BPCCC Regulation Stakeholder Process Starting

The Division will be updating the Backflow Prevention and Cross Connection Control Program (BPCCC) regulation (in Regulation 11 Section 11.39) in 2023 and the first stakeholder meeting will be on November 9, 2022. Information on the proposed rulemaking and stakeholder sign up is available on our website here. 

The BPCCC rule was originally adopted with stakeholder consensus in 2015 and became effective in 2016. Minor modifications to the rule were made with stakeholder engagement in 2018 and 2020. Three major milestones took effect in 2022. The first, is the final milestone for the staged implementation of the BPCCC surveys that started in 2016 that required suppliers to achieve the survey compliance ratio of 1.0 by December 31, 2021. The second major milestone that took effect in 2022 is the final backflow prevention assembly annual testing compliance ratio must be > 0.90 starting December 31, 2021 and each year after. The third major milestone was the “90 Day Requirement.” This means that beginning January 1, 2022, for each backflow prevention assembly not tested during the previous calendar year, the supplier must ensure the backflow prevention assembly is tested no later than 90 days after the active date of the backflow prevention assembly in the following calendar year. 

Field Services has been identifying violations during sanitary surveys related to these requirements in 2022 and numerous water suppliers have voiced concerns about the requirements and the corresponding Tier 2 public notification requirements. The Division heard these concerns and initiated an update of the rule focused on streamlining the sections to eliminate the tiered implementation structure that has passed, combining the assembly and method test ratios and addressing the “100% compliance” issue. The rulemaking will be scheduled for August 2023, with an effective date in 2024, however the stakeholder process will start in November 2022.

If you are interested in participating, please register for the stakeholder email list on our website here. Thank you for your engagement in the process!

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Tyson Ingels, PE, Lead Drinking Water Engineer

➽ Clayton Moores, PE, Field Unit I Manager

➽ Cameron Wilkins, PE, Field Unit II Manager

Using Emergency Drinking Water Sources: What Water System Should Know

This updated article was originally published in the spring 2010 edition of Aqua Talk.

For drinking water, an emergency source should only be used as the result of extreme circumstances and is otherwise kept offline. Emergency sources should be out of service and only used very rarely. An emergency source should only be used in a true emergency situation. Emergency examples include:

• Using sources to address natural disasters (e.g., fire/flood);
• Line breaks and water loss; or 
• Source water issues (e.g., a well dries up unexpectedly).

Additionally, emergency sources must be included as part of a water system’s inventory prior to its use and approved by the department. Unlike emergency sources, interim or seasonal sources are used intermittently or seasonally. They are often used to meet high water demand or to maintain water rights. These types of sources should be specifically listed as "interim" or "seasonal" in your monitoring plan.

If your system is experiencing an emergency situation and needs to use an emergency source, contact the department as soon as possible but no later than 24 hours after the source is used. During normal business hours, Monday through Friday, please contact your drinking water compliance specialist. Outside of normal business hours and days, please call the emergency response line at 1.877.518.6508. Additionally, you must collect a nitrate and total coliform sample at the emergency source. The sampling must be conducted within two calendar days of the source being into service. The department may also require additional sampling depending on the situation.

If your system needs to use the well for more than 30 days, the department recommends that suppliers collect lead and copper samples from a portion of its highest risk Lead and Copper Rules sample sites. The sample results could help the supplier determine if any lead release has occurred from the potential change in distribution system water quality. If there is an observed increase in the lead release, this information could be used to inform the public especially if there are concerns raised by customers. All drinking water lead results must be reported to the department. 

If you anticipate that your emergency source will be used for more than 90 days, you must: 

1. Notify the department and submit an updated Drinking Water System Inventory Form. When using the form, please make sure to change the availability designation for the source from “emergency” to “interim” or “permanent” (depending on the specific situation). 
2. If the emergency source has not already been approved as an “interim” or “seasonal” source, submit a Drinking Water Application for Construction Approval Form. The regulations require all sources to have design approval. Please note that the approval as an emergency source does NOT constitute an approval of the source for interim or permanent usage. Specific information regarding design approval can be found here. You may also contact the Engineering Section at 303.692.6298 or via email at CDPHE.WQEngReview@state.co.us.

The key to getting an emergency source activated quickly and in compliance is timely communication with the department.

2022 Operator Certification Board Vacancies

The Water and Wastewater Facility Operators Certification Board (WWFOCB) is a 10-member rulemaking body with oversight responsibility for the operator certification program and Regulation 100 plus supporting policies. Members are appointed by the governor to serve four-year terms. The board usually meets up to 10 times a year for half-day meetings. There is also an annual day-long training session, usually in August. While board members volunteer their time, they are entitled to reimbursement of travel expenses.

Currently, there is a vacancy on the WWFOCB:

• A member to achieve geographical representation and to reflect the various interests in the water and wastewater facility certification program. This board member must reside west of the continental divide. This board member is not required to be a certified operator.

The most effective board members have a strong interest in supporting public health and environmental protection through the operator certification program. They are good listeners who can articulate their perspectives in a professional and respectful way. When there is a difference of opinions, effective board members work toward building consensus.

If you are interested in serving on the WWFOCB, and you meet the criteria for the vacancy, please apply online at the Governor’s Office of Boards and Commissions.

Or contact the board office at cdphe.wwfocb@state.co.us for more information.

➽ Brandy Valdez-Murphy, WWFOCB Administrator 

Cybersecurity: Protecting your system = protecting public health

When our drinking water coaches present at conferences, schools, webinars, and on the road the first item that we all discuss is how we in the drinking water sector can work together to create a culture of health. There are many ways to create a shared culture. One of the first steps is to focus on our shared goal in our daily work of providing safe drinking water to the public. The basics of this shared goal are for water providers to follow the drinking water regulations and for the safe drinking water program to ensure that those regulations are being adhered to. As we know regulations can sometimes lag behind current needs and issues that arise in drinking water. So, the question remains, how can we go above and beyond the regulations to protect public health? 

In recent years cyberattacks have been on the rise for critical infrastructure providers, including water providers. Examples of recent attacks include: cutting off operators from their SCADA controls, holding customer billing data ransom, and attempting to alter dosing rates and contaminate the drinking water supply. While the EPA does not currently have any rules for the division to adopt as regulations for cybersecurity, we know this is a critical issue that has the potential to affect systems of all sizes. 

The Infrastructure Investment and Jobs Act (Public Law No. 117-58) also known as the Bipartisan Infrastructure Law (BIL) requires the U.S. Environmental Protection Agency (EPA), in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), to develop a Technical Cybersecurity Support Plan. This plan was released on August 22, 2022 and documents current and future steps that the EPA will take to increase their cybersecurity assistance for drinking water systems. In addition to sharing this report with the drinking water community the division would also like to share some resources and initial steps to help your system prepare for cyberattacks. Thank you for the work you do everyday to protect your communities. We hope these resources help with your efforts! 

Resources: 

• New to cybersecurity? Read this article from Simplilearn to learn about the most common types of cyberattacks and simple steps you can take to protect your system
• EPA: Technical Cybersecurity Support Plan for Public Water Systems - Report to Congress
• EPA: Cybersecurity Best Practices for the Water Sector
• CDPHE: Drinking Water Security Response Toolbox
• Cybersecurity Resources: The department gathered resources to help your system prepare and respond to cybersecurity attacks. 
• Guidance: Respond and Report Cyberattacks is a guidance document that can be used when your water/wastewater facility experiences a cybersecurity event. It outlines what steps to take, how to report the event, and what to expect after reporting the event

10 Questions for a Cybersecurity Dialogue within your organization

Does your system …

1. Keep an inventory of control system devices and ensure this equipment is not exposed to networks outside the utility? Never allow any machine on the control network to “talk” directly to a machine on the business network or on the Internet.
2. Segregate networks and apply firewalls? Classify IT assets, data, and personnel into specific groups, and restrict access to these groups.
3. Use secure remote access methods? A secure method, like a virtual private network, should be used if remote access is required.
4. Establish roles to control access to different networks and log system users? Role-based controls will grant or deny access to network resources based on job functions.
5. Require strong passwords and password management practices? Use strong passwords and have different passwords for different accounts.
6. Stay aware of vulnerabilities and implement patches and updates when needed? Monitor for and apply IT system patches and updates.
7. Enforce policies for the security of mobile devices? Limit the use of mobile devices on your networks and ensure devices are password protected.
8. Have an employee cybersecurity training program? All employees should receive regular cybersecurity training.
9. Involve utility executives in cybersecurity? Organizational leaders are often unaware of cybersecurity threats and needs.
10. Monitor for network intrusions and have a plan in place to respond? Be capable of detecting a compromise quickly and executing an incident response plan.

Please contact us at cdphe.wqdwtraining@state.co.us if you have any questions about any of these areas or need assistance with making improvements to your cybersecurity measures. 

➽ Kyra Gregory Drinking Water Training Specialist and CoWARN Administrator