U.S. Environmental Protection Agency Interpretive Memorandum Addressing Cybersecurity: Arkansas/Missouri/Iowa Attorney Generals File Petition for Review in the Eighth Circuit Court of Appeals

Walter Wright Jr.
Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C.
Contact
LinkedIn
Facebook
X
Send
Embed

Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C.

Download PDF

The Arkansas, Missouri, and Iowa Attorney Generals (collectively “Arkansas AG”) filed on April 17th a Petition for Review (“Petition”) in the Federal Eighth Circuit Court of Appeals addressing a March 3rd Memorandum issued by the United States Environmental Protection Agency (“EPA”) titled:

Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process (“Memorandum”)

See previous March 9th post describing the Memorandum.

The Petition is styled States of Missouri, Arkansas, Iowa v. Michael Regan, In His Official Capacity as Administrator of the U.S. Environmental Protection Agency, et al., 23-1787.

The EPA Memorandum expressed concern that some public water systems (“PWS”) had failed to adopt basic cybersecurity best practices. It purported to clarify that states must:

. . . evaluate the cybersecurity of operational technology used by a PWS when conducting PWS sanitary surveys or through other state programs.

The Memorandum provided what EPA characterized as “various approaches” to include cybersecurity in PWS sanitary surveys or other state programs.

The Arkansas AG’s Petition initially states that:

. . . EPA’s March 3, 2023 Cybersecurity Rule requires States to change how they conduct sanitary surveys under the Safe Drinking Water Act and imposes increased technology costs on small (and rural) Public Water Systems. EPA’s new authority springs from re-“interpreting” the words “equipment” and “operation” for a physical on-site inspection to include cybersecurity infrastructure even though the words “cybersecurity” or “internet” are absent from the 2019 guidance. And EPA uses its new power to require a mandatory enforcement scheme that burdens States and rural Public Water Systems.

The Petition argues that the Memorandum is in fact a rule that was promulgated without the required public notice procedures.

Additional arguments include:

  • The scheme by which Congress intended to regulate cybersecurity under America’s Water Infrastructure Act (“AWIA") of 2018 requires only community water systems serving over 3,300 people to, among other actions, assess the risk and resilience of electronic, computer, or other automated systems, including the security of such systems.
  • Per the AWIA, for PWSs serving over 3,300 people no community water system is required under state or local law to provide an assessment to any state, region, or local governmental entity solely by reason set forth and certain cited authorities that the system submit a certification to the EPA Administrator
  • The Memorandum intrudes on States’ authority

A copy of the Petition can be downloaded here.

Written by:

Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C.
Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C.
Contact
more
less

Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide