← Frameworks / AWIA / Control Mappings

America's Water Infrastructure Act Section 2013

Federal law requiring community water systems serving more than 3,300 people to conduct risk and resilience assessments and develop emergency response plans covering cybersecurity. Complemented by AWWA cybersecurity guidance covering governance, asset management, access control, network security, detection and monitoring, incident response, supply chain management, and workforce security. Overseen by EPA with 5-year reassessment cycles. Addresses unique water utility challenges including distributed infrastructure, small utility resource constraints, and treatment process safety.

Controls: 58

Total Mappings: 67

Publisher: U.S. Environmental Protection Agency (EPA) / AWWA Version: 2018

AWIA → SP 800-53 SP 800-53 → AWIA Coverage Analysis

AC (6) AT (3) AU (2) CA (1) CM (2) CP (3) IA (2) IR (6) PE (2) PL (2) PM (8) PS (4) RA (6) SA (2) SC (4) SI (1) SR (4)

AC Access Control

Control	Name	AWIA References
AC-02	Account Management	AWWA Sec 3
AC-03	Access Enforcement	AWWA Sec 3
AC-04	Information Flow Enforcement	AWWA Sec 4
AC-06	Least Privilege	AWWA Sec 3
AC-07	Unsuccessful Login Attempts	AWWA Sec 3
AC-17	Remote Access	AWWA Sec 3

AT Awareness and Training

Control	Name	AWIA References
AT-01	Security Awareness And Training Policy And Procedures	AWWA Sec 8
AT-02	Security Awareness	AWWA Sec 8
AT-03	Security Training	AWWA Sec 8

AU Audit and Accountability

Control	Name	AWIA References
AU-02	Auditable Events	AWWA Sec 5
AU-06	Audit Monitoring, Analysis, And Reporting	AWWA Sec 5

CA Security Assessment and Authorization

Control	Name	AWIA References
CA-07	Continuous Monitoring	AWWA Sec 4AWWA Sec 5

CM Configuration Management

Control	Name	AWIA References
CM-02	Baseline Configuration	AWWA Sec 2
CM-08	Information System Component Inventory	AWWA Sec 2

CP Contingency Planning

Control	Name	AWIA References
CP-01	Contingency Planning Policy And Procedures	Sec 2013(b)
CP-02	Contingency Plan	Sec 2013(b)
CP-04	Contingency Plan Testing And Exercises	Sec 2013(b)

IA Identification and Authentication

Control	Name	AWIA References
IA-02	User Identification And Authentication	AWWA Sec 3
IA-05	Authenticator Management	AWWA Sec 3

IR Incident Response

Control	Name	AWIA References
IR-01	Incident Response Policy And Procedures	Sec 2013(b)AWWA Sec 6
IR-02	Incident Response Training	Sec 2013(b)AWWA Sec 6
IR-04	Incident Handling	Sec 2013(b)AWWA Sec 6
IR-05	Incident Monitoring	AWWA Sec 5AWWA Sec 6
IR-06	Incident Reporting	AWWA Sec 6
IR-08	Incident Response Plan	Sec 2013(b)AWWA Sec 6

PE Physical and Environmental Protection

Control	Name	AWIA References
PE-02	Physical Access Authorizations	AWWA Sec 3
PE-03	Physical Access Control	AWWA Sec 3

PL Planning

Control	Name	AWIA References
PL-01	Security Planning Policy And Procedures	AWWA Sec 1
PL-02	System Security Plan	AWWA Sec 1

PM Program Management

Control	Name	AWIA References
PM-01	Information Security Program Plan	AWWA Sec 1
PM-02	Information Security Program Leadership Role	AWWA Sec 1
PM-03	Information Security and Privacy Resources	AWWA Sec 1
PM-05	System Inventory	AWWA Sec 2
PM-06	Measures of Performance	AWWA Sec 1
PM-09	Risk Management Strategy	Sec 2013(a)AWWA Sec 1
PM-11	Mission and Business Process Definition	Sec 2013(a)
PM-13	Security and Privacy Workforce	AWWA Sec 8

PS Personnel Security

Control	Name	AWIA References
PS-01	Personnel Security Policy And Procedures	AWWA Sec 8
PS-02	Position Categorization	AWWA Sec 8
PS-03	Personnel Screening	AWWA Sec 8
PS-06	Access Agreements	AWWA Sec 8

RA Risk Assessment

Control	Name	AWIA References
RA-01	Risk Assessment Policy And Procedures	Sec 2013(a)
RA-02	Security Categorization	Sec 2013(a)AWWA Sec 2
RA-03	Risk Assessment	Sec 2013(a)
RA-05	Vulnerability Scanning	Sec 2013(a)
RA-07	Risk Response	Sec 2013(a)
RA-09	Criticality Analysis	Sec 2013(a)

SA System and Services Acquisition

Control	Name	AWIA References
SA-04	Acquisitions	AWWA Sec 7
SA-09	External Information System Services	AWWA Sec 7

SC System and Communications Protection

Control	Name	AWIA References
SC-07	Boundary Protection	AWWA Sec 4
SC-32	System Partitioning	AWWA Sec 4
SC-46	Cross Domain Policy Enforcement	AWWA Sec 4
SC-48	Sensor Relocation	AWWA Sec 5

SI System and Information Integrity

Control	Name	AWIA References
SI-04	Information System Monitoring Tools And Techniques	AWWA Sec 4AWWA Sec 5

SR Supply Chain Risk Management

Control	Name	AWIA References
SR-01	Policy and Procedures	AWWA Sec 7
SR-02	Supply Chain Risk Management Plan	AWWA Sec 7
SR-03	Supply Chain Controls and Processes	AWWA Sec 7
SR-06	Supplier Assessments and Reviews	AWWA Sec 7