Transportation and Infrastructure Committee, Water Resources and Environment Subcommittee, Energy and Commerce Committee
This bill proposes the establishment of a Water Risk and Resilience Organization (WRRO), a new entity tasked with developing and implementing cybersecurity risk and resilience requirements for the water sector. The legislation defines "covered water systems" as community water systems and treatment works serving populations of 3,300 or more, emphasizing the need for these critical infrastructures to be cyber resilient, meaning they can withstand, adapt to, and recover from cybersecurity incidents. The Environmental Protection Agency (EPA) Administrator is responsible for issuing a final rule to select and certify the WRRO. To be certified, an organization must demonstrate advanced technical knowledge, include members with experience as water system owners or operators, and prove its ability to develop effective cybersecurity requirements. Crucially, the WRRO must establish rules ensuring its independence, fair allocation of costs, and just procedures for enforcing requirements and imposing penalties. The WRRO will file proposed cybersecurity risk and resilience requirements, along with implementation plans, with the Administrator for approval. The Administrator will approve requirements deemed "just, reasonable, and not unduly discriminatory," deferring to the WRRO's technical expertise on content. If a requirement is disapproved, the Administrator will remand it with specific recommendations, and the WRRO must either accept the recommendations, provide a reason for not accepting them, or withdraw the proposal. To ensure ongoing effectiveness, the WRRO is mandated to routinely monitor and assess the implementation and efficacy of approved cybersecurity requirements. This includes requiring annual self-attestations from covered water systems and conducting periodic third-party assessments at least every five years.
The WRRO will also submit annual reports to the Administrator, containing only aggregated or anonymized findings to protect sensitive security information. Furthermore, the WRRO is empowered to impose penalties, up to $25,000 per day, on owners or operators of covered water systems for violations of approved cybersecurity requirements, following due process. These penalties are subject to review by the Administrator and any collected funds will be used to support WRRO training initiatives and resource capabilities. The bill clarifies that the WRRO is not a federal agency and preserves state authority as long as it is not inconsistent with federal cybersecurity requirements.
To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector.
Introduced in House
Referred to the Committee on Transportation and Infrastructure, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Subcommittee on Water Resources and Environment.
Environmental Protection
USA | 119th Congress | HR-2594 | House | Updated: 4/2/2025