Water Utilities: Congress Temporarily Extends Cyber Laws, EPA Releases New Guidance

11.19.2025
Nossaman eAlert

Executive Summary

On November 12, 2025, President Trump signed a bipartisan funding package that officially reopened the federal government after a six-week shutdown and temporarily reinstated two major cybersecurity authorities that expired on September 30: the Cybersecurity Information Sharing Act of 2015 (CISA Act) and the State and Local Cybersecurity Grant Program (SLCGP). Both authorities are extended through January 30, 2026. The reinstatement restores liability protections, reestablishes real-time cyber threat information sharing and ensures continued access to federal cybersecurity funding, key tools for drinking water and wastewater utilities.

These actions follow the U.S. Environmental Protection Agency’s (EPA) October 23, 2025, announcement of an updated suite of cybersecurity and emergency planning tools, including a revised Emergency Response Plan (ERP) guide, a Cybersecurity Incident Response Plan (CIRP) template, incident-specific checklists and a cybersecurity procurement checklist. EPA’s rollout coincides with heightened concern about increasingly sophisticated nation-state and criminal cyber threats targeting water systems.

Together, these federal developments create a meaningful window for utilities to strengthen cybersecurity readiness, update ERPs and reengage with federal and state technical assistance programs.

Federal Government Reopens and Two Cyber Laws Reinstated

The November 12 House passage of the funding package to reopen the federal government followed a procedural vote on November 9 and Senate passage on November 10. President Trump signed the legislation that evening, officially ending the six-week shutdown. It also temporarily reinstated two key cybersecurity authorities that expired on September 30:

  • CISA Act – Restores legal and liability protections for entities that voluntarily share cyber threat indicators with the federal government and reestablishes two-way, real-time information sharing between industry and federal agencies.
  • SLCGP – Continues formula-based funding to state, local, tribal and territorial governments to support cybersecurity planning, coordination and resilience. Many states use these funds to assist smaller water and wastewater utilities.

Both extensions received bipartisan support and were praised across critical infrastructure sectors. Their reinstatement aligns closely with EPA’s recently released cyber tools, enabling utilities to update vulnerability assessments and ERPs as federal operations resume.

EPA Announcement

On October 23, 2025, EPA released an updated package of resources to help drinking water and wastewater utilities strengthen cybersecurity and emergency preparedness. The tools emphasize updating risk and resilience assessments to incorporate cyber vulnerabilities and integrating those findings into modernized emergency response plans.

This initiative is part of the EPA’s broader “Powering the Great American Comeback” strategy and builds on the agency’s August 2025 announcement of over $9 million in grant funding for midsize and large water systems. The funding aims to bolster cybersecurity defenses and improve resilience against extreme weather events.

EPA’s new guidelines emphasize a two-pronged approach: updating risk and resilience assessments to include cybersecurity threats and incorporating findings into updated ERPs. Key actions include reducing internet exposure, changing default passwords, performing regular cybersecurity assessments and developing manual operation procedures for automated systems. Additionally, guidance focuses on securing Human-Machine Interfaces, completing asset inventories and conducting regular training and exercises. 

Cybersecurity Preparedness

  • Risk and resilience assessments: Water systems serving over 3,300 people must assess their risks, including cybersecurity vulnerabilities and incorporate the findings into their ERPs.
  • Internet exposure: Reduce public-facing internet exposure and secure all physical ports (like USB) to prevent unauthorized connections.
  • Password and authentication practices: Replace default passwords and implement multi-factor authentication where possible.
  • Asset inventory: Conduct and maintain an inventory of all Operational Technology (OT) and Information Technology (IT) assets to better understand the system's components and vulnerabilities.
  • Vendor security: Use the Cybersecurity Procurement Evaluation Checklist to assess the cybersecurity practices of vendors and service providers. 

Emergency Response Plan (ERP) Integration

  • Develop specific protocols: The ERP should include strategies to prepare for, respond to and recover from cyber incidents.
  • Manual operations: Establish and test documented procedures for manual operations in case automated systems are compromised by a cyberattack.
  • Incident response checklists: Use tools like the Water and Wastewater Systems Cybersecurity Incident Response Plan Template to structure your plan.
  • Regular exercises: Conduct regular exercises, like tabletop scenarios, to test the effectiveness of your ERP and train staff on response protocols. 

Additional Guidance

  • Leadership and training: Appoint an executive to oversee cyber risk, provide regular updates to leadership and ensure operators receive cyber training.
  • Incident planning: Coordinate with the EPA and the Cybersecurity and Infrastructure Security Agency (CISA) to exercise incident response plans.
  • Third-party assessment: Schedule a professional cybersecurity assessment to identify gaps and develop a mitigation plan.
  • Resource and funding: The EPA has released guidance documents, templates and has grant programs to help utilities improve their resilience and cybersecurity. 

Background and Sector Vulnerabilities

Recent cyber incidents highlight increasing attempts to compromise water utility networks, manipulate chemical dosing systems and disrupt operations. A 2024 GAO report (GAO-24-106744) found nearly 170,000 U.S. water systems face cyber risks and a 2024 EPA Inspector General report (25-N-0004) identified critical or high-severity vulnerabilities in 97 drinking water systems serving 27 million people. Key challenges include outdated software, unsupported operating systems, inadequate network segmentation and limited monitoring capacity.

Smaller and resource-constrained utilities continue to face staffing shortages, aging infrastructure and administrative challenges that hinder adoption of cybersecurity best practices even when new resources are available at no cost.

EPA’s Role and Limitations

EPA leads federal water sector cybersecurity efforts but lacks explicit statutory authority to mandate cybersecurity measures. As a result, the agency relies primarily on voluntary engagement, technical assistance and coordination with DHS’s CISA, state agencies and sector partners. While reinstatement of the CISA Act restores stability to threat-sharing activities through January 30, 2026, ongoing improvements in internal monitoring and response capacity remain critical for utilities.

Additional Recommendations and Next Steps

Given the evolving landscape, it is more important than ever for water utilities to proactively examine their emergency response plans, reassess vulnerabilities and prepare for both cyber and physical threats. In addition to the tools provided by the EPA, to further strengthen preparedness and resilience, water utilities should also consider the following actions:

  • Align emergency response plans with federal, state and local requirements and test them through realistic threat scenarios.
  • Strengthen regional partnerships with emergency management, public health and neighboring utilities, including shared services and mutual aid models.
  • Review and update insurance policies to ensure adequate cyber incident coverage.
  • Integrate cybersecurity, emergency power and climate resilience into capital planning.
  • Pursue federal and state funding, including SRF programs, FEMA grants and congressional community project funding.
  • Monitor legislative and regulatory developments and engage with policymakers and agency partners to provide input during comment periods, shape water sector priorities, advocate for resource availability and build durable relationships.

How External Partners Can Help

Seasoned advisors can help utilities strengthen compliance, secure funding and accelerate capital and resilience initiatives. This includes identifying federal financing opportunities, preparing competitive grant applications, drafting legislative and report language, navigating federal and state requirements and supporting procurement, contracting and project delivery.

Twitter/X Facebook LinkedIn PDF
Jump to Page

We use cookies on this website to improve functionality, enhance performance, analyze website traffic and to enable social media features. To learn more, please see our Privacy Policy and our Terms & Conditions for additional detail.