Cybersecurity Assessments
Learn about cybersecurity assessment resources available for drinking water and wastewater systems.
On this page:
- Addressing Cybersecurity in your America’s Water Infrastructure Act Emergency Response Plan
- Cybersecurity Risk Self-Assessment Resources
- Cybersecurity Risk Third-Party Assessment Resources
- Cybersecurity Vulnerability Assessment Resources
- Technical Assistance
Addressing Cybersecurity in your America’s Water Infrastructure Act Risk and Resilience Assessment
America’s Water Infrastructure Act (AWIA) Section 2013 requires community water systems (CWS) serving more than 3,300 people to prepare or revise risk and resilience assessments (RRAs) and certify to EPA that this work has been completed. AWIA Section 2013(a) states that the RRA must include “electronic, computer, or other automated systems (including the security of such systems),” otherwise known as cybersecurity. Therefore, a cybersecurity assessment must be included in the required RRA. EPA provides the free resources to described above to support utilities in conducting a cybersecurity assessment, from a third-party option where a contractor conducts the assessment, using EPA’s Water Sector Evaluation Program to a do-it-yourself option, using the free Water Cybersecurity Assessment Tool.
Resources to Conduct Cybersecurity Assessments
Cybersecurity Risk Self-Assessment Resources
- Assessing if a Water & Wastewater System has Operational Technology (pdf)
- EPA: Water Cybersecurity Assessment Tool and Risk Mitigation Template (xlsx)
- EPA: Cybersecurity Checklist in Appendix A of Guidance Document (pdf)
- CISA: Cyber Resilience Review
- CISA: Cross-Sector Cybersecurity Performance Goals
- CISA: Cybersecurity Evaluation Tool
- NIST: AXIO Cybersecurity Program Assessment Tool
- Risk Assessment Method
- Critical Security Controls
Cybersecurity Risk Third-Party Assessment Resources
Cybersecurity Vulnerability Assessment Resources
Technical Assistance
Sign Up for Cybersecurity Technical Assistance: Primacy agencies, drinking water and wastewater systems, circuit riders, and technical assistance providers can submit a question and/or a request for consultation regarding cybersecurity.