42 USC CHAPTER 162, SUBCHAPTER I, Part B: Cybersecurity
From Title 42—THE PUBLIC HEALTH AND WELFARE
CHAPTER 162—ENERGY INFRASTRUCTURE
SUBCHAPTER I—GRID INFRASTRUCTURE AND RESILIENCY

Part B—Cybersecurity

§18721. Enhancing grid security through public-private partnerships

(a) Definitions

In this section:

(1) Bulk-power system; Electric Reliability Organization

The terms "bulk-power system" and "Electric Reliability Organization" has the meaning given the terms in section 824o(a) of title 16.

(2) Electric utility; State regulatory authority

The terms "electric utility" and "State regulatory authority" have the meanings given the terms in section 796 of title 16.

(b) Program to promote and advance physical security and cybersecurity of electric utilities

(1) Establishment

The Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as the Secretary determines to be appropriate, the heads of other relevant Federal agencies, State regulatory authorities, industry stakeholders, and the Electric Reliability Organization, shall carry out a program—

(A) to develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;

(B) to assist with threat assessment and cybersecurity training for electric utilities;

(C) to provide technical assistance for electric utilities subject to the program;

(D) to provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;

(E) to advance, in partnership with electric utilities, the cybersecurity of third-party vendors that manufacture components of the electric grid;

(F) to increase opportunities for sharing best practices and data collection within the electric sector; and

(G) to assist, in the case of electric utilities that own defense critical electric infrastructure (as defined in section 824o–1(a) of title 16), with full engineering reviews of critical functions and operations at both the utility and defense infrastructure levels—

(i) to identify unprotected avenues for cyber-enabled sabotage that would have catastrophic effects to national security; and

(ii) to recommend and implement engineering protections to ensure continued operations of identified critical functions even in the face of constant cyber attacks and achieved perimeter access by sophisticated adversaries.

(2) Scope

In carrying out the program under paragraph (1), the Secretary shall—

(A) take into consideration—

(i) the different sizes of electric utilities; and

(ii) the regions that electric utilities serve;


(B) prioritize electric utilities with fewer available resources due to size or region; and

(C) to the maximum extent practicable, use and leverage—

(i) existing Department and Department of Homeland Security programs; and

(ii) existing programs of the Federal agencies determined to be appropriate under paragraph (1).

(c) Report on cybersecurity of distribution systems

Not later than 1 year after November 15, 2021, the Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as the Secretary determines to be appropriate, the heads of other Federal agencies, State regulatory authorities, and industry stakeholders, shall submit to Congress a report that assesses—

(1) priorities, policies, procedures, and actions for enhancing the physical security and cybersecurity of electricity distribution systems, including behind-the-meter generation, storage, and load management devices, to address threats to, and vulnerabilities of, electricity distribution systems; and

(2) the implementation of the priorities, policies, procedures, and actions assessed under paragraph (1), including—

(A) an estimate of potential costs and benefits of the implementation; and

(B) an assessment of any public-private cost-sharing opportunities.

(d) Protection of information

Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any electric utility or the bulk-power system—

(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and

(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.

(Pub. L. 117–58, div. D, title I, §40121, Nov. 15, 2021, 135 Stat. 949.)


Statutory Notes and Related Subsidiaries

Wage Rate Requirements

For provisions relating to rates of wages to be paid to laborers and mechanics on projects for construction, alteration, or repair work funded under div. D or an amendment by div. D of Pub. L. 117–58, including authority of Secretary of Labor, see section 18851 of this title.

§18722. Energy cyber sense program

(a) Definitions

In this section:

(1) Bulk-power system

The term "bulk-power system" has the meaning given the term in section 824o(a) of title 16.

(2) Program

The term "program" means the voluntary Energy Cyber Sense program established under subsection (b).

(b) Establishment

The Secretary, in coordination with the Secretary of Homeland Security and in consultation with the heads of other relevant Federal agencies, shall establish a voluntary Energy Cyber Sense program to test the cybersecurity of products and technologies intended for use in the energy sector, including in the bulk-power system.

(c) Program requirements

In carrying out subsection (b), the Secretary, in coordination with the Secretary of Homeland Security and in consultation with the heads of other relevant Federal agencies, shall—

(1) establish a testing process under the program to test the cybersecurity of products and technologies intended for use in the energy sector, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems;

(2) for products and technologies tested under the program, establish and maintain cybersecurity vulnerability reporting processes and a related database that are integrated with Federal vulnerability coordination processes;

(3) provide technical assistance to electric utilities, product manufacturers, and other energy sector stakeholders to develop solutions to mitigate identified cybersecurity vulnerabilities in products and technologies tested under the program;

(4) biennially review products and technologies tested under the program for cybersecurity vulnerabilities and provide analysis with respect to how those products and technologies respond to and mitigate cyber threats;

(5) develop guidance that is informed by analysis and testing results under the program for electric utilities and other components of the energy sector for the procurement of products and technologies;

(6) provide reasonable notice to, and solicit comments from, the public prior to establishing or revising the testing process under the program;

(7) oversee the testing of products and technologies under the program; and

(8) consider incentives to encourage the use of analysis and results of testing under the program in the design of products and technologies for use in the energy sector.

(d) Protection of information

Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any component of the energy sector, including any electric utility or the bulk-power system—

(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and

(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.

(e) Federal Government liability

Nothing in this section authorizes the commencement of an action against the United States with respect to the testing of a product or technology under the program.

(Pub. L. 117–58, div. D, title I, §40122, Nov. 15, 2021, 135 Stat. 950.)


Statutory Notes and Related Subsidiaries

Wage Rate Requirements

For provisions relating to rates of wages to be paid to laborers and mechanics on projects for construction, alteration, or repair work funded under div. D or an amendment by div. D of Pub. L. 117–58, including authority of Secretary of Labor, see section 18851 of this title.

§18723. Rural and municipal utility advanced cybersecurity grant and technical assistance program

(a) Definitions

In this section:

(1) Advanced cybersecurity technology

The term "advanced cybersecurity technology" means any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of electric utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat (as defined in section 650 of title 6).

(2) Bulk-power system

The term "bulk-power system" has the meaning given the term in section 824o(a) of title 16.

(3) Eligible entity

The term "eligible entity" means—

(A) a rural electric cooperative;

(B) a utility owned by a political subdivision of a State, such as a municipally owned electric utility;

(C) a utility owned by any agency, authority, corporation, or instrumentality of 1 or more political subdivisions of a State;

(D) a not-for-profit entity that is in a partnership with not fewer than 6 entities described in subparagraph (A), (B), or (C); and

(E) an investor-owned electric utility that sells less than 4,000,000 megawatt hours of electricity per year.

(4) Program

The term "Program" means the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program established under subsection (b).

(b) Establishment

Not later than 180 days after November 15, 2021, the Secretary, in coordination with the Secretary of Homeland Security and in consultation with the Federal Energy Regulatory Commission, the North American Electric Reliability Corporation, and the Electricity Subsector Coordinating Council, shall establish a program, to be known as the "Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program", to provide grants and technical assistance to, and enter into cooperative agreements with, eligible entities to protect against, detect, respond to, and recover from cybersecurity threats.

(c) Objectives

The objectives of the Program shall be—

(1) to deploy advanced cybersecurity technologies for electric utility systems; and

(2) to increase the participation of eligible entities in cybersecurity threat information sharing programs.

(d) Awards

(1) In general

The Secretary—

(A) shall award grants and provide technical assistance under the Program to eligible entities on a competitive basis;

(B) shall develop criteria and a formula for awarding grants and providing technical assistance under the Program;

(C) may enter into cooperative agreements with eligible entities that can facilitate the objectives described in subsection (c); and

(D) shall establish a process to ensure that all eligible entities are informed about and can become aware of opportunities to receive grants or technical assistance under the Program.

(2) Priority for grants and technical assistance

In awarding grants and providing technical assistance under the Program, the Secretary shall give priority to an eligible entity that, as determined by the Secretary—

(A) has limited cybersecurity resources;

(B) owns assets critical to the reliability of the bulk-power system; or

(C) owns defense critical electric infrastructure (as defined in section 824o–1(a) of title 16).

(e) Protection of information

Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any electric utility or the bulk-power system—

(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and

(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.

(f) Authorization of appropriations

There is authorized to be appropriated to the Secretary to carry out this section $250,000,000 for the period of fiscal years 2022 through 2026.

(Pub. L. 117–58, div. D, title I, §40124, Nov. 15, 2021, 135 Stat. 953; Pub. L. 117–263, div. G, title LXXI, §7143(d)(3), Dec. 23, 2022, 136 Stat. 3663.)


Editorial Notes

Amendments

2022—Subsec. (a)(1). Pub. L. 117–263 substituted "section 650 of title 6" for "section 1501 of title 6".


Statutory Notes and Related Subsidiaries

Wage Rate Requirements

For provisions relating to rates of wages to be paid to laborers and mechanics on projects for construction, alteration, or repair work funded under div. D or an amendment by div. D of Pub. L. 117–58, including authority of Secretary of Labor, see section 18851 of this title.

§18724. Enhanced grid security

(a) Definitions

In this section:

(1) Electric utility

The term "electric utility" has the meaning given the term in section 796 of title 16.

(2) E-ISAC

The term "E-ISAC" means the Electricity Information Sharing and Analysis Center.

(b) Cybersecurity for the energy sector research, development, and demonstration program

(1) In general

The Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as determined appropriate, other Federal agencies, the energy sector, the States, Indian Tribes, Tribal organizations, territories or freely associated states, and other stakeholders, shall develop and carry out a program—

(A) to develop advanced cybersecurity applications and technologies for the energy sector—

(i) to identify and mitigate vulnerabilities, including—

(I) dependencies on other critical infrastructure;

(II) impacts from weather and fuel supply;

(III) increased dependence on inverter-based technologies; and

(IV) vulnerabilities from unpatched hardware and software systems; and


(ii) to advance the security of field devices and third-party control systems, including—

(I) systems for generation, transmission, distribution, end use, and market functions;

(II) specific electric grid elements including advanced metering, demand response, distribution, generation, and electricity storage;

(III) forensic analysis of infected systems;

(IV) secure communications; and

(V) application of in-line edge security solutions;


(B) to leverage electric grid architecture as a means to assess risks to the energy sector, including by implementing an all-hazards approach to communications infrastructure, control systems architecture, and power systems architecture;

(C) to perform pilot demonstration projects with the energy sector to gain experience with new technologies;

(D) to develop workforce development curricula for energy sector-related cybersecurity; and

(E) to develop improved supply chain concepts for secure design of emerging digital components and power electronics.

(2) Authorization of appropriations

There is authorized to be appropriated to the Secretary to carry out this subsection $250,000,000 for the period of fiscal years 2022 through 2026.

(c) Energy sector operational support for cyberresilience program

(1) In general

The Secretary may develop and carry out a program—

(A) to enhance and periodically test—

(i) the emergency response capabilities of the Department; and

(ii) the coordination of the Department with other agencies, the National Laboratories, and private industry;


(B) to expand cooperation of the Department with the intelligence community for energy sector-related threat collection and analysis;

(C) to enhance the tools of the Department and E-ISAC for monitoring the status of the energy sector;

(D) to expand industry participation in E-ISAC; and

(E) to provide technical assistance to small electric utilities for purposes of assessing and improving cybermaturity levels and addressing gaps identified in the assessment.

(2) Authorization of appropriations

There is authorized to be appropriated to the Secretary to carry out this subsection $50,000,000 for the period of fiscal years 2022 through 2026.

(d) Modeling and assessing energy infrastructure risk

(1) In general

The Secretary, in coordination with the Secretary of Homeland Security, shall develop and carry out an advanced energy security program to secure energy networks, including—

(A) electric networks;

(B) natural gas networks; and

(C) oil exploration, transmission, and delivery networks.

(2) Security and resiliency objective

The objective of the program developed under paragraph (1) is to increase the functional preservation of electric grid operations or natural gas and oil operations in the face of natural and human-made threats and hazards, including electric magnetic pulse and geomagnetic disturbances.

(3) Eligible activities

In carrying out the program developed under paragraph (1), the Secretary may—

(A) develop capabilities to identify vulnerabilities and critical components that pose major risks to grid security if destroyed or impaired;

(B) provide modeling at the national level to predict impacts from natural or human-made events;

(C) add physical security to the cybersecurity maturity model;

(D) conduct exercises and assessments to identify and mitigate vulnerabilities to the electric grid, including providing mitigation recommendations;

(E) conduct research on hardening solutions for critical components of the electric grid;

(F) conduct research on mitigation and recovery solutions for critical components of the electric grid; and

(G) provide technical assistance to States and other entities for standards and risk analysis.

(4) Savings provision

Nothing in this section authorizes new regulatory requirements.

(5) Authorization of appropriations

There is authorized to be appropriated to the Secretary to carry out this subsection $50,000,000 for the period of fiscal years 2022 through 2026.

(Pub. L. 117–58, div. D, title I, §40125, Nov. 15, 2021, 135 Stat. 954.)


Statutory Notes and Related Subsidiaries

Wage Rate Requirements

For provisions relating to rates of wages to be paid to laborers and mechanics on projects for construction, alteration, or repair work funded under div. D or an amendment by div. D of Pub. L. 117–58, including authority of Secretary of Labor, see section 18851 of this title.

§18725. Cybersecurity plan

(a) In general

The Secretary may require, as the Secretary determines appropriate, a recipient of any award or other funding under this division—

(1) to submit to the Secretary, prior to the issuance of the award or other funding, a cybersecurity plan that demonstrates the cybersecurity maturity of the recipient in the context of the project for which that award or other funding was provided; and

(2) establish a plan for maintaining and improving cybersecurity throughout the life of the proposed solution of the project.

(b) Contents of cybersecurity plan

A cybersecurity plan described in subsection (a) shall, at a minimum, describe how the recipient described in that subsection—

(1) plans to maintain cybersecurity between networks, systems, devices, applications, or components—

(A) within the proposed solution of the project; and

(B) at the necessary external interfaces at the proposed solution boundaries;


(2) will perform ongoing evaluation of cybersecurity risks to address issues as the issues arise throughout the life of the proposed solution;

(3) will report known or suspected network or system compromises of the project to the Secretary; and

(4) will leverage applicable cybersecurity programs of the Department, including cyber vulnerability testing and security engineering evaluations.

(c) Additional guidance

Each recipient described in subsection (a) should—

(1) maximize the use of open guidance and standards, including, wherever possible—

(A) the Cybersecurity Capability Maturity Model of the Department (or a successor model); and

(B) the Framework for Improving Critical Infrastructure Cybersecurity of the National Institute of Standards and Technology; and


(2) document—

(A) any deviation from open standards; and

(B) the utilization of proprietary standards where the recipient determines that such deviation necessary.

(d) Coordination

The Office of Cybersecurity, Energy Security, and Emergency Response of the Department shall review each cybersecurity plan submitted under subsection (a) to ensure integration with Department research, development, and demonstration programs.

(e) Protection of information

Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any electric utility or the bulk-power system—

(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and

(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.

(Pub. L. 117–58, div. D, title I, §40126, Nov. 15, 2021, 135 Stat. 956.)


Editorial Notes

References in Text

This division, referred to in subsec. (a), is div. D of Pub. L. 117–58, Nov. 15, 2021, 135 Stat. 923, which enacted this chapter and enacted and amended numerous other sections and notes in the Code. For complete classification of div. D to the Code, see Tables.


Statutory Notes and Related Subsidiaries

Wage Rate Requirements

For provisions relating to rates of wages to be paid to laborers and mechanics on projects for construction, alteration, or repair work funded under div. D or an amendment by div. D of Pub. L. 117–58, including authority of Secretary of Labor, see section 18851 of this title.

§18726. Savings provision

Nothing in this part affects the authority, existing on the day before November 15, 2021, of any other Federal department or agency, including the authority provided to the Secretary of Homeland Security and the Director of the Cybersecurity and Infrastructure Security Agency in title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.).

(Pub. L. 117–58, div. D, title I, §40127, Nov. 15, 2021, 135 Stat. 957.)


Editorial Notes

References in Text

The Homeland Security Act of 2002, referred to in text, is Pub. L. 107–296, Nov. 25, 2002, 116 Stat. 2135. Title XXII of the Act is classified generally to subchapter XVIII (§651 et seq.) of chapter 1 of Title 6, Domestic Security. For complete classification of this Act to the Code, see Short Title note set out under section 101 of Title 6 and Tables.


Statutory Notes and Related Subsidiaries

Wage Rate Requirements

For provisions relating to rates of wages to be paid to laborers and mechanics on projects for construction, alteration, or repair work funded under div. D or an amendment by div. D of Pub. L. 117–58, including authority of Secretary of Labor, see section 18851 of this title.