Section 5-E.1 Applicability
Effective Date
Section 5-E.1 Applicability.
(a) Applicability. This Appendix, except for section 5-E.4 and paragraph 5.E-6(c)(6), shall apply to all community water systems which serve populations greater than 3,300 people, as defined by subdivisions 5-1.1(bj) and (az) of this Subpart referred to throughout this Appendix as “covered water system.” Section 5-E.4 and paragraph 5.E-6(c)(6) shall only apply to covered water systems that serve a combined wholesale and retail population of greater than 50,000. Section 5-E.7 shall apply to all drinking water operators certified in accordance with Subpart 5-4 of this Part and is not subject to the exclusions identified in Section 5-E.2.
(b) Covered water systems shall have until January 1, 2027, to comply with the requirements of this Appendix, provided that sections 5-E.7 and 5-E.9 of this Appendix shall be effective immediately upon adoption.
(c) All covered water systems shall:
(1) Prepare and submit a cybersecurity vulnerability analysis (CVA) in accordance with subdivision 5-1.33(c) of this subpart that incorporates the requirements of section 5-E.5 of this Appendix. The cybersecurity vulnerability analysis must be reviewed and updated annually.
(2) Report all vulnerabilities identified in the CVA that may impact a covered water system’s ability to comply with the requirements of this Subpart or any situation that may pose a risk to public health to the department within 48 hours of identification in accordance with section 5-1.77 of this Subpart.
(d) Non-compliance with any requirement of subdivision (c) shall be considered a significant deficiency as defined in subdivision 5-1.1(cn) of this Subpart. Significant deficiencies shall be corrected within 120 days in accordance with subdivisions 5-1.71(c) and 5-1.71(d) of this Subpart.