Cyber on Tap, Part Two: New York's Water Cybersecurity Regulation Is Now in Force
By Patrick Miller
New York's Appendix 5-E cybersecurity regulation for public water systems took effect March 11, 2026. Governor Hochul's office has described it as the first mandatory, enforceable water cybersecurity framework in the country, a claim that deserves a footnote. New Jersey's Board of Public Utilities established cybersecurity program requirements for jurisdictional water and wastewater utilities in 2016, and the state's Water Quality Accountability Act extended those requirements more broadly in 2017, with further amendments in 2021. What distinguishes New York's rule is its structure: a single, purpose-built regulatory instrument covering all community water systems above the population threshold, with a unified compliance framework from adoption. The policy lineage matters for understanding where the sector is heading.
Overview
In July 2025, Ampyx Cyber published an analysis of New York's proposed cybersecurity regulation for drinking water and wastewater systems, covering the structure of the draft rule, the tiered requirements, the cost implications, and the historical context set by the EPA's short-lived and subsequently withdrawn federal mandate. At that point, the public comment period was open and the compliance clock had not started. That has changed.
On March 11, 2026, Governor Hochul announced the formal adoption of Appendix 5-E to 10 NYCRR Part 5, Subpart 5-1, the cybersecurity requirements for public water systems. Two provisions took effect immediately: cybersecurity incident reporting and certified operator training. All other requirements have a compliance deadline of January 1, 2027. For covered systems, the work of getting compliant is not a future planning exercise. It starts now.
This post does not relitigate the July 2025 analysis. It builds on it, focusing on what the final rule actually requires, what it means for the specific operators it covers, and what the state has made available to support implementation. It closes with a broader question: if the federal government is retreating from sector-specific cybersecurity regulation, what happens when states start filling the void?
Who Is In Scope?
Appendix 5-E applies to all community water systems in New York that serve more than 3,300 people. There are 318 publicly owned systems that meet that threshold. Of those, 37 serve populations above 50,000 and are subject to enhanced requirements, including a designated cybersecurity individual, mandatory network logging, and a five-year program certification cycle.
The regulation covers both drinking water systems (under Department of Health; DOH) and wastewater systems (under Department of Environmental Conservation; DEC), with parallel rules issued simultaneously. The analysis here focuses on the DOH drinking water side, which has the most developed implementation support, but the structural requirements across both tracks are closely aligned.
The scope is intentionally defined around connected systems. A covered water system that operates with no physical or logical connections between its OT and any IT or external networks can apply for an exclusion from most of the regulation's requirements under Section 5-E.2. That exclusion does not apply to training or incident reporting. The exclusion pathway is discussed in more detail below.
What Is Required: Tiered by System Size
The regulation creates a two-tier structure. The foundation applies to all covered systems (3,300+). The enhanced layer applies to the largest systems (50,000+). The table below maps the requirements across both tiers.
| Requirement | Systems Serving 3,300+ | Additional: 50,000+ |
|---|---|---|
| Annual CVA (Cybersecurity Vulnerability Analysis) | Required; reviewed annually, submitted with Emergency Response Plan every 5 years | Must be approved by the designated individual |
| Cybersecurity program | Required; based on CVA findings | Designated individual must certify program compliance every 5 years |
| MFA for OT remote access | Required; written compensating controls permitted when technically infeasible | Compensating controls must be documented by the designated individual |
| Unique OT credentials / separated accounts | Required; compensating controls permitted when OT cannot support unique credentials | Written documentation required for any compensating controls |
| Default password prohibition | Required; compensating controls required for devices incapable of change | Same |
| Cyber asset inventory | Required; covers OT reachable by management/control/comms protocol and IT connected to OT | Same |
| Incident response plan | Required; written plan addressing response and recovery | Same |
| Incident reporting to DOH | 24 hours (effective immediately upon adoption) | Same |
| Vulnerability reporting to DOH | 48 hours from identification | Same |
| Network logging and monitoring | Not required | Required; exception for unidirectional data-flow OT devices only |
| Designated cybersecurity individual | Not required | Required; demonstrable cybersecurity knowledge and experience; annual confidential written report to governing body |
| Operator training | 1 hour every 3 years; effective immediately; no exclusions apply | Same |
The CVA: Annual Review, Not Annual Submission
The cybersecurity vulnerability analysis is the foundation of the compliance program. It must be reviewed and updated annually, and it must be updated within 30 days of any major infrastructure change. However, the CVA is not submitted to DOH annually. It is submitted every five years as part of the Water Supply Emergency Response Plan, or upon major infrastructure change. DOH can request it at any time, and it must be available on short notice. This distinction matters for planning: the annual effort is internal, but the document must be substantive enough to survive external scrutiny on demand.
The CVA must assess risks to all IT and OT assets that could affect the system's ability to comply with Subpart 5-1, based on both the likelihood of exploitation and the operational consequences if a vulnerability is successfully exploited. It must identify remediation actions and must be approved by an authorized representative. For 50,000+ systems, that approval must come from the designated individual.
The Cybersecurity Program: Function Over Format
The program requirement in Section 5-E.6 is not a documentation exercise. The regulation specifies the functional outcomes the program must produce: identity and access management, asset inventory, defensive architecture, incident detection and response, and recovery. DOH has published a program template that maps to these requirements, but the template is a starting point, not a ceiling. Systems are expected to tailor it to their size, complexity, and operational structure.
The access control requirements deserve particular attention. MFA is mandatory for any individual accessing OT from an external network. OT and IT user accounts must be separated. Each user must have unique credentials for OT access whenever the technology can support it. Remote access to OT must be disabled unless operationally necessary, and access must be limited to the minimum functionality required to monitor or operate the system. Default passwords are prohibited. These are not aspirational recommendations. They are regulatory requirements with documented compensating control provisions for situations where specific controls are technically infeasible.
The Exclusion: Real, but Rigorous
Systems that can demonstrate full OT isolation, meaning no physical or logical connections between OT and any IT or external network, can apply to exclude themselves from most of the program requirements. True air gaps are extremely rare, and the exclusion does not eliminate training or incident reporting obligations.
The exclusion request form requires documented verification of physical isolation (verified by walkthrough), logical isolation (verified by network discovery scan), and external network isolation. It also requires information from the OEM on whether remote diagnostics are possible. The process is designed to force actual verification rather than assumed isolation. Many systems that believe they are air-gapped will discover during this process that a vendor connection, a cellular telemetry device, or a billing integration creates a path they had not fully traced. That discovery is the point.
The Compliance Timeline
| Deadline | Requirement | Coverage |
|---|---|---|
| March 11, 2026 (Immediate) | Cybersecurity incident reporting to DOH within 24 hours (Section 5-E.9); operator cybersecurity training, 1 hour every 3 years (Section 5-E.7) | All covered water systems (3,300+). Training applies to all certified operators with no exclusion available. |
| January 1, 2027 | Full cybersecurity program; annual CVA; access controls; cyber asset inventory; incident response plan; vulnerability reporting within 48 hours; exclusion eligibility | All covered water systems (3,300+); enhanced requirements for systems serving 50,000+ |
Two requirements were effective immediately upon adoption on March 11, 2026. Any covered water system that experiences a cybersecurity incident must report it to DOH within 24 hours, and any certified drinking water operator must complete one hour of approved cybersecurity training within their three-year certification cycle. Neither of these obligations waits for the January 2027 deadline. Neither is subject to the exclusion provisions.
Everything else has a deadline of January 1, 2027: the full cybersecurity program, the CVA, the access controls, the asset inventory, the incident response plan, and the vulnerability reporting process. That is ten months from adoption. For a small water system that has never formally documented its OT access controls or conducted a structured CVA, that is a meaningful amount of work on a compressed timeline. For larger systems that have already implemented comparable controls, the effort may be more about documentation than remediation.
Non-compliance with the CVA and vulnerability reporting requirements is treated as a significant deficiency under Subpart 5-1. Significant deficiencies must be corrected within 120 days. DOH has stated that the initial enforcement posture will prioritize guidance and technical assistance over punitive action, but the regulatory mechanism for escalation is in place.
Resources Available to Covered Systems
New York has invested meaningfully in implementation support alongside the regulation, which distinguishes this approach from most sector cybersecurity mandates that have historically imposed requirements without corresponding resources.
| Resource | What It Is | Where to Find It |
|---|---|---|
| SECURE Grant Program | Up to $50,000 for cybersecurity assessments; up to $100,000 for implementation upgrades. Competitive grants administered by EFC. Applications open March 11, 2026. | efc.ny.gov/cybersecurity-hub |
| EFC Community Assistance Teams | No-cost one-on-one consultations for water and wastewater systems. Expert guidance on implementing cybersecurity best practices aligned with the new requirements. | Request via EFC Cybersecurity Hub |
| DOH CVA Checklist | 39-question checklist mapped to NIST CSF categories. Covers OT and IT separately. Practical starting point for most systems in the 3,300–50,000 range. | health.ny.gov — Cybersecurity for Public Water Systems page |
| Cybersecurity Program Template | DOH-published template covering identity and access management, required program documents, asset inventory, and required activities. Includes Appendix 5-E terms and definitions. | health.ny.gov — Cybersecurity for Public Water Systems page |
| Program Certification Template | Required for 50,000+ systems. Five-section form documenting program existence, deviations from required controls, CVA review status, identified vulnerabilities, and signed attestation. | health.ny.gov — Cybersecurity for Public Water Systems page |
| Exclusion Request Form | For systems claiming full OT isolation. Requires physical walkthrough documentation, network discovery scan results, and OEM remote access verification before submission. | Submit to TPP@health.ny.gov |
| DOH FAQ | Detailed Q&A covering regulatory scope, reporting procedures, CVA submission cadence, approved training sources, exclusion process, and enforcement approach. | health.ny.gov — Cybersecurity for Public Water Systems page |
| Incident Reporting Portal | Online form for reporting cybersecurity incidents to DOH, with option to notify multiple agencies simultaneously. Must be completed in a single session; cannot be saved and resumed. | cyber-reporting.ny.gov/cybersecurity-incident |
The SECURE grant program, funded at $2.5 million, is a competitive program. Not every applicant will receive funding. Systems should not defer compliance work pending a grant award. The grants are most useful as a supplement to a compliance effort already underway, particularly for capital investments like segmentation improvements or monitoring infrastructure.
For the smallest covered systems, the DOH CVA checklist is the most practical entry point. The 39-question format, mapped to NIST CSF categories, gives systems a structured way to document their current state and identify gaps. It is not a professional-grade threat assessment, and larger or more complex systems will likely need third-party support to conduct a CVA that withstands scrutiny. The 2017 DOH guidance on CVA options (still referenced in implementation materials) recognizes independent professional assessors with ISACA, ISC2, or SANS credentials as acceptable alternatives to the checklist for more complex environments.
What Happens When the Federal Government Steps Back
New York's action does not exist in a vacuum. To understand what it means beyond the state's borders, it helps to place it against two pieces of recent federal history.
In March 2023, the EPA attempted to require states to evaluate the cybersecurity of public water systems as part of their routine sanitary surveys. By October 2023, the agency had withdrawn the rule following legal challenges from several states and water utility associations who argued the EPA had exceeded its authority. The withdrawal left federal cybersecurity oversight of the water sector largely voluntary and fragmented, dependent on CISA guidance documents, EPA technical assistance programs, and the good intentions of individual systems.
Now layer on the Trump administration's National Cyber Strategy, released March 6, 2026, which Ampyx Cyber analyzed in detail earlier this month. Pillar Two of that strategy explicitly calls for reducing compliance burdens and streamlining sector-specific regulation. The language around costly checklists signals that the current administration views regulatory proliferation as a problem to be solved, not a baseline to build from. The strategy is a vision document, not an implementation plan, but the directional signal is clear: the federal government is not currently moving toward more comprehensive sector-specific cybersecurity requirements.
The result is a policy environment where states that want enforceable cybersecurity standards for their water systems must establish them independently. New York is the first to do it with a single, sector-wide rule. It will likely not be the last.
The Case for Other States Moving
Water infrastructure is locally governed. The vast majority of community water systems are operated by municipalities, water authorities, or small utilities that have no meaningful federal compliance relationship on cybersecurity. In the absence of a federal floor, a state government that takes its public health obligations seriously has a straightforward argument for acting: if we do not establish minimum standards, no one will.
New York's regulatory architecture is also a functional model. The tiered structure, differentiated by population served, is defensible on proportionality grounds. The technology-neutral approach, requiring documented outcomes rather than specific products, reduces the risk of rapid obsolescence. The accompanying grant program and technical assistance structure addresses the most common political objection from underfunded systems. Other states can adapt this model without starting from scratch, and at least one already has a decade of experience to draw on.
New Jersey is the clearest precedent. The New Jersey Board of Public Utilities established cybersecurity program requirements for jurisdictional water and wastewater utilities by Board Order in March 2016. The following year, the Water Quality Accountability Act extended similar requirements to all water utilities with more than 500 service connections and an internet-connected control system. After enforcement gaps emerged (some utilities argued they were not covered because their control system connected only to their enterprise network rather than directly to the internet), the WQAA was amended in 2021 to close those loopholes, require conformance with NIST CSF, CIS Controls, or ISO/IEC 27000, and mandate cybersecurity insurance. That is nearly a decade of iterative regulatory development, compliance friction, and legislative refinement before New York's Appendix 5-E was finalized. States looking to follow New York's lead do not need to theorize about what works. They can look at what New Jersey learned the hard way about scope definitions, enforcement gaps, and the difference between a requirement that covers jurisdictional utilities and one that covers the whole sector.
The Risk of Multiple State Frameworks
The same conditions that make state-level action understandable also create a structural risk. If 10 or 20 or 50 states develop independent cybersecurity frameworks for water systems, each with different scope thresholds, different technical requirements, different reporting timelines, and different enforcement mechanisms, the result is a compliance landscape that is administratively fragmented and technically inconsistent.
Multi-state water authorities, systems that operate across state lines, and the vendors and consultants who serve the sector will face the same problem that has emerged in other areas where state-level regulation has outpaced federal standards: each jurisdiction requires a separately maintained compliance program, and the marginal cost of each additional requirement falls disproportionately on the smallest and least-resourced operators. This would be exacerbated if the same approach is taken for infrastructures that typically span state lines such as electric, gas, and transportation.
This is not an argument against state action. In the current federal environment, state action is likely the only path to enforceable standards in the water sector. But it is an argument for states to coordinate on structure and definitions as they develop their own frameworks, and for industry associations to engage actively in that process rather than simply opposing each rule as it emerges. The question is not whether water systems should have mandatory cybersecurity requirements. That question is settled, at least in New York. The question is whether the country ends up with a coherent approach or a patchwork that imposes compliance costs without producing proportionate security outcomes.
The National Cyber Strategy's Pillar Four explicitly names water utilities alongside the electricity grid, financial systems, and hospitals as critical infrastructure that must be hardened. It calls for working with state, local, tribal, and territorial authorities as a complement to national efforts. If that language is backed by any substantive federal coordination mechanism, particularly around definitions, baseline standards, and information sharing, it could reduce the fragmentation risk. If it remains aspirational, states will continue building independently, and the patchwork will grow.
What Covered Systems Should Do Right Now
If your system serves more than 3,300 people in New York, the following is not a planning checklist. These are operational steps with regulatory timelines attached.
Confirm your incident reporting process is in place. The 24-hour reporting requirement is already in effect. Know what constitutes a reportable cybersecurity incident under Section 5-E.3(e), know who at your organization is responsible for making the determination and filing the report, and know where the reporting portal is (cyber-reporting.ny.gov/cybersecurity-incident). This is the one requirement that cannot wait for any deadline.
Verify your certified operators are tracking toward their training requirement. DOH has approved two training programs as of adoption: the Illinois State Water Survey's Basic Cybersecurity Measures course and the EPA's Cybersecurity 101, 102, and 103 series. Both are available online. One hour every three years is a low bar, but it is a bar, and it applies immediately.
Assess your CVA status. If your system has an existing Emergency Response Plan with a cybersecurity vulnerability component, review it against the Section 5-E.5 requirements. If you have not conducted a structured CVA, start now. The January 2027 deadline is less than a year away and the CVA is the foundation everything else is built on.
Evaluate the exclusion question honestly. If you believe your OT is fully isolated, work through the exclusion request form as a verification exercise before submitting it. Physical walkthrough, network discovery scan, OEM confirmation. You may confirm isolation, or you may discover a connection you did not know existed. Either outcome is useful.
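The logical-isolation part of that verification exercise, as an added example that is not part of the original post or of DOH's exclusion form: the exclusion section above and this action item both call for a network discovery scan, and the most common untraced paths it should surface are a default gateway on an HMI, a second NIC into a billing or enterprise LAN, and a cellular telemetry modem. The script below takes captures of `ip -o -4 addr` and `ip route` from each Linux-based OT host and reports every address, interface or route that leads off the declared OT address space. The OT prefixes, host names and capture contents are constructed for the example, and the out-of-band interface name patterns are a heuristic of mine, not a DOH criterion.

```python
"""Logical-isolation check for an OT segment (constructed example).

Reads captures of `ip -o -4 addr` and `ip route` from each OT host and
reports every address, interface or route that gives the host a path off
the declared OT address space. All sample data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed OT address space for the example; a real run uses the prefixes
# recorded in the system's cyber asset inventory.
OT_PREFIXES = [ipaddress.ip_network(p) for p in ("10.20.0.0/24", "10.20.1.0/24")]

# Interface names that usually mean an out-of-band link (cellular modem,
# PPP, USB tethering) rather than a wired OT NIC. Heuristic, not a DOH rule.
OOB_IFACE = re.compile(r"^(wwan|wwp|rmnet|ppp|usb)\d")

# "2: eth0    inet 10.20.0.15/24 brd ..." -> (iface, cidr)
ADDR_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "address", "interface" or "route"
    detail: str


def covered(net: ipaddress.IPv4Network) -> bool:
    """True when the prefix lies entirely inside the declared OT space."""
    return any(net.subnet_of(p) for p in OT_PREFIXES)


def check_addresses(host: str, addr_output: str) -> list[Finding]:
    """Flag out-of-band interfaces and addresses outside the OT space."""
    findings = []
    for line in addr_output.splitlines():
        m = ADDR_LINE.match(line.strip())
        if not m:
            continue
        iface, cidr = m.groups()
        if iface == "lo":
            continue
        if OOB_IFACE.match(iface):
            findings.append(Finding(host, "interface", f"{iface} looks like an out-of-band link"))
        ip = ipaddress.ip_interface(cidr).ip
        if not covered(ipaddress.ip_network(f"{ip}/32")):
            findings.append(Finding(host, "address", f"{iface} holds non-OT address {cidr}"))
    return findings


def check_routes(host: str, route_output: str) -> list[Finding]:
    """Flag any route whose destination is not entirely inside the OT space."""
    findings = []
    for line in route_output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        try:
            net = ipaddress.ip_network(dst, strict=False)   # bare IP -> /32
        except ValueError:
            continue  # "unreachable"/"blackhole" entries are not paths
        if covered(net):
            continue
        via = tokens[tokens.index("via") + 1] if "via" in tokens else "on-link"
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else "?"
        findings.append(Finding(host, "route", f"{dst} via {via} dev {dev}"))
    return findings


def isolation_report(captures: dict[str, dict[str, str]]) -> dict[str, list[Finding]]:
    """Per-host findings; an empty list means no path off the OT space was seen."""
    return {host: check_addresses(host, c["addr"]) + check_routes(host, c["route"])
            for host, c in captures.items()}


def segment_is_isolated(captures: dict[str, dict[str, str]]) -> bool:
    return not any(isolation_report(captures).values())


# Constructed captures: a clean PLC, an HMI with a default gateway, an RTU
# with a cellular modem, and a dual-homed host on the billing LAN.
SAMPLE_CAPTURES = {
    "plc-01": {
        "addr": "1: lo    inet 127.0.0.1/8 scope host lo\n"
                "2: eth0    inet 10.20.0.15/24 scope global eth0\n",
        "route": "10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.15\n"},
    "hmi-02": {
        "addr": "2: eth0    inet 10.20.0.40/24 scope global eth0\n",
        "route": "default via 10.20.0.1 dev eth0\n"
                 "10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.40\n"},
    "rtu-07": {
        "addr": "2: eth0    inet 10.20.1.7/24 scope global eth0\n"
                "5: wwan0    inet 100.64.12.7/30 scope global wwan0\n",
        "route": "10.20.1.0/24 dev eth0 proto kernel scope link src 10.20.1.7\n"
                 "100.64.12.4/30 dev wwan0 proto kernel scope link src 100.64.12.7\n"
                 "0.0.0.0/0 via 100.64.12.5 dev wwan0 metric 700\n"},
    "historian-bridge": {
        "addr": "2: eth0    inet 10.20.0.50/24 scope global eth0\n"
                "3: eth1    inet 192.168.50.9/24 scope global eth1\n",
        "route": "10.20.0.0/24 dev eth0 proto kernel scope link src 10.20.0.50\n"
                 "192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.9\n"},
}

if __name__ == "__main__":
    for host, findings in isolation_report(SAMPLE_CAPTURES).items():
        print(host, "ISOLATED" if not findings else "")
        for f in findings:
            print(f"  [{f.kind}] {f.detail}")
```

Run against these captures, only plc-01 comes back clean; the HMI's default route, the RTU's wwan0 interface and the bridge host's second NIC are the kinds of path the exclusion form exists to expose. A single finding means the exclusion is not available until that path is removed and the capture is retaken. Windows hosts (`route print`, `ipconfig`) and PLCs or RTUs that only expose a vendor web page need equivalent evidence gathered by hand, and a route-table review is a complement to the port scan, not a replacement for it.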
Apply for the SECURE grant if you qualify. Applications opened March 11, 2026. The program funds assessments (up to $50,000) and implementation upgrades (up to $100,000). Even if you are not awarded a grant, the application process forces a structured review of your current cybersecurity posture.
If you are a 50,000+ system, identify your designated individual now. This person needs demonstrable cybersecurity knowledge and practical experience in system protection or risk management. DOH does not define that qualification; the judgment is the system's to make, but it needs to be documentable. The designated individual's name and contact information must be included in your Water Supply Emergency Response Plan.
New York has built a compliance infrastructure around this regulation that is more complete than what most sector mandates provide at launch: a regulatory text, a published FAQ, a CVA checklist, a program template, a certification template, an exclusion process, a grant program, and no-cost technical assistance. The tools are available. The deadline is real. For covered systems, the remaining variable is execution.