US
Us Congress House Bill HB2594

Us Congress 2025-2026 Regular Session

Us Congress House Bill HB2594 Compare Versions

Only one version of the bill is available at this time.
OldNewDifferences
11 I
22 119THCONGRESS
33 1
44 STSESSION H. R. 2594
55 To establish a Water Risk and Resilience Organization to develop risk and
66 resilience requirements for the water sector.
77 IN THE HOUSE OF REPRESENTATIVES
88 APRIL2, 2025
99 Mr. C
1010 RAWFORDintroduced the following bill; which was referred to the Com-
1111 mittee on Transportation and Infrastructure, and in addition to the Com-
1212 mittee on Energy and Commerce, for a period to be subsequently deter-
1313 mined by the Speaker, in each case for consideration of such provisions
1414 as fall within the jurisdiction of the committee concerned
1515 A BILL
1616 To establish a Water Risk and Resilience Organization to
1717 develop risk and resilience requirements for the water sector.
1818 Be it enacted by the Senate and House of Representa-1
1919 tives of the United States of America in Congress assembled, 2
2020 SECTION 1. WATER RISK AND RESILIENCE ORGANIZATION. 3
2121 (a) D
2222 EFINITIONS.—In this section: 4
2323 (1) A
2424 DMINISTRATOR.—The term ‘‘Adminis-5
2525 trator’’ means the Administrator of the Environ-6
2626 mental Protection Agency. 7
2727 (2) C
2828 OVERED WATER SYSTEM .—The term ‘‘cov-8
2929 ered water system’’ means— 9
3030 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
3131 ssavage on LAPJG3WLY3PROD with BILLS 2
3232 •HR 2594 IH
3333 (A) a community water system (as defined 1
3434 in section 1401 of the Safe Drinking Water Act 2
3535 (42 U.S.C. 300f)) that serves a population of 3
3636 3,300 or more persons; or 4
3737 (B) a treatment works (as defined in sec-5
3838 tion 212 of the Federal Water Pollution Control 6
3939 Act (33 U.S.C. 1292)) that serves a population 7
4040 of 3,300 or more persons. 8
4141 (3) C
4242 YBER RESILIENT.— 9
4343 (A) I
4444 N GENERAL.—The term ‘‘cyber resil-10
4545 ient’’ means the ability of a covered water sys-11
4646 tem to withstand or reduce the magnitude or 12
4747 duration of cybersecurity incidents that disrupt 13
4848 the ability of the covered water system to func-14
4949 tion normally. 15
5050 (B) I
5151 NCLUSION.—The term ‘‘cyber resil-16
5252 ient’’ includes the ability of a covered water sys-17
5353 tem to anticipate, absorb, adapt to, or rapidly 18
5454 recover from cybersecurity incidents. 19
5555 (4) C
5656 YBERSECURITY INCIDENT .—The term ‘‘cy-20
5757 bersecurity incident’’ means a malicious act or sus-21
5858 picious event that disrupts, or attempts to disrupt, 22
5959 the operation of programmable electronic devices 23
6060 and communication networks, including hardware, 24
6161 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
6262 ssavage on LAPJG3WLY3PROD with BILLS 3
6363 •HR 2594 IH
6464 software, and data that are essential to the cyber re-1
6565 silient operation of a covered water system. 2
6666 (5) C
6767 YBERSECURITY RISK AND RESILIENCE RE -3
6868 QUIREMENT.—The term ‘‘cybersecurity risk and re-4
6969 silience requirement’’ means a requirement that pro-5
7070 vides for the cyber resilient operation of a covered 6
7171 water system and the cyber resilient design of 7
7272 planned additions or modifications to a covered 8
7373 water system. 9
7474 (6) W
7575 ATER RISK AND RESILIENCE ORGANIZA -10
7676 TION; WRRO.—The terms ‘‘Water Risk and Resil-11
7777 ience Organization’’ and ‘‘WRRO’’ mean the organi-12
7878 zation certified by the Administrator under sub-13
7979 section (c). 14
8080 (b) A
8181 PPLICABILITY.—Not later than 270 days after 15
8282 the date of enactment of this Act, the Administrator shall 16
8383 issue a final rule to carry out this section, including regu-17
8484 lations for the selection and certification of the WRRO 18
8585 under subsection (c). 19
8686 (c) C
8787 ERTIFICATION.— 20
8888 (1) I
8989 N GENERAL.—Following the issuance of 21
9090 the final rule under subsection (b)(1), any organiza-22
9191 tion may submit an application to the Adminis-23
9292 trator, at such time, in such manner, and containing 24
9393 such information as the Administrator may require, 25
9494 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
9595 ssavage on LAPJG3WLY3PROD with BILLS 4
9696 •HR 2594 IH
9797 for certification as the Water Risk and Resilience 1
9898 Organization. 2
9999 (2) R
100100 EQUIREMENTS.—The Administrator shall 3
101101 certify not more than 1 organization that submitted 4
102102 an application under paragraph (1) as the Water 5
103103 Risk and Resilience Organization if the Adminis-6
104104 trator determines that the organization— 7
105105 (A) demonstrates advanced technical 8
106106 knowledge and expertise in the operations of 9
107107 covered water systems; 10
108108 (B) is comprised of 1 or more members 11
109109 with relevant experience as owners or operators 12
110110 of covered water systems; 13
111111 (C) has demonstrated the ability to develop 14
112112 and implement cybersecurity risk and resilience 15
113113 requirements that provide for an adequate level 16
114114 of cybersecurity risk and resilience for a covered 17
115115 water system; 18
116116 (D) is capable of establishing measures, in 19
117117 line with prevailing best practices, to secure 20
118118 sensitive information and to protect sensitive 21
119119 security information from public disclosure; and 22
120120 (E) has established rules that— 23
121121 (i) require that the organization be 24
122122 independent of the users, owners, and op-25
123123 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
124124 ssavage on LAPJG3WLY3PROD with BILLS 5
125125 •HR 2594 IH
126126 erators of a covered water system, with 1
127127 balanced and objective stakeholder rep-2
128128 resentation in the selection of directors of 3
129129 the organization and balanced decision 4
130130 making in any committee or subordinate 5
131131 organizational structure; 6
132132 (ii) require that the organization allo-7
133133 cate reasonable dues, fees, and other 8
134134 charges among end-users for all activities 9
135135 under this section; 10
136136 (iii) provide just and reasonable pro-11
137137 cedures for enforcement of cybersecurity 12
138138 risk and resilience requirements and the 13
139139 imposition of penalties in accordance with 14
140140 subsection (f), including limitations on ac-15
141141 tivities, functions, or operations, or other 16
142142 appropriate sanctions; and 17
143143 (iv) provides for reasonable notice and 18
144144 opportunity for public comment, due proc-19
145145 ess, openness, and balancing of interests in 20
146146 developing cybersecurity risk and resilience 21
147147 requirements and otherwise exercising du-22
148148 ties described in this section. 23
149149 (d) C
150150 YBERSECURITY RISK ANDRESILIENCERE-24
151151 QUIREMENTS.— 25
152152 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
153153 ssavage on LAPJG3WLY3PROD with BILLS 6
154154 •HR 2594 IH
155155 (1) IN GENERAL.— 1
156156 (A) P
157157 ROPOSED REQUIREMENTS .—The 2
158158 WRRO shall file with the Administrator each 3
159159 cybersecurity risk and resilience requirement or 4
160160 modification to such a requirement that the 5
161161 WRRO proposes to be made effective under this 6
162162 section. 7
163163 (B) I
164164 MPLEMENTATION PLAN .— 8
165165 (i) I
166166 N GENERAL.—For each proposed 9
167167 cybersecurity risk and resilience require-10
168168 ment or modification to such a require-11
169169 ment filed pursuant to subparagraph (A), 12
170170 the WRRO shall file an implementation 13
171171 plan, including the schedule for implemen-14
172172 tation, which may include a specified date, 15
173173 by which covered water systems shall 16
174174 achieve compliance with all of the cyberse-17
175175 curity risk and resilience requirement or 18
176176 modification to such a requirement. The 19
177177 implementation schedule may account for a 20
178178 phased rollout of the requirement, recog-21
179179 nizing that the requirement may not apply, 22
180180 in totality, to all covered water systems. 23
181181 (ii) R
182182 EASONABLE DEADLINES .—The 24
183183 enforcement date proposed by the WRRO 25
184184 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
185185 ssavage on LAPJG3WLY3PROD with BILLS 7
186186 •HR 2594 IH
187187 in the implementation plan under clause (i) 1
188188 shall provide a reasonable implementation 2
189189 period for covered water systems to meet 3
190190 the requirements under the implementation 4
191191 plan. 5
192192 (2) A
193193 PPROVAL.— 6
194194 (A) I
195195 N GENERAL.—Notwithstanding para-7
196196 graph (3)(A), the Administrator shall approve a 8
197197 proposed cybersecurity risk and resilience re-9
198198 quirement or modification to such a require-10
199199 ment, including the accompanying implementa-11
200200 tion plan filed under paragraph (1), if the Ad-12
201201 ministrator determines that the requirement is 13
202202 just, reasonable, and not unduly discriminatory 14
203203 or preferential. 15
204204 (B) D
205205 EFERENCE TO WRRO .—The Adminis-16
206206 trator shall defer to the technical expertise of 17
207207 the WRRO with respect to the content of a pro-18
208208 posed cybersecurity risk and resilience require-19
209209 ment or modification to such a requirement. 20
210210 (3) D
211211 ISAPPROVAL OF REQUIREMENT .— 21
212212 (A) I
213213 N GENERAL.—Notwithstanding para-22
214214 graph (2)(A), if the Administrator disapproves, 23
215215 in whole or in part, a filed cybersecurity risk 24
216216 and resilience requirement or modification to 25
217217 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
218218 ssavage on LAPJG3WLY3PROD with BILLS 8
219219 •HR 2594 IH
220220 such a requirement, the Administrator shall re-1
221221 mand such requirement to the WRRO and pro-2
222222 vide to the WRRO specific recommendations 3
223223 that would lead to the approval of the cyberse-4
224224 curity risk and resilience requirement or modi-5
225225 fication to such requirement under paragraph 6
226226 (2). 7
227227 (B) T
228228 IMELINE.—The Administrator shall 8
229229 remand to the WRRO a proposed cybersecurity 9
230230 risk and resilience requirement or modification 10
231231 to such a requirement disapproved under sub-11
232232 paragraph (A), including the submission of the 12
233233 specific recommendations required under that 13
234234 subparagraph, not later than 90 days after the 14
235235 date on which the WRRO filed the requirement 15
236236 or modification with the Administrator under 16
237237 paragraph (1)(A). 17
238238 (C) R
239239 ESPONSE AND APPROVAL .— 18
240240 (i) I
241241 N GENERAL.—On receipt of the 19
242242 remand of a proposed cybersecurity risk 20
243243 and resilience requirement or modification 21
244244 to such a requirement and receipt of the 22
245245 specific recommendations of the Adminis-23
246246 trator pursuant to subparagraph (A), the 24
247247 WRRO shall— 25
248248 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00008 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
249249 ssavage on LAPJG3WLY3PROD with BILLS 9
250250 •HR 2594 IH
251251 (I) accept the recommendations 1
252252 of the Administrator and resubmit an 2
253253 amended proposed cybersecurity risk 3
254254 and resilience requirement or modi-4
255255 fication to such a requirement con-5
256256 sistent with those recommendations; 6
257257 (II) provide to the Administrator 7
258258 and a reason why the recommendation 8
259259 was not accepted; or 9
260260 (III) withdraw the proposed cy-10
261261 bersecurity risk and resilience require-11
262262 ment or modification to such a re-12
263263 quirement. 13
264264 (ii) A
265265 MENDED REQUIREMENT .—If the 14
266266 WRRO files an amended proposed cyberse-15
267267 curity risk and resilience requirement or 16
268268 modification to such a requirement under 17
269269 clause (i)(I) the Administrator shall review 18
270270 such proposed requirement or modification 19
271271 and determine whether to approve such 20
272272 amended requirement or modification in 21
273273 accordance with paragraph (2)(A). 22
274274 (iii) R
275275 ESPONSE BY WRRO.—On receipt 23
276276 of a response from the WRRO pursuant to 24
277277 clause (i)(II), the Administrator shall— 25
278278 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00009 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
279279 ssavage on LAPJG3WLY3PROD with BILLS 10
280280 •HR 2594 IH
281281 (I) approve the proposed cyberse-1
282282 curity risk and resilience requirement 2
283283 or modification to such a requirement; 3
284284 or 4
285285 (II) invite the WRRO to engage 5
286286 in negotiations with the Administrator 6
287287 to reach consensus to address the spe-7
288288 cific recommendation made by the Ad-8
289289 ministrator under subparagraph (A). 9
290290 (4) E
291291 FFECTIVE DATE.—The effective date of an 10
292292 approved cybersecurity risk and resilience require-11
293293 ment or modification to such a requirement pro-12
294294 posed under this subsection shall be set by the Ad-13
295295 ministrator in accordance with the proposed imple-14
296296 mentation plan submitted by the WRRO under para-15
297297 graph (1). 16
298298 (5) S
299299 UBMISSION OF SPECIFIC REQUIREMENT .— 17
300300 The Administrator, on the motion of the Adminis-18
301301 trator or on complaint may, following consultation 19
302302 with the WRRO, order the WRRO to file with the 20
303303 Administrator under paragraph (1) a proposed cy-21
304304 bersecurity risk and resilience requirement or modi-22
305305 fication to such as requirement that addresses a spe-23
306306 cific matter if the Administrator determines there is 24
307307 a reasonable basis to conclude the existing cyberse-25
308308 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00010 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
309309 ssavage on LAPJG3WLY3PROD with BILLS 11
310310 •HR 2594 IH
311311 curity risk and resilience requirements are insuffi-1
312312 cient, when implemented by covered water systems, 2
313313 to protect, defend, or recover from or mitigate a cy-3
314314 bersecurity incident. 4
315315 (6) C
316316 ONFLICT.— 5
317317 (A) I
318318 N GENERAL.—The final rule adopted 6
319319 under subsection (b)(2) shall include specific 7
320320 processes for the identification and timely reso-8
321321 lution of any conflict between a cybersecurity 9
322322 risk and resilience requirement and any func-10
323323 tion, rule, order, tariff, or agreement accepted, 11
324324 approved, or ordered by the Administrator that 12
325325 is applicable to a covered water system. 13
326326 (B) C
327327 OMPLIANCE.—A covered water sys-14
328328 tem shall continue to comply with a function, 15
329329 rule, order, tariff, or agreement described in 16
330330 subparagraph (A) unless— 17
331331 (i) the Administrator finds a conflict 18
332332 exists between a cybersecurity risk and re-19
333333 silience requirement and any function, 20
334334 rule, order, tariff, or agreement approved 21
335335 or otherwise accepted or ordered by the 22
336336 Administrator; 23
337337 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00011 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
338338 ssavage on LAPJG3WLY3PROD with BILLS 12
339339 •HR 2594 IH
340340 (ii) the Administrator orders a change 1
341341 to that function, rule, order, tariff, or 2
342342 agreement; and 3
343343 (iii) the ordered change becomes effec-4
344344 tive. 5
345345 (C) M
346346 ODIFICATION.—If the Administrator 6
347347 determines that a cybersecurity risk and resil-7
348348 ience requirement needs to be changed as a re-8
349349 sult of a conflict identified under this para-9
350350 graph, the Administrator shall direct the 10
351351 WRRO to propose and file with the Adminis-11
352352 trator a modified cybersecurity risk and resil-12
353353 ience requirement pursuant to paragraphs (1) 13
354354 through (4) of this section. 14
355355 (e) W
356356 ATERSYSTEMMONITORING AND ASSESS-15
357357 MENT.—To aid in the development and adoption of appro-16
358358 priate and necessary cybersecurity risk and resilience re-17
359359 quirements and modifications to such requirements, the 18
360360 WRRO shall— 19
361361 (1) routinely monitor and conduct periodic as-20
362362 sessments of the implementation of cybersecurity 21
363363 risk and resilience requirements approved by the Ad-22
364364 ministrator under subsection (d) and the effective-23
365365 ness of cybersecurity risk and resilience require-24
366366 ments for covered systems, including by requiring— 25
367367 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00012 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
368368 ssavage on LAPJG3WLY3PROD with BILLS 13
369369 •HR 2594 IH
370370 (A) annual self-attestations of compliance 1
371371 with such cybersecurity risk and resilience re-2
372372 quirements by covered water systems; and 3
373373 (B) assessments of the covered water sys-4
374374 tem by the WRRO or by a third party des-5
375375 ignated by the WRRO not less frequently than 6
376376 every 5 years of compliance by covered water 7
377377 systems with such cybersecurity risk and resil-8
378378 ience requirements; and 9
379379 (2) annually submit to the Administrator a re-10
380380 port describing the implementation of cybersecurity 11
381381 risk and resilience requirements approved by the Ad-12
382382 ministrator under subsection (d) and the effective-13
383383 ness of cybersecurity risk and resilience require-14
384384 ments for covered water systems subject to the re-15
385385 quirements that reports under this paragraph— 16
386386 (A) shall only include aggregated or 17
387387 anonymized findings, observations, and data; 18
388388 and 19
389389 (B) shall not contain any sensitive security 20
390390 information. 21
391391 (f) E
392392 NFORCEMENT.— 22
393393 (1) I
394394 N GENERAL.—The WRRO may, subject to 23
395395 paragraphs (2) through (5), impose a penalty on the 24
396396 owner or operator of a covered water system for a 25
397397 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00013 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
398398 ssavage on LAPJG3WLY3PROD with BILLS 14
399399 •HR 2594 IH
400400 violation of a cybersecurity risk and resilience re-1
401401 quirement if the WRRO, after notice and an oppor-2
402402 tunity for a consultation and a hearing— 3
403403 (A) finds that the owner or operator of a 4
404404 covered system has violated or failed to comply 5
405405 with the cybersecurity risk and resilience re-6
406406 quirement; and 7
407407 (B) files notice of the finding under sub-8
408408 paragraph (A) and the record of the proceeding 9
409409 with the Administrator. 10
410410 (2) N
411411 OTICE.— 11
412412 (A) I
413413 N GENERAL.—The WRRO may not 12
414414 impose a penalty on the owner or operator of a 13
415415 covered water system under paragraph (1) un-14
416416 less the WRRO provides the owner or operator 15
417417 with— 16
418418 (i) notice of the alleged violation of or 17
419419 failure to comply with a cybersecurity risk 18
420420 and resilience requirement; and 19
421421 (ii) an opportunity for a consultation 20
422422 and a hearing prior to finding that the 21
423423 owner or operator has violated or failed to 22
424424 comply with the applicable cybersecurity 23
425425 risk and resilience requirement under para-24
426426 graph (1)(A). 25
427427 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00014 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
428428 ssavage on LAPJG3WLY3PROD with BILLS 15
429429 •HR 2594 IH
430430 (B) ACCESS TO COUNSEL.—The owner or 1
431431 operator of a covered water system may engage 2
432432 legal counsel to take part in the consultation 3
433433 and hearing described in subparagraph (A)(ii). 4
434434 (3) E
435435 FFECTIVE DATE OF PENALTY .—A penalty 5
436436 imposed under paragraph (1) may take effect not 6
437437 earlier than 31 days after the date on which the 7
438438 WRRO files with the Administrator notice of the 8
439439 penalty and the record of proceedings under sub-9
440440 paragraph (B) of that paragraph. 10
441441 (4) I
442442 MPOSITION OF PENALTY .— 11
443443 (A) M
444444 AXIMUM AMOUNT .—A penalty im-12
445445 posed under paragraph (1) shall not exceed 13
446446 $25,000 per day the applicable owner or oper-14
447447 ator is in violation of a cybersecurity risk and 15
448448 resilience requirement approved by the Adminis-16
449449 trator under subsection (d). 17
450450 (B) L
451451 IMITATION.—No penalty may be im-18
452452 posed on a covered water system under any 19
453453 other provision of law for a violation of a cyber-20
454454 security risk and resilience requirement ap-21
455455 proved by the Administrator under subsection 22
456456 (d). 23
457457 (C) U
458458 SE OF PENALTY FUNDS .—Any pen-24
459459 alties collected under this subsection shall be re-25
460460 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00015 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
461461 ssavage on LAPJG3WLY3PROD with BILLS 16
462462 •HR 2594 IH
463463 turned to the WRRO to support training initia-1
464464 tives and other resource capabilities of the 2
465465 WRRO in carrying out the duties of the WRRO 3
466466 under this section. 4
467467 (5) R
468468 EVIEW BY ADMINISTRATOR .— 5
469469 (A) I
470470 N GENERAL.—The Administrator may 6
471471 review a penalty imposed under paragraph (1). 7
472472 (B) A
473473 PPLICATION FOR REVIEW .—The Ad-8
474474 ministrator may conduct a review under sub-9
475475 paragraph (A) on the motion of the Adminis-10
476476 trator or on application by an owner or oper-11
477477 ator of a covered water system that is the sub-12
478478 ject of a penalty imposed under paragraph (1), 13
479479 if such application is filed not later than 30 14
480480 days after the date on which the notice of that 15
481481 penalty is filed with the Administrator. 16
482482 (C) S
483483 TAY OF PENALTY.—A penalty under 17
484484 review by the Administrator under this para-18
485485 graph may only be stayed if, on the motion of 19
486486 the Administrator or on application by the 20
487487 owner or operator of the covered water system 21
488488 that is the subject of the penalty, the Adminis-22
489489 trator separately orders the stay of the penalty. 23
490490 (D) P
491491 ROCEEDINGS.— 24
492492 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00016 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
493493 ssavage on LAPJG3WLY3PROD with BILLS 17
494494 •HR 2594 IH
495495 (i) IN GENERAL.—In any proceeding 1
496496 to review a penalty imposed under para-2
497497 graph (1), the Administrator, after notice 3
498498 and, subject to clause (ii), opportunity for 4
499499 a hearing, shall by order affirm, set aside, 5
500500 reinstate, or modify the penalty, and, if ap-6
501501 propriate, remand to the WRRO for fur-7
502502 ther proceedings. 8
503503 (ii) R
504504 ECORD BELOW .—A hearing 9
505505 under clause (i) may consist solely of the 10
506506 record before the WRRO and an oppor-11
507507 tunity for the presentation of supporting 12
508508 reasons to affirm, modify, or set aside the 13
509509 applicable penalty. 14
510510 (iii) E
511511 XPEDITED PROCEDURES .—The 15
512512 Administrator shall act expeditiously in ad-16
513513 ministering all proceedings under this 17
514514 paragraph. 18
515515 (g) S
516516 AVINGSPROVISIONS.— 19
517517 (1) A
518518 UTHORITY.—Nothing in this section au-20
519519 thorizes the WRRO or the Administrator to develop 21
520520 binding cybersecurity risk and resilience require-22
521521 ments for covered water systems, except as specifi-23
522522 cally provided for in this Act. 24
523523 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00017 Fmt 6652 Sfmt 6201 E:\BILLS\H2594.IH H2594
524524 ssavage on LAPJG3WLY3PROD with BILLS 18
525525 •HR 2594 IH
526526 (2) RULE OF CONSTRUCTION .—Nothing in this 1
527527 section preempts any authority of any State to take 2
528528 action to ensure the safety, adequacy, and resilience 3
529529 of water service within that State, as long as such 4
530530 action is not inconsistent with or in conflict with any 5
531531 cybersecurity risk and resilience requirement. 6
532532 (h) S
533533 TATUS OFWRRO.—The WRRO is not a depart-7
534534 ment, agency, or instrumentality of the United States 8
535535 Government. 9
536536 (i) A
537537 UTHORIZATION OF APPROPRIATIONS.—There is 10
538538 authorized to be appropriated to carry out this section 11
539539 $10,000,000 to remain available to the WRRO until ex-12
540540 pended. 13
541541 Æ
542542 VerDate Sep 11 2014 22:29 Apr 07, 2025 Jkt 059200 PO 00000 Frm 00018 Fmt 6652 Sfmt 6301 E:\BILLS\H2594.IH H2594
543543 ssavage on LAPJG3WLY3PROD with BILLS