Indiana § 13-18-16.5-1 Cybersecurity vulnerability assessment; reporting requirements

Indiana Statutes

§ 13-18-16.5-1 — Cybersecurity vulnerability assessment; reporting requirements

Indiana § 13-18-16.5-1

Art. 18WATER POLLUTION CONTROL

Ch. 16.5Public Water and Wastewater Cybersecurity

This text of Indiana § 13-18-16.5-1 (Cybersecurity vulnerability assessment; reporting requirements) is published on Counsel Stack Legal Research, covering Indiana primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Ind. Code § 13-18-16.5-1 (2026).

Text

(a)This chapter applies to an entity that:

(1)is:

(A)a community water system (as defined in IC 13-11-2-35.5(b)) with a population of five hundred (500) or more;

(B)a publicly owned treatment works (as defined in IC 13-11-2-177.5); or

(C)a semipublic facility (as defined in 327 IAC 5-1.5-59) with a classification of Class III or Class IV (as described in 327 IAC 5-23-3(4) and 327 IAC 5-23-3(5)); and

(2)utilizes:

(A)a computerized system to monitor and control the processes of the entity's operation from a central location; or

(B)another vulnerable monitoring or management system identified by the department.

(b)An entity shall do the following:

(1)Conduct a cybersecurity vulnerability assessment at least once per calendar year.

(2)Before September 1 of each year, provide the off

Free access — add to your briefcase to read the full text and ask questions with AI

(a) This chapter applies to an entity that:
(1) is:
(A) a community water system (as defined in IC 13-11-2-35.5(b)) with a population of five hundred (500) or
more;
(B) a publicly owned treatment works (as defined in IC 13-11-2-177.5); or
(C) a semipublic facility (as defined in 327 IAC 5-1.5-59) with
a classification of Class III or Class IV (as described in 327 IAC
5-23-3(4) and 327 IAC 5-23-3(5)); and
(2) utilizes:
(A) a computerized system to monitor and control the processes
of the entity's operation from a central location; or
(B) another vulnerable monitoring or management system
identified by the department.
(b) An entity shall do the following:
(1) Conduct a cybersecurity vulnerability assessment at least once
per calendar year.
(2) Before September 1 of each year, provide the office of
technology established by IC 4-13.1-2-1 with the name and
contact information of any individual who will act as the primary
reporter of a cybersecurity incident.
(3) Beginning in 2026, not later than December 31 of each
even-numbered year, submit a certification to the department via
a secured portal verifying that the entity:
(A) completed the assessment described in subdivision (1);
(B) mitigated or has documented plans to mitigate identified
vulnerabilities; and
(C) updated emergency response plans to account for
vulnerabilities and mitigating procedures.
(4) When an actual or reasonably suspected cybersecurity breach
occurs, report the cybersecurity incident to the office of
technology established by IC 4-13.1-2-1:
(A) either:
(i) not later than twenty-four (24) hours after discovery of the
cybersecurity incident, if the cybersecurity incident impacts
the operations of the entity; or
(ii) not later than two (2) business days after discovery of the
cybersecurity incident, if the cybersecurity incident does not
impact the operations of the entity; and
(B) in a format prescribed by the chief information officer of
the office of technology.
(c) In conducting an assessment under subsection (b)(1), the entity
shall utilize an assessment tool or framework approved by the
department and the office of technology established by IC 4-13.1-2-1.
(d) An assessment conducted under subsection (b)(1) is confidential
under IC 5-14-3-4(b)(19).