America's Water Infrastructure Act Section 2013 — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each AWIA requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution
Full (85-100%): 0
Substantial (65-84%): 10
Partial (40-64%): 0
Weak (1-39%): 0

Clause-by-Clause Analysis

AWWA Sec 1 Governance and Risk Management

Rationale

PM-01 information security program establishes the overarching cybersecurity governance structure for the water utility. PM-02 senior information security officer designates cybersecurity leadership responsibility equivalent to the utility's cybersecurity coordinator role. PM-03 information security resources addresses budget allocation and staffing for cybersecurity initiatives. PM-09 risk management strategy covers the strategic governance layer for risk-based decision making across IT and OT domains. PL-01 planning policy establishes the security planning framework. PL-02 system security and privacy plans provides the system-level security documentation requirements. PM-06 measures of performance addresses cybersecurity program effectiveness measurement and reporting to utility leadership.

Gaps

Water utility governance structures differ significantly from typical enterprise IT governance. Many water utilities are governed by elected boards, municipal councils, or special district commissions with limited cybersecurity expertise. Small utility resource constraints (utilities serving 3,300-10,000 people often have fewer than 10 total staff) make dedicated cybersecurity roles impractical. Integration with Safe Drinking Water Act compliance programs, state drinking water program requirements, and EPA oversight mechanisms is a sector-specific governance requirement. The AWWA guidance emphasizes risk management approaches scaled to utility size and resources, which is not addressed by SP 800-53's enterprise-focused governance model.

AWWA Sec 2 Asset Management

Rationale

CM-08 system component inventory provides the foundation for inventorying IT and OT assets including SCADA systems, ICS components, and network infrastructure. PM-05 system inventory addresses the organizational-level inventory of all information systems and their boundaries. RA-02 security categorization supports the classification of water system assets by criticality based on their role in treatment and distribution. CM-02 baseline configuration documents the approved hardware, software, and firmware configurations for water utility control systems and IT infrastructure.

Gaps

Water utility OT asset management involves specialized components not typically found in enterprise IT environments including programmable logic controllers (PLCs), remote terminal units (RTUs), chemical feed systems (chlorine analyzers, fluoride dosing equipment), flow meters, pressure transducers, level sensors, and SCADA telemetry infrastructure. Legacy systems are extremely common in the water sector with many utilities operating PLCs and RTUs that are 15-25 years old with no vendor support. The asset management challenge extends to distributed physical infrastructure (pump stations, elevated storage tanks, well houses, distribution valve vaults) connected via cellular modems, licensed radio, or leased lines that must be inventoried and secured.

AWWA Sec 3 Access Control

Rationale

AC-02 account management addresses the creation, modification, and removal of user accounts for SCADA, historian, and business systems. AC-03 access enforcement provides the logical access control mechanisms. AC-06 least privilege restricts users to the minimum access needed for their operational role. AC-07 unsuccessful logon attempts provides brute force protections for control system interfaces. AC-17 remote access covers the secure access requirements for remote monitoring and management of water system SCADA. IA-02 identification and authentication requires unique user identification for system access. IA-05 authenticator management addresses password and credential management. PE-02 physical access authorizations covers authorization for physical access to treatment plants, pump stations, and control rooms. PE-03 physical access control addresses locks, card readers, and other physical access mechanisms at water facilities.

Gaps

Water utility access control faces unique challenges not addressed by SP 800-53 including remote pump stations and well houses that may be unmanned and located in rural areas requiring both physical and electronic access controls with limited connectivity. Emergency access during water main breaks, treatment upsets, or natural disasters requires rapid operator access that may conflict with strict authentication requirements. Shared credentials on legacy SCADA systems (many older HMI workstations support only a single shared login) are common and difficult to remediate without full system replacement. Seasonal and part-time operators, common in small utilities, complicate personnel access management.

AWWA Sec 4 Network Security

Rationale

SC-07 boundary protection addresses network perimeter controls and segmentation between IT and OT networks at water utilities. SC-32 system partitioning supports the architectural separation of SCADA/ICS networks from business networks and the internet. AC-04 information flow enforcement controls data flows between network segments including OT-to-IT data transfers (historian data, SCADA alarms). SI-04 system monitoring provides network monitoring capabilities for detecting anomalous traffic. CA-07 continuous monitoring addresses the ongoing assessment of network security posture. SC-46 cross-domain policy enforcement supports the controlled exchange of data between different security domains within the water utility network.

Gaps

Water utility networks face unique challenges including highly distributed sites (pump stations, tanks, well houses) connected via cellular modems, licensed radio frequencies, or leased telephone lines with limited bandwidth insufficient for enterprise-grade security monitoring. SCADA communication protocols such as Modbus TCP/RTU, DNP3 (Distributed Network Protocol 3), and OPC UA lack native security features and require protocol-aware firewalls or gateways for protection. Small utility resource constraints limit the ability to deploy and maintain network segmentation, firewalls, and intrusion detection systems. Many water utilities share network infrastructure with municipal IT departments, complicating segmentation and security responsibility boundaries.

AWWA Sec 5 Detection and Monitoring

Rationale

AU-02 event logging defines the auditable events for water utility IT and OT systems. AU-06 audit record review, analysis, and reporting covers the review of security event logs from SCADA, historians, and network devices. SI-04 system monitoring provides the general framework for intrusion detection and anomaly monitoring. CA-07 continuous monitoring addresses the ongoing security assessment program. SC-48 sensor relocation supports adaptive positioning of monitoring sensors within the utility network. IR-05 incident monitoring tracks and documents security events for trend analysis and response coordination.

Gaps

Water process monitoring extends far beyond traditional IT security monitoring to include detection of chemical dosing anomalies (unexpected chlorine residual changes, pH deviations, fluoride concentration spikes), pressure and flow deviations that may indicate physical tampering or unauthorized access to distribution infrastructure, and treatment process parameter changes that could affect public health. EPA Water Security Division guidance recommends integration of process control monitoring with cybersecurity monitoring to detect attacks that manipulate physical processes. Limited SOC (Security Operations Center) capability in small and medium utilities means most water systems lack 24/7 monitoring capability and rely on SCADA alarm callout systems designed for process alarms rather than security events.

AWWA Sec 6 Incident Response

Rationale

IR-01 incident response policy establishes the cyber incident response governance framework for the water utility. IR-02 incident response training covers training for utility staff involved in detecting and responding to cyber incidents. IR-04 incident handling addresses the core detection, analysis, containment, eradication, and recovery phases of cyber incident response. IR-05 incident monitoring provides the tracking and documentation of cyber security incidents. IR-06 incident reporting covers the reporting of incidents to appropriate authorities. IR-08 incident response plan provides the lifecycle for developing, testing, and maintaining the cyber incident response plan.

Gaps

Water-specific incident response coordination requires engagement with WaterISAC (Water Information Sharing and Analysis Center) for threat intelligence and incident coordination, EPA for regulatory notification, and state drinking water agencies for public health impact assessment. Public health notification requirements under the Safe Drinking Water Act may be triggered by cyber incidents that affect treatment processes or water quality. Treatment process recovery procedures after a cyber incident (verifying chemical dosing rates, flushing contaminated water, restarting treatment processes in correct sequence) require specialized water treatment expertise beyond typical IT incident response. Coordination with public health departments for potential contamination events and issuing public advisories (boil water notices, do-not-use orders) are sector-specific incident response obligations.

AWWA Sec 7 Supply Chain and Vendor Management

Rationale

SR-01 supply chain risk management policy establishes the vendor risk management governance framework. SR-02 supply chain risk assessment addresses the identification and evaluation of risks from SCADA vendors, integrators, and service providers. SR-03 supply chain controls and processes covers the implementation of security requirements in procurement and vendor management. SA-04 acquisition process addresses security requirements in procurement specifications for water utility technology. SA-09 external system services covers the management of third-party services including cloud-based SCADA, remote monitoring services, and managed security providers. SR-06 supplier assessments and reviews supports the ongoing evaluation of vendor security practices.

Gaps

The water utility vendor landscape presents unique supply chain challenges not addressed by SP 800-53 including a small vendor ecosystem where a handful of SCADA/ICS vendors dominate the market (e.g., Xylem/Sensus, Hach, SUEZ/Veolia), creating concentration risk. Long-term vendor relationships spanning decades are common as water utilities maintain SCADA systems for 15-25 years with the same integrator. Municipal procurement requirements (competitive bidding, lowest responsible bidder rules) may conflict with security-driven vendor selection. Limited vendor security assessment capability in small utilities means most water systems accept vendor default configurations. System integrator access to SCADA systems during commissioning, maintenance, and troubleshooting creates persistent third-party access that is difficult to monitor.

AWWA Sec 8 Workforce Security

Rationale

AT-01 security awareness and training policy establishes the training governance framework. AT-02 security awareness training provides general cybersecurity awareness for all water utility staff. AT-03 role-based training addresses specialized training for SCADA operators, network administrators, and other personnel with privileged access to water control systems. PS-01 personnel security policy establishes the personnel security governance framework. PS-02 position risk designation supports the categorization of water utility positions based on access to critical systems and sensitive information. PS-03 personnel screening covers background checks and vetting for personnel with access to water system controls. PS-06 access agreements addresses the documentation of acceptable use and security responsibilities for water utility staff. PM-13 information security workforce addresses the development of a cybersecurity-capable workforce within the utility.

Gaps

Water utility workforce challenges include small staff sizes (many utilities have fewer than 10 employees total) where operators perform multiple functions including treatment, distribution, maintenance, and IT/SCADA administration with limited time for dedicated cybersecurity training. Cyber expertise is limited among water operators, whose primary training and certification are in water treatment and distribution operations, not information technology. Cross-functional operators who must manage both physical processes and digital systems create unique insider risk profiles. WaterISAC training resources and EPA cybersecurity guidance provide sector-specific training content not available through general security awareness programs. State certification requirements for water operators focus on treatment and distribution competency with emerging but limited cybersecurity components.

Sec 2013(a) Risk and Resilience Assessment

Rationale

RA-01 risk assessment policy establishes the governance foundation for conducting risk and resilience assessments. RA-02 security categorization supports the classification of water system assets by criticality and impact. RA-03 risk assessment provides the core methodology for identifying threats and vulnerabilities across physical, cyber, and operational domains. RA-05 vulnerability monitoring and scanning addresses the ongoing identification of system weaknesses. RA-07 risk response covers the development of risk treatment plans based on assessment findings. RA-09 criticality analysis supports the prioritization of water system components based on mission impact. PM-09 risk management strategy provides the overarching strategic framework for risk-based decisions. PM-11 mission/business process definition supports identification of critical water treatment and distribution functions.

Gaps

AWIA Section 2013(a) requires water utility-specific risk assessment covering treatment processes, distribution system integrity, source water protection, and chemical handling/storage safety that are not addressed by general-purpose SP 800-53 risk controls. EPA certification requirements mandate that utilities certify completion of assessments to the EPA Administrator within specific timelines. The mandatory 5-year reassessment cycle and the requirement to assess resilience of pipes and constructed conveyances, physical barriers, water collection/treatment/storage/distribution facilities, electronic/computer/automated systems, and the monitoring practices of the system are sector-specific obligations beyond SP 800-53 scope.

Sec 2013(b) Emergency Response Plan

Rationale

IR-01 incident response policy establishes the emergency response governance framework. IR-02 incident response training covers training requirements for personnel involved in cyber and physical emergency response. IR-04 incident handling addresses the detection, analysis, containment, eradication, and recovery phases of incident response. IR-08 incident response plan provides the plan development, testing, and update lifecycle. CP-01 contingency planning policy establishes the planning framework for service continuity during emergencies. CP-02 contingency plan addresses the development of plans for maintaining or restoring water service during disruptions. CP-04 contingency plan testing covers exercise and validation of emergency procedures.

Gaps

AWIA Section 2013(b) requires water-specific emergency response elements not addressed in SP 800-53 including boil water advisory procedures, alternative water supply arrangements (bottled water distribution, interconnections with neighboring utilities, mobile treatment units), and public notification protocols mandated under the Safe Drinking Water Act. EPA coordination requirements mandate that ERPs be certified to the EPA Administrator within 6 months of completing the risk assessment. State primacy agency notification procedures, coordination with local emergency planning committees (LEPCs), and integration with community-wide emergency response plans are sector-specific obligations. The ERP must address strategies and resources to improve resilience including physical security and cybersecurity of the water system.

Methodology and Disclaimer

This coverage analysis maps from AWIA clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.