Tribal BACT 083090000 or
BACT 083890000 or
RTCR 084690000
Revised Total Coliform Rule (RTCR) Results -
Wyoming
"Wyoming BACT" or "WY BACT" or
"BACT WY" or "Wyoming RTCR" or "WY
RTCR" or "RTCR WY"
WY5600000 WY BACT
RTCR Level l or Level i Assessment
"Level 1 Assessment" or "Level 2
Assessment" or "RTCR Assessment"
WY5600000 Level 1 Assessment
RTCR Seasonal Start-up Checklist
"Seasonal" or "Start-up"
WY5600000 Seasonal Start-up
Significant Deficiency Correction Notice
"Significant Deficiency" or "Deficiencies"
WY5600000 Significant Deficiency
Surface Water Treatment Rule (SWTR) Monthly
Operating Report
"SWTR" or "1 1 1"
WY5600000 SWTR
System Changes (Contacts changes, change form,
or basic information form) - Wyoming
"Wyoming Change" or"WY Change" or
"WY INV Change"
WY5600000 WY Inv Change
Example subject for an email that contains nitrates, IOC, SOC, VOC and Rads results: "WY5600000 NOs, IOC, SOC, VOC, Rads"
WHAT'S IN A SAMPLE BOTTLE NAME?
Synthetic Organic Compounds
(SOCs), Volatile Organic Compounds
(VOCs), and Radionuclides (RADS) (if
required). In most cases, this is NOT
the sampling point for total coliforrn,
disinfection byproducts, lead or
copper. There is a note on the
schematic that says, "Sample Points
(SP) shown on the schematic are
ONLY for Nitrates, RADs, lOCs,
SOCs, and VOCs. If you sample for
other contaminants, please refer to
your individual Site Sampling or
Monitoring Plans."
The following article discusses
labeling requirements only for total
coliform, nitrate-nitrite, and
triggered Ground Water Rule (TG
GWR) samples. The information is
The way you label your water
samples tells EPA a lot about the
sample. It also determines whether
HI 9828-0
CALIBRATION solution
LOT 0679
EXP 04/2013
VOL 500-ML
Cq ^*57020
Soli
ut'°f HI 9828, 50
your sample results will be credited
to your water system or if you end up
with a monitoring violation when the
correct sampling location is not
clearly indicated. Every year around
mid-February, EPA sends out the
annual Monitoring and Reporting
Requirements ("To Do" lists), along
with a "schematic" of your water
system. The schematic is an overly
simplified, not-to-scale diagram of
your water system. Instead of
showing individual buildings and
streets as your distribution system, it
has a large pound sign or hashtag,
that looks like this #. There is also at
least one red star and blue arrow
indicating where a sample should be
collected for Nitrate-Nitrite, other
Inorganic Compounds (lOCs),
-------�
applicable to all public water
systems (PWSs), but there is no
discussion on how to label samples
for lead, copper, disinfection
byproducts, chemicals, asbestos,
radionuclides, or any other
parameters that may be required.
Nitrate/Nitrite Monitoring Location
If your system is required to sample
for nitrate-nitrite per your
Monitoring and Reporting
Requirements, the sampling point on
the schematic is marked as SPxx
(i.e., SPoi or SP04) with a
description of the sample point
location (i.e., storage tank). The EPA
database will only accept samples
labeled in this mannerfor nitrate-
nitrite, other lOCs, SOCs, VOCs, and
radionuclides. The SPxx designation
tells EPAthat a water sample was
collected AFTER any water
treatment processes and BEFORE it
gets to the first consumer and is
from the location we call "the entry
point to the distribution system."
Please note that you may have more
than one sampling point for nitrate-
nitrite due to the number of entry
points to the distribution system
representing separate sources of
water. Please use a certified lab of
your choice to analyze the samples.
It is the PWS's responsibility to make
sure that the lab analyzing your
sample(s) for compliance is State or
EPA certified for the specific analyte
and method being requested. Make
sure the sampling point and sample
point description (the SPxx number
previously mentioned) is clearly
noted on the lab's chain of custody
or other form that is submitted with
your water sample(s). This will
ensure that the sample result is
accurately recorded in the EPA
database as a sample for
compliance. Without the correct
sample point location, your PWS will
get a nitrate-nitrite failure to
monitor (FTM) violation.
Total Coliform Monitoring Location
Total coliform water sample(s) must
be labeled with a sample location
name that clearly indicatesthat it is
in the distribution system, preferably
with the letters "DIST" and
according to your Revised Total
Coliform Rule (RTCR) Sample Siting
Plan. For example, "men's restroom-
DIST" or "DIST 123 Main St." Total
coliform samples must be collected
within the distribution system where
the water is used (not at the storage
tank or pump house). If you write on
your sample bottle or laboratory
chain of custody form that a total
coliform sample was collected at
SPxx, the sample will be rejected,
and you will receive a total coliform
failure to monitor (FTM) violation.
Ground Water Rule (GWR) (Source)
Monitoring Locations
If your water source is a well or
spring, you are required to collect a
groundwater source sample at the
well or spring if your PWS has a
routine RTCR total coliform positive
(TC+) result. Samples must be
collected from all groundwater
sources that were in use during the
collection of the routine RTCR TC+
sample, and they must be analyzed
for total coliforms and E. coli. If you
have a surface water source, this
requirement does not apply to your
PWS. If you purchase water from
another system, this requirement
does not apply to you
either. However, you
must notify the PWS
that you purchase
water from so that
they can take their
source water sample to
meet the GWR
sampling requirement.
Collect the source sample(s) at the
groundwater source(s) (well or
spring) BEFORE any treatment. You
are required to have a designated
sample tap at a location that allows
testing from the water source. If
there is no sample tap on your
well(s), you may collect the source
sample from the faucet or tank inlet
closest to the well and then install a
more appropriate sample tap at the
source. If your groundwater sources
combine before treatment, you may
take a combined source sample, but
make sure to markthe sample
location as "combined" and note the
groundwater sources' facility codes
that were combined (e.g., Combined
WL01, WL02, and WL03). This
sample must be labeled as the
Triggered Monitoring Ground Water
Rule sample (or "TG GWR" for short).
You must indicate that it is a source
sample or collected from the well or
spring so that we know it is not one
of the required RTCR repeat samples
from the distribution system.
5
-------�
Remember: This sample is only
required if you use groundwater for
your source water and have a routine
total coliform positive result.
What if SPxx and/or DIST and/or
TG GWR are the same location?
What if your PWS does not have a
way to collect a sample from the
source (for the TG GWR) or from the
entry point to the distribution
system (for the SPxx for
nitrate/nitrite)? Please discuss this
situation with EPA, and EPA may
designate the first tap within the
distribution system as the same
sampling location for all three water
samples, the TG GWR, the nitrate-
nitrite, and the total coliform routine
sample. If this is the case, you will
need to remember to label each
sample bottle differently according
to the naming conventions described
above. Even though the sample
location is the same, the EPA
database will not accept samples
that are labeled improperly.
If a nitrate-nitrite sample is labeled
as being in the distribution system
and says DIST, you will get a nitrate
FTM violation. If the water sample
from the same location is labeled as
"TG GWR," and you intended it to be
a routine total coliform sample, it
will not be accepted as such, and you
will get a monthly total coliform FTM
violation. If a total coliform sample is
labeled as being from SPxx, you will
get a total coliform FTM violation
since the database will think the
total coliform sample was collected
from the entry point to the
distribution system and not from the
distribution system itself. Although
it sounds confusing, if you print out
your Monitoring and Reporting
Requirements, and keep the form(s)
with the correct sample point
code(s) with your sample bottles,
then you can always refer to it for
the proper way to label your
samples. We also recommend
keeping your RTCR Sample Siting
Plan close by so that you remember
where to collect your sample(s) each
month and the proper sample
naming convention to write on your
sample bottles and laboratory chain
of custody.
If you do not have an agreement
with your lab to send sample results
to EPA, then please send ALL lab
reports to R8DWU@EPA.GOV as
soon as you receive them from the
lab. You must include your public
water system identification number
(PWS ID# - begins with 08 or WY560
or WY568) and the contaminant that
was analyzed in the subject line. If
you are unsure which of your
monitoring requirements you have
fulfilled already, please take a look at
your water system on Drinking
Water Watch at
https://sdwisr8.epa.gov/Region8DW
WPUB/. Simply type in your PWS
ID# to search for your water system.
Click on your PWS ID# to bring up
your water system profile. On the
left-hand side of the profile, you will
see an option to view the
contaminants that were analyzed.
EPA Regulation
Contaminant Analyzed
Physical Sample Location
Sample Site Name
Nitrate-Nitrite Rule
Nitrate, Nitrite, or
Nitrate-Nitrite
Entry point to the distribution
system, after treatment*
Example: SP01-storage
tank, SP04 - pressure tank
Revised Total
Coliform Rule
Total Coliform and E. coli
Within the distribution
system*
Example: DIST- Men's
restroom, or DIST-123 Main
Street
Ground Water Rule
E. coli
Directly from the well or
spring, before treatment*
Example: TG GWR - WLOi -
source
* If the sample location is the same for all 3 regulations, please collect your samples and label each bottle
according to the naming convention above.
6
-------�
REQUIRED INFORMATION FOR TOTAL COLIFORM LAB REPORTS FOR THE REVISED TOTAL COLIFORM RULE
(RTCR)
EPA Region 8 is required to maintain a considerable amount of information about each Wyoming and Region 8 Tribal
public water system (PWS), including records of tests, measurements, analyses, decisions, and considerations, to
determine compliance with the National Primary Drinking Water Regulations. This is spelled out in the federal regulations
at 40 CFR §142.14.
That means that if EPA doesn't get correct and complete information from the water system or the lab on each water
sample report from the lab, we need to ask for revisions of the report. This causes additional work for EPA, the lab and
YOU, the water system. It may even lead to a monitoring violation if we don't receive that information.
Here is a list of the required information we need in orderto process yourtotal
coliform sample resultsforthe Revised Total Coliform Rule (RTCR):
1. Public Water System Identification Number (PWSID)
2. Date and time the total coliform sample was collected
3. Date and time the total coliform sample was received by the lab
4. Sample location (i.e., street address, building name, or room name)
5. Sample type (i.e., Routine, Repeat or Special)
6. Total coliform (TC) and E. coli (EC) analytical method
7. Water sample analysis result
The following will explain why these elements are required.
1.The Public Water System ID Number (PWSID) is required for a few reasons:
a. PWSs may change names or owners, but. the PWSID stays the same. For EPA to track the ongoing water
quality at a site, we must have the PWSID on all lab reports.
b. If a PWS has an arrangement with a lab to have their lab results sent electronically to EPA, we may not receive
the data if there is no PWSID on the chain of custody form. In this case, the PWS will get a monitoring violation
when, in fact, the sample was collected. *Remember: It isthe responsibility of the Public Water System, not
the lab, to ensure that, data arrive at EPA by the date they are due.
c. The customer name listed on the lab report is sometimes not the PWS name that we have in the EPA's
database. Instead, a consultant or a parent company is listed on the form. So, without a PWSID, EPA can't tell
which PWS collected the water sample.
2. The date and time the total coliform sample was collected informs EPA of the correct monitoring period forthe
sample. For example: a sample collected on October 1 cannot be counted for the September monitoring period.
3. The date and time the total coliform sample was received by the lab is also required for determining compliance
with the Revised Total Coliform Rule, since the lab methods only allow 30 hours from the time the sample was
collected to the time the lab starts the analysis on the water sample. If a sample was collected on September 23 and
the lab doesn't receive the sample until September 25, then that is over 30 hours, and the lab will reject the sample.
The water system is required to collect another sample before September 30 to avoid a monitoring violation.
7
-------�
4. The sample location (i.e.. street address, building name, or room name) is required for comparison with the Sample
Siting Plan and to determine where in the distribution system a total coliform or E. coli positive sample result(s) may
have occurred.
5. The sample type (i.e.. Routine. Repeat, or Special) is required to determine if the required samples were collected
that may trigger an Assessment or a monitoring violation. If a Routine sample was marked Special, then it will not be
counted towards compliance, and the PWS will get a monitoring violation. If a Repeat sample is marked Routine, then
the PWS will trigger an Assessment. For more information about the correct way to label your water samples for the
Revised Total Coliform Rule (and the Ground Water Rule), please see https://www.epa.gov/reqion8-waterops/rtcr-
and-qwr-sample-labelinq-i instructions.
6. The analytical method is the test the lab uses to analyze your water samples. There is a list of approved testing
methods that labs are required to use for total coliform samples. If a lab uses an unapproved method, EPA will reject
the sample and the water system will get a monitoring violation. Please check with your lab to make sure they are
using an EPA approved test method.
7. The water sample analysis result, whether positive or negative, is critical to determine compliance with the
regulation. If a sample was total coliform positive but E. coli was not analyzed, it can trigger further actions or even a
violation.
WATER SYSTEM RESPONSIBILITY
Ultimately, it is your responsibility to use a drinking water certified laboratory and that the correct information is on all of
your chain of custody forms and sample bottles when they are submitted to the lab.
BE SURE TO WRITE CLEARLY AND NEATLY ON YOUR BOTTLES AND LAB FORMS
Take a few minutes before you collect your sample or before you drop it off at the lab to ensure the correct boxes are
checked and your 2s don't look like 6s or Is don't look like 7s, etc. Likewise, when you receive your sample results, you
should look overthe lab report and make sure all 7 items described above are on the lab report.
How to Correct A Mistake in a Lab Report for EPA
If you see a mistake or something missing from your lab report, please work with the lab to get the information corrected
and re-sent to EPA. In some cases, it is ok to write the correction on the lab report and then date and initial the correction.
This is okay if a PWSID is missing or the sample location is missing. However, once you receive a lab report you cannot
change the sample type from Routine to Special, especially if the result istotal coliform positive (TC+).
If you are revising a lab report, you must include documentation and an explanation as to what the revision was and why it
was necessary. Communication is a large component to keeping your water system in compliance.
REMEMBER: It is MUCH easier to fix a mistake BEFORE a sample is analyzed
than after you receive a violation
8
-------�
A GUIDE TO READING YOUR REVISED TOTAL COLIFORM RULE (RTCR) LEVEL 2 ASSESSMENT
A Level 2 Assessment can be required if a water system has multiple total coliform positive (TC+) sample results or a
combination of routine and repeat TC+ and E. coli positive (EC+) sample results. A Level 2 Assessment includes an on-site
visit by a contractor (paid for by EPA) to evaluate different components of your water system. Sometimes a second pair of
eyes can help determine what the source of contamination may be. You must make yourself available to walk through the
system with the contractor helping identify possible issues. Part of your responsibility during the Assessment is to discuss
possible due dates for correcting any problems that could be allowing bacteria into the water supply. If the corrective
action section of the Assessment is incomplete, EPA may assign certain actions and due datesthat you will be responsible
for completing.
At this point, you may be thinking to yourself, "This sounds an awful lot like a Sanitary Survey that we have every 3-5 years.
How is it different?"
In a nutshell, a Level 2 Assessment is RE-ACTIVE & a Sanitary Survey is PRO-ACTIVE
This table highlights some of the differences between a Level 2 Assessment and a Sanitary Survey.
Related EPA Regulations
Revised Total Coliform Rule (RTCR)
Ground Water Rule (GWR) / Surface
Water Treatment Rule (SWTR)
Name of On-Site
Evaluation
Level 2 Assessment
Sanitary Survey
Name of Issues Identified
During the Evaluation
that Require Correction
Sanitary Defect
Significant Deficiency
EPA Rule Manager
Jamie Harris
Matt Langenfeld (GWR)
Jake Crosby (SWTR)
Triggering Event
Total Coliform and/or E. coli positive
samples in the distribution system may
trigger a Level 2 Assessment.
Sanitary surveys are conducted every 3
years (Community systems) or 5 years
(Non-Community systems).
Purpose
Identify and eliminate contamination
pathways that may be the cause of the
positive bacteriological samplesthat
currently exist in the water supply.
Routine review of the water system's
design, operation and maintenance to
identify failures, malfunctions or other
issues that are causing or have the
potential to cause contamination of the
finished water.
Timeline for Completing
Corrective Actions
30 days or a schedule approved by EPA
6 months or a schedule approved by EPA
Area of Focus During the
Evaluation
Various situations at the water system
that could provide a path for microbial
A review of the entire water system
including the following elements: water
9
-------�
contaminantsto enterthe distribution
system OR indicates an existing failure
or imminent failure in a protective
barrier (for example, treatment, well seal
or screen) that is already in place.
source, treatment, distribution system,
finished water storage, pump facilities
and controls, monitoring and reporting
and data verification, system
management and operation, and
operator compliance.
The Level 2 Assessment Process
After the Level 2 Assessment evaluation, the contractor sends EPA their draft report, and then EPA determines the final
Sanitary Defects and corrective actions. EPA finalizes the report and mails a paper copy via certified mail (except all
documents are emailed during the pandemic) to the Administrative Contact in the EPA database. A copy is also emailed to
the system's operator, owner, and legal entity, the Wyoming Department of Environmental Quality (WY DEQ), the
Wyoming Department of Agriculture, the Midwest Assistance Program (MAP), and the Wyoming Association of Rural
Water Systems (WARWS) for possible technical assistance. Some of the required corrective actions for the identified
sanitary defects may require a permit from WY DEQ. If a permit is required, it will be noted in the Corrective Actions
document.
The Level 2 Assessment Report Packet
There are potentially six parts to the Level 2 Assessment Packet:
Part 1: A cover letter with background information about the Level 2 Assessment, such as the triggering sample event
and important dates.
Part 2: A table of the Sanitary Defects found during the Assessment and the required and recommended corrective
actions and due dates proposed by the water system and those required by EPA.
Part 3: The finalized Level 2 Assessment Report that was completed with the contractor on site.
Part 4: Photos that were taken during the Level 2 Assessment to document any possible Sanitary Defects.
Part 5: A blank Sanitary Defect Correction Notice to be completed by the water system representative to document
the completed corrective actions taken and the dates each action was taken, indicating if photo documentation was
included. This must be submitted to EPA asthe corrective actions are completed.
Part 6 (Optional): Supplemental Documents like the Sample Siting Plan template or the Storage Tank Cleaning
Checklist.
How to Read the Level 2 Assessment Report Packet
Once you receive the Assessment packet, you should review each section. You should read through the Assessment
Report (Part 3) and look at the photos that are referenced (Part 4) for clarification of the issue. Then review the Sanitary
Defect corrective actions and due dates (Part 2) and make sure that you understand each requirement and due date. If you
cannot meet any of the due dates listed, it is your responsibility to notify EPA in writing BEFOREthe due date and request
an extension. In the written request you should identify a revised due date and a schedule of actions needed to meet the
requested due date, along with a justification as to why an extension is needed. Depending on the severity of the issue,
EPA may accept or negotiate a different due date.
10
-------�
FAILURE TO REQUEST AN EXTENSION OR MEET A DUE DATE WILL RESULT IN A VIOLATION
Everyone has the same goal when a Level 2 Assessment is triggered to ensure the water system gets back to serving water
free of bacteria. Communication with the EPA is the best way to reach that goal.
CYBER THREATS INCREASING AT SMALL COMMUNITY WATER PLANTS
On 5 February 2021, unidentified cyber actors obtained
unauthorized access, on two separate occasions,
approximately five hours apart, to the supervisory control
and data acquisition (SCADA) system used at a local
municipality's water treatment plant. The unidentified
actors accessed the SCADA system's software and altered
the amount of sodium hydroxide, a caustic chemical, used
as part of the water treatment process. Water treatment
plant personnel immediately noticed the change in dosing
amounts and corrected the issue before the SCADA
system's software detected the manipulation and alarmed
due to the unauthorized change. As a result, the water
treatment process remained unaffected and continued to
operate as normal.
The unidentified actors accessed the water treatment
plant's SCADA controls via remote access software,
TeamViewer, which was installed on one of several
computers the water treatment plant personnel used to
conduct system status checks and to respond to alarms or
any other issues that arose during the water treatment
process. All computers used by water plant personnel
were connected to the SCADA system and used the 32-bit
version of the Windows 7 operating system. Further, all
computers shared the same password for remote access
and appeared to be connected directly to the Internet
without any type of firewall protection installed.
Recommended Mitigation
Restrict all remote connections to SCADA
systems, specifically those that allow physical
control and manipulation of devices within the
SCADA network. One-way unidirectional
monitoring devices are recommended to monitor
SCADA systems remotely.
Install a firewall software/hardware appliance with
logging and ensure it is turned on. The firewall should
be secluded and not permitted to communicate with
unauthorized sources. Keep computers, devices, and
applications, including SCADA/industrial control
systems (ICS) software, patched and up to date.
Use two-factor authentication with strong passwords.
| nnn mon ntni n «
» Uu i i ui uu uiui u '.;, f; f
* If! n 1 1 1 innn
¦ - . jM u 1 1 1 1 uuu
fata, nr
'-"J
1JDD
U 1 iu uuuu UUU I
J*.iZSSUL ^ at 1 m, n nn 1 % n 1 nn ] f!! f!
4!" * r' y^u 1 uu iu uu 1 i u iuc- uiui u
WIIIII iin 3 ... _ ISO! _'iCS0 !0:!
! " 1 i-S ti- S
¦ m ¦ t i m 4 < t ft
Only use secure networks and consider installing a
virtual private network (VPN).
Implement an update and patch management cycle
Patch all systems for critical vulnerabilities, prioritizing
timely patching of Internet-connected systems for
known vulnerabilities and software processing
Internet data, such as Web browsers, browser plugins,
and document readers.
Additional EPA cybersecurity best practices for the water
sector can be found at the following link:
https://www.epa.aov/waterriskassessment/epa-
cvbersecuritv-best-practices-water-sector. Questions
about water security can be sent to Region 8 Water
Security Coordinator, Kyle St. Clair at
stclair. kvle(a)epa.qov.
11
-------�
THE IMPORTANCE OF BEST SAMPLE COLLECTION PRACTICES FOR CHEMICAL SAMPLING
Using best sample collection practices is imperative so
that a sample result istruly representative of the water
source and not a result of cross contamination with other
chemicals. This is especially important when conducting
sampling for inorganic and organic chemicals because
there are many consumer products in the marketplace
that can cross contaminate water samples if one is not
careful. It is also important to use best practices for
collecting samples so that the highest quality samples can
be evaluated by the laboratory.
The following recommended best practices are not
comprehensive, but they do help minimize the potential
for cross contamination of drinking water samples in the
field and ensure quality samples are provided to the
laboratory for analyses.
Make sure you do not handle chemicals before collecting
water samples.
Do not store chemicals like gasoline, pesticides, oils,
epoxies, or sealants nearthe sampling location(s).
Wash your hands with soap and water before
collecting water samples.
Collect samples in an area free of excessive dust,
debris, rain, snow, or other sources of contamination.
Check with the laboratory on how to collect samples,
noting any sample volumes and maximum holding
timesthat are required for analysis.
Ask the lab how to fill the bottles, since this wili
depend on what the water is being sampled for and
the method used for analysis. Plastic, clear glass,
and/or amber glass bottles will be used for chemical
sampling.
The type of cap on the sample bottles will depend
upon the chemical being sampled for and the
analytical method used by the laboratory. The
absence of headspace is required for collecting
samples in small glass bottles for volatile organic
analyses (VOA) because volatile chemicals evaporate
into the air. These bottles are commonly referred to as
VOA vials.
If the bottle contains a preservative, do not rinse the
bottle.
Wear gloves and eye protection when handling acids
and other preservatives.
Ship samples to the laboratory as instructed and as
soon asthey are collected. Delays in shipment may
necessitate re-sampling due to sample holding times
being exceeded during storage and shipment.
Complete the chain-of-custody form with all relevant
information, including the public water system
identification number, water system name, sample
collection date, and sample location(s). The sample
location should include a facility number and a sample
number (e.g. treatment plant sampling point
TP01/SP01). This ensures an accurate accounting of
where the sampling took place to provide EPA with
the information needed to monitor compliance with
the Safe Drinking Water Act.
Please contact Kendra Morrison with any questions at
(303) 312-6145 or morrison..kendra(a)epa.qov
COMMUNITY WATER SYSTEMS SERVING OVER 3,300 PEOPLE MUST COMPLETE A RISK AND RESILIENCE
ASSESSMENT AND EMERGENCY RESPONSE PLAN TO COMPLY WITH AMERICA'S WATER INFRASTRUCTURE ACT
Charlene Kormondy, Water Security Division, United States Environmental Protection Agency
Natural hazards (e.g., floods, hurricanes) and malevolent acts (e.g., cyberattacks, contamination) may pose risks to
community water systems (CWSs) and their ability to provide safe and reliable drinking water, it is important for CWSs to
understand their risks and to have a plan on how to mitigate these risks and respond to an emergency. Enacted in 2018,
12
-------�
America's Water Infrastructure Act (AWIA) requires CWSs that serve more than 3,300 people to develop or update risk and
resilience assessments and emergency response plans.
Compliance deadlines depend on the system size. The deadlines for systems serving 100,000 people or more have already
passed. The remaining deadlines are:
System Size
Risk and Resilience
Assessment
Emergency Response Plan
If serving 50,000 to 99,999 people
December 31, 2020
June 30, 2021
If serving 3,301 to 49,999 people
June 30, 2021
December 30, 2021
In order to comply, each utility must submit a certification of its risk and resilience assessment and emergency response
plan to the United States Environmental Protection Agency. There are three options for submitting this certification: a
user-friendly secure online portal, email, or regular mail.
Risk and resilience assessments evaluate the vulnerabilities, threats and consequences from potential hazards. These
assessments must include: natural hazards and malevolent acts (i.e., all hazards); resilience of water facility infrastructure
(including pipes, physical barriers, water sources and collection, treatment, storage and distribution, and electronic,
computer and other automated systems); monitoring practices; financial systems (e.g., billing systems); chemical storage
and handling; and operation and maintenance.
Emergency response plans must include: strategies and resources to improve resilience, including physical security and
cybersecurity; plans and procedures for responding to a natural hazard or malevolent act that threatens safe drinking
water; actions and equipment to lessen the impact of a malevolent act or natural hazard, including alternative water
sources, relocating intakes and flood protection barriers; and strategies to detect malevolent acts or natural hazards that
threaten the system.
After the initial compliance deadlines, each CWS serving more than 3,300 people must review its risk and resilience
assessment and emergency response plan at least once every five years to determine if they should be revised. Upon
completion of such a review, the system must submit to EPA a certification that it has reviewed its risk and resilience
assessment and emergency response plan and revised them, if applicable.
If CWSs need help meeting these requirements, EPA has several tools available to help systems develop their risk and
resilience assessments and emergency response plans. EPA does not require water systems to use these or any designated
standards, methods, or tools to conduct the risk and resilience assessments or to prepare the emergency response plans.
Rather, these tools are provided as optional support during the process:
Baseline Information on Malevolent Acts for Community Water Systems: The information in this document can help
systems identify and assess the likelihood of malevolent acts occurring at their water system as part of their risk and
resilience assessment.
Vulnerability Self-Assessment Tool (VSAT 2.0): VSAT 2.0 is a user-friendly tool that can help drinking water utilities of all
sizes conduct a risk and resilience assessment.
Small System Risk and Resilience Assessment Checklist: This guidance is intended for small CWSs serving greater than
3,300 but less than 50,000 people to comply with the requirements for risk and resilience assessments.
Emergency Response Plan Guidance: This template and instructions will assist water utilities with developing or
updating an emergency response plan in accordance with AWIA.
13
-------�
How to Certify Your Risk and Resilience Assessment or Emergency Response Plan: This webpaqe explains the three
options available to CWSs for submitting certification statements, including a training video on the electronic
certification option.
Additionally, EPA has collected some lessons learned as systems develop their risk and resilience assessments and
emergency response plans:
Pre-assessment (e.g., gathering information and having meetings with key personnel like human resources, billing, safety
operations, etc.) can help to streamline the process.
List assets that are critical (i.e., will cause economic or health problems for those served).
Use an existing resource to help present the analysis, such as EPA's Small System Risk and Resilience Assessment
Checklist.
There is a free virtual workshop to help CWSs learn more about the requirements of AWIAfrom March 9 - March 11, 2021.
This workshop contains 3 modules that participants may register for individually. Please register at
https://www.epa.aov/waterresilience/americas-water-infrastructure-act-risk-assessments-and-emeraencv-response-
plans#TNG.
Module 1 - Section 2013 Requirements, Certification, & Section 2018 Basics
Module 2 - Risk and Resilience Assessments: Malevolent Acts, Natural Hazards, and the Small Systems Checklist
Module 3 - Emergency Response Plan Template and Guidance
For more information on the AWIA Section 2013 requirements, visit https://www.epa.gov/waterresilience/americas-water-
infrastructure-act-risk-assessments-and-emergency-response-plans. Questions about the requirements can be sent to
dwresilience@epa.gov or Region 8 Water Security Coordinator, Kyle St. Clair at stclair.kyle@epa.gov
14
-------� |