RRA Recertification Deadline: June 30, 2026 for water utilities serving 3,301–49,999 — days remaining ◆ EPA Enforcement: 70% of inspected water utilities found in active violation ◆ SCADA Alert: Iranian threat actors actively targeting water system PLCs ◆ New York Water Utilities: Three new state cyber rules now in effect ◆ Wastewater Operators: 24-hour incident reporting now mandatory in NY ◆ Penalty Exposure: $69,733 per day per SDWA §1433 violation ◆ Federal Reporting: CIRCIA 72-hour incident rule anticipated — final rule pending ◆ RRA Recertification Deadline: June 30, 2026 for water utilities serving 3,301–49,999 — days remaining ◆ EPA Enforcement: 70% of inspected water utilities found in active violation ◆ SCADA Alert: Iranian threat actors actively targeting water system PLCs ◆ New York Water Utilities: Three new state cyber rules now in effect ◆ Wastewater Operators: 24-hour incident reporting now mandatory in NY ◆ Penalty Exposure: $69,733 per day per SDWA §1433 violation ◆ Federal Reporting: CIRCIA 72-hour incident rule anticipated — final rule pending ◆

70% of water utilities are in EPA violation. We can fix that.

The compliance operating system for America's 156,000 public water systems. AWIA, EPA SDWA §1433, CISA OT, CIRCIA, and the new state mandates — tracked, evidenced, and certifiable from one dashboard.

→ Subscribe to Sentinel → See Pricing

$69,733

Per-day SDWA
penalty

26.6M

Americans
at risk

Federal & state
mandates tracked

RRA Recertification

Emergency Response Plan

SCADA Security

Incident Reporting

State Mandates

Wastewater Compliance

Vulnerability Assessment

EPA Inspection Ready

This is not
a drill.

EPA inspections are up. The second AWIA recertification cycle is live. New York and Indiana enacted parallel state mandates. Insurers underwrite the same control stack. The average small water utility has zero in-house cybersecurity capacity.

70%

Of inspected systems are in active SDWA §1433 violation

EPA's 2024 Enforcement Alert documented widespread incomplete RRAs, default passwords, shared credentials, and open internet ports across small and mid-size utilities.

Source · EPA Enforcement Alert 2024

$69K/day

SDWA civil penalty exposure per violation

EPA may pursue civil penalties up to $69,733 per day under SDWA §1414, plus criminal exposure under 18 U.S.C. §1001 for false certifications.

Source · 40 CFR §19 · EPA AWIA Materials

24h

Mandatory incident reporting windows arrive in 2026

NY DEC wastewater rules took effect March 2026 with 24-hour oral incident reporting. CIRCIA's 72-hour federal rule expected Q4 2026.

Source · NY DEC 6 NYCRR Parts 616/650/750

KORVA Sentinel tracks AWIA §2013 cybersecurity compliance for U.S. community water systems — risk assessments, emergency response plans, incident reporting, and certification evidence across 17 federal and state mandates. Built for the June 30, 2026 recertification deadline and every cycle after it.

See the platform →

From chaos to certifiable evidence in three steps.

No security team required. No consultants on retainer. Built for the utility GM, the operations director, and the lone IT contractor who got handed the cyber file.

Configure your utility profile

Enter SDWA ID, population served, system class, and state. Sentinel auto-loads every requirement that applies — federal, state, and sector-specific — with deadlines pre-mapped to your compliance cycle.

Comply

Work the dashboard, not a binder

Status by requirement. Risk by domain. Evidence binder per control. AXIOM AI advisor explains regulator language in plain English. Templates, checklists, and SOPs auto-generated for your size class.

Certify

Produce the proof on demand

One-click certification packets. Inspector-ready files. CIRCIA-ready incident workflows with timestamped escalation. Annual review attestations and 5-year retention handled automatically.

Every mandate. Every deadline. One screen.

app.korva.systems · sentinel · tri-county-tx-0047

LIVE

Compliant

requirements met

Action Now

immediate

In Review

pending

Upcoming

90 days

Score

32%

posture

Compliance Posture

32 / 100

Requirement

Deadline

Status

Default Password Elimination

All OT/SCADA devices · CISA AA26-097A

IMMEDIATE

ACTION NOW

Risk & Resilience Assessment (RRA)

AWIA §2013 · 5-year cycle

JUN 30 2026

UPCOMING

Emergency Response Plan (ERP)

Within 6 months of RRA

DEC 31 2026

IN REVIEW

CIRCIA 72-Hour Incident Reporting

CISA · 6 U.S.C. §681b

Q4 2026

PENDING

OT/IT Network Segmentation

CISA · NIST CSF 2.0

ONGOING

COMPLIANT

— Actual product UI · Live data · AXIOM advisor embedded —

One system. Every mandate.

Sentinel maps the full regulatory topology — federal, state, sector, and insurer-driven — to your specific utility profile, then operationalizes the work.

5-year recertification, on autopilot.

Risk & Resilience Assessment and Emergency Response Plan tracking with deadline-aware certification workflow. Pre-mapped templates for systems under 50,000. EPA Administrator certification packet in minutes.

RRA template pre-populated for your size class
ERP must-update window tracked from RRA
Cyber, physical, chemical, financial scope
5-year document retention, EPA-request ready
Signed certification with chain-of-authority
Wastewater (WWTP) voluntary parallel coverage

Authority · AWIA §2013 · SDWA §1433 · EPA Enforcement Alert 2024

Close the gaps EPA inspectors are finding.

Default password elimination. OT/IT segmentation. MFA on remote access. Asset inventory. ICS-CERT advisory tracking. Full WaterISAC Fundamentals coverage, mapped to your devices.

Device-by-device default credential remediation
Network segmentation architecture documentation
MFA enrollment tracking — staff & vendor
Asset inventory: PLCs, HMIs, RTUs, sensors
CISA Malcolm IDS integration guidance
30-day patch cadence with audit log

Authority · CISA AA23-335A · AA26-097A · WaterISAC 12 Fundamentals · NIST CSF 2.0

72 hours. 24 hours. The clock starts whether you're ready.

Pre-built incident workflows with timestamped escalation, regulator-ready notice templates, and decision trees that walk you through "is this a covered incident?" in real time.

CIRCIA 72-hour covered incident workflow
Ransomware payment 24-hour separate report
NY DEC 24-hour oral / 30-day written
NY DOH 24-hour public health hazard
FBI IC3 + OFAC sanctions checklist
Forensic evidence with chain of custody

Authority · CIRCIA 2022 · 6 U.S.C. §681b · NY DEC · NY DOH

Your state's rules, plus the ones coming next.

New York's three-rule cyber stack. Indiana SEA 459. Texas TCEQ. New Jersey WQAA. Every active state mandate and every bill in committee — so you never get blindsided by a deadline.

NY DOH Appendix 5-E (community water >3,300)
NY DEC 6 NYCRR Parts 616/650/750 wastewater
NY PSC Part 1200 (water-works >50,001)
Indiana SEA 459 — annual CVA + biennial cert
Texas TCEQ 30 TAC §290.41 self-assessment
Legislative monitor — bills, drafts, comments

Authority · NYS DOH · NYS DEC · NYS PSC · IDEM · TCEQ

The compliance advisor on every question.

AXIOM is trained on the full federal and state water-cyber regulatory corpus — and on your specific utility profile. Ask anything in plain English. Get answers tied to your actual deadlines and your actual next move.

Plain-English explanation of any regulation
"What's at stake if I miss this deadline?"
Context-aware to your utility profile
Saves conversation history per requirement
Generates SOPs, policies, and templates
References federal & state statutes inline

When EPA shows up, the file is ready.

Every artifact a regulator can ask for, organized, versioned, and producible in under five minutes. Asset inventories. Credential policies. Training records. Incident logs. Self-assessment forms. Certification packets.

Document version history with sign-off
10-day NY PSC document production ready
5-year retention auto-managed (AWIA)
Annual review attestation generator
Board / senior officer report exports
Audit packet — one-click compile & export

Authority · AWIA Retention · NY PSC Part 1200 · Indiana SEA 459

Three layers. One path to compliant.

Start where you are. Diagnose your gaps, get the plan to close them, then run the system that keeps you compliant on every cycle. Pick a layer, pay, and start — no consultations, no sales calls, no waiting.

Layer 01 · Diagnose

AI Compliance Risk Snapshot

$250ONE-TIME

Know exactly where you stand against every federal and state mandate that applies to your utility — in 24 hours, without a consultant.

Gap detection across all applicable mandates
Deadline exposure timeline
Risk score and posture summary
Plain-English findings report

→ Buy Now

Layer 02 · Plan

Compliance Implementation Plan

$1,995ONE-TIME

A done-for-you roadmap that turns your gaps into a sequenced, deadline-aware execution plan your team can actually follow.

Requirement-by-requirement breakdown
Sequenced execution roadmap
Documentation requirements per control
Vendor and resource recommendations

→ Buy Now

Best for June 2026

AWIA Recertification Bundle

Self-Service $3,500 One-time

PE-Sealed $15,000 Inquire

Layers 01 + 02 packaged for the June 30, 2026 recertification deadline. Self-service or add a licensed P.E. seal — your call.

AWIA-formatted RRA & ERP deliverables
Risk Snapshot + Implementation Plan included
Sequenced 90-day execution timeline
PE-sealed deliverable available as add-on

Buy Self-Service Inquire · PE Seal

Layer 03 · Operate

Ongoing Compliance System

from $750/MONTH

Three tiers built around your scale — Sentinel Lite from $750/mo for small systems, Sentinel at $1,500/mo for AWIA-mandated utilities, and Sentinel Plus for large authorities. Same compliance engine at every tier. Find the plan that fits your system and budget.

Live evidence tracking per requirement
Vendor risk monitoring
Incident-readiness workflows
Audit prep + reporting on demand
AXIOM AI advisor included
Inspector-ready file always current

→ Compare Tiers

Your regulatory expert, on call.

Built on the full federal and state water-cyber regulatory corpus, and tuned to your utility's specific profile. AXIOM explains AWIA in plain English, walks you through the CIRCIA decision tree in real time, and drafts the SOPs you'd have paid a consultant $5,000 to write.

Plain-English regulation explainers
Context-aware to your utility
Generates policies, SOPs, templates
Inline statute references

AXIOM

SESSION · LIVE

YOU

What happens if we miss the June 30 RRA deadline?

AXIOM

Tri-County Water District #7 serves 8,400, putting you in the 3,301–49,999 cohort with an RRA deadline of June 30, 2026. Missing it triggers SDWA §1433 violation exposure: civil penalties up to $69,733/day, plus criminal exposure under 18 U.S.C. §1001 for false certifications. EPA's 2024 Enforcement Alert specifically named cyber as an active enforcement priority. Want me to build the recertification packet now?

Ask AXIOM about your compliance posture...

Built for every U.S. water system facing federal and state cyber mandates

AWIA§2013 SDWA§1433 / §1431 CISAOT & ICS CIRCIA2022 NISTCSF 2.0 AWWAG430-24

NY DOHAppendix 5-E NY DEC6 NYCRR 616/650/750 NY PSCPart 1200 IndianaSEA 459 TexasTCEQ §290 WaterISAC12 Fundamentals

We spent six weeks of staff time and $14K of consultant hours on the first cycle. With Sentinel, we did the second recertification in a single Saturday — and the inspector packet was already organized. This is what compliance was supposed to feel like.

— Utility General Manager Community Water System · 12,400 Population · Texas

Questions a utility GM actually asks.

If yours isn't here, ask AXIOM directly — or talk to a KORVA compliance lead.

My utility serves under 3,300. Does any of this apply to me?

AWIA §2013 only applies to community water systems serving more than 3,300, and most state cyber rules use the same threshold. But CISA OT guidance, EPA enforcement posture, insurer underwriting, and several state laws (Indiana SEA 459 covers smaller facilities) still touch you. KORVA Sentinel scopes the regulatory map to your specific profile.

We already paid a consultant for our RRA in 2021. Why do we need this?

AWIA requires recertification every 5 years. Your 2021 RRA expires this cycle. The second recertification deadline for systems serving 3,301–49,999 is June 30, 2026. EPA expects an updated RRA reflecting current threats. The consultant model also doesn't give you the ongoing evidence trail regulators now expect.

Is CIRCIA actually live yet?

Not as of May 2026. CISA's final rule is expected Q4 2026. But the smart move is to build your reporting workflows now — not after the rule drops with a 72-hour clock attached. Sentinel pre-builds the workflows so when CIRCIA goes final, you flip a switch instead of building a process under deadline pressure.

We're in New York. How does Sentinel handle the three new state rules?

NY DOH Appendix 5-E (drinking water, effective March 11, 2026, full compliance January 1, 2027), NY DEC 6 NYCRR Parts 616/650/750 (wastewater, effective March 26, 2026), and NY PSC Part 1200 (covered utilities, effective June 1, 2026) are each separately tracked in Sentinel with their distinct deadlines, reporting windows, and certification cycles.

What happens if EPA inspects us tomorrow?

If you're a Sentinel subscriber: the inspector-ready file is already organized. Asset inventory, credential policy, training records, RRA, ERP, certification — all producible in under five minutes. EPA's 2024 Enforcement Alert specifically called out the absence of these artifacts in the 70%+ of utilities found in violation.

How is this different from hiring a managed cyber service?

Managed cyber services deliver controls. Sentinel delivers defensible evidence of controls. Most utilities have at least some controls in place — what they lack is the documentation, certification packet, and audit trail that proves it to a regulator or insurer. Sentinel is built for that gap.

June 30, 2026 · — days remaining

Built for America's water authority — community, non-community, and the systems Washington forgot.

The deadline doesn't move.
The penalty is $69,733 per day.
Start the assessment now.