Municipal Cybersecurity for OT/SCADA: AWIA Section 2013 and CISA Alignment

By James Smith on May 15, 2026


Water utilities, wastewater systems, and municipal public works agencies operate industrial control systems that were never designed with cybersecurity in mind — and adversaries have noticed. Since 2021, documented cyberattacks on U.S. water sector OT/SCADA infrastructure have increased by over 300%, including the Oldsmar, Florida water treatment incident where an attacker attempted to alter chemical dosing levels remotely. AWIA Section 2013 and CISA's Cybersecurity Performance Goals now create a federal compliance framework for risk assessment and remediation — but most municipal operators lack the asset visibility and documented change management records that auditors require. OxMaint's CMMS and asset management platform provides the operational technology asset register, patch tracking, and documented maintenance records that support AWIA Section 2013 compliance and CISA alignment.



AWIA Section 2013 risk assessment, CISA Cybersecurity Performance Goals, OT asset registers, and CMMS-tracked patch records — the operational playbook for water sector compliance


EPA deadline: Water systems serving > 3,300 persons must certify AWIA Section 2013 risk assessment and emergency response plan to EPA — penalties up to $25,000/day for non-compliance

300%: Increase in water sector OT cyberattacks since 2021
72%: Water utilities with outdated OT asset inventories
$25K: Per-day EPA penalty for AWIA non-compliance
What This Guide Covers
01 · AWIA Section 2013 Requirements
02 · CISA CPG for Water Utilities
03 · OT Asset Register Framework
04 · Patch & Change Management
05 · CMMS as Compliance Evidence
06 · Risk Assessment Checklist

01 — AWIA Section 2013: What Municipal Water Systems Must Do

America's Water Infrastructure Act Section 2013 requires community water systems serving more than 3,300 persons to conduct a Risk and Resilience Assessment (RRA) and develop an Emergency Response Plan (ERP). The law mandates specific cybersecurity elements that most utilities are not fully addressing in their current documentation.

| AWIA Requirement | Applies To | Certification Deadline | CMMS Documentation Role |
| --- | --- | --- | --- |
| Risk and Resilience Assessment (RRA) | All systems > 3,300 persons | Every 5 years (rolling) | OT asset inventory, system interconnection map, vulnerability record |
| Cybersecurity threat assessment | All systems > 3,300 persons | Included in RRA cycle | SCADA asset register, firmware versions, patch history |
| Emergency Response Plan (ERP) | All systems > 3,300 persons | 6 months after RRA certification | Maintenance procedure records, alternate operation runbooks |
| Physical security assessment | All systems > 3,300 persons | Included in RRA | Facility inspection records, access control PM logs |
| Monitoring practices review | All systems > 3,300 persons | Included in RRA | Sensor calibration records, SCADA alarm response logs |

02 — CISA Cybersecurity Performance Goals for Water Utilities

CISA's Cross-Sector Cybersecurity Performance Goals (CPGs), updated in 2023 and aligned to NIST CSF 2.0, provide a prioritised baseline for OT environments. For water and wastewater systems, CISA identifies specific CPGs as highest priority given the consequence-of-failure risk of chemical dosing, treatment bypass, and pump station manipulation.

CPG Priority 1: OT Asset Inventory
Maintain a current, documented inventory of all OT assets — PLCs, RTUs, HMIs, historians, engineering workstations, and network devices. Include firmware version, communication protocol, and last-patched date. CISA considers this foundational — no other CPG is achievable without it.
OxMaint role: Asset register with firmware fields, change log, and last-service timestamp

CPG Priority 1: OT Network Segmentation Evidence
Document the separation between IT and OT networks, including firewall rules, DMZ configuration, and jump server controls. AWIA auditors require configuration documentation — not just verbal assertions. Network change records belong in a change management system tied to asset records.
OxMaint role: Network device asset records with configuration change work orders

CPG Priority 2: Patch and Vulnerability Management
Apply patches to OT systems within defined timelines — CISA recommends 15 days for exploited-in-wild vulnerabilities and 60 days for critical CVEs. For OT environments where patching requires vendor coordination and system downtime, documented patch schedules and deferred patch justifications are accepted by auditors.
OxMaint role: Patch work orders with approval workflow, deferral justification, and closed status log

CPG Priority 2: Remote Access Controls
Document all remote access pathways to OT systems — vendor VPN accounts, remote desktop sessions, cellular modem connections on pump stations. Each pathway should have an associated maintenance record showing who has access, when access was last reviewed, and what systems are reachable.
OxMaint role: Remote access asset records, vendor access work orders, annual access review tasks

CPG Priority 3: Incident Response Documentation
Maintain documented procedures for cyber incident response specific to OT/SCADA systems, including manual operation fallback procedures. Demonstrate that field operators have been trained on manual operations when SCADA is unavailable — training records and procedure sign-offs constitute this evidence.
OxMaint role: Training completion records, procedure acknowledgement sign-offs per asset

CPG Priority 3: Vendor & Supply Chain Risk
Document all third-party vendors with access to OT systems — SCADA integrators, PLC programmers, instrumentation contractors. Each vendor interaction should produce a work order record in the CMMS showing what system was accessed, what changes were made, and by whom.
OxMaint role: Vendor work order records with asset access log and sign-off by internal supervisor

OxMaint provides the OT asset register, patch tracking, vendor work order records, and compliance documentation that AWIA and CISA auditors require. Book a demo or start your asset register today.

03 — OT Asset Register: What to Document for AWIA Compliance

The OT asset inventory is the single most important document in an AWIA Section 2013 Risk and Resilience Assessment. Without a current, accurate inventory of control system components, no risk assessment can be considered complete — and EPA reviewers specifically check for cybersecurity-relevant asset data fields that most SCADA historians and paper records don't capture.

Required Asset Fields — AWIA Cybersecurity Scope
| Field | Why It Matters for AWIA | OxMaint Field |
| --- | --- | --- |
| Asset name & unique ID | Required for vulnerability mapping and incident attribution | Asset record — custom ID |
| Manufacturer & model | Enables CVE matching against CISA ICS-CERT advisories | Asset record — manufacturer |
| Firmware / software version | Determines patch applicability and end-of-life risk | Asset record — firmware field |
| Communication protocol | Modbus, DNP3, EtherNet/IP — protocol risk varies | Asset record — custom attribute |
| Network segment / VLAN | Confirms OT/IT segmentation for CISA CPG | Asset location / group tag |
| Last patch date | Evidence of patch management programme | Last closed WO date — patch category |
| Remote access enabled (Y/N) | Identifies external attack surface | Asset record — custom attribute |
| Criticality rating | Prioritises risk mitigation resources | Asset criticality field |

04 — Patch & Change Management: The Audit Evidence Gap

For most municipal water utilities, the weakest point in AWIA Section 2013 and CISA CPG compliance is patch management documentation. SCADA vendors may have patched systems during scheduled maintenance visits — but without a work order record capturing which patch was applied, which system, and who approved it, that evidence doesn't exist for auditors.

1. Monitor ICS-CERT and Vendor Advisories
   Subscribe to CISA ICS-CERT weekly advisories for all OT vendors in your asset register. When a relevant CVE is published, create an OxMaint work order against the affected asset — capturing the CVE number, severity rating, and required action before the 15-day or 60-day window starts.

2. Document Patch Application or Justified Deferral
   When a patch is applied, close the work order with the patch version, installation date, and technician ID. When a patch must be deferred — due to vendor testing requirements or operational constraints — document the deferral justification, compensating control applied, and target remediation date. Both actions are acceptable to CISA auditors; undocumented gaps are not.

3. Maintain Firmware Change Log Per Asset
   Every firmware update, configuration change, and software modification to an OT asset should generate a work order in OxMaint, creating an automatic change log tied to the asset record. This log is the primary evidence document for AWIA RRA cybersecurity sections and CISA CPG patch management verification.
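The following Python script is an added example, not OxMaint code or any part of the CMMS described above. It ties together the asset register fields from section 03 and the three-step patch workflow from section 04 in one runnable check: it flags register records missing a required field, matches a constructed advisory feed against the register by vendor, model and firmware version, sets each work order's due date from the 15-day (exploited-in-wild) and 60-day (critical) windows the page cites, and then reports what an auditor would raise. The vendor name, model numbers, asset IDs and CVE identifiers are constructed placeholders; the 90-day window for lower-severity advisories and the plain dotted-numeric version comparison are assumptions of this example, not CISA guidance.

```python
"""Asset register completeness plus advisory-driven patch work orders.
Added example, not OxMaint code; vendor, models and CVE IDs below are constructed placeholders."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Asset fields the page lists as required in AWIA cybersecurity scope.
REQUIRED_FIELDS = ("asset_id", "manufacturer", "model", "firmware", "protocol", "network_segment", "criticality")


@dataclass
class OTAsset:
    asset_id: str
    manufacturer: str
    model: str
    firmware: str            # dotted numeric version, "" if unknown
    protocol: str            # Modbus, DNP3, EtherNet/IP ...
    network_segment: str     # VLAN / zone label evidencing OT/IT separation
    criticality: str         # high / medium / low
    remote_access: bool      # external attack surface flag


@dataclass
class Advisory:
    cve_id: str
    vendor: str
    model: str
    fixed_in: str            # first firmware version containing the fix
    severity: str            # critical / high / medium / low
    exploited_in_wild: bool  # drives the 15-day window
    published: date


@dataclass
class PatchWorkOrder:
    asset_id: str
    cve_id: str
    due: date
    status: str = "open"     # open / closed / deferred
    deferral_reason: str = ""
    compensating_control: str = ""
    target_date: Optional[date] = None


def parse_version(v: str) -> tuple:
    """Assumption: plain dotted numeric firmware versions such as 2.14.3."""
    return tuple(int(p) for p in v.split("."))


def missing_fields(asset: OTAsset) -> list:
    """Required fields left blank; each is a gap an EPA reviewer will ask about."""
    return [f for f in REQUIRED_FIELDS if not getattr(asset, f)]


def remediation_deadline(adv: Advisory) -> date:
    """15 days exploited-in-wild and 60 days critical as the page states; 90 days otherwise is an assumed local policy."""
    if adv.exploited_in_wild:
        return adv.published + timedelta(days=15)
    if adv.severity == "critical":
        return adv.published + timedelta(days=60)
    return adv.published + timedelta(days=90)


def is_affected(asset: OTAsset, adv: Advisory) -> bool:
    """Match on vendor and model; unknown firmware is treated as affected since it cannot be ruled out."""
    if (asset.manufacturer.lower(), asset.model.lower()) != (adv.vendor.lower(), adv.model.lower()):
        return False
    return not asset.firmware or parse_version(asset.firmware) < parse_version(adv.fixed_in)


def create_work_orders(register: list, advisories: list) -> list:
    """One work order per (advisory, affected asset), with the due date fixed at publication."""
    return [PatchWorkOrder(a.asset_id, adv.cve_id, remediation_deadline(adv))
            for adv in advisories for a in register if is_affected(a, adv)]


def audit_work_orders(orders: list, today: date) -> list:
    """Findings an auditor raises: open orders past due, and deferrals without full justification."""
    findings = []
    for wo in orders:
        if wo.status == "open" and today > wo.due:
            findings.append(f"{wo.asset_id} {wo.cve_id}: open past due date {wo.due}")
        if wo.status == "deferred" and not (wo.deferral_reason and wo.compensating_control and wo.target_date):
            findings.append(f"{wo.asset_id} {wo.cve_id}: deferral lacks reason, compensating control or target date")
    return findings


# Constructed sample register and advisories (placeholder vendor, models and CVE IDs).
REGISTER = [
    OTAsset("PLC-WTP-01", "ExampleVendor", "PLC-500", "2.1.0", "Modbus", "OT-VLAN-10", "high", False),
    OTAsset("RTU-PS-07", "ExampleVendor", "PLC-500", "2.3.1", "DNP3", "OT-VLAN-20", "high", True),
    OTAsset("HMI-WTP-02", "ExampleVendor", "HMI-X", "", "EtherNet/IP", "OT-VLAN-10", "medium", False),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleVendor", "PLC-500", "2.2.0", "critical", True, date(2026, 1, 5)),
    Advisory("CVE-0000-0002", "ExampleVendor", "HMI-X", "5.0.0", "high", False, date(2026, 1, 5)),
]


def demo(today: date = date(2026, 2, 1)) -> list:
    """Run the register through steps 1-3 and return every audit finding."""
    orders = create_work_orders(REGISTER, ADVISORIES)
    # The HMI patch is deferred for vendor testing, but nobody recorded a compensating control.
    orders[1].status = "deferred"
    orders[1].deferral_reason = "vendor regression testing of HMI-X 5.0.0 pending"
    orders[1].target_date = date(2026, 3, 15)
    gaps = [f"{a.asset_id}: missing {m}" for a in REGISTER if (m := missing_fields(a))]
    return audit_work_orders(orders, today) + gaps
```

Calling `demo()` returns three findings: the PLC work order is still open after its 15-day window closed, the deferred HMI order has no compensating control recorded, and the HMI record itself has a blank firmware field. The blank firmware is the reason the HMI is matched to the advisory at all: when the version is unknown the script cannot prove the device is unaffected, so it creates the work order rather than silently skipping it, which is the conservative behaviour a reviewer expects from an inventory that is supposed to drive CVE matching.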

Build Your AWIA-Compliant OT Asset Register in OxMaint

OxMaint provides the OT asset inventory, patch work order tracking, vendor access logs, and compliance report export that water utility managers need for AWIA Section 2013 certification and CISA CPG alignment. Most utilities are live with their asset register within two weeks.

05 — AWIA Risk Assessment Checklist: Cybersecurity Elements

Asset Inventory
All SCADA/HMI systems documented with firmware version
All PLCs and RTUs in asset register with communication protocol
Engineering workstations and historians documented
Network devices with OT access included in inventory
Remote access pathways mapped to asset records
Patch & Change Management
ICS-CERT advisory monitoring process documented
Patch work orders created for all critical CVEs
Deferral justifications on file for unpatched systems
Firmware change log current for all OT assets
Vendor access work orders on file for all site visits
Incident Response
Manual operation procedures documented per system
Operator manual-mode training records on file
Incident response contacts and escalation path documented
CISA reporting obligation acknowledged in ERP
Annual tabletop exercise record with sign-off

Expert Review

Thomas Pryor
OT/SCADA Cybersecurity Consultant — Water & Wastewater Sector, 19 years · GICSP Certified, Former EPA Technical Reviewer

"The most consistent failure I see in municipal AWIA Section 2013 submissions is not a technical gap — it is a documentation gap. Utilities have patched their PLCs, they have segmented their networks, they have changed default passwords. But when the EPA reviewer asks for the evidence, the answer is 'we know we did it but it's not written down anywhere.' That answer does not satisfy a federal compliance requirement. CISA CPGs are designed to be verifiable — you need records. A CMMS like OxMaint solves this problem at its root: every maintenance action on every OT asset creates a dated, technician-attributed record that becomes your audit evidence automatically. I now recommend OxMaint to every water utility I work with specifically because it makes the documentation discipline the default mode of operation — not a separate compliance exercise done in a panic before the certification deadline."

Frequently Asked Questions

What water systems are covered by AWIA Section 2013?
AWIA Section 2013 applies to community water systems (CWS) serving more than 3,300 persons under the Safe Drinking Water Act. These systems must conduct a Risk and Resilience Assessment (RRA) every 5 years and certify completion to EPA. The RRA must include cybersecurity threats, malicious acts, and resilience of electronic, computer, or other automated systems — specifically covering SCADA and OT control infrastructure. Systems between 3,300 and 50,000 persons have slightly reduced documentation requirements, but the cybersecurity elements apply to all systems above the threshold. OxMaint supports RRA documentation for systems of all sizes.
How do CISA's Cybersecurity Performance Goals differ from AWIA requirements?
AWIA Section 2013 is a federal compliance requirement with certification deadlines and EPA enforcement. CISA's Cybersecurity Performance Goals (CPGs) are voluntary guidance aligned to NIST CSF 2.0, providing a prioritised baseline of security practices for critical infrastructure operators including water utilities. However, CISA CPG alignment is increasingly cited by EPA reviewers as evidence of a mature cybersecurity programme in AWIA RRA evaluations — and CISA CPG practices overlap substantially with AWIA RRA cybersecurity elements. Meeting CPGs is the most efficient path to demonstrating AWIA cybersecurity compliance. Book a demo to see how OxMaint supports both frameworks.
Can OxMaint serve as the OT asset register for AWIA Section 2013 compliance?
Yes — OxMaint's asset management module supports all required OT asset fields for AWIA cybersecurity compliance: manufacturer, model, firmware version, communication protocol, network location, criticality rating, remote access status, and maintenance history. Custom attributes allow utilities to add any AWIA-specific data fields not covered by standard asset record fields. The asset register is searchable, exportable, and linked to all associated work orders — providing a complete asset-to-action evidence chain that EPA and CISA auditors require. All data is retained with full timestamp and user attribution. Start building your register at app.oxmaint.ai.
What happens if a water utility misses an AWIA Section 2013 certification deadline?
EPA has authority to impose civil penalties of up to $25,000 per day for failure to certify a completed Risk and Resilience Assessment or Emergency Response Plan under AWIA Section 2013. EPA may also require corrective action plans and impose additional compliance timelines. Beyond financial penalties, non-compliant utilities face increased scrutiny in subsequent audit cycles and may be required to engage an EPA-approved third-party reviewer for their next RRA. Early engagement with the documentation process — including building an OT asset register and patch management records — is the most effective way to avoid deadline risk. Contact OxMaint's team for a compliance readiness assessment.

AWIA Compliance Starts With an Asset Register You Can Actually Defend

OxMaint gives municipal water utilities the OT asset inventory, patch work order records, vendor access logs, and compliance documentation that AWIA Section 2013 and CISA CPG alignment require — built from your day-to-day maintenance operations, not a separate compliance exercise.

