Cybersecurity Legislation Passed in the 117th Congress
Bipartisan Infrastructure Bill (H.R. 3684 “Infrastructure Investment and Jobs Act”)
On November 15, 2021, President Biden signed the “Infrastructure Investment and Jobs Act,” H.R. 3684, which includes a number of provisions pertinent to energy cybersecurity. These include the Enhancing Grid Security through Public-Private Partnerships Act, which directs DOE to collaborate with a diverse array of stakeholders, including industry participants, states, and federal agencies, to develop a plan for improving the security of utilities’ physical and cyber operations, and the Cyber Sense Act, which directs DOE to work with electric utilities to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system. A summary of the cybersecurity provisions in the law is included below.
- Sec. 40121. Enhancing grid security through public-private partnerships. Directs DOE to establish a program, in consultation with electricity subsector stakeholders, to promote and advance the physical security and cybersecurity of electric utilities, with priority given to utilities with fewer resources. The provision passed the House on its own by voice vote in both the current and the previous Congress. No funding is provided for the program, but it could be funded through appropriations under Sec. 40125.
- Sec. 40122. Energy cyber sense program. Directs DOE to work with electric utilities to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system.
- Sec. 40123. Incentives for advanced cybersecurity technology investment. Directs FERC to establish incentive-based rate treatments for interstate transmission and wholesale electricity sales to encourage the deployment of advanced cybersecurity technologies.
- Sec. 40124. Rural and municipal utility advanced cybersecurity grant and technical assistance program. Establishes a DOE grant and technical assistance program to deploy advanced cybersecurity technology for rural cooperative and municipal utilities. $250 million is appropriated to the DOE Office of Cybersecurity, Energy Security, and Emergency Response for the program.
- Sec. 40125. Enhanced grid security. Establishes a DOE research and development program for energy sector advanced cybersecurity technologies. Also directs DOE to establish a cyber-testing and mitigation program to identify vulnerabilities in the energy sector, and directs DOE to establish other operational support and risk assessment programs to secure electric, natural gas, and oil transmission and delivery. $300 million is appropriated to the DOE Office of Cybersecurity, Energy Security, and Emergency Response – $250 million for the research and development program and $50 million for the operational support program. $50 million is appropriated to the DOE Office of Electricity for the risk assessment program.
- Sec. 40126. Cybersecurity plan. Allows DOE to require that any recipient of any funding under the energy portion of the infrastructure bill submit a cybersecurity plan demonstrating cybersecurity maturity.
- Secs. 70601 and 70602. Cyber response and recovery act. Allows the Secretary of Homeland Security to declare a significant cybersecurity incident. Such a declaration would allow DHS to use a $20 million Cyber Response and Recovery Fund to help pay for response efforts and would put DHS in charge of coordinating all support provided by the federal government for the cybersecurity incident. $100 million is appropriated to the DHS Cybersecurity and Infrastructure Security Agency for the program.
FY22 National Defense Authorization Act
On December 27, 2021, the President signed the FY22 National Defense Authorization Act (NDAA) conference report, which contains compromise language agreed between the House and Senate Armed Services Committees. The bill contains a number of cybersecurity provisions, summarized below.
- Sec. 866. Report on Cybersecurity Maturity Model Certification effects on small business. Requires the Secretary of Defense to submit a report, not later than 180 days, to the Committees on Armed Services of the Senate and the House of Representatives on the effects the Cybersecurity Maturity Model Certification has on small businesses.
- Sec. 1118. Occupational Series for Digital Career Fields. Directs the Office of Personnel Management to establish occupational series covering Federal Government positions in the fields of software development, software engineering, data science, and data management. This will allow federal agencies to hire staff directly for their data expertise.
- Sec. 1508. Coordination between United States Cyber Command and private sector. Directs US Cyber Command to set up a voluntary process for engaging with private-sector information technology and cybersecurity companies to protect against foreign cyber actors.
- Sec. 1533. Report on the Cybersecurity Maturity Model Certification program. Requires the Secretary of Defense to submit a report, not later than 90 days, to the Committees on Armed Services of the Senate and the House of Representatives on the plans of the Secretary for the Cybersecurity Maturity Model Certification program in consideration of the recent internal review of the program and recent efforts by the Secretary to improve the cybersecurity of the defense industrial base.
- Sec. 1541. Capabilities of the Cybersecurity and Infrastructure Security Agency to identify threats to industrial control systems. Clarifies the lead federal role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), coordinating with Sector Risk Management Agencies, in identifying and mitigating cybersecurity threats to industrial control systems, including supervisory control and data acquisition (SCADA) systems.
- Sec. 1546. Cyber incident response plan. Requires CISA to update its cyber incident response plan not less often than biennially.
- Sec. 1547. National cyber exercise program. Directs CISA to build on its existing work by codifying a National Cyber Exercise Program, in order to test U.S. response plans for major cyber incidents. Also codifies CISA's work on model exercises that can be readily used by state/local governments and businesses to test the safety and security of their own critical infrastructure.
- Sec. 1548. CyberSentry Program of the Cybersecurity and Infrastructure Security Agency. Authorizes the CyberSentry critical ICS cybersecurity program within the DHS Cybersecurity and Infrastructure Security Agency, which allows CISA to enter into strategic, voluntary partnerships with priority ICS owners and operators to provide enhanced cyber threat monitoring and detection.
- Sec. 1550. Pilot program on public-private partnerships with internet ecosystem companies to detect and disrupt adversary cyber operations. Requires the Secretary of Defense to establish a pilot program for voluntary public-private partnerships with internet ecosystem companies to discover and disrupt the use of the platforms, systems, services, and infrastructure of such companies by malicious cyber actors. The White House opposed this provision.