Cybersecurity Requirements Table
Translations
Drinking Water System Cybersecurity Requirements
| Step | Action Required | Responsible Party | Frequency | Documentation | Notes |
|---|---|---|---|---|---|
| 1 | Review and update cybersecurity vulnerability analysis (CVA)1 | Authorized representative or designated individual2 | ≤ Annually | Submit to the Department every five years, or within 30 days after major water facility infrastructure changes are made in accordance with Subpart 5-1.33(e). |
Effective January 2027. Must be made available to the Department upon request. |
| 2 | Establish a cybersecurity program3 that also incorporates the findings of the CVA | Authorized representative or designated individual2 | Develop initial program using Appendix 5-E requirements and update as needed. | Must be made available to the Department upon request. |
Designated individuals for systems serving more than 50,000 people must certify every five years in accordance with Subpart 5-1.33(e) that their covered water system has a cybersecurity program. Effective January 2027. Update with changes in technology, staff, and/or any other changes to the covered water system that could affect cybersecurity. |
| 3 | Complete one-hour of cybersecurity training | Drinking water operators | Operators must receive one-hour of cybersecurity training every three years. | Proof of training must be made available to the Department upon request. |
Effective immediately upon adoption of Appendix 5-E. No exclusions. |
| 4 | Notify the Department after identifying cybersecurity vulnerabilities that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1 or that identify a situation that may pose a risk to public health. | Authorized representative or designated individual2 | No later than 48-hours after identification. | Update the CVA with newly identified cybersecurity vulnerabilities. | To report a cybersecurity vulnerability, please contact TPP@health.ny.gov and provide only your name, system, contact phone number, and that you need to report a vulnerability. |
| 5 | Notify the Department after a cybersecurity incident that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1 or that identify a situation that may pose a risk to public health. | Any authorized representative | No later than 24-hours after identification. | Secure reporting mechanism. |
Effective immediately upon adoption of Appendix 5-E. To notify the Department, please submit a cybersecurity incident report form. |
| 6 | Implement corrective action for vulnerabilities identified in the CVA that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1 or that identify a situation that may pose a risk to public health. Vulnerabilities that meet the reporting requirements are considered significant deficiencies4. | Authorized representative or designated individual2 | Corrective action to start and/or be completed within 120 days of notification. | Consult with the Department within 30 days to identify mitigation steps in accordance with Subpart 5-1.71(c). | Vulnerabilities identified that impact subpart 5-1 compliance, or could pose a threat to public health, are a significant deficiency4 and must be addressed. |
1. Conduct in accordance with Appendix 5-E, Section 5-E.5 - Cybersecurity Vulnerability Analysis (CVA).
2. Each covered water system serving a combined wholesale and retail population of greater than 50,000 shall designate an individual deemed qualified by the covered water system’s owner with demonstrable knowledge of cybersecurity principles and practical experience in system protection or risk management who shall be the individual responsible for the system’s cybersecurity program.
3. Establish a cybersecurity program in accordance with Appendix 5-E, Section 5-E.6 - Cybersecurity program requirements. In systems serving a population of more than 50,000, the designated individual shall certify the cybersecurity program was developed in accordance with Appendix 5-E and submit to the Department every five years in accordance with Subpart 5-1.33(e). Designated individuals must also provide a confidential written report annually to the system’s governing body on the system’s cybersecurity program and material cybersecurity risks.
4. A significant deficiency means a defect in a system’s design, operation or maintenance, or a failure or malfunction of its source, treatment, storage, or distribution, that causes or is reasonably expected to cause the introduction of contamination into water delivered to consumers. Significant deficiencies also include loss of ability to deliver an adequate quantity of water; inadequate barriers of protection including failure of monitoring; conditions that pose an obvious security risk to the water system; or any other condition with the potential to cause a future public health hazard (i.e. before the next scheduled sanitary survey).