View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

EPA/OW RIN: 2040-AG20 Publication ID: Fall 2021 
Title: ●Cybersecurity in Public Water Systems 

EPA is evaluating regulatory approaches to ensure improved cybersecurity at public water systems. EPA plans to offer separate guidance, training, and technical assistance to states and public water systems on cybersecurity. This action will provide regulatory clarity and certainty and promote the adoption of cybersecurity measures by public water systems.

Agency: Environmental Protection Agency(EPA)  Priority: Other Significant 
RIN Status: First time published in the Unified Agenda Agenda Stage of Rulemaking: Final Rule Stage 
Major: No  Unfunded Mandates: No 
CFR Citation: 40 CFR 142.16    40 CFR 142.2   
Legal Authority: 5 U.S.C. 553(b)(3)(A)   
Legal Deadline:  None

Statement of Need:

A cyber-attack can degrade the ability of a public water system to produce and distribute safe drinking water. The risk of a cyber-attack can be reduced through the adoption of cybersecurity best practices by public water systems. Sanitary surveys, which states, tribes, or the EPA typically conduct every 3 to 5 years on all public water systems, should include an evaluation of cybersecurity to identify significant deficiencies. EPA recognizes, however, that many states currently do not assess cybersecurity practices during public water system sanitary surveys. This action is necessary to convey to states that EPA interprets existing regulations for public water system sanitary surveys as including the possible identification of significant deficiencies in cybersecurity practices.

Summary of the Legal Basis:

The Administrative Procedure Act exempts interpretive rules from its notice and comment requirements. 5 U.S.C. section 553(b)(3)(A). The term is not defined in the APA, but the Attorney General’s Manual on the APA, often considered to be akin to legislative history, describes them as “rules or statements issued by an agency to advise the public of the agency’s construction of the statutes and rules which it administers.”


Provide guidance to states, tribes, and EPA on evaluating cybersecurity practices during public water system sanitary surveys without issuing an interpretive rule.

Anticipated Costs and Benefits:

This action is an interpretation of existing responsibilities under current regulations. It establishes no new regulatory requirements and, hence, has no regulatory costs or benefits.


The purpose of this action is to reduce the risks associated with cyber-attacks on public water systems. Because this action is not establishing new regulatory requirements, EPA has not quantified costs and benefits for it. Accordingly, EPA has not estimated the current level of risk or the possible reduction in risk due to this action.

Action Date FR Cite
Final Rule  04/00/2022 
Additional Information: .
Regulatory Flexibility Analysis Required: No  Government Levels Affected: Undetermined 
Federalism: No 
Included in the Regulatory Plan: Yes 
Sectors Affected: 924110 Administration of Air and Water Resource and Solid Waste Management Programs 
RIN Data Printed in the FR: No 
Agency Contact:
Stephanie Flaharty
Environmental Protection Agency
Office of Water
4601M, 1200 Pennsylvania Avenue NW,
Washington, DC 20460
Phone:202 564-5072