Close this search box.

EPA Backtracks: Cybersecurity Rule for Public Water Systems Withdrawn

Table of Contents
    Add a header to begin generating the table of contents
    Scroll to Top

    Recent Posts

    image of a water treatment facility


    **Update to our previous blog post here **

    After facing legal challenges and concerns from water associations, the U.S. Environmental Protection Agency (EPA) reversed course and withdrew its cybersecurity rules for public water systems (PWSs). This significant decision leaves the question of how to protect our critical water infrastructure from cyberattacks open.


    • Rule withdrawal: The EPA’s rule mandated states report cybersecurity threats and integrate assessments into PWS sanitary surveys, raising concerns about exceeding authority and burdening smaller systems.
    • Legal challenges: Lawsuits argued the rule circumvented Congressional actions and exceeded the EPA’s statutory mandate.
    • Small system concerns: Water associations argued smaller PWSs lacked resources to comply and preferred assistance over regulation.
    • Public disclosure risks: Potential exposure of sensitive cybersecurity information through state records laws was a major concern.


    • Stay informed: Cybersecurity professionals in the water sector should monitor evolving federal regulations and potential legislation.
    • Support smaller systems: Focus assistance programs and resources on helping smaller PWSs improve their cybersecurity posture.
    • Foster collaboration: Industry-wide collaboration is crucial to address cyber threats and develop practical solutions for PWSs of all sizes.


    The withdrawn rule aimed to address increasing cybersecurity threats to PWSs. States were required to report threats to the EPA, raising concerns about sensitive information becoming publicly accessible. Additionally, cybersecurity assessments were to be incorporated into PWS sanitary surveys, questioning the expertise of state agencies conducting them. These requirements, coupled with concerns about burdening smaller systems and potential public disclosure risks, led to legal challenges and the EPA’s eventual withdrawal of the rule.

    Looking ahead, the Biden administration intends to pursue “Plan B” by lobbying Congress for similar legislation. Meanwhile, a bipartisan bill proposes funding and technical assistance for rural water systems, aligning with the water associations’ preference for assistance over regulation. The broader federal trend points towards increased focus on cybersecurity across various sectors, including financial institutions and public companies.

    Cybersecurity professionals must adapt their strategies to this evolving landscape, remaining informed about regulatory changes and prioritizing support for smaller PWSs. By fostering collaboration and developing practical solutions, the water sector can effectively address cyber threats and safeguard our critical water infrastructure.

    Picture of Josh Moulin

    Josh Moulin

    Josh Moulin has been in the cybersecurity field for over two decades and worked in a variety of roles. He is the founder and principal of Natsar, a cybersecurity company in New York, USA. Previously, he has served in roles including the Senior VP of Operations at the Center for Internet Security (CIS), commander of an FBI cybercrimes task force, director of an ASCLD/LAB accredited digital forensics lab, Chief Information Officer (CIO) and Chief Information Security Officer (CISO) of a national security program within the United States nuclear weapons enterprise, and an Executive Partner at Gartner, the world’s largest research and advisory company. Josh is considered an expert in cybersecurity, risk management, and organizational leadership and frequently engages with companies around the world on these and other topics. He has a Master of Science Degree in Information Security Assurance and the following certifications: CAWFE, CEH, CFCE, CHFI, CISSP, CNDA, DFCP, GCFA, GCFR, GCIA, GIME, and GSEC.

    9 thoughts on “EPA Backtracks: Cybersecurity Rule for Public Water Systems Withdrawn”

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    Scroll to Top

    Contact Natsar

    Fill out the form below, and we will be in touch shortly.
    Please enable JavaScript in your browser to complete this form.