(a) Definitions

In this section:

(1) Appropriate Congressional committees

The term “appropriate Congressional committees” means—

(A) the Committee on Environment and Public Works of the Senate;

(B) the Committee on Homeland Security and Governmental Affairs of the Senate;

(C) the Committee on Energy and Commerce of the House of Representatives; and

(D) the Committee on Homeland Security of the House of Representatives.

(2) Director

The term “Director” means the Director of the Cybersecurity and Infrastructure Security Agency.

(3) Incident

The term “incident” has the meaning given the term in section 3552 of title 44.

(4) Prioritization Framework

The term “Prioritization Framework” means the prioritization framework developed by the Administrator under subsection (b)(1)(A).

(5) Support Plan

The term “Support Plan” means the Technical Cybersecurity Support Plan developed by the Administrator under subsection (b)(2)(A).

(b) Identification of and support for public water systems

(1) Prioritization Framework

(A) In general

Not later than 180 days after November 15, 2021, the Administrator, in coordination with the Director, shall develop a prioritization framework to identify public water systems (including sources of water for those public water systems) that, if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public.

(B) Considerations

In developing the Prioritization Framework, to the extent practicable, the Administrator shall incorporate consideration of—

(i) whether cybersecurity vulnerabilities for a public water system have been identified under section 300i-2 of this title;

(ii) the capacity of a public water system to remediate a cybersecurity vulnerability without additional Federal support;

(iii) whether a public water system serves a defense installation or critical national security asset; and

(iv) whether a public water system, if degraded or rendered inoperable due to an incident, would cause a cascading failure of other critical infrastructure.

(2) Technical Cybersecurity Support Plan

(A) In general

Not later than 270 days after November 15, 2021, the Administrator, in coordination with the Director and using existing authorities of the Administrator and the Director for providing voluntary support to public water systems and the Prioritization Framework, shall develop a Technical Cybersecurity Support Plan for public water systems.

(B) Requirements

The Support Plan—

(i) shall establish a methodology for identifying specific public water systems for which cybersecurity support should be prioritized;

(ii) shall establish timelines for making voluntary technical support for cybersecurity available to specific public water systems;

(iii) may include public water systems identified by the Administrator, in coordination with the Director, as needing technical support for cybersecurity;

(iv) shall include specific capabilities of the Administrator and the Director that may be utilized to provide support to public water systems under the Support Plan, including—

(I) site vulnerability and risk assessments;

(II) penetration tests; and

(III) any additional support determined to be appropriate by the Administrator; and


(v) shall only include plans for providing voluntary support to public water systems.

(3) Consultation required

In developing the Prioritization Framework pursuant to paragraph (1) and the Support Plan pursuant to paragraph (2), the Administrator shall consult with such Federal or non-Federal entities as determined to be appropriate by the Administrator.

(4) Reports required

(A) Prioritization Framework

Not later than 190 days after November 15, 2021, the Administrator shall submit to the appropriate Congressional committees a report describing the Prioritization Framework.

(B) Technical Cybersecurity Support Plan

Not later than 280 days after November 15, 2021, the Administrator shall submit to the appropriate Congressional committees—

(i) the Support Plan; and

(ii) a list describing any public water systems identified by the Administrator, in coordination with the Director, as needing technical support for cybersecurity during the development of the Support Plan.

(c) Rules of construction

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

Nothing in this section—

(1) alters the existing authorities of the Administrator; or

(2) compels a public water system to accept technical support offered by the Administrator.