The America's Water Infrastructure Act of 2018 (AWIA), Section 2013, requires community water systems serving more than 3,300 people to conduct a Risk and Resilience Assessment (RRA) of the risks and vulnerabilities of the system, covering malevolent acts, natural hazards, and chemical and operational risks, and to develop or update an Emergency Response Plan (ERP) addressing those vulnerabilities. Systems must certify compliance with the EPA every five years, regardless of system size. Initial compliance dates were staggered by system size, but the ongoing review and recertification cycle is uniform: five years for all covered systems under SDWA Section 1433(a)(3) as amended.
AWIA mandates two separate deliverables: an assessment and a plan. Most utilities treat them as two separate compliance activities.
The RRA identifies vulnerabilities across physical infrastructure, cybersecurity systems, chemical handling, monitoring capabilities, and financial and operational capacity. The ERP is supposed to address those vulnerabilities with specific response and recovery procedures. In practice, the two deliverables are often produced separately, by different teams, and filed in different places, without the RRA findings driving the ERP choices that matter most.
ALIGN applies AWIA Section 2013 as a continuous resilience cycle, not two separate compliance deliverables. The RRA drives the ERP. The ERP is tested through exercises. The results of exercises drive improvements that are reflected in the next RRA cycle. The assessment and the plan become a single program.
AWIA Section 2013: What the Law Requires
- RRA: Natural Hazards and Malevolent Acts — Assessment of risks from natural hazards and malevolent acts that could disrupt water system operations or compromise water quality
- RRA: Resilience of Infrastructure and Operations — Assessment of the resilience of pipe and constructed conveyances, physical barriers, source water, treatment, storage and distribution, and automated systems
- RRA: Financial Infrastructure and Chemical Handling — Assessment of financial infrastructure vulnerabilities and risks from chemicals used in treatment, including potential for intentional contamination
- ERP: Response Procedures and Mitigation — Documentation of strategies and resources to improve resilience, and plans for responding to scenarios identified in the RRA
- ERP: Coordination and Communication — Procedures for notifying customers, coordinating with local emergency planning committees (LEPCs), state primacy agencies, and law enforcement, and for conducting exercises to test the ERP
The ALIGN – AWIA Section 2013 Crosswalk
| ALIGN Phase | AWIA Section 2013 Requirement | How ALIGN Delivers |
|---|---|---|
| A — Assess Diagnose |
AWIA RRA: Natural Hazard and Malevolent Act Assessment; Infrastructure Resilience Assessment; Financial and Chemical Risk Assessment | Comprehensive risk and resilience assessment across physical, cyber, chemical, operational, and financial infrastructure meets all AWIA RRA content requirements while adding decision architecture analysis, evaluating how the water system's operational leadership and inter-agency coordination would actually function under the highest-priority RRA scenarios. |
| L — Link Coordinate |
ERP Coordination Requirements; LEPC and State Primacy Agency Notification; Law Enforcement and Emergency Management Coordination; WaterISAC; ESF-3/ESF-10 | Mapping RRA-identified vulnerabilities to government emergency management resources and pre-established coordination frameworks applies ERP coordination requirements, connecting water system emergency plans to LEPC structures, state water primacy agencies, WaterISAC, and ESF-3 (Public Works) and ESF-10 (Oil and Hazardous Materials) coordination systems. |
| I — Integrate Build |
ERP: Response Procedures and Mitigation Strategies; RRA-Informed Countermeasures; Alternate Water Source Planning | Developing ERP response procedures and mitigation strategies driven directly by RRA vulnerability findings ensures that ERP response procedures address the specific vulnerabilities the RRA identified, not generic emergency response frameworks. Alternate water source options and restoration sequences are designed around the actual infrastructure vulnerability picture the RRA produced. |
| G — Generate Stress Test |
ERP Exercise Requirements; AWIA Certification Validation; HSEEP-Informed Scenario Design; RRA Worst-Case Scenario Exercises | Scenario-based exercises built from AWIA RRA highest-priority vulnerabilities apply AWIA's exercise requirement with HSEEP-informed discipline, using RRA worst-case scenarios as the exercise driver and ERP response objectives as the performance benchmark. Exercises test whether the ERP works under the conditions the RRA identified as most consequential. |
| N — Normalize Sustain |
AWIA Certification Cycle (5-year/10-year); RRA/ERP Update Requirements; Continuous Infrastructure Improvement | Maintaining RRA and ERP currency across AWIA certification cycles ensures that infrastructure changes, new vulnerabilities, updated government resource assumptions, and corrective actions from exercises are reflected in the next RRA submission and ERP update. |
Five Ways ALIGN Transforms AWIA Compliance into Water System Resilience
1. RRA Findings as ERP Design Drivers
AWIA requires the ERP to address vulnerabilities identified in the RRA. ALIGN enforces this connection by structuring the ERP around the RRA's highest-priority findings, ensuring that response procedures, resource acquisition priorities, and alternate water source options are built around the specific vulnerabilities the RRA identified. The two deliverables become one integrated program.
2. Decision Architecture for Utility Emergency Operations
AWIA RRA and ERP requirements address infrastructure and response procedures. ALIGN addresses how the water system's operational leadership would actually direct response operations during a contamination event, cyber attack, or extended infrastructure failure, mapping decision authority and notification chains before the scenario tests them.
3. Government Emergency Management Integration
Water system restoration is not a utility-only operation. ESF-3, ESF-10, state emergency management, and local emergency planning committees all have roles that affect how water systems should sequence their response. ALIGN's Link phase builds these relationships into the ERP rather than treating government coordination as a notification-only obligation.
4. Cyber-Physical Risk Integration
AWIA RRA requirements explicitly address cybersecurity vulnerabilities alongside physical infrastructure risks. ALIGN integrates both into a single resilience program, ensuring that cyber incident response procedures connect to physical operations continuity planning, and that exercises test the intersection of cyber intrusion and operational disruption.
5. Certification Cycle Continuity
ALIGN's Normalize phase maintains program continuity across certification cycles, ensuring that each new RRA reflects documented improvements from the previous cycle rather than treating each certification as an independent compliance event.
Conclusion
AWIA Section 2013 establishes the most comprehensive federal risk assessment and emergency planning requirement in the water sector. For water systems that treat RRA and ERP as two separate compliance deliverables, the certification requirement produces two documents. For water systems that treat them as one integrated resilience program, it produces a system that functions when an emergency tests it.
ALIGN applies AWIA as the continuous resilience cycle the law was designed to support. The assessment drives the plan. The plan is tested against the assessment. The results improve the program. And the certification reflects actual operational capability, not just documented compliance.
Sentinel Resilience Partners supports community water systems through AWIA Section 2013 Risk and Resilience Assessment facilitation, Emergency Response Plan development, LEPC coordination support, and HSEEP-aligned exercise programs. ALIGN engagements are structured at four tiers: Audit, Build, Validate, and Sustain.