2040-AG20 202110 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 2040 Office of Water OW 2000 Environmental Protection Agency EPA Cybersecurity in Public Water Systems

EPA is evaluating regulatory approaches to ensure improved cybersecurity at public water systems. EPA plans to offer separate guidance, training, and technical assistance to states and public water systems on cybersecurity. This action will provide regulatory clarity and certainty and promote the adoption of cybersecurity measures by public water systems.

]]> Other Significant First Time Published in The Unified Agenda Final Rule Stage No No 40 CFR 142.16 40 CFR 142.2 5 U.S.C. 553(b)(3)(A) Yes

A cyber-attack can degrade the ability of a public water system to produce and distribute safe drinking water. The risk of a cyber-attack can be reduced through the adoption of cybersecurity best practices by public water systems. Sanitary surveys, which states, tribes, or the EPA typically conduct every 3 to 5 years on all public water systems, should include an evaluation of cybersecurity to identify significant deficiencies. EPA recognizes, however, that many states currently do not assess cybersecurity practices during public water system sanitary surveys. This action is necessary to convey to states that EPA interprets existing regulations for public water system sanitary surveys as including the possible identification of significant deficiencies in cybersecurity practices.

]]>

The Administrative Procedure Act exempts interpretive rules from its notice and comment requirements. 5 U.S.C. section 553(b)(3)(A). The term is not defined in the APA, but the Attorney General’s Manual on the APA, often considered to be akin to legislative history, describes them as “rules or statements issued by an agency to advise the public of the agency’s construction of the statutes and rules which it administers.”

]]>

Provide guidance to states, tribes, and EPA on evaluating cybersecurity practices during public water system sanitary surveys without issuing an interpretive rule.

]]>

This action is an interpretation of existing responsibilities under current regulations. It establishes no new regulatory requirements and, hence, has no regulatory costs or benefits.

]]>

The purpose of this action is to reduce the risks associated with cyber-attacks on public water systems. Because this action is not establishing new regulatory requirements, EPA has not quantified costs and benefits for it. Accordingly, EPA has not estimated the current level of risk or the possible reduction in risk due to this action.

]]> Final Rule 04/00/2022 . No Undetermined No No 924110 Administration of Air and Water Resource and Solid Waste Management Programs No No Stephanie Flaharty 2040 Office of Water OW 202 564-5072 flaharty.stephanie@epa.gov 4601M, 1200 Pennsylvania Avenue NW, Washington DC 20460