To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector.
- Bill Number
- H.R. 2594
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Environmental Protection
- Status
- Introduced
- Latest Action
- 2025-04-02: Referred to the Committee on Transportation and Infrastructure, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- Last Updated
- 2025-09-05T08:06:09Z
AI-Generated Summary
Purpose of the Legislation
This bill, H.R. 2594, aims to create a specialized organization to establish cybersecurity standards for larger public water systems in the United States. The goal is to improve the water sector's ability to prevent, withstand, and recover from cyber threats that could disrupt clean water delivery, ensuring safer and more reliable water services.
Key Provisions
- Definitions:
- Covered water system: Public community water systems or wastewater treatment facilities serving 3,300 or more people (based on existing laws like the Safe Drinking Water Act and Federal Water Pollution Control Act).
- Cyber resilient: The capacity of these systems to anticipate, absorb, adapt to, or quickly recover from cyber disruptions.
- Cybersecurity incident: A malicious or suspicious event targeting electronic devices, networks, hardware, software, or data essential to water operations.
- Cybersecurity risk and resilience requirement: Standards for secure operations and design of water systems, including upgrades.
- Establishment and Certification of the Water Risk and Resilience Organization (WRRO):
- The Environmental Protection Agency (EPA) Administrator must issue a final rule within 270 days of enactment to select and certify one nonprofit organization as the WRRO.
- Certification requires the organization to have technical expertise in water operations, experience from water system owners/operators, ability to create effective standards, secure handling of sensitive information, independence from water utilities, fair fee structures, and due process in decision-making (e.g., public comment periods).
- Development and Approval of Standards:
- The WRRO proposes cybersecurity standards and implementation plans (with phased timelines and reasonable deadlines for compliance).
- The EPA approves standards if they are fair, reasonable, and non-discriminatory, deferring to the WRRO's technical expertise.
- If disapproved, the EPA remands with specific fixes within 90 days; the WRRO can revise, explain rejection, or withdraw.
- The EPA can direct the WRRO to address gaps in existing standards.
- Conflicts with other EPA rules are resolved through EPA processes, with ongoing compliance required until changes are approved.
- Monitoring and Assessment:
- The WRRO conducts ongoing reviews, including annual self-reports from water systems and third-party audits every 5 years.
- Annual aggregated (non-sensitive) reports to the EPA on compliance and effectiveness.
- Enforcement:
- The WRRO can penalize non-compliant water systems up to $25,000 per day after notice, consultation, and a hearing (with legal representation allowed).
- Penalties take effect 31 days after filing with the EPA; funds support WRRO training.
- No other penalties under law for these violations; EPA reviews penalties within 30 days, with options to affirm, modify, or stay them, using expedited processes.
- Other Elements:
- The WRRO is independent (not a government entity) and cannot create binding standards beyond this bill.
- States retain authority over water safety unless it conflicts with approved standards.
- Authorizes $10 million for the WRRO, available until spent.
Significant Changes to Existing Law
- Introduces a new, industry-led framework for mandatory cybersecurity standards in the water sector, building on but not altering core definitions from the Safe Drinking Water Act (1974) and Clean Water Act (1972).
- Shifts standard-setting from direct federal regulation to an EPA-certified private organization, with EPA approval as a check—unlike purely voluntary or agency-driven guidelines in current cybersecurity policies for critical infrastructure.
- Adds enforcement powers to a non-governmental body (with EPA oversight), replacing or limiting other potential penalties to avoid overlap.
- No broad preemption of state laws, but creates a federal backstop for cybersecurity consistency.
Potential Impacts
- Government Agencies: The EPA gains a supervisory role in certifying the WRRO, approving standards, resolving conflicts, and reviewing penalties, potentially increasing workload but leveraging private expertise to reduce direct federal involvement.
- Citizens: Enhances protection of public water supplies from cyber attacks (e.g., hacks disrupting treatment or distribution), reducing risks of contamination or shortages for over 3,300-person communities; may indirectly raise water costs via compliance fees.
- International Relations: No direct impacts mentioned, though stronger U.S. water cybersecurity could indirectly support global infrastructure resilience discussions (e.g., in forums like the UN or bilateral agreements).
Main Stakeholders Affected
- Covered Water Systems: Owners and operators (e.g., municipal utilities, wastewater plants serving 3,300+ people) must comply with new standards, undergo assessments, and face potential penalties—impacting thousands of facilities nationwide.
- Water Risk and Resilience Organization (WRRO): The certified entity bears responsibility for standard development, monitoring, enforcement, and self-funding through fees.
- Environmental Protection Agency (EPA): Oversees certification, approvals, and enforcement reviews, acting as a gatekeeper.
- States and Local Governments: Retain primary water oversight but must align with federal standards if conflicts arise; smaller systems (under 3,300 people) are unaffected.
- Water Industry Members: Experts, owners, and operators contribute to WRRO governance, balancing representation for fair decision-making.
Notable Legal, Constitutional, or Political Implications
- Legal: Emphasizes due process (notice, hearings, EPA review) in enforcement, aligning with administrative law principles; limits penalties to prevent double jeopardy under other statutes. The WRRO's independence avoids direct federal liability but requires robust conflict-resolution processes to ensure standards don't unlawfully burden utilities.
- Constitutional: Supports public welfare by securing critical infrastructure (a federal interest under the Commerce Clause), while preserving state powers (10th Amendment) through non-preemptive language. Enforcement procedures include hearing rights, safeguarding against arbitrary penalties (5th and 14th Amendments).
- Political: Promotes a public-private partnership model for infrastructure security, potentially appealing across parties by minimizing bureaucracy; could spark debates on federal vs. state roles or costs to ratepayers, but focuses neutrally on cyber threats without partisan framing. The $10 million authorization signals modest initial investment in national resilience.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Rep. Crawford, Eric A. "Rick" [R-AR-1]
Cosponsors (3)
Rep. Bresnahan, Robert [R-PA-8], Rep. Finstad, Brad [R-MN-1], Rep. Vindman, Eugene Simon [D-VA-7]
Recent Actions
- 2025-04-02: Referred to the Committee on Transportation and Infrastructure, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-04-02: Referred to the Committee on Transportation and Infrastructure, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-04-02: Referred to the Subcommittee on Water Resources and Environment.
- 2025-04-02: Introduced in House
- 2025-04-02: Introduced in House
Bill Versions
- To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector. — issued 2025-04-02 — PDF (18 pages)