The bill amends Section 1433(g) of the Safe Drinking Water Act to expand the Drinking Water Infrastructure Risk and Resilience Program’s allowable uses to include participation in training programs and the purchase of training manuals and guidance materials that relate to protecting community water systems from cyberattacks and responding to them. It also replaces the previous eligible grant years (2020–2021) with a new multi-year window covering 2026 through 2031.
This is a narrowly scoped statutory change: it authorizes federal grant support specifically for training and materials tied to cyber security and incident response for community water systems, and it extends the period during which such grants can be awarded. The provision signals a federal emphasis on workforce and operational readiness in the water sector, while leaving decisions about funding levels, program administration, and whether to fund capital cybersecurity upgrades to existing EPA grant procedures and appropriations processes.
At a Glance
What It Does
The bill amends the SDWA’s grant language to permit spending on cybersecurity-related training and on training manuals and guidance under the Drinking Water Infrastructure Risk and Resilience Program, and it changes the program’s eligible grant years from 2020–2021 to 2026–2031.
Who It Affects
Community water systems and the entities that support them (state primacy agencies, utilities, and third-party trainers) are the immediate targets for the new allowable grant activities. EPA and state program administrators will implement and oversee grant awards under existing program rules.
Why It Matters
By codifying cyber training as an eligible use of resilience grants, the bill directs federal resilience funding toward workforce capacity and incident-response preparedness in the water sector—a priority as operational-technology attacks grow. However, it does not explicitly authorize funding for hardware or capital cybersecurity upgrades, which keeps the focus on people and processes rather than immediate infrastructure replacement.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The Water Cybersecurity Enhancement Act of 2025 makes two modest but consequential changes to the Safe Drinking Water Act’s risk-and-resilience grant language. First, it swaps the program’s one-time grant window (previously identified as 2020 and 2021) for a multi-year authorization covering 2026 through 2031.
Second, it inserts explicit statutory authority to use those grants for participation in training programs and the purchase of training manuals and guidance tied to security and resilience, and it names cyberattacks—both protection and response—as example topics.
Those changes attach directly to the Drinking Water Infrastructure Risk and Resilience Program. Practically, that means eligible grant recipients under the program can propose training courses, tabletop exercises, curricula, and printed or digital guidance materials that teach water-system employees how to harden systems, detect intrusions, and respond to cyber incidents.
The bill’s text focuses on “community water systems,” so the intended beneficiaries are the local utilities that deliver drinking water and their workforces.Notably, the amendment narrows the allowable uses to training and materials; it does not expand or change the law to authorize grants for purchasing cybersecurity hardware, replacing control-system components, or funding long-term managed security services. Implementation will therefore depend on EPA’s existing rules and the availability of appropriations for the program.
That creates a standard two-step: Congress must appropriate funds, and EPA (likely working with state primacy agencies) must set application, selection, and reporting requirements for any training awards.Operationally, the provision raises implementation questions that EPA and states will need to resolve: how to define eligible training, how to vet vendors and curricula (including proprietary versus open-source materials), how to handle sensitive cyber-incident information, and how to measure training outcomes against actual increases in resilience. The law creates authority for capacity building but leaves the hard choices—funding levels, oversight, evaluation, and coordination with other federal cybersecurity programs—to the administering agencies.
The Five Things You Need to Know
The bill amends Safe Drinking Water Act section 1433(g) to expand allowable grant uses to include training programs and the purchase of training manuals and guidance for security and resilience.
It explicitly identifies protecting community water systems from cyberattacks and responding to cyberattacks as authorized training topics.
The legislation replaces the limited grant window “2020 and 2021” with a new authorization covering 2026 through 2031.
The statutory change focuses on workforce development and educational materials; it does not authorize capital equipment purchases or direct funding for control‑system replacements.
Grants operate under the existing Drinking Water Infrastructure Risk and Resilience Program framework, so award procedures, eligibility specifics, and funding remain subject to EPA rules and congressional appropriations.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
This single-line provision sets the bill’s name: the “Water Cybersecurity Enhancement Act of 2025.” It has no substantive effect on program administration but indicates the sponsor’s policy focus for interpretation and outreach.
Extends grant eligibility years
The bill replaces the previous date language in paragraph (1) that limited grants to 2020 and 2021 with a new multi-year range, 2026 through 2031. That change re-opens the statutory window for awarding competitive or formula grants under this subsection over a six-year span. Practically, reauthorizing the period is necessary before EPA can obligate funds specifically under this language if agency guidance or appropriations reference the statutory eligibility period.
Adds training and materials for cybersecurity to allowable uses
This is the operative change: the bill replaces an existing subparagraph with one that lists 'participation in training programs, and the purchase of training manuals and guidance materials, relating to security and resilience' and then clarifies that those materials include measures for protecting community water systems from cyberattacks and for responding to cyberattacks. The provision narrows the new authority to training and guidance rather than opening the door to a broad suite of resilience investments. The plain wording will require EPA and grant applicants to define eligible training activities, allowable costs, and documentation requirements for audit and reporting purposes.
Aligns other cross-references to the new date range
The bill changes the date reference in paragraph (6) to match the new 2026–2031 time frame. This is a technical but important alignment so other program triggers or deadlines that reference paragraph (6) operate consistently across the statute. In practice, agencies will need to check internal program language and guidance to ensure administrative schedules and reporting cycles sync with the amended statutory window.
This bill is one of many.
Codify tracks hundreds of bills on Infrastructure across all five countries.
Explore Infrastructure in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Small and medium community water systems — gain federal support to train operators and managers on cyber risk recognition and incident response without having to redirect funds from other operational needs.
- Water-sector workforce and operators — receive access to standardized training, manuals, and guidance that can elevate baseline cybersecurity competencies across utilities with limited in-house expertise.
- Third-party training providers and NGOs — stand to win more contracts and grant-funded engagements to develop curricula, run exercises, and produce guidance materials tailored to water systems.
- State primacy agencies and technical-assistance programs — can use grant-backed training to raise statewide resilience and reduce the burden on state incident-response resources during a cyber event.
Who Bears the Cost
- EPA and state program administrators — inherit expanded oversight responsibilities to review training proposals, vet vendors, and monitor outcomes; agencies may need additional staff or funding to manage these tasks.
- Congressional appropriators and taxpayers — the bill authorizes grant authority but does not appropriate funds; any new training awards require appropriations, which will be an additional budgetary decision.
- Community water systems (time and matching costs) — while training costs may be covered by grants, systems must still allocate staff time to participate; some applicants may face administrative costs to apply or to meet reporting requirements.
- Private vendors delivering training — must meet vetting and performance expectations set by EPA and grantees, and may face competition and pricing pressure as the program attracts multiple providers.
Key Issues
The Core Tension
The bill confronts a core trade-off: invest quickly in people by funding training and guidance (which is relatively fast and scalable) or expand programs to finance capital upgrades and sustained operational security (which is costlier and slower). Strengthening human capacity reduces near-term risk, but without parallel funding for technical fixes and ongoing monitoring, training can only go so far in reducing systemic cyber vulnerability.
The amendment creates useful legal authority to fund cyber-focused training, but it leaves several implementation decisions unresolved. The statute authorizes training and materials but is silent on whether certain related expenses—like travel, instructor fees, or subscription access to proprietary simulation platforms—are eligible.
EPA will need to supply implementing guidance that balances flexibility for grantees with safeguards against funding inappropriate or duplicative purchases.
Another open question is coordination. Water utilities already intersect with federal cybersecurity programs (for example, CISA, EPA’s own guidance, and state cyber initiatives).
The bill does not mandate coordination protocols or data‑sharing rules, nor does it address handling of sensitive incident information that might arise during exercises. Those gaps raise operational and legal questions about liability, information protection, and duplication of effort.
Finally, the bill prioritizes training while not authorizing capital investments for control-system upgrades; that creates a policy mismatch when training identifies hardware or software vulnerabilities that require funding beyond what training grants cover.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.