AWIA Certification Is Just the Beginning: Strengthening Physical Security

You filed your Risk and Resilience Assessment.
You certified your Emergency Response Plan.
The deadline came and went, and the documents are now done.
So, the security obligation is behind you, right?
Not quite. For many utilities, AWIA certification feels like the finish line. The Risk and Resilience Assessment (RRA) is filed. The Emergency Response Plan (ERP) is certified. The compliance deadline is behind you.
But in reality, that’s when the harder part begins.
AWIA doesn’t just require utilities to complete an assessment. It assumes you’ll be able to demonstrate that the physical and operational controls described in that assessment continue to work for the next five years.
The question is no longer, “Did we certify on time?”
It’s “Could we demonstrate our physical security program if an inspector arrived tomorrow?”
What Certifying Actually Commits You To
AWIA requires community drinking water systems serving more than 3,300 people to maintain a current Risk and Resilience Assessment and Emergency Response Plan, reviewing and recertifying both every five years.
Certification, however, isn’t the end of the process.
EPA does not collect the documents at certification, but it reserves the right to request and inspect them. Whatever your RRA says about your physical security program becomes something you may eventually be asked to demonstrate in surprise inspections, which many utilities have noted have increased in frequency over the past few years.
For many California utilities, expectations extend beyond the federal requirements. The California State Water Resources Control Board maintains additional emergency preparedness and security expectations, while many wastewater agencies operate under comparable state regulations and funding requirements.
The result is the same: compliance isn’t measured only by what was written in the assessment. It’s measured by how well those security controls continue to function in practice.
Physical Security Is a Public Health Control
Cybersecurity dominates most conversations around AWIA—and for good reason. Federal agencies continue to warn about nation-state actors targeting water infrastructure, while EPA inspections routinely uncover weaknesses such as exposed remote access and default credentials.
But AWIA doesn’t separate cybersecurity from physical security.
The law requires utilities to assess the resilience of treatment facilities, storage sites, distribution infrastructure, source water, and physical barriers alongside their digital systems because either can disrupt safe drinking water operations.
That’s an important distinction.
At a water facility, a perimeter breach can quickly become a process problem. An intruder who reaches chemical storage, chlorine systems, or other critical treatment infrastructure isn’t simply trespassing—they have the potential to create a public health event.
EPA’s physical security guidance is built around preventing exactly that outcome: detecting and stopping an intrusion before it reaches operational systems.
The consequences aren’t theoretical. Physical attacks, vandalism, and theft continue to disrupt water utilities across the country, from copper theft at remote pump stations to damage that interrupts service and requires costly repairs.
Physical security isn’t simply about protecting facilities.
It’s about protecting the continuity and safety of the water supply.
What Inspectors Really Want to See
Certification confirms that an RRA and ERP exist.
An inspection asks a different question:
Can you demonstrate that your security controls actually work?
For physical security, that distinction matters.
A written policy describing restricted access is useful. Being able to immediately produce video footage, access records, and alarm history showing how that policy operates in practice is significantly stronger.
That challenge grows as utilities expand.
Showing security coverage at one treatment plant is straightforward. Demonstrating consistent monitoring across dozens of reservoirs, wells, pump stations, tanks, and unmanned facilities is considerably more difficult—especially when evidence lives across disconnected systems or manual records.
This is where physical security becomes less about installing cameras and more about creating operational visibility that can be demonstrated when needed.
A Five-Question Reality Check
Whether you’re considering new technology or simply reviewing the assessment already on file, these questions are worth asking.
Coverage
Do you have visibility across every remote facility—including wells, reservoirs, tanks, pump stations, and treatment plants—or are there blind spots?
Access
Can you demonstrate who entered restricted areas, when they entered, and quickly revoke access when responsibilities change?
Retention
Is video retained long enough—and easy enough to retrieve—to support both investigations and regulatory requests?
Alarm Verification
When an alarm is triggered at a remote facility, can operators verify what’s happening before dispatching personnel?
Critical Process Areas
Are chemical storage, chlorine systems, and other critical process areas specifically protected, or are they treated as just another part of the perimeter?
If any of those questions are difficult to answer, that gap didn’t disappear when certification was submitted.
It remains part of the assessment you’re responsible for maintaining.
Funding Improvements May Already Exist
Budget often becomes the reason physical security improvements are delayed.
Fortunately, many improvements don’t require entirely new funding strategies.
EPA identifies physical security improvements as eligible uses of the Drinking Water State Revolving Fund (DWSRF), while larger infrastructure projects may qualify for WIFIA financing. Connecting proposed security upgrades directly to findings already documented in your RRA can help demonstrate measurable risk reduction rather than simply requesting new equipment.
Where Modern Physical Security Fits
Most RRAs don’t fall short because utilities lack cameras.
They fall short because demonstrating security across dozens—or hundreds—of geographically dispersed facilities is difficult.
Modern cloud-managed physical security platforms simplify that challenge by bringing video, access control, alarms, and audit history into a single interface. Instead of piecing together evidence from multiple systems during an inspection or investigation, security teams can quickly verify alarms, retrieve footage, review access events, and document what happened across every facility from one place.
For utilities managing distributed infrastructure, that operational visibility delivers value every day—not just during an audit.
That’s where Rhombus fits. Our cloud-managed platform helps utilities centralize physical security across treatment plants, pump stations, reservoirs, and other remote facilities while providing the visibility and evidence needed to support both day-to-day operations and long-term compliance.
The Next Five Years Start Now
Certification is an important milestone, but it isn’t the end of AWIA compliance.
For the next five years, your Risk and Resilience Assessment becomes the benchmark against which your physical security program may be measured.
The best time to close any gaps isn’t when an inspector asks about them.
It’s while you still have time to strengthen the systems already protecting your people, your infrastructure, and the communities that depend on them.



