[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7922 Introduced in House (IH)]
118th CONGRESS
2d Session
H. R. 7922
To establish a Water Risk and Resilience Organization to develop risk
and resilience requirements for the water sector.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
April 10, 2024
Mr. Crawford (for himself and Mr. Duarte) introduced the following
bill; which was referred to the Committee on Transportation and
Infrastructure, and in addition to the Committee on Energy and
Commerce, for a period to be subsequently determined by the Speaker, in
each case for consideration of such provisions as fall within the
jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To establish a Water Risk and Resilience Organization to develop risk
and resilience requirements for the water sector.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. WATER RISK AND RESILIENCE ORGANIZATION.
(a) Definitions.--In this section:
(1) Administrator.--The term ``Administrator'' means the
Administrator of the Environmental Protection Agency.
(2) Agency.--The term ``Agency'' means the Environmental
Protection Agency.
(3) Covered water system.--The term ``covered water
system'' means--
(A) a community water system (as defined in section
1401 of the Safe Drinking Water Act (42 U.S.C. 300f))
that serves a population of 3,300 or more persons; or
(B) a treatment works (as defined in section 212 of
the Federal Water Pollution Control Act (33 U.S.C.
1292)) that serves a population of 3,300 or more
persons.
(4) Cyber resilient.--The term ``cyber resilient'' means
the ability of a covered water or wastewater system to
withstand or reduce the magnitude or duration of cybersecurity
incidents that disrupt the covered system's ability to function
normally and which includes the capability to anticipate,
absorb, adapt to, or rapidly recover from cybersecurity
incidents.
(5) Cybersecurity incident.--The term ``cybersecurity
incident'' means a malicious act or suspicious event that
disrupts, or attempts to disrupt, the operation of programmable
electronic devices and communication networks including
hardware, software, and data that are essential to the cyber
resilient operation of a covered water system.
(6) Cybersecurity risk and resilience requirement.--The
term ``cybersecurity risk and resilience requirement'' means a
cybersecurity requirement approved by the Administrator under
subsection (d) to provide for the cyber resilient operation of
a covered water system and the cyber resilient design of
planned additions or modifications to such system.
(7) Water risk and resilience organization.--The terms
``Water Risk and Resilience Organization'' and ``WRRO'' mean
the organization certified by the Agency under subsection (c).
(b) Jurisdiction and Applicability.--
(1) Jurisdiction.--The Administrator shall have
jurisdiction, within the United States, over the WRRO certified
by the Agency under subsection (c).
(2) Regulations.--Not later than 270 days after the date of
enactment of this Act, the Administrator shall issue a final
rule to implement this section to certify the WRRO.
(c) Certification.--
(1) In general.--Following the issuance of a rule under
subsection (b)(2), any person may submit an application to the
Administrator for certification as a Water Risk and Resilience
Organization.
(2) Requirements.--The Administrator shall certify one
Water Risk and Resilience Organization if the Administrator
determines that such organization--
(A) demonstrates advanced technical knowledge and
expertise in the operations of covered water systems;
(B) is comprised of 1 or more members with relevant
experience as owners or operators of covered water
systems;
(C) has demonstrated the ability to develop and
implement cybersecurity risk and resilience
requirements that provide for an adequate level of
cybersecurity risk and resilience for a covered water
system;
(D) is capable of establishing measures, in line
with prevailing best practices, to secure sensitive
information and to protect sensitive security
information from public disclosure; and
(E) has established rules that require that--
(i) it is independent of the users, owners,
and operators of a covered water system, with
balanced and objective stakeholder
representation in the selection of directors of
the organization and balanced decision making
in any committee or subordinate organizational
structure;
(ii) it allocate reasonable dues, fees, and
other charges among end-users for all
activities under this section;
(iii) provide just and reasonable
procedures for enforcement of cybersecurity
risk and resilience requirements and the
imposition of penalties in accordance with
subsection (f) (including limitations on
activities, functions, or operations, or other
appropriate sanctions); and
(iv) provide for reasonable notice and
opportunity for public comment, due process,
openness, and balance of interests in
developing cybersecurity risk and resilience
requirements and otherwise exercising duties.
(d) Cybersecurity Risk and Resilience Requirements.--
(1) In general.--
(A) Proposed requirements.--The WRRO shall propose
and file with the Administrator each cybersecurity risk
and resilience requirement or modification to a
requirement that it proposes to be made effective under
this section.
(B) Implementation plan.--For each cybersecurity
risk and resilience requirement or modification to such
a requirement proposed pursuant to subparagraph (A),
the WRRO shall also propose an implementation plan,
including the schedule by which covered water systems
must achieve compliance with all or parts of the
cybersecurity risk and resilience requirement or
modification to such a requirement. The enforcement
date must provide a reasonable implementation period
for covered water systems to meet the requirements
under the implementation plan.
(2) Approval.--
(A) In general.--Notwithstanding paragraph (3)(A),
the Administrator shall approve, by rule or order, a
proposed cybersecurity risk and resilience requirement
or modification to such a requirement if the
Administrator determines that the requirement is just,
reasonable, not unduly discriminatory, or preferential.
(B) Deference to wrro.--The Administrator shall
defer to the technical expertise of the WRRO with
respect to the content of a proposed cybersecurity risk
and resilience requirement or modification to such a
requirement.
(3) Disapproval of requirement.--
(A) In general.--Notwithstanding paragraph (2)(A),
the Administrator shall remand to the WRRO a proposed
cybersecurity risk and resilience requirement or
modification to such a requirement for which the
Administrator disapproves, in whole or in part, and
provide 1 or more specific recommendations that would
cause the proposed requirement or modification to be
approved under paragraph (2).
(B) Response and approval.--
(i) In general.--Upon remand of a proposed
cybersecurity risk and resilience requirement
or modification to such a requirement and
receipt of the Administrator's recommendation
pursuant to subparagraph (A), the WRRO shall--
(I) accept the Administrator's
recommendation and resubmit an amended
proposed cybersecurity risk and
resilience requirement or modification
to such a requirement consistent with
the Administrator's recommendation;
(II) respond to the Administrator
and provide a reason why the
recommendation was not accepted; or
(III) withdraw the proposed
cybersecurity risk and resilience
requirement or modification to such a
requirement.
(ii) Amended requirement.--If the WRRO
resubmits a requirement or modification, the
Administrator shall review an amended proposed
cybersecurity risk and resilience requirement
or modification to such requirement submitted
by the WRRO pursuant to clause (i)(I) and
determine whether to approve such amended
requirement in accordance with paragraph
(2)(A).
(iii) Response by wrro.--Upon receipt of a
response from the WRRO pursuant to clause
(i)(II), the Administrator shall--
(I) approve the proposed
cybersecurity risk and resilience
requirement or modification to such a
requirement; or
(II) invite the WRRO to engage in
negotiations with the Administrator to
reach consensus to address the specific
recommendation made by the
Administrator under subparagraph (A).
(4) Effective date.--The effective date of a cybersecurity
risk and resilience requirement or modification to such a
requirement proposed under this subsection shall be set by the
Administrator in accordance with the proposed implementation
plan submitted by the WRRO under paragraph (1).
(5) Submission of specific requirement.--The Administrator,
upon the Administrator's own motion or upon complaint and
having a reasonable basis to conclude existing recommendations
under the WRRO are insufficient, when implemented by covered
water systems, to protect, defend, mitigate, or recover from a
cybersecurity incident, may, following consultation with the
WRRO, order the WRRO to submit to the Agency a proposed
cybersecurity risk and resilience requirement or a modification
to such a requirement that addresses a specific matter if the
Administrator considers such a requirement or modified
requirement necessary to protect, defend, mitigate, or recover
from a cybersecurity incident.
(6) Conflict.--
(A) In general.--The final rule adopted under
subsection (b)(2) shall include specific processes for
the identification and timely resolution of any
conflict between a cybersecurity risk and resilience
requirement and any function, rule, order, tariff, or
agreement accepted, approved, or ordered by the
Administrator applicable to a covered water system.
(B) Compliance.--A water system shall continue to
comply with such function, rule, order, tariff, or
agreement approved, or otherwise accepted or ordered by
the Administrator unless--
(i) the Administrator finds a conflict
exists between a cybersecurity risk and
resilience requirement and any such provision;
(ii) the Administrator orders a change to
such provision; and
(iii) the ordered change becomes effective.
(C) Modification.--If the Administrator determines
that a cybersecurity risk and resilience requirement
needs to be changed as a result of a conflict
identified under this paragraph, the Administrator
shall direct the WRRO to develop and file with the
Administrator a modified cybersecurity risk and
resilience requirement under this subsection,
undertaken pursuant to the processes in paragraphs (1)
through (4) above.
(e) Water System Monitoring and Assessment.--To aid in the
development and adoption of appropriate and necessary cybersecurity
risk and resilience requirements and modifications to requirements, the
WRRO shall--
(1) routinely monitor and conduct periodic assessments,
including requiring self-attestations of compliance from
covered water systems annually and assessments of the covered
water system by the WRRO or a designated third party not less
than every five years, of the implementation of cybersecurity
risk and resilience requirements, and the effectiveness of
cybersecurity risk and resilience requirements for covered
water systems in the United States; and
(2) annually submit to the Administrator a report on the
implementation of cybersecurity risk and resilience
requirements, the effectiveness of cybersecurity risk and
resilience requirements for covered water systems in the United
States, provided that such reports shall only include
aggregated or anonymized findings, observations, and data, and
shall not contain any sensitive security information.
(f) Enforcement.--
(1) In general.--The WRRO may impose, subject to paragraphs
(2) and (4), a penalty on an owner or operator of a covered
water system for a violation of a cybersecurity risk and
resilience requirement approved by the Administrator under
subsection (d) if the WRRO, after notice and an opportunity for
a hearing--
(A) finds that the owner or operator of a covered
system has violated or failed to comply with a
requirement approved by the Administrator under
subsection (d); and
(B) files notice and the record of the proceeding
with the Administrator.
(2) Notice.--The WRRO may not impose a penalty on an owner
or operator of a covered system under paragraph (1) unless the
WRRO provides the owner or operator with notice of the alleged
violation or failure to comply with a cybersecurity risk and
resilience requirement and an opportunity for a consultation
and a hearing prior to finding that the owner or operator has
violated such requirement under paragraph (1)(A). The owner or
operator of a covered water system may engage legal counsel to
take part in the consultation and hearing requirements.
(3) Effective date of penalty.--A penalty imposed under
paragraph (1) may take effect not earlier than the 31st day
after the WRRO files with the Administrator notice of the
penalty and the record of proceedings.
(4) Imposition of penalty.--A penalty imposed under
paragraph (1) shall not exceed $25,000 per day the entity is in
violation of a cybersecurity risk and resilience requirement.
(A) A penalty imposed under this subsection shall
be the only penalty imposed for the violation. The
Administrator is barred from imposing additional
penalties on the covered water system for the same
violation.
(B) Any penalties collected will be returned to the
WRRO to support training initiatives and support other
resource capabilities of the WRRO in carrying out its
duties under this Act.
(5) Review by administrator.--
(A) In general.--A penalty imposed under paragraph
(1) may be subject to review by the Administrator.
(B) Application for review.--The Administrator may
conduct a review under subparagraph (A) on the
Administrator's own motion or upon application by an
owner or operator of a covered water system that is the
subject of a penalty imposed under paragraph (1) filed
not later than 30 days after notice of such penalty is
filed with the Administrator.
(C) Stay of penalty.--A penalty under review by the
Administrator under this paragraph may not be stayed
unless the Administrator otherwise orders that such
penalty be stayed upon the Administrator's own motion
or upon application by the owner or operator of the
covered water system that is the subject of such
penalty.
(D) Proceeding.--
(i) In general.--In any proceeding to
review a penalty imposed under paragraph (1),
the Administrator, after notice and opportunity
for hearing (which hearing may consist solely
of the record before the WRRO and opportunity
for the presentation of supporting reasons to
affirm, modify, or set aside the penalty),
shall by order affirm, set aside, reinstate, or
modify the penalty, and, if appropriate, remand
to the WRRO for further proceedings.
(ii) Expedited procedures.--The
Administrator shall act expeditiously in
administering all hearings under this section.
(g) Savings Provision.--
(1) Authority.--Nothing in this Act authorizes the WRRO or
the EPA Administrator to develop binding cybersecurity risk and
resilience requirements for covered water systems, except as
defined by this Act.
(2) Rule of construction.--Nothing in this section may be
construed to preempt any authority of any State to take action
to ensure the safety, adequacy, and resilience of water service
within that State, as long as such action is not inconsistent
with or conflicts with any cybersecurity risk and resilience
requirement.
(h) Status of WRRO.--The WRRO certified under subsection (c) is not
a department, agency, or instrumentality of the United States
Government.
(i) Authorization of Appropriations.--There is authorized to be
appropriated to carry out this subsection $5,000,000 for each of fiscal
years 2024 and 2025, to remain available to the WRRO until expended.