Senate Bill 1118 directs the Environmental Protection Agency to develop and run a program that increases participation of drinking water systems and treatment works in the Water Information Sharing and Analysis Center (Water ISAC). The program must both encourage membership and offset costs necessary to initiate or maintain membership, expand EPA cooperation with the Water ISAC on incident data collection and analysis, and strengthen the ISAC’s monitoring and preparedness tools for malicious attacks and natural hazards.
The bill gives the EPA one year after enactment to have the program in place and authorizes $10 million per year for fiscal years 2026 and 2027, available until expended. For utilities, public health officials, and security vendors, the measure creates a narrowly focused federal push to broaden sector situational awareness — but it leaves key questions about eligibility, the scope of “offset” payments, and long‑term funding unanswered.
At a Glance
What It Does
Requires EPA, within one year of enactment, to develop and carry out a program that increases participation of community water systems and treatment works in the Water ISAC, reimburses or offsets costs tied to membership, enhances EPA–ISAC data collection and analysis, and improves the ISAC’s monitoring and preparedness tools.
Who It Affects
Directly affects community water systems (as defined in the Safe Drinking Water Act), publicly owned treatment works (under the Clean Water Act), the Water ISAC itself, and state/local water and emergency management authorities that rely on sector threat intelligence.
Why It Matters
This is a targeted federal effort to expand threat‑information coverage across the water sector and to reduce financial barriers for utilities to access the Water ISAC. It signals a federal role in underwriting information‑sharing capacity but does not create a permanent funding stream or detailed program rules.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB1118 tasks the EPA with creating a program to grow and sustain water‑sector participation in the Water Information Sharing and Analysis Center. The bill ties the program specifically to community water systems (using the Safe Drinking Water Act definition) and to treatment works (using the Clean Water Act definition), so both drinking water and wastewater operators are in scope.
EPA must set the program up within one year of the law taking effect.
The program has four linked aims: encourage and maintain membership in the Water ISAC; reimburse or otherwise offset costs that systems incur to join or stay members; expand EPA’s coordination with the Water ISAC for incident data collection and threat analysis; and strengthen the ISAC’s tools and materials for monitoring sector status and improving preparedness for malevolent acts and natural hazards. The bill does not prescribe the administrative vehicle EPA must use — it leaves room for grants, cooperative agreements, contracts, or other mechanisms to deliver cost offsets and technical support.Funding is modest and time‑limited: the statute authorizes $10 million for each of FY2026 and FY2027, available until expended.
Practically, EPA will need to translate these broad tasks into eligibility rules, application and reimbursement processes, outreach to small and rural systems, and data‑sharing agreements with the Water ISAC. The measure explicitly references existing statutory definitions for key terms, anchoring its scope to current drinking water and wastewater law.Because the bill centers on incentivizing participation rather than mandating it, implementation will be an exercise in program design: defining what counts as a reimbursable cost, establishing who qualifies for assistance, coordinating with state primacy agencies and other federal partners, and setting metrics for whether expanded ISAC membership actually improves detection, response, and recovery outcomes for the sector.
The Five Things You Need to Know
EPA must develop and carry out the program not later than one year after the law’s enactment.
The program must offset costs that community water systems and treatment works incur that are necessary to initiate or maintain Water ISAC membership.
EPA must expand cooperation with the Water ISAC on incident data collection and threat analysis and enhance the ISAC’s monitoring, preparedness tools, and materials for malevolent acts and natural hazards.
Congress authorized $10,000,000 for each of fiscal years 2026 and 2027 to carry out the program; those funds are available until expended.
Key terms in scope are tied to existing statutes: ‘community water system’ (SDWA sec. 1401), ‘natural hazard’ (SDWA sec. 1433(h)), and ‘treatment works’ (CWA sec. 212).
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Establishes the Act’s name as the 'Water Intelligence, Security, and Cyber Threat Protection Act of 2025.' This is purely nominal but signals the bill’s twin focus on intelligence/information sharing and cyber/physical threat protection for water systems.
Definitions and statutory anchors
Defines the covered entities by reference to existing federal law: community water systems per the Safe Drinking Water Act, natural hazards per SDWA section 1433(h), and treatment works per the Clean Water Act. By anchoring to those definitions the bill inherits established regulatory boundaries — for example, which systems are 'community' systems — and narrows scope to public water and sewage infrastructure rather than broader private water services or industrial water users.
Program requirements: membership, cost offsets, coordination, and capacity
Directs EPA to develop and carry out a program, within one year, with four objectives: (1) encourage and support participation of community water systems and treatment works in the Water ISAC; (2) offset costs necessary to initiate or maintain Water ISAC membership; (3) expand EPA coordination with the Water ISAC on incident data collection and analysis; and (4) enhance the ISAC’s tools and materials for monitoring sector status and improving preparedness for malicious acts and natural hazards. The provision is programmatic rather than prescriptive: it sets outcomes but leaves EPA to design eligibility, payment mechanisms, data‑sharing agreements, and operational processes.
Authorized funding
Authorizes $10 million for each of fiscal years 2026 and 2027, with those funds available until expended to implement the program. The authorization is limited in duration and size, meaning EPA will likely need to prioritize short‑term outreach and lower‑cost interventions or seek additional appropriations for sustained support.
This bill is one of many.
Codify tracks hundreds of bills on Environment across all five countries.
Explore Environment in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Small and rural community water systems — the bill explicitly offsets membership costs, lowering a common financial barrier that keeps smaller systems from participating in sector information sharing and receiving timely threat indicators.
- Publicly owned treatment works — wastewater operators gain access to Water ISAC intelligence and enhanced EPA coordination, which can speed detection and response to contamination, cyber intrusions, or operational threats.
- Water Information Sharing and Analysis Center (Water ISAC) — stands to receive broader participation, improved incident feeds, and federal support to expand its monitoring and preparedness offerings.
- State and local public health and emergency management agencies — better sectorwide data and EPA–ISAC coordination can improve situational awareness and cross‑jurisdictional response planning.
- Cybersecurity and resilience service providers — increased demand for onboarding, training, and technical assistance as more utilities join the ISAC and seek to act on threat intelligence.
Who Bears the Cost
- Environmental Protection Agency — must design, administer, and staff the program within a one‑year deadline, create eligibility and reimbursement rules, and coordinate with the Water ISAC and other partners.
- Federal budget/taxpayers — the bill authorizes $20 million total over two years; funding decisions and appropriations execution will be borne by the federal budget process.
- Utilities — even with cost offsets, utilities will incur administrative burdens to apply, meet membership requirements, onboard staff to use ISAC resources, and produce incident data for sharing.
- Water ISAC — while the ISAC benefits from greater membership and some federal support, it may also face operational strain to absorb new members and expand analytics and monitoring functions.
- State primacy programs and local governments — may need to coordinate with EPA outreach and integration efforts, potentially diverting staff time to support participation or data standards.
Key Issues
The Core Tension
The central dilemma is between rapidly expanding centralized information sharing to improve sectorwide detection and response, and the practical costs and risks that such centralization imposes on small, locally managed utilities and on federal agencies. The bill tries to lower the financial barrier to participation, but it does not resolve who bears long‑term costs, how to protect sensitive incident data, or how to sustain the capability beyond a two‑year authorization.
The bill creates a focused, short‑term mechanism to broaden ISAC participation but leaves several implementation questions unresolved. 'Offset costs' is undefined: EPA will need to decide whether reimbursements cover membership fees only, associated IT and staffing costs, travel and training, or other indirect expenses. That choice will materially affect how many small systems can realistically join and sustain membership.
The statute’s one‑year deadline forces an upfront program design choice about simplicity versus precision: simple eligibility rules maximize speed but risk uneven targeting; detailed rules delay benefits to systems that need them now.
Data sharing and liability are another open area. Expanding incident data collection and EPA–ISAC coordination raises questions about who owns incident reports, how sensitive cybersecurity details are protected, and whether utilities face legal exposure when sharing information.
The bill does not specify privacy protections, liability shields, or integration with existing DHS/CISA information‑sharing regimes, so EPA will need to negotiate agreements and possibly seek interagency alignment. Finally, the funding is modest and temporary; absent a plan for sustained investment, short-term gains in participation could evaporate once appropriations lapse, leaving the sector with higher expectations but without ongoing federal support.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.