Water Infrastructure Security

Security Camera

Vulnerability Assessment

Presidential Decision Directive 63 (PDD 63), issued on May 22, 1998, identified eight critical infrastructures to the United States. The water infrastructure was one of the original eight. Water infrastructure includes both the drinking water and wastewater industries. It called for “…vulnerability assessments…for each sector of the economy and each sector of the government that might be a target of infrastructure attack intended to significantly damage the United States…”, and “…within both the government and the private sector to sensitize people to the importance of security and to train them in security standards…”

The US Congress reinforced the concern for the water infrastructure when it passed Title IV, PL 107-188, The Public Health, Security, and Bioterrorism Preparedness and Response Act (Bioterrorism Act) amending the Safe Drinking Water Act (SDWA). The SDWA now requires community waterworks serving populations over 3,300 to conduct vulnerability assessments. Small systems (serving populations between 3,300 and 49,999) have until June 30, 2004, and medium systems (populations between 50,000 and 99,999) have until December 31, 2003, to complete vulnerability assessments. Large drinking water systems serving populations over 100,000 had until March 31, 2003, to submit their vulnerability assessments to the United States Environmental Protection Agency (USEPA). Within six months of submitting the vulnerability assessment, waterworks have six months to revise or complete an emergency response plan.

Congress dictated that outside of the waterworks, only selected personnel at USEPA Headquarters will have access to a water system’s vulnerability assessment. Vulnerability assessments are excluded from the provisions of the Freedom of Information Act (FOIA).

Requirements under the Bioterrorism Act of 2002 for Community Water Systems

Public Health Security and Bioterrorism Preparedness and Response Act of 2002

The Safe Drinking Water Act

To help with the requirements of the amended SDWA, guidance and tools have been provided to the waterworks industry. Some of the more useful ones are provided below:

Vulnerability Assessment Tools

Vulnerability Assessment Fact Sheet (PDF, 108K) An eight page fact sheet developed by USEPA to highlight the requirements for vulnerability assessments.

Small Systems Vulnerability Self Assessment Guide (PDF, 160K) Recommended for community systems serving populations under 3,300. A checklist jointly developed by ASDWA and NRWA.

Security Vulnerability Self-Assessment Guide for Small Drinking Water Systems Serving Populations of 3,300 and 10,000 – A new vulnerability assessment guide targeted at community drinking water systems serving between 3,300 and 10,000 people is now available and is designed to help these systems complete vulnerability assessments required Bioterrorism Act. The updated guide was developed by ASDWA and NRWA to meet the basic requirements of a vulnerability assessment and will help small drinking water systems assess their critical components and identify security measures that should be implemented.

Instructions to Assist Community Water Systems in Complying with The Public Health Security and Bioterrorism Preparedness and Response Act, Title IV (PDF, 236KB) – Describes how to comply with respect to the certification and submission of vulnerability assessments to the USEPA and certification to EPA of completion of Emergency Response Plans.

A Utility Guide for Security Decision Making [PDF]  (missing)- A flow diagram and recommendations developed by ASDWA and NRWA to assist drinking water systems of all sizes to prepare, evaluate, and respond to security-related incidents.

AMSA Releases Two New Vulnerability Assessment Software Tools – In January 2003, the Association of Metropolitan Sewerage Agencies (AMSA) released two new Vulnerability Self Assessment Tools (VSAT™, one for joint water/wastewater utilities and another for small-medium sized water utilities. VSAT™ water/wastewater provides the valuable online vulnerability assessment capabilities to utilities providing both wastewater treatment and water supply services. Its new counterpart, VSAT™ water, will do the same for both public and private water utilities. These new software tools, developed by AMSA via a cooperative agreement with the USEPA, provide a user-friendly approach to evaluate, prioritize and reduce vulnerabilities based upon five critical utility asset categories. To order either of these new software tools, visit the VSAT™ user site at www.vsatusers.net.


Emergency Response Tools

Model Emergency Response Guidelines (PDF, 96K) – This document provides uniform response, recovery and remediation guidance for water utility actions in response to man-made and/or technological emergencies. The guidance was developed as an initiative of the Water Protection Task Force with input from water utilities and associations, EPA Regions, EPA Office of Water and other federal agencies. The intent of this guidance is to provide the minimum actions that EPA recommends be carried out by a water utility for the events described.



Virginia Water and Wastewater Response Network (VA WARN)

Virginia Water and Wastewater Response Network (VA WARN) is a network of water utilities providing mutual aid to each other to respond to and recover from emergencies. The Virginia Section American Water Works Association and the Virginia Water Environment Association sponsor VBA WARN. VA WARN differs from the Statewide Mutual Aid Program (SMA) as WARN agreements do not require a declaration of an emergency by the Governor. The Virginia SMA does not cover private utilities, but VA WARN agreements do. This means that WARN members can receive emergency assistance any time for any type of emergency. Interested? Visit the VA WARN web site at www.vawarn.org.


National Incident Management System Compliance Tool Available

Homeland Security Presidential Directive 5, “Management of Domestic Incidents”, requires that states, territories, local jurisdictions and tribal entities adopt the National Incident Management System (NIMS). NIMS enables responders from a variety of jurisdictions and disciplines to work together effectively when responding to an emergency. The private sector, including water and wastewater treatment systems, also plays a vital role in NIMS. The implementation of the NIMS creates a baseline capability that, once established, will be the foundation for the nation�s prevention, preparedness, response, and recovery strategies.

The Federal Emergency Management Agency (FEMA) is charged with maintaining and supporting the National Incident Management System. As part of their efforts, FEMA releases compliance objectives and metrics for each fiscal year and updates information on what FEMA is requiring for NIMS compliance.
One of the reasons for becoming NIMS compliant is that federal preparedness funding requires the recipient to be NIMS compliant. Additional benefits of NIMS compliance include:

  • Strengthened response capabilities by following a nationally adopted, standard practice for emergency response
  • Improved mobilization, deployment, utilization, tracking, and demobilization of needed resources
  • Established protocols for improved communication with other levels of response
  • Reduced time delay to access mutual aid/assistance

In order to help determine whether an entity is NIMS compliant, FEMA has developed a tool called NIMSCAST. NIMSCAST is an online tool that guides the user through a series of questions related to the NIMS compliance metrics. Based on the answers to the questions the user receives a report describing the elements of NIMS compliance that are fulfilled and which ones require additional action.

Specific information about what is required for 2009 NIMS Compliance can be found on the FEMA web site:http://www.fema.gov/pdf/emergency/nims/FY2009_NIMS_Implementation_Chart.pdf. FEMA recommendations for private sector NIMS compliance activities can be found on the FEMA web site:http://www.fema.gov/pdf/emergency/nims/ps_fs.pdf