Small System Risk and Resilience Assessment Checklist

On this page:

A risk and resilience assessment (RRA) helps water and wastewater utilities systematically assess threats from malevolent acts and natural hazards that could threaten water or wastewater service. This guidance is intended for small water or wastewater systems serving fewer than 50,000 people. For larger water or wastewater systems, EPA recommends the Vulnerability Self-Assessment Tool (VSAT) Web 3.0 or an alternate risk assessment method.

EPA has two versions of this guidance available, one for drinking water utilities and one for wastewater utilities. Please select the appropriate type of checklist for your utility below. 

Small System Risk and Resilience Assessment Checklist for Drinking Water Utilities

This checklist will assist community water systems (CWSs) serving over 3,300 people with developing an RRA in accordance with Safe Drinking Water Act section 1433/America’s Water Infrastructure Act (AWIA) section 2013. CWSs serving 3,300 or fewer people and non-CWSs are not required to conduct RRAs under SDWA section 1433. EPA recommends, however, that these water systems voluntarily use this or other guidance to learn how to conduct RRAs and address threats from malevolent acts and natural hazards they may face. 

SDWA section 1433 requires CWSs serving over 3,300 people to submit only a certification of completion of an RRA and an ERP; therefore, do not submit the RRA and ERP documents to U.S. EPA. Once your RRA is complete, please visit EPA's How to Certify Your RRA or ERP webpage for information on how to certify. 

July 2024 Updates to the Small System RRA Checklist for Drinking Water Utilities

EPA originally published the Small System RRA Checklist for Drinking Water Utilities in May 2020. This document was updated in July 2024 to incorporate updates to version 3.0 of EPA’s Baseline Information on Malevolent Acts Relevant to Community Water Systems and to assist CWSs with reviewing and, as needed, revising their RRAs in anticipation of the upcoming certification deadlines. Here is a summary of the updates made to the July 2024 version:

  • “Cyberattack on Process Control Systems” and “Cyberattack on Business Enterprise Systems”, which were presented as separate malevolent acts in the original version, have been combined into a single threat, “Cyberattack”.
  • “Accidental Contamination” of source and finished water, which were presented as malevolent acts in the original version, have been eliminated (intentional contamination threats were retained).
  • The definition of “Electronic, Computer, or Other Automated Systems” has been updated to align with terminology commonly used in the cybersecurity field.
  • Added Table 11: Checklist of Priority Cybersecurity Practices for Water Systems to provide a method to evaluate cybersecurity at a CWS using CISA’s Cross-Sector Cybersecurity Performance Goals.

Both a PDF and a Microsoft Word version of the checklist are available for download depending on your preference:

Small System Risk and Resilience Assessment Checklist for Wastewater Utilities

This checklist will assist wastewater utilities with developing an RRA. Wastewater systems are not required to conduct RRAs under SDWA section 1433. EPA recommends, however, that wastewater systems voluntarily use this or other guidance to learn how to conduct RRAs and address threats from malevolent acts and natural hazards they may face. 

Both a PDF and a Microsoft Word version of the checklist are available for download depending on your preference:

How to Use the RRA Checklist

A recording of a past EPA workshop on RRAs, which includes a demonstration of how to use the RRA checklist, can be found below.

Water Resilience

Contact Us about Water Resilience
Contact Us to ask a question, provide feedback, or report a problem.
Last updated on July 30, 2024