Natsar Cybersecurity Insights
- Oct 15, 2025
How Natsar Can Help New York Water Utilities Get Compliant (and Stay Secure)
- Josh Moulin
- Cybersecurity, Compliance & Legal
Intended Audience: Municipal leaders, water and wastewater utility managers, and IT professionals responsible for operational continuity, risk management, or compliance with DOH and DEC cybersecurity rules.
With new cybersecurity regulations coming into effect for New York’s water and wastewater utilities, many organizations are asking the same question—how do we meet these complex requirements without overwhelming our limited budgets or staff?
The answer: you don’t have to do it alone.
Introduction
The new cybersecurity mandates from the Department of Health (DOH) and Department of Environmental Conservation (DEC) mark a major shift for New York’s public water and wastewater systems. These rules require new levels of accountability—cyber risk assessments, incident reporting, operator training, and stronger governance.
But compliance doesn’t have to be costly or complicated. Whether your system serves a few thousand residents or a major metropolitan area, Natsar offers practical, right-sized solutions to help you comply confidently and build lasting resilience.
Local Expertise, Global Perspective
Natsar is a licensed, insured, and bonded cybersecurity company based in New York’s Capital Region—a small business that understands the realities faced by New York’s critical infrastructure utilities. We combine local insight with national and international critical infrastructure experience—helping utilities meet state and federal cybersecurity mandates with confidence.
You don’t need to hire a large national firm that charges enterprise-level rates for generic solutions.
Natsar brings extensive experience supporting critical infrastructure organizations worldwide, including:
- Securing sensitive national security programs within the United States
- Assisting state, local, tribal, and territorial (SLTT) governments
- Helping small and rural utilities improve cybersecurity and compliance programs
- Securing critical infrastructure entities around the world on behalf of the U.S. government
That global expertise—combined with local understanding—drives Natsar’s goal of helping utilities strengthen cybersecurity, meet state and federal requirements, and maintain operational resilience efficiently and affordably.
How Natsar Can Help
Natsar delivers full-spectrum cybersecurity support aligned with the requirements of both DOH (10 NYCRR Subpart 5-1, Appendix 5-E) and DEC (6 NYCRR Parts 616, 650, 750).
Table showing how Natsar can help New York water utilities meet new requirements
Governance and vCISO Services
Both rulemakings require utilities to designate an executive or qualified individual responsible for cybersecurity. For smaller or mid-sized organizations, hiring a full-time Chief Information Security Officer (CISO) isn’t practical.
That’s where Natsar’s Virtual Chief Information Security Officer (vCISO) services come in. Our vCISO offering provides all the benefits of a seasoned cybersecurity executive—strategic leadership, policy oversight, regulatory reporting, and risk management—without the full-time cost.
Through our vCISO engagements, Natsar:
- Serves as your designated cybersecurity leader or supports your internal executive
- Oversees risk assessments, policy updates, and compliance documentation
- Leads incident response planning and regulatory coordination
- Provides board and leadership briefings to demonstrate ongoing compliance
Cybersecurity Vulnerability Assessments (CVA)
We conduct and document your required CVA, identifying risks, prioritizing mitigations, and aligning outcomes with both state and federal frameworks (NIST CSF, AWIA, EPA guidance). Natsar can maintain your CVA cadence annually—or sooner if your infrastructure changes.
Incident Response Planning and Tabletop Exercises
We help organizations develop Incident Response Plans (IRPs) that integrate directly with their Emergency Response Plans (ERPs), as required by both DOH and DEC. Our Incident Response Program Toolkit provides templates, policies, and practical guidance to help you prepare.
We also conduct tabletop exercises to validate response procedures and ensure staff readiness before a real incident occurs.
Operator and Staff Cybersecurity Training
Both agencies now require cybersecurity training for certified operators and staff. Natsar provides tailored training programs that meet or exceed state mandates:
- Water system operators: at least one hour every three years
- Wastewater operators: 2–4 hours every five years, depending on grade
We also offer awareness sessions for management and IT teams to strengthen cybersecurity culture.
Monitoring, Reporting, and Audit Readiness
Larger systems must implement network monitoring and maintain logs—three years for DOH, one-year minimum for DEC. Our vCISO service ensures these monitoring and reporting processes are designed efficiently, with scalable solutions for smaller utilities.
We also help utilities prepare for third-party audits, maintain compliance documentation, and ensure readiness for inspections from DOH or DEC.
Bottom Line
New York’s new water and wastewater cybersecurity regulations are clear: cybersecurity governance is no longer optional. Whether you need full compliance support or just help filling the gaps, Natsar provides the expertise, flexibility, and affordability your organization needs to get—and stay—secure.
Get ahead of the deadlines. Schedule a consultation with Natsar today to see how our vCISO, CVA, and IR program services can help you meet every requirement with confidence.