Objective

To assess the extent of implementation, as of February 2025, of the five recommendations included in our initial audit report, Oversight of Water Supply Emergency Plans (Report 2021-S-39).

About the Program

The Department of Health (DOH) is responsible for overseeing the delivery of drinking water to ensure that it’s suitable for people to drink. Its Bureau of Water Supply Protection assists with water system security, emergency preparedness and response, and the protection of critical drinking water system infrastructure. Nearly 95% of all New Yorkers receive water from public water supply systems in New York State. The State Public Health Law (Law) requires community water systems that supply drinking water to more than 3,300 people (Water Systems) to prepare and submit a Water Supply Emergency Plan (Plan) to DOH for approval at least once every 5 years. Plans must include both an Emergency Response Plan (ERP) and a Vulnerability Analysis Assessment (VA). In the VA, Water Systems identify any vulnerabilities that could be caused by non-intentional events, such as floods and power outages, as well as vulnerabilities to intentional events, such as vandalism and terrorism, along with an anticipated corrective action in place for any identified vulnerabilities.

Prior to final submission of its Plan, each Water System is required under the Law to publish a notice in the area it serves, stating that the proposed Plan is available for review and comment by the public. Information that a Water System determines could pose a security risk to its operation if publicly disclosed, such as the content of the VA, is exempt from this requirement. Amendments to the Law added a requirement that Water Systems include a Cybersecurity Vulnerability Assessment (CVA) in their VA, identifying vulnerabilities to terrorist attack and cyberattack, to be submitted to DOH by January 1, 2018. Pursuant to a 2016 Executive Law amendment, DOH must make a copy of the VA and CVA sections of each Plan (collectively referred to as an Assessment) available for DHSES’ review. Based on its review, DHSES may issue recommendations or general guidance to Water Systems to enhance protections against terrorist attack and cyberattack.

There are nearly 9,000 public water systems in New York State, including more than 2,800 community water systems. As of October 4, 2024, 313 of those systems were required to submit a Plan. As with our initial audit, we excluded the New York City Water System from our follow-up work.

The objectives of our initial audit, issued June 27, 2023, were to determine if DOH was providing sufficient guidance and oversight to ensure that Water System operators had completed and submitted updated ERPs timely, including VAs, to DOH as required. An additional objective was to determine whether DOH and DHSES were effectively collaborating to share relevant information regarding the VAs and to ensure that any recommended follow-up actions occur. The audit covered the period January 2017 to January 2023 for DOH and April 2019 to November 2022 for DHSES.

The audit found that Plans for most of the 317 Water Systems that were required to submit them were current and available. However, there were several instances where it had been more than 10 years since the last ERP or VA submission, and some Water Systems had never submitted a CVA. Further, there was limited participation by Local Health Department staff in calls and site visits where DHSES communicates recommendations to Water Systems. The audit also found little collaboration between DOH and DHSES to follow up on risks identified by DHSES reviews. Finally, the audit found that DOH didn’t verify whether Water Systems issued the required public notice of Plan availability.

Key Finding

DOH and DHSES officials have made significant progress in addressing the problems we identified in the initial audit report. Of the report’s five audit recommendations, four have been implemented and one has not been implemented.

Key Recommendation

Department officials are requested, but not required, to provide information about any actions planned to address any unresolved issues discussed in this follow-up within 30 days of the report’s issuance.