Full Report
A bipartisan bill introduced to Congress last week would help small and rural water utilities adopt modern cybersecurity protections and digital monitoring tools. The Futureproofing Local Operations for Water Systems, or FLOWS, Act, introduced by Sens. John Boozman, R-Ark., and Mark Kelly, D-Ariz., would create a federal grant program to help rural communities upgrade water, wastewater…
Analysis Summary
# Regulation/Compliance: FLOWS Act of 2026 (Proposed)
## Overview
The **Futureproofing Local Operations for Water Systems (FLOWS) Act** is a bipartisan legislative proposal designed to modernize the cybersecurity posture of small and rural water utilities. Recognizing that these entities often lack the capital and technical expertise to defend against sophisticated cyber threats, the bill establishes a $50 million annual federal grant program to fund the adoption of modern industrial control systems (ICS), artificial intelligence (AI), and real-time digital monitoring tools.
## Key Details
- **Issuing Authority:** U.S. Congress (Introduced by Sens. Boozman and Kelly); Program administered by the Environmental Protection Agency (EPA).
- **Effective Date:** Pending (Introduced March 2026).
- **Jurisdiction:** United States; Rural and small-community water systems.
- **Status:** Proposed (Bipartisan Bill).
## Requirements
### Mandatory Requirements
*Note: As this is a grant-funding bill rather than a direct mandate, the "requirements" primarily relate to eligibility and usage of funds.*
1. **Grant Alignment:** Funds must be used specifically for wastewater, stormwater, or drinking water system upgrades.
2. **Modernization Standards:** Projects must incorporate updated Industrial Control Systems (ICS) or digital monitoring tools.
3. **Application Process:** Utilities must apply through the EPA’s designated grant framework to prove "limited resource" status.
### Recommended Practices
1. **AI Integration:** Utilization of artificial intelligence software for predictive maintenance and threat detection.
2. **Real-Time Sensing:** Implementation of advanced modeling platforms and real-time sensing to identify leaks or system intrusions.
3. **Sustainable Maintenance:** Leveraging grant funds not just for initial purchase, but for the ongoing maintenance contracts of cybersecurity software.
## Affected Organizations
- **Industries:** Water, Wastewater, and Stormwater Utilities.
- **Organization Size:** Small and rural utilities with limited ratepayer bases.
- **Geographic Scope:** Rural communities across the United States.
## Compliance Timeline
- **March 2026:** Bill introduced to Congress.
- **TBD:** Legislative review, potential amendment, and floor vote.
- **Post-Enactment:** EPA to establish the grant application window and eligibility criteria.
- **Annual Cycle:** $50 million authorized annually upon passage.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Small utilities should assess current ICS/SCADA vulnerabilities and identify "end-of-life" hardware or software.
- **Cost Estimation:** Calculate the total cost of ownership, including both the purchase price and long-term software licensing/maintenance.
### Implementation Phase
- **Grant Application:** Prepare justifications highlighting the lack of local matching funds (as this bill uniquely waives the local funding match requirement).
- **Vendor Selection:** Identify solutions that offer modern cybersecurity protections (e.g., encryption, multi-factor authentication, AI-driven monitoring).
### Validation Phase
- **EPA Reporting:** Recipients will likely be required to demonstrate successful deployment of the funded technologies.
- **Operational Audits:** Periodic review of digital monitoring tools to ensure they are effectively alerting personnel to anomalies.
## Technical Requirements
While the bill does not prescribe specific software versions, it prioritizes:
- **Industrial Control Systems (ICS) Upgrades:** Modernizing the hardware/software that manages physical water processes.
- **Real-Time Digital Tools:** Systems capable of providing continuous data on system health and security.
- **Advanced Modeling:** Platforms that simulate system behavior to detect deviations caused by cyberattacks.
## Penalties & Enforcement
- **Fines:** Not applicable (this is an incentive-based/funding bill).
- **Other Consequences:** Utilities that fail to modernize remain highly vulnerable to ransomware and state-sponsored disruption (e.g., pro-Iran hacker threats mentioned in context).
- **Enforcement:** The EPA will oversee the proper use of grant funds through federal auditing standards.
## Related Standards
- **NIST Cybersecurity Framework (CSF):** Implementation of these funds will likely be expected to align with NIST standards for "Protect" and "Detect" functions.
- **AWWA G430:** American Water Works Association standard for Security Practices for Operations and Management.
## Resources
- **Official Documentation:** [boozman.senate.gov/.../flows-act.pdf](https://www.boozman.senate.gov/public/_cache/files/1/3/137176d8-4be9-4320-9a2e-f4e5d583d088/FD12649E0E3EFD76C2AC5AF5EB3078C1EA86578B06AC866DB707C78DF9ECED13.flows-act.pdf)
- **Guidance Documents:** EPA Cybersecurity for the Water Sector.
## Practical Recommendations
- **Engage Now:** Small utilities should not wait for the bill to pass to begin drafting a "Cybersecurity Improvement Plan." Having a shelf-ready plan increases the likelihood of a successful grant application once funds are released.
- **Focus on Sustainability:** Because this bill covers **maintenance costs**, utilities should prioritize high-end security software that they previously could not afford to keep updated.