In 2020, water utilities across the US were tasked with a critical two-part responsibility under the American Water Infrastructure Act (AWIA): conduct a Risk and Resilience Assessment (RRA) and create an Emergency Response Plan (ERP). Now, five years later, it’s time to revisit those efforts. And if your utility serves more than 3,300 people, this recertification isn’t optional it’s federally mandated.
For many utilities, particularly small to mid-sized systems, the original 2020–2021 certification process was no small task. Whether you managed the 2020 certification in-house or with consultant support, recertification offers a critical opportunity – not only to stay in compliance but to update your plans with new infrastructure, cybersecurity needs, and response strategies.
The AWIA requires utilities to evaluate risks to their water systems from malevolent acts, such as terrorism, and natural hazards, including floods, earthquakes, and severe weather events. These assessments and plans were first certified between 2020 and 2021, and now, five years later, utilities must review, update, and re-certify them to the U.S. Environmental Protection Agency (EPA).
Recertification isn’t simply a regulatory formality. It’s a critical process that ensures your utility’s risk management and emergency response strategies keep pace with evolving threats, changing infrastructure, and advances in technology. Since your initial certification, your system may have undergone significant changes: adding new treatment facilities, upgrading critical control systems, or expanding service areas. Additionally, cyber threats have grown increasingly sophisticated, requiring heightened attention.
This recertification process provides a valuable opportunity to reassess your vulnerabilities, strengthen your resilience, and confirm that your emergency response protocols remain practical and actionable for your current operations. It’s about safeguarding public health, maintaining regulatory compliance, and protecting your community’s trust in your water system.
By completing this process thoroughly now, you help avoid potential penalties and funding disruptions while ensuring your utility is prepared to respond effectively to any future emergencies.
To maintain compliance with the AWIA and avoid potential penalties or funding disruptions, your utility must update and certify two critical documents within federally mandated timelines: RRA and the ERP. Staying on top of these deadlines ensures your system remains prepared to face evolving risks while meeting EPA requirements.
Due: Based on population served – five years after your last certification.
Your RRA must be recertified within five years of your last certification. If you certified your RRA by the original deadline, the updated due dates based on population served are listed below. It’s important to verify your utility’s classification to avoid missing your specific deadline:
What to do:
Due: Within six months after RRA recertification.
What to do:
Both the RRA and ERP must be formally certified to the EPA, meaning you must notify the agency that your utility has completed these documents in accordance with AWIA requirements. This certification can be submitted through the EPA’s online portal, by email, or by mail, using the appropriate form: EPA Form 8170-1 for the Risk and Resilience Assessment and EPA Form 8170-2 for the Emergency Response Plan.
You are not required to submit the full RRA or ERP documents themselves, only the certification form. However, the EPA does reserve the right to request copies of your completed plans to confirm compliance. For that reason, it’s critical to maintain accurate, up-to-date documentation in case your utility is selected for review or audit.
It is important to note, these are not blanket deadlines. If your utility certified its RRA in April 2020, your next RRA is due in April 2025 – not June 2026. The five-year clock starts from the date of your previous certification.
While your 2020 RRA and ERP may provide a strong foundation, evolving threats, updated EPA guidance, and changes within your own system mean that a simple copy-and-paste update likely won’t cut it. Most utilities won’t need to start from scratch, but several factors may require a deeper and more deliberate update:
Failing to recertify your RRA and ERP isn’t just a compliance issue, it can have real financial and operational consequences. Under the Safe Drinking Water Act (SDWA) Section 1433, the EPA may exercise enforcement discretion against utilities that miss their certification deadlines. This includes the ability to bring an enforcement action and seek civil penalties not to exceed $69,733 per day of violation (adjusted annually for inflation), though any enforcement action would be considered on a case-by-case basis.
Beyond potential penalties, noncompliance could potentially jeopardize your utility’s eligibility for federal and state infrastructure funding, including through the Drinking Water State Revolving Fund (DWSRF). While no specific funding is designated for AWIA compliance, both the RRA and ERP often support or enable funding applications tied to system improvements.
Importantly, the EPA cannot extend deadlines under AWIA. Missing your scheduled recertification date automatically places your system out of compliance, regardless of circumstances.
Because recertification takes time – particularly when infrastructure, operations, or cybersecurity risks have evolved – beginning the process early is critical. Waiting too long puts your utility at risk of enforcement actions, funding ineligibility, and insufficient emergency preparedness.
Heather Schumacher, one of our water engineering experts, partners with a variety of utilities to efficiently develop comprehensive plans. Pairing her unique knowledge of hydraulics, digital data processing, and system planning experiences, Heather offers this advice:
If you’re unsure whether your 2020 plans still meet today’s standards, let’s talk. Our team is already supporting utilities across the country with 2026 recertifications – whether that means reviewing existing documentation, filling gaps in cybersecurity readiness, or managing the full update and certification process. We're ready to help you get a clear picture of what’s needed and make sure your system is ready well before the clock runs out.
Heather Schumacher is a staff engineer with SEH’s water team, specializing in water system modeling, planning, and risk management. She has extensive experience helping utilities comply with the American Water Infrastructure Act (AWIA), guiding clients through Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs) to keep systems resilient, compliant, and prepared for future challenges.