SB1549 amends section 1433(g) of the Safe Drinking Water Act to expand eligible uses of Drinking Water Infrastructure Risk and Resilience grants to include participation in training programs and the purchase of training manuals and guidance relating to security and resilience, explicitly calling out protection from and response to cyberattacks. The bill also replaces the prior two-year eligibility window with a six-year window covering 2026 through 2031.
This change makes federal resilience grants an explicit funding source for workforce development, incident-response exercises, and curriculum materials aimed at water-sector cyber risks. For operators, state primacy agencies, and vendors, the bill creates non‑infrastructure funding pathways that could accelerate cyber training uptake across small and medium community water systems — but it does not itself appropriate funds or set standards for what constitutes acceptable training or outcomes.
At a Glance
What It Does
The bill revises the Risk and Resilience grant statute to authorize grant dollars for attendance at training programs and for buying training manuals and guidance focused on security and resilience, including measures to protect against and respond to cyberattacks. It also extends the statute’s eligible grant years from the previous short window to 2026–2031.
Who It Affects
Primary affected parties include community water systems (especially small and rural systems), state drinking-water primacy agencies that administer and pass through grants, the EPA Office of Water which issues program guidance, and private training vendors and consultants that provide cyber‑security curricula and incident-response training.
Why It Matters
The amendment reframes Risk and Resilience grants so federal dollars can underwrite human-capacity investments — operator skills, tabletop exercises, and playbooks — rather than only physical projects. That creates a pathway to scale basic cyber preparedness across the water sector, but implementation will hinge on EPA and states defining eligible activities, acceptable costs, and performance expectations.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB1549 makes two parallel changes to the Drinking Water Infrastructure Risk and Resilience Program: it lengthens the period during which grants may be awarded and it adds explicit authorization to use grant funds for training and training materials related to security and resilience. The training language is drafted to cover both preventive measures — "protecting community water systems from cyberattacks" — and reactive measures — "responding to cyberattacks" — and includes the purchase of manuals and guidance as an eligible cost.
Practically, the change means a state or system that applies for Risk and Resilience grant money can propose budgets for operator cyber awareness courses, SCADA/ICS security workshops, incident-response tabletop exercises, and buying standardized playbooks or training curricula. Because the bill authorizes purchase of manuals and guidance, procurements for curriculum and documented procedures are likely to be treated as allowable grant expenses, subject to whatever procurement and cost‑allowability rules apply to the grant program.The statute amends an existing SDWA provision (42 U.S.C. 300i–2(g)); it does not include appropriations language.
That means the amendment defines eligible uses and timing but does not itself provide money. Implementation will require EPA and state agencies to translate the statutory allowance into program guidance: defining eligible training types, allowable cost categories (tuition, travel, contractor fees, printed or digital materials), grant reporting requirements, and success metrics.
For small systems with limited IT staff, the new eligibility creates an opportunity to buy recurring training or subscription-based courses, but it also raises questions about how to ensure training quality, measure effectiveness, and avoid one-off or duplicative expenditures.Because the statute uses inclusive language — "including" — states and EPA will retain discretion to interpret the scope of security and resilience training. That flexibility is useful for tailoring programs to local need, but it also creates potential variability across states in what gets funded and how outcomes are reported.
Utilities, state program managers, and training vendors should prepare to document learning objectives, instructor qualifications, and follow-up or exercise plans when seeking grant reimbursement.
The Five Things You Need to Know
The bill amends 42 U.S.C. 300i–2(g) (the Drinking Water Infrastructure Risk and Resilience Program) to change eligible program language.
It replaces the prior grant-year window (previously listed as 2020 and 2021) with a new six-year window: 2026 through 2031.
The amendment inserts an explicit allowable use authorizing "participation in training programs, and the purchase of training manuals and guidance materials" related to security and resilience.
The statutory text specifically calls out training for both "protecting community water systems from cyberattacks" and "responding to cyberattacks," making preparedness and incident response eligible activities.
The bill does not appropriate funds or specify grant amounts, timing of appropriations, or detailed performance standards — it changes eligibility and timing but leaves funding and implementation mechanics to appropriations and agency guidance.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title — Water Cybersecurity Enhancement Act of 2025
A one-line provision that supplies the act’s short title. This is standard drafting: it does not affect substance but is how the amendment will be cited in reports and guidance.
Extend the grant eligibility window to 2026–2031
The bill replaces the dates previously listed in paragraph (1) and paragraph (6) with a six‑year coverage period, "2026 through 2031." That creates a statutory window during which Risk and Resilience grants can be awarded for the enumerated eligible activities. The longer window enables multi‑year training programs and phased preparedness efforts, but actual award timing and size remain subject to annual appropriations and EPA/state grant administration rules.
Authorize grant-funded training and purchase of manuals and guidance on cyber security and response
The bill removes the existing subparagraph (F) and replaces it with language that expressly permits grant funds to cover participation in training and the purchase of training manuals and guidance materials related to security and resilience. The text goes further than generic "security" language by specifying both preventive and reactive cyber activities. Mechanically, this makes costs like tuition, vendor‑led workshops, exercise facilitation, and curriculum procurement plausibly allowable under the program—subject to federalauthority on allowable costs and state pass-through rules. The provision’s use of "including" suggests the list is illustrative, so EPA and states will decide the boundaries of eligible training.
This bill is one of many.
Codify tracks hundreds of bills on Infrastructure across all five countries.
Explore Infrastructure in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Small and rural community water systems — gain a federal funding path to pay for operator cyber awareness, SCADA/ICS security training, tabletop exercises, and playbooks that otherwise might be unaffordable.
- State drinking-water primacy agencies — receive statutory authority to pass through grant dollars for statewide training initiatives and to coordinate multi-system exercises that build regional incident-response capability.
- Water-system operators and technicians — get expanded access to structured, grant-funded professional development focused on cyber risks and response procedures, improving on-the-ground preparedness.
- Cybersecurity training vendors and consultants — see a new addressable market for curricula, manuals, exercise facilitation, and subscription training products tailored to water systems.
- Regional mutual-aid networks and emergency managers — can use grant-eligible training to align utility response plans with local emergency-response and public-health procedures.
Who Bears the Cost
- EPA and state program offices — must update guidance, develop eligibility criteria, and oversee grant compliance for a broader set of activities without this bill providing accompanying appropriations for administrative scaling.
- Local utilities (especially small systems) — will need to allocate staff time for training and documentation, and may bear upfront costs or administrative burdens in preparing grant applications and post-award reporting.
- Congress and federal taxpayers — if Congress chooses to fund grants in the extended window, appropriations will determine the program’s reach; absent new appropriations the statutory change alone does not spend money.
- Grant reviewers and auditors — will face added complexity assessing training quality and ensuring that purchased materials and exercises produce measurable resilience improvements rather than one‑off workshops with poor follow‑through.
Key Issues
The Core Tension
The bill balances two legitimate objectives—rapidly scaling cyber preparedness across hundreds of small water systems through flexible grant eligibility, and ensuring that federal dollars produce durable, measurable improvements—without prescribing how to reconcile them. Grant flexibility speeds access to training but risks funding low-value or one-off activities; stricter standards would improve accountability but could slow help to utilities that urgently need basic cyber skills.
The bill’s core change is permissive: it expands what grant funds may pay for but does not attach performance metrics, certification standards, or dedicated funding. That creates two implementation challenges.
First, without minimum standards or EPA-issued definitions, states may have wide latitude in approving training that varies in quality and effectiveness. Second, because the bill does not appropriate money, the statute creates an entitlement of eligibility rather than a guaranteed funding stream; program impact will depend on future appropriations and state prioritization.
There is also a trade-off between short-term capacity building and long-term capability. Grant-funded workshops and manuals can quickly raise awareness, but cybersecurity improvements often require sustained investments in personnel, monitoring, and technical controls.
The statute makes procurement of materials eligible, but it leaves unresolved whether recurring subscription services, vendor-hosted labs, or systems integration work that accompanies training are covered. Finally, the broad "including" language gives flexibility but increases the risk of inconsistent implementation across states and potential overlap with other federal cybersecurity resources (e.g., CISA programs), raising coordination and duplication concerns that EPA and states will need to manage.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.