WQCD wants your input! - What does Excellence mean to the water sector?

Click here to take the survey!

Providing safe drinking water to the public has never been a simple task. While there are thousands of water systems, and operators that are working to install backflow devices to prevent contamination, maintaining and adjusting chlorine levels, sampling and managing all the documents to prove that the work is being done and safe water is being provided, seldom is there recognition for the work.

Continually improving a water system has never been so hard. As our scientific knowledge and discoveries of contaminants expand, so do the regulations and standards operators need to uphold. This increases the work and the amount of pressure that comes with operating an entire community drinking water system. While we are not physically present on a daily basis to observe and acknowledge the effort it takes to maintain such standards, we do appreciate and rely on the knowledge and passion it takes to maintain a culture of health - that is we look at our daily routines and emergencies through a lens of protecting people’s health. One way of showing our appreciation is through the Excellence Program Awards formerly known as the Pursuing Excellence Program. We intend on continuing and revitalizing the tradition of recognizing the wonderful public water systems that have been supplying safe and clean water by showing our gratitude and how much we value the work being done.

The Excellence Awards Program will distribute two recognition awards, the Outstanding Compliance Award and the Commitment Award. The Commitment Award will focus on recognizing entities that have been proactive in enhancing their water system by submitting a project they have done that embraces a continuous improvement approach. 

We understand that "excellence" is subjective and what is considered excellent in one system's circumstances may not be the same for another system in different circumstances.  Our aim is to understand what “excellence” means to you and ensure it reflects the achievements of water professionals who are delivering exceptional performance in our water systems. One entity might be putting in maximum effort in educational outreach for exposure of the industry to recruit new operators, while a different entity might find it more rewarding to assist smaller systems in bettering their water supply and process. 

We notice and value all the different ways operators are advancing the industry and want to make sure this Commitment Award is tailored to include the opinions of water systems. In order to take into account opinions of those working first-hand in the field, we have created a two-question excellence survey that includes different ways we believe a system can achieve excellence in the industry. There are various aspects of maintaining a water system included in this survey and we want to know which ones are valued the most within this community.

To customize this Commitment Award and reward projects that resonate with the survey results, we ask that you please take a couple seconds of your day to complete the survey. The link for the survey will be below. We appreciate every response and will make sure to take them into account when discussing what projects to award.

➽ Priscila Lopez, Drinking water coach- Excellence Program Manager 

Wildfire Planning and Recovery Playbook - 2025 Updates!

After a wet spring and variable monsoon season, wildfire season is again upon us in Colorado. As many of you are aware, our public water systems and local communities face a diverse and significant array of challenges when planning, responding, and recovering from wildfires. The best time to start planning for wildfires is right now, in advance of fires.

The Water Quality Control Division (WQCD), along with many state, federal, and local partners, have released a revised and updated version of our Wildfire Planning and Recovery Playbook, available on our Source Water Assessment and Protection website.  Several authors also hosted a webinar on July 25th, with the slide presentation and a recording available.

Pre-fire planning, response, and recovery is a team effort, and requires coordination across multiple jurisdictions, and administrative and physical boundaries. Each community wildfire event may present a unique set of circumstances that must be understood and conveyed to effectively navigate wildfire incidents. The centerpiece of the playbook is the comprehensive critical contacts list, outlining necessary points of contact along with each representative’s roles and responsibilities within the planning, response, and recovery process. Below is an example of the critical contacts list contained in the playbook.

The playbook also provides various actionable steps through each phase of the fire cycle, from planning through recovery.  Examples include identifying your values at risk, forming a recovery group and identifying partners, understanding prefire actions and resources, and roles and responsibilities of partners throughout the different phases of a wildfire incident. The playbook also includes 2 full pages of links to additional resources, including a list of funding programs and technical assistance partners.

The playbook is concise, usable, and accessible. The target audience for this playbook is public water systems, municipalities, counties, and tribes. The updated version reflects lessons learned from recent urban and suburban wildfires and the new Wildfire Ready Watersheds framework from the Colorado Water Conservation Board. Please contact the source water protection team at cdphe.wqswap@state.co.us with any questions or for more information.

➽ Robert Murphy, CPSS, Source Water Protection Program Coordinator

➽ Kristen Hughes, Source Water Protection Specialist

➽ John Duggan, Source Water & Emerging Contaminants Unit Manager

Upcoming EPA Cyber/Resilience Funding Cycle

EPA Announces Availability of $9 Million to Protect Drinking Water from Natural Hazards and Cybersecurity Threats

The U.S. Environmental Protection Agency (EPA) has announced over $9 million in grant funding through the new competitive Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability grant program, which will assist medium and large size public water systems with protecting drinking water sources from natural hazards, extreme weather events, and cybersecurity threats. The application period is open until October 6, 2025, and can be found on www.grants.gov under opportunity number EPA-OW-OGWDW-25-01, assistance listing number 66.488.

Learn More About The Grant Opportunity on EPA's Website

EPA will host a webinar on the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Grant Program on August 19th, from 2:00 to 3:00 PM ET. Please join us to learn more.

Register for EPA's August 19th Webinar

Cyber Alert EPA: Active Exploitation of Microsoft SharePoint Vulnerabilities

The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators about the active exploitation of security vulnerabilities in Microsoft SharePoint that allows attackers to mislead the system into thinking they are a trusted user, also known as network spoofing, and remotely run malicious code, known as a remote code execution (RCE). This exploit enables unauthorized access specifically to Microsoft SharePoint servers, which are hosted and operated on-site. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a cybersecurity alert on this malicious activity, publicly reported as “ToolShell.” 

Mitigations

All drinking water and wastewater systems with Microsoft SharePoint servers are strongly encouraged to implement the following mitigations immediately to enhance resilience against this compromise:

• Apply the necessary security updates released by Microsoft.
• Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers.
• Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the Internet Information Services (IIS) web server.
• Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet.
• Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
• Monitor for malicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
• Update intrusion prevention system and web application firewall rules to block exploit patterns and anomalous behavior.
• Implement comprehensive logging to identify exploitation activity.
• Audit and minimize layout and admin privileges

For additional information on detection, prevention, and advanced threat hunting measures, drinking water and wastewater systems owners and operators are encouraged to visit Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities and advisory as well as CISA’s cybersecurity alert.

Conclusion

The U.S. EPA requests that the Water Sector Coordinating Council (WSCC)/Government Coordinating Council (GCC) review this advisory and pass it along to all water & wastewater entities that may be susceptible to this threat. Additionally, we encourage the EPA Regions share the advisory with the state primacy agencies and direct implementation utilities.

Cybersecurity: NIST's Updated Password Guidelines & Sector Resources

The water and wastewater sectors are essential to daily life, and safeguarding them from cyber threats is crucial. The newly updated National Institute of Standards and Technology’s (NIST) password guidelines, along with the range of resources offered by the EPA and CISA, provide a strong foundation for improving cybersecurity across the industry. We encourage you and your colleagues to implement these new password guidelines and general cyber hygiene. Here’s a breakdown of the key updates and additional cybersecurity resources that can help strengthen your system's defenses.

NIST’s Updated Password Guidelines: What’s New?

In September 2024, NIST introduced new password management guidelines aimed at improving both security and user experience. The changes reflect a shift towards longer, more memorable passwords, and away from overly complex password requirements.

Key Updates:

1. Password Length: NIST now recommends using passwords or passphrases that are at least 15 characters long. The focus has shifted from enforcing complexity (e.g., mixing uppercase, numbers, and symbols) to prioritizing longer passwords that are easier to remember.
2. Password Composition: Gone are the days of forcing users to include specific character types. The new focus is on allowing longer, memorable passwords, which reduces the chances of people creating easily guessable passwords. 
3. Fewer Password Changes: Unless there’s evidence of a security breach, mandatory password changes are no longer required. This policy change helps users avoid creating predictable patterns due to frequent password resets.
4. Password Managers: NIST now strongly encourages the use of password manager software, which can generate and store strong, unique passwords for each account. It’s a vital tool to prevent the risk of password reuse across different accounts.
5. Avoid Password Hints & Security Questions: To minimize the risk of social engineering attacks, NIST advises against using password hints or security questions that could easily be guessed.
6. Multi-Factor Authentication (MFA): MFA is a non-negotiable security measure. By requiring more than just a password to access sensitive systems, MFA adds an additional layer of protection.

These updated guidelines emphasize simplicity and practicality, reducing user frustration while enhancing security. In an industry like water and wastewater, where systems are critical to public health, these updates offer a crucial balance of usability and protection.

Additional Cybersecurity Resources for the Water & Wastewater Sector

Alongside these password updates, there are also significant resources available to bolster cybersecurity across water and wastewater systems.

On March 13, 2025, the EPA will host a cybersecurity briefing for the water and wastewater sector. The session will cover unclassified threats, along with available funding and technical resources from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA). Here are a few resources to explore:

• CDPHE Security Toolbox - Provides Colorado specific guidance for planning for and responding to cybersecurity and physical security attacks. 
• EPA Cybersecurity for the Water Sector - Get comprehensive guidance and tools to safeguard water systems against cyber threats.
• CISA Water and Wastewater Cybersecurity Toolkit - A practical set of tools to strengthen your water sector infrastructure against cyber threats.

By staying informed and adopting the latest cybersecurity practices, water and wastewater utilities can ensure a secure future, protecting critical infrastructure from evolving threats.

➽ Kyra Gregory, Drinking Water Training Specialists 

EPA PFAS Rule Update: What Colorado Water Systems Need to Know

The division is closely monitoring recent developments from the EPA regarding its 2024 drinking water PFAS Rule. While the EPA has signaled potential changes to the regulation, the official rulemaking timeline remains unchanged, with Colorado’s adoption scheduled for August 11, 2025. The division is committed to maintaining clarity for water systems and intends to highlight this federal uncertainty in its Statement of Basis and Purpose that is part of the rulemaking. The division is committed to communicating with water systems when federal action occurs and proposing revisions to Colorado’s PFAS rule to align with federal requirements before the Water Quality Control Commission.

Resources: 

• CDPHE - Regulating per- and polyfluoroalkyl substances (PFAS) in drinking water
• CDPHE - PFAS mapping (includes PFAS in treated drinking water map and data) 
• CDPHE - PFAS Grant program

EPA’s Announced Changes

In May 2025, the EPA announced that it may significantly revise the 2024 PFAS Rule. Proposed changes include:

• Removing and reconsidering regulations for four PFAS compounds: PFNA, PFHxS, HFPO-DA (GenX), and PFBS.
• Retaining Maximum Contaminant Levels (MCLs) and monitoring requirements for PFOA and PFOS only.
• Eliminating the Hazard Index concept and its associated MCL for PFAS mixtures.
• Extending the compliance deadline for PFOA and PFOS MCLs from 2029 to 2031.

These changes are planned to occur via a revised PFAS Rule proposal in Fall 2025, and anticipated finalization in Spring 2026.

It’s important to note that, so far, EPA’s announcement has not indicated changes to the requirements for initial monitoring of six PFAS compounds by the April 2027 compliance deadline.

Colorado’s Approach

Colorado is moving forward with adopting the PFAS rule this summer to retain full Safe Drinking Water Act primacy. This ensures that the division, not EPA, will continue to oversee PFAS compliance, monitoring, and enforcement across Colorado systems.

To account for the evolving federal landscape, the division has included a “federal flexibility provision” in its rule language. This provision allows for the automatic extension or stay of any deadlines or requirements altered by the final federal PFAS Rule, minimizing disruption for water systems.

Why Primacy Matters

Colorado’s decision to adopt the rule in 2025 avoids a primacy extension agreement with EPA. Under such an agreement, EPA would have authority over PFAS compliance while the state catches up. This would fragment regulatory oversight, complicate compliance for Colorado’s water systems, and limit our decision-making authority during this period. We believe that the division can provide the best decisions for water systems and their customers in Colorado.

The division’s experience with the Lead and Copper Rule Revisions (LCRR) demonstrated the benefit of timely rule adoption. Being one of the few states to implement LCRR on schedule allowed the division to retain control and better support systems through technical and operational challenges. The same advantages apply here.

Operational Implications for Water Systems

Drinking water data across Colorado shows that PFOA and PFOS are the primary PFAS compounds detected in public water supplies in Colorado. The removal of other compounds from the federal rule should not change which systems require PFAS treatment in Colorado. However, there may be impacts to treatment plant design and operation, which the division will work to consider during rule implementation.

In the meantime, systems are encouraged to stay engaged and continue monitoring for PFAS to meet initial monitoring requirements. The division will provide ongoing updates and technical assistance throughout this evolving process.

Stay Informed

The division is committed to supporting Colorado’s water systems during this transition. As the revised federal rule develops, Colorado will adapt, but always with the goal of maintaining clarity, consistency, and strong public health protections.

➽ Haley Orahood, Regulatory Development and Implementation Specialist

New resource alert - W/WW Operator Resources Webpage

* While Aqua Talk is a safe drinking water information hub, the information below is also helpful to your wastewater friends, so please pass it along!

We encourage you to bookmark the Operator Resources webpage and visit regularly for updates and guidance tailored to your role as a certified operator. 

We are excited to announce that the Water Quality Control Division (Division) recently developed a new resource designed specifically for Colorado certified water and wastewater operators, or for those interested in entering the workforce. It is a single webpage that serves as a one-stop shop, bringing together all the essential information, tools, and resources operators need to know.

From certification, examination, and renewal details to information on training and funding opportunities, regulatory requirements, and guidance documents, everything you need is now conveniently located in one place. There is also a direct link to the CCWP Portal and contact information for CCWP, Division, and Board staff. Say goodbye to the hassle of navigating several sites to track down information!

If you have any questions about or issues with this webpage, please contact Jessica Morgan cdphe.facilityoperator@state.co.us.

➽ Jessica Morgan, Liaison to the Water & Wastewater Facility Operators Certification Board