US Congress 2025 2025-2026 Regular Session

US Congress House Bill HB2594 Introduced / Bill

Filed 04/08/2025

119TH CONGRESS
1ST SESSION
H. R. 2594

To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector.

IN THE HOUSE OF REPRESENTATIVES
APRIL 2, 2025

Mr. CRAWFORD introduced the following bill; which was referred to the Committee on Transportation and Infrastructure, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. WATER RISK AND RESILIENCE ORGANIZATION.
(a) DEFINITIONS.—In this section:
(1) ADMINISTRATOR.—The term “Administrator” means the Administrator of the Environmental Protection Agency.
(2) COVERED WATER SYSTEM.—The term “covered water system” means—
(A) a community water system (as defined in section 1401 of the Safe Drinking Water Act (42 U.S.C. 300f)) that serves a population of 3,300 or more persons; or
(B) a treatment works (as defined in section 212 of the Federal Water Pollution Control Act (33 U.S.C. 1292)) that serves a population of 3,300 or more persons.
(3) CYBER RESILIENT.—
(A) IN GENERAL.—The term “cyber resilient” means the ability of a covered water system to withstand or reduce the magnitude or duration of cybersecurity incidents that disrupt the ability of the covered water system to function normally.
(B) INCLUSION.—The term “cyber resilient” includes the ability of a covered water system to anticipate, absorb, adapt to, or rapidly recover from cybersecurity incidents.
(4) CYBERSECURITY INCIDENT.—The term “cybersecurity incident” means a malicious act or suspicious event that disrupts, or attempts to disrupt, the operation of programmable electronic devices and communication networks, including hardware, software, and data that are essential to the cyber resilient operation of a covered water system.
(5) CYBERSECURITY RISK AND RESILIENCE REQUIREMENT.—The term “cybersecurity risk and resilience requirement” means a requirement that provides for the cyber resilient operation of a covered water system and the cyber resilient design of planned additions or modifications to a covered water system.
(6) WATER RISK AND RESILIENCE ORGANIZATION; WRRO.—The terms “Water Risk and Resilience Organization” and “WRRO” mean the organization certified by the Administrator under subsection (c).
(b) APPLICABILITY.—Not later than 270 days after the date of enactment of this Act, the Administrator shall issue a final rule to carry out this section, including regulations for the selection and certification of the WRRO under subsection (c).
(c) CERTIFICATION.—
(1) IN GENERAL.—Following the issuance of the final rule under subsection (b)(1), any organization may submit an application to the Administrator, at such time, in such manner, and containing such information as the Administrator may require, for certification as the Water Risk and Resilience Organization.
(2) REQUIREMENTS.—The Administrator shall certify not more than 1 organization that submitted an application under paragraph (1) as the Water Risk and Resilience Organization if the Administrator determines that the organization—
(A) demonstrates advanced technical knowledge and expertise in the operations of covered water systems;
(B) is comprised of 1 or more members with relevant experience as owners or operators of covered water systems;
(C) has demonstrated the ability to develop and implement cybersecurity risk and resilience requirements that provide for an adequate level of cybersecurity risk and resilience for a covered water system;
(D) is capable of establishing measures, in line with prevailing best practices, to secure sensitive information and to protect sensitive security information from public disclosure; and
(E) has established rules that—
(i) require that the organization be independent of the users, owners, and operators of a covered water system, with balanced and objective stakeholder representation in the selection of directors of the organization and balanced decision making in any committee or subordinate organizational structure;
(ii) require that the organization allocate reasonable dues, fees, and other charges among end-users for all activities under this section;
(iii) provide just and reasonable procedures for enforcement of cybersecurity risk and resilience requirements and the imposition of penalties in accordance with subsection (f), including limitations on activities, functions, or operations, or other appropriate sanctions; and
(iv) provides for reasonable notice and opportunity for public comment, due process, openness, and balancing of interests in developing cybersecurity risk and resilience requirements and otherwise exercising duties described in this section.
(d) CYBERSECURITY RISK AND RESILIENCE REQUIREMENTS.—
(1) IN GENERAL.—
(A) PROPOSED REQUIREMENTS.—The WRRO shall file with the Administrator each cybersecurity risk and resilience requirement or modification to such a requirement that the WRRO proposes to be made effective under this section.
(B) IMPLEMENTATION PLAN.—
(i) IN GENERAL.—For each proposed cybersecurity risk and resilience requirement or modification to such a requirement filed pursuant to subparagraph (A), the WRRO shall file an implementation plan, including the schedule for implementation, which may include a specified date, by which covered water systems shall achieve compliance with all of the cybersecurity risk and resilience requirement or modification to such a requirement. The implementation schedule may account for a phased rollout of the requirement, recognizing that the requirement may not apply, in totality, to all covered water systems.
(ii) REASONABLE DEADLINES.—The enforcement date proposed by the WRRO in the implementation plan under clause (i) shall provide a reasonable implementation period for covered water systems to meet the requirements under the implementation plan.
(2) APPROVAL.—
(A) IN GENERAL.—Notwithstanding paragraph (3)(A), the Administrator shall approve a proposed cybersecurity risk and resilience requirement or modification to such a requirement, including the accompanying implementation plan filed under paragraph (1), if the Administrator determines that the requirement is just, reasonable, and not unduly discriminatory or preferential.
(B) DEFERENCE TO WRRO.—The Administrator shall defer to the technical expertise of the WRRO with respect to the content of a proposed cybersecurity risk and resilience requirement or modification to such a requirement.
(3) DISAPPROVAL OF REQUIREMENT.—
(A) IN GENERAL.—Notwithstanding paragraph (2)(A), if the Administrator disapproves, in whole or in part, a filed cybersecurity risk and resilience requirement or modification to such a requirement, the Administrator shall remand such requirement to the WRRO and provide to the WRRO specific recommendations that would lead to the approval of the cybersecurity risk and resilience requirement or modification to such requirement under paragraph (2).
(B) TIMELINE.—The Administrator shall remand to the WRRO a proposed cybersecurity risk and resilience requirement or modification to such a requirement disapproved under subparagraph (A), including the submission of the specific recommendations required under that subparagraph, not later than 90 days after the date on which the WRRO filed the requirement or modification with the Administrator under paragraph (1)(A).
(C) RESPONSE AND APPROVAL.—
(i) IN GENERAL.—On receipt of the remand of a proposed cybersecurity risk and resilience requirement or modification to such a requirement and receipt of the specific recommendations of the Administrator pursuant to subparagraph (A), the WRRO shall—
(I) accept the recommendations of the Administrator and resubmit an amended proposed cybersecurity risk and resilience requirement or modification to such a requirement consistent with those recommendations;
(II) provide to the Administrator and a reason why the recommendation was not accepted; or
(III) withdraw the proposed cybersecurity risk and resilience requirement or modification to such a requirement.
(ii) AMENDED REQUIREMENT.—If the WRRO files an amended proposed cybersecurity risk and resilience requirement or modification to such a requirement under clause (i)(I) the Administrator shall review such proposed requirement or modification and determine whether to approve such amended requirement or modification in accordance with paragraph (2)(A).
(iii) RESPONSE BY WRRO.—On receipt of a response from the WRRO pursuant to clause (i)(II), the Administrator shall—
(I) approve the proposed cybersecurity risk and resilience requirement or modification to such a requirement; or
(II) invite the WRRO to engage in negotiations with the Administrator to reach consensus to address the specific recommendation made by the Administrator under subparagraph (A).
(4) EFFECTIVE DATE.—The effective date of an approved cybersecurity risk and resilience requirement or modification to such a requirement proposed under this subsection shall be set by the Administrator in accordance with the proposed implementation plan submitted by the WRRO under paragraph (1).
(5) SUBMISSION OF SPECIFIC REQUIREMENT.—The Administrator, on the motion of the Administrator or on complaint may, following consultation with the WRRO, order the WRRO to file with the Administrator under paragraph (1) a proposed cybersecurity risk and resilience requirement or modification to such as requirement that addresses a specific matter if the Administrator determines there is a reasonable basis to conclude the existing cybersecurity risk and resilience requirements are insufficient, when implemented by covered water systems, to protect, defend, or recover from or mitigate a cybersecurity incident.
(6) CONFLICT.—
(A) IN GENERAL.—The final rule adopted under subsection (b)(2) shall include specific processes for the identification and timely resolution of any conflict between a cybersecurity risk and resilience requirement and any function, rule, order, tariff, or agreement accepted, approved, or ordered by the Administrator that is applicable to a covered water system.
(B) COMPLIANCE.—A covered water system shall continue to comply with a function, rule, order, tariff, or agreement described in subparagraph (A) unless—
(i) the Administrator finds a conflict exists between a cybersecurity risk and resilience requirement and any function, rule, order, tariff, or agreement approved or otherwise accepted or ordered by the Administrator;
(ii) the Administrator orders a change to that function, rule, order, tariff, or agreement; and
(iii) the ordered change becomes effective.
(C) MODIFICATION.—If the Administrator determines that a cybersecurity risk and resilience requirement needs to be changed as a result of a conflict identified under this paragraph, the Administrator shall direct the WRRO to propose and file with the Administrator a modified cybersecurity risk and resilience requirement pursuant to paragraphs (1) through (4) of this section.
(e) WATER SYSTEM MONITORING AND ASSESSMENT.—To aid in the development and adoption of appropriate and necessary cybersecurity risk and resilience requirements and modifications to such requirements, the WRRO shall—
(1) routinely monitor and conduct periodic assessments of the implementation of cybersecurity risk and resilience requirements approved by the Administrator under subsection (d) and the effectiveness of cybersecurity risk and resilience requirements for covered systems, including by requiring—
(A) annual self-attestations of compliance with such cybersecurity risk and resilience requirements by covered water systems; and
(B) assessments of the covered water system by the WRRO or by a third party designated by the WRRO not less frequently than every 5 years of compliance by covered water systems with such cybersecurity risk and resilience requirements; and
(2) annually submit to the Administrator a report describing the implementation of cybersecurity risk and resilience requirements approved by the Administrator under subsection (d) and the effectiveness of cybersecurity risk and resilience requirements for covered water systems subject to the requirements that reports under this paragraph—
(A) shall only include aggregated or anonymized findings, observations, and data; and
(B) shall not contain any sensitive security information.
(f) ENFORCEMENT.—
(1) IN GENERAL.—The WRRO may, subject to paragraphs (2) through (5), impose a penalty on the owner or operator of a covered water system for a violation of a cybersecurity risk and resilience requirement if the WRRO, after notice and an opportunity for a consultation and a hearing—
(A) finds that the owner or operator of a covered system has violated or failed to comply with the cybersecurity risk and resilience requirement; and
(B) files notice of the finding under subparagraph (A) and the record of the proceeding with the Administrator.
(2) NOTICE.—
(A) IN GENERAL.—The WRRO may not impose a penalty on the owner or operator of a covered water system under paragraph (1) unless the WRRO provides the owner or operator with—
(i) notice of the alleged violation of or failure to comply with a cybersecurity risk and resilience requirement; and
(ii) an opportunity for a consultation and a hearing prior to finding that the owner or operator has violated or failed to comply with the applicable cybersecurity risk and resilience requirement under paragraph (1)(A).
(B) ACCESS TO COUNSEL.—The owner or operator of a covered water system may engage legal counsel to take part in the consultation and hearing described in subparagraph (A)(ii).
(3) EFFECTIVE DATE OF PENALTY.—A penalty imposed under paragraph (1) may take effect not earlier than 31 days after the date on which the WRRO files with the Administrator notice of the penalty and the record of proceedings under subparagraph (B) of that paragraph.
(4) IMPOSITION OF PENALTY.—
(A) MAXIMUM AMOUNT.—A penalty imposed under paragraph (1) shall not exceed $25,000 per day the applicable owner or operator is in violation of a cybersecurity risk and resilience requirement approved by the Administrator under subsection (d).
(B) LIMITATION.—No penalty may be imposed on a covered water system under any other provision of law for a violation of a cybersecurity risk and resilience requirement approved by the Administrator under subsection (d).
(C) USE OF PENALTY FUNDS.—Any penalties collected under this subsection shall be returned to the WRRO to support training initiatives and other resource capabilities of the WRRO in carrying out the duties of the WRRO under this section.
(5) REVIEW BY ADMINISTRATOR.—
(A) IN GENERAL.—The Administrator may review a penalty imposed under paragraph (1).
(B) APPLICATION FOR REVIEW.—The Administrator may conduct a review under subparagraph (A) on the motion of the Administrator or on application by an owner or operator of a covered water system that is the subject of a penalty imposed under paragraph (1), if such application is filed not later than 30 days after the date on which the notice of that penalty is filed with the Administrator.
(C) STAY OF PENALTY.—A penalty under review by the Administrator under this paragraph may only be stayed if, on the motion of the Administrator or on application by the owner or operator of the covered water system that is the subject of the penalty, the Administrator separately orders the stay of the penalty.
(D) PROCEEDINGS.—
(i) IN GENERAL.—In any proceeding to review a penalty imposed under paragraph (1), the Administrator, after notice and, subject to clause (ii), opportunity for a hearing, shall by order affirm, set aside, reinstate, or modify the penalty, and, if appropriate, remand to the WRRO for further proceedings.
(ii) RECORD BELOW.—A hearing under clause (i) may consist solely of the record before the WRRO and an opportunity for the presentation of supporting reasons to affirm, modify, or set aside the applicable penalty.
(iii) EXPEDITED PROCEDURES.—The Administrator shall act expeditiously in administering all proceedings under this paragraph.
(g) SAVINGS PROVISIONS.—
(1) AUTHORITY.—Nothing in this section authorizes the WRRO or the Administrator to develop binding cybersecurity risk and resilience requirements for covered water systems, except as specifically provided for in this Act.
(2) RULE OF CONSTRUCTION.—Nothing in this section preempts any authority of any State to take action to ensure the safety, adequacy, and resilience of water service within that State, as long as such action is not inconsistent with or in conflict with any cybersecurity risk and resilience requirement.
(h) STATUS OF WRRO.—The WRRO is not a department, agency, or instrumentality of the United States Government.
(i) AUTHORIZATION OF APPROPRIATIONS.—There is authorized to be appropriated to carry out this section $10,000,000 to remain available to the WRRO until expended.