Summary of House Bill 5850 (Michigan, 2025-2026)
Purpose
- The bill aims to strengthen cybersecurity and physical security protections for public water supplies in Michigan. It adds a new section (Sec. 8a) to the Safe Drinking Water Act and updates penalties under Sec. 21.
Key Provisions
1) Security requirements for public water supplies (Sec. 8a)
- Critical infrastructure protections: Public water supplies must implement security measures to guard against:
- Cyberattacks
- Physical attacks or cyber disruptions to critical functions (e.g., pumping, storage, monitoring, cooling, fire suppression)
- Cyber compromise
- Risk-based cybersecurity and resilience program:
- Must be aligned with nationally recognized frameworks and guidance, notably the NIST Cybersecurity Framework and guidance from the Cybersecurity and Infrastructure Security Agency (CISA)
- The bill specifies alignment with recognized guidance but does not require adherence to any single framework or technology.
- Applicable systems and controls:
- Safety-critical systems that can default to a safe state
- Redundant cooling and thermal controls
- Fire suppression capable of operating independently of remote commands
- On-site manual override access
- Segmentation of safety-critical systems from public-facing networks (to limit exposure)
- Incident response and disaster recovery planning:
- Plans must include: roles and responsibilities, communication/notification procedures, system restoration priorities, and procedures for coordinating with emergency responders
2) Definitions (Sec. 8a(5))
- Critical infrastructure: Waterworks system and associated safety-critical operational technology essential for safe and reliable drinking water.
- Safety-critical systems: Operational technology and related systems necessary for safe operation and to prevent public health, safety, or reliability risks.
3) Penalties and enforcement (Sec. 21)
- For violations of the Safe Drinking Water Act or related rules/orders: misdemeanor with fines up to $5,000 per day, and/or up to 1 year imprisonment.
- Violations of Sec. 8a: civil fines up to $25,000 per day per violation; each day constitutes a separate violation. Prosecution may be brought by the county prosecutor or the attorney general.
- Minor offenses (a defined term): Violations of permits that do not functionally impair waterworks operation or public health protection are considered minor offenses (for procedural purposes).
4) Effective date
- Enacting section provides that the act takes effect 90 days after enactment.
Additional notes
- The bill was introduced and referred to the Committee on Government Operations on April 22, 2026, with Rep. Reggie Miller as the sponsor and additional co-sponsors listed.
- The measure emphasizes a risk-based, flexible approach to cybersecurity and resilience, rather than mandating a single framework, while prioritizing critical safety-related operational technology and network segmentation.
Potential Impact
- Public water systems: Will need to assess and upgrade cyber and physical security measures, ensuring redundancy, manual overrides, and network segmentation are in place. They must develop and regularly update incident response and disaster recovery plans.
- State and local authorities: May incur compliance oversight, with penalties for non-compliance and civil fines for violations of Sec. 8a.
- Public health and safety: Aims to reduce risk of cyber or physical disruptions that could impact drinking water quality, reliability, and emergency response coordination.
- Industry guidance: Encourages alignment with established cybersecurity frameworks (e.g., NIST) and CISA guidance, offering a flexible approach to security technology choices.
Overall, HB 5850 proposes a proactive, structured framework to shield public water systems from cyber-physical threats, with clear planning, containment, and enforcement provisions.