THE BLUF
This was a quiet week from the federal advisory pipeline — no new water-sector-specific CISA advisories or ICS alerts were published in the past seven days, and EPA's cybersecurity page shows no new guidance. Do not mistake quiet for safe. The CISA KEV catalog added six new actively exploited vulnerabilities this week, but none of them directly impact common small-to-mid-size utility IT or OT infrastructure. That means this week is your window to act on the items from the last several briefings that are still sitting on your to-do list. If you missed the June 30, 2026 AWIA deadline — whether it was your ERP (50,000–99,999 pop.) or your RRA (3,301–49,999 pop.) — every day you remain uncertified extends your legal exposure. Utilities in the 3,301–49,999 tier still have a second deadline approaching: updated Emergency Response Plans are due December 31, 2026, which means you should already be actively drafting. The SimpleHelp authentication bypass (CVE-2026-48558) and SharePoint deserialization vulnerability (CVE-2026-45659) from last week remain on the KEV catalog and under active exploitation — if you haven't acted on those, they should be your Monday morning priority. Use this quieter week to close gaps, run a tabletop, and verify your IT contractor's remote access posture. The adversary isn't taking a break just because the advisory feeds are slow.
THREAT INTELLIGENCE
🔴 [REGULATORY MANDATE] AWIA Post-Deadline Exposure Continues — Second Deadline Approaching for Smaller Utilities
No new EPA enforcement guidance was published in the past seven days. The regulatory posture remains unchanged:
Utilities serving 50,000–99,999 people: If you did not certify your updated Emergency Response Plan (ERP) by June 30, 2026, you are currently non-compliant with AWIA Section 2013.
Utilities serving 3,301–49,999 people: If you did not certify your recertified Risk and Resilience Assessment (RRA) by June 30, 2026, you are currently non-compliant. Your updated ERP is legally due December 31, 2026 — that deadline is now fewer than six months away.
EPA certification requires formal submission via the agency's online webform. There is no published grace period. Non-compliance puts federal funding eligibility at risk and creates personal legal exposure for utility executives. Source: EPA Cybersecurity for the Water Sector
🟡 [ACTIVE THREAT INTEL] No New Water-Sector-Specific Federal Advisories in the Past 7 Days
A review of CISA's Cybersecurity Alerts & Advisories page and the ICS Advisories feed shows no new water-and-wastewater-sector-specific advisories were published between July 5 and July 12, 2026. The most recent water-relevant advisory remains AA26-097A (April 7, 2026), covering Iranian-affiliated cyber actors exploiting programmable logic controllers across U.S. critical infrastructure. The most recent pro-Russia hacktivist advisory remains AA25-343A (December 9, 2025). Both advisories remain active and applicable — the underlying threat actor campaigns have not been declared resolved. Source: CISA Cybersecurity Alerts & Advisories
🟡 [ACTIVE THREAT INTEL] WaterISAC — Check for Member Alerts and Sector-Specific Threat Feeds
While no new public federal advisories target the water sector this week, WaterISAC may have posted member-only threat intelligence, indicators of compromise, or operational alerts relevant to your utility. Members should log in and review any postings from the past seven days. If your utility is not a WaterISAC member, membership is available at no cost for eligible water and wastewater utilities and provides access to sector-specific threat intelligence, incident reporting support, and peer coordination. Source: WaterISAC (Member Login Required)
Subscribe to The CIP Briefing to read the rest.
Become a premium subscriber to unlock the full Compliance Log, specific vulnerability mitigation steps, and the complete Action Plan.
Upgrade