
§ 18721. Enhancing grid security through public-private partnerships
(a) Definitions
In this section:
(1) Bulk-power system; Electric Reliability Organization
(2) Electric utility; State regulatory authority
(b) Program to promote and advance physical security and cybersecurity of electric utilities
(1) Establishment
The Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as the Secretary determines to be appropriate, the heads of other relevant Federal agencies, State regulatory authorities, industry stakeholders, and the Electric Reliability Organization, shall carry out a program—
(A) to develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
(B) to assist with threat assessment and cybersecurity training for electric utilities;
(C) to provide technical assistance for electric utilities subject to the program;
(D) to provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;
(E) to advance, in partnership with electric utilities, the cybersecurity of third-party vendors that manufacture components of the electric grid;
(F) to increase opportunities for sharing best practices and data collection within the electric sector; and
(G) to assist, in the case of electric utilities that own defense critical electric infrastructure (as defined in section 824o–1(a) of title 16), with full engineering reviews of critical functions and operations at both the utility and defense infrastructure levels—
(i) to identify unprotected avenues for cyber-enabled sabotage that would have catastrophic effects to national security; and
(ii) to recommend and implement engineering protections to ensure continued operations of identified critical functions even in the face of constant cyber attacks and achieved perimeter access by sophisticated adversaries.
(2) Scope
In carrying out the program under paragraph (1), the Secretary shall—
(A) take into consideration—
(i) the different sizes of electric utilities; and
(ii) the regions that electric utilities serve;
(B) prioritize electric utilities with fewer available resources due to size or region; and
(C) to the maximum extent practicable, use and leverage—
(i) existing Department and Department of Homeland Security programs; and
(ii) existing programs of the Federal agencies determined to be appropriate under paragraph (1).
(c) Report on cybersecurity of distribution systems
Not later than 1 year after November 15, 2021, the Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as the Secretary determines to be appropriate, the heads of other Federal agencies, State regulatory authorities, and industry stakeholders, shall submit to Congress a report that assesses—
(1) priorities, policies, procedures, and actions for enhancing the physical security and cybersecurity of electricity distribution systems, including behind-the-meter generation, storage, and load management devices, to address threats to, and vulnerabilities of, electricity distribution systems; and
(2) the implementation of the priorities, policies, procedures, and actions assessed under paragraph (1), including—
(A) an estimate of potential costs and benefits of the implementation; and
(B) an assessment of any public-private cost-sharing opportunities.
(d) Protection of information
Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any electric utility or the bulk-power system—
(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and
(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.
(Pub. L. 117–58, div. D, title I, § 40121, Nov. 15, 2021, 135 Stat. 949.)
§ 18722. Energy cyber sense program
(a) Definitions
In this section:
(1) Bulk-power system
(2) Program
(b) Establishment
(c) Program requirements
In carrying out subsection (b), the Secretary, in coordination with the Secretary of Homeland Security and in consultation with the heads of other relevant Federal agencies, shall—
(1) establish a testing process under the program to test the cybersecurity of products and technologies intended for use in the energy sector, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems;
(2) for products and technologies tested under the program, establish and maintain cybersecurity vulnerability reporting processes and a related database that are integrated with Federal vulnerability coordination processes;
(3) provide technical assistance to electric utilities, product manufacturers, and other energy sector stakeholders to develop solutions to mitigate identified cybersecurity vulnerabilities in products and technologies tested under the program;
(4) biennially review products and technologies tested under the program for cybersecurity vulnerabilities and provide analysis with respect to how those products and technologies respond to and mitigate cyber threats;
(5) develop guidance that is informed by analysis and testing results under the program for electric utilities and other components of the energy sector for the procurement of products and technologies;
(6) provide reasonable notice to, and solicit comments from, the public prior to establishing or revising the testing process under the program;
(7) oversee the testing of products and technologies under the program; and
(8) consider incentives to encourage the use of analysis and results of testing under the program in the design of products and technologies for use in the energy sector.
(d) Protection of information
Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any component of the energy sector, including any electric utility or the bulk-power system—
(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and
(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.
(e) Federal Government liability
(Pub. L. 117–58, div. D, title I, § 40122, Nov. 15, 2021, 135 Stat. 950.)
§ 18723. Rural and municipal utility advanced cybersecurity grant and technical assistance program
(a) Definitions
In this section:
(1) Advanced cybersecurity technology
(2) Bulk-power system
(3) Eligible entity
The term “eligible entity” means—
(A) a rural electric cooperative;
(B) a utility owned by a political subdivision of a State, such as a municipally owned electric utility;
(C) a utility owned by any agency, authority, corporation, or instrumentality of 1 or more political subdivisions of a State;
(D) a not-for-profit entity that is in a partnership with not fewer than 6 entities described in subparagraph (A), (B), or (C); and
(E) an investor-owned electric utility that sells less than 4,000,000 megawatt hours of electricity per year.
(4) Program
(b) Establishment
(c) Objectives
The objectives of the Program shall be—
(1) to deploy advanced cybersecurity technologies for electric utility systems; and
(2) to increase the participation of eligible entities in cybersecurity threat information sharing programs.
(d) Awards
(1) In general
The Secretary—
(A) shall award grants and provide technical assistance under the Program to eligible entities on a competitive basis;
(B) shall develop criteria and a formula for awarding grants and providing technical assistance under the Program;
(C) may enter into cooperative agreements with eligible entities that can facilitate the objectives described in subsection (c); and
(D) shall establish a process to ensure that all eligible entities are informed about and can become aware of opportunities to receive grants or technical assistance under the Program.
(2) Priority for grants and technical assistance
In awarding grants and providing technical assistance under the Program, the Secretary shall give priority to an eligible entity that, as determined by the Secretary—
(A) has limited cybersecurity resources;
(B) owns assets critical to the reliability of the bulk-power system; or
(C) owns defense critical electric infrastructure (as defined in section 824o–1(a) of title 16).
(e) Protection of information
Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any electric utility or the bulk-power system—
(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and
(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.
(f) Authorization of appropriations
(Pub. L. 117–58, div. D, title I, § 40124, Nov. 15, 2021, 135 Stat. 953; Pub. L. 117–263, div. G, title LXXI, § 7143(d)(3), Dec. 23, 2022, 136 Stat. 3663.)
§ 18724. Enhanced grid security
(a) Definitions
In this section:
(1) Electric utility
(2) E-ISAC
(b) Cybersecurity for the energy sector research, development, and demonstration program
(1) In general
The Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as determined appropriate, other Federal agencies, the energy sector, the States, Indian Tribes, Tribal organizations, territories or freely associated states, and other stakeholders, shall develop and carry out a program—
(A) to develop advanced cybersecurity applications and technologies for the energy sector—
(i) to identify and mitigate vulnerabilities, including—
(I) dependencies on other critical infrastructure;
(II) impacts from weather and fuel supply;
(III) increased dependence on inverter-based technologies; and
(IV) vulnerabilities from unpatched hardware and software systems; and
(ii) to advance the security of field devices and third-party control systems, including—
(I) systems for generation, transmission, distribution, end use, and market functions;
(II) specific electric grid elements including advanced metering, demand response, distribution, generation, and electricity storage;
(III) forensic analysis of infected systems;
(IV) secure communications; and
(V) application of in-line edge security solutions;
(B) to leverage electric grid architecture as a means to assess risks to the energy sector, including by implementing an all-hazards approach to communications infrastructure, control systems architecture, and power systems architecture;
(C) to perform pilot demonstration projects with the energy sector to gain experience with new technologies;
(D) to develop workforce development curricula for energy sector-related cybersecurity; and
(E) to develop improved supply chain concepts for secure design of emerging digital components and power electronics.
(2) Authorization of appropriations
(c) Energy sector operational support for cyberresilience program
(1) In general
The Secretary may develop and carry out a program—
(A) to enhance and periodically test—
(i) the emergency response capabilities of the Department; and
(ii) the coordination of the Department with other agencies, the National Laboratories, and private industry;
(B) to expand cooperation of the Department with the intelligence community for energy sector-related threat collection and analysis;
(C) to enhance the tools of the Department and E-ISAC for monitoring the status of the energy sector;
(D) to expand industry participation in E-ISAC; and
(E) to provide technical assistance to small electric utilities for purposes of assessing and improving cybermaturity levels and addressing gaps identified in the assessment.
(2) Authorization of appropriations
(d) Modeling and assessing energy infrastructure risk
(1) In general
The Secretary, in coordination with the Secretary of Homeland Security, shall develop and carry out an advanced energy security program to secure energy networks, including—
(A) electric networks;
(B) natural gas networks; and
(C) oil exploration, transmission, and delivery networks.
(2) Security and resiliency objective
(3) Eligible activities
In carrying out the program developed under paragraph (1), the Secretary may—
(A) develop capabilities to identify vulnerabilities and critical components that pose major risks to grid security if destroyed or impaired;
(B) provide modeling at the national level to predict impacts from natural or human-made events;
(C) add physical security to the cybersecurity maturity model;
(D) conduct exercises and assessments to identify and mitigate vulnerabilities to the electric grid, including providing mitigation recommendations;
(E) conduct research on hardening solutions for critical components of the electric grid;
(F) conduct research on mitigation and recovery solutions for critical components of the electric grid; and
(G) provide technical assistance to States and other entities for standards and risk analysis.
(4) Savings provision
(5) Authorization of appropriations
(Pub. L. 117–58, div. D, title I, § 40125, Nov. 15, 2021, 135 Stat. 954.)
§ 18725. Cybersecurity plan
(a) In general
The Secretary may require, as the Secretary determines appropriate, a recipient of any award or other funding under this division—
(1) to submit to the Secretary, prior to the issuance of the award or other funding, a cybersecurity plan that demonstrates the cybersecurity maturity of the recipient in the context of the project for which that award or other funding was provided; and
(2) establish a plan for maintaining and improving cybersecurity throughout the life of the proposed solution of the project.
(b) Contents of cybersecurity plan
A cybersecurity plan described in subsection (a) shall, at a minimum, describe how the recipient described in that subsection—
(1) plans to maintain cybersecurity between networks, systems, devices, applications, or components—
(A) within the proposed solution of the project; and
(B) at the necessary external interfaces at the proposed solution boundaries;
(2) will perform ongoing evaluation of cybersecurity risks to address issues as the issues arise throughout the life of the proposed solution;
(3) will report known or suspected network or system compromises of the project to the Secretary; and
(4) will leverage applicable cybersecurity programs of the Department, including cyber vulnerability testing and security engineering evaluations.
(c) Additional guidance
Each recipient described in subsection (a) should—
(1) maximize the use of open guidance and standards, including, wherever possible—
(A) the Cybersecurity Capability Maturity Model of the Department (or a successor model); and
(B) the Framework for Improving Critical Infrastructure Cybersecurity of the National Institute of Standards and Technology; and
(2) document—
(A) any deviation from open standards; and
(B) the utilization of proprietary standards where the recipient determines that such deviation necessary.
(d) Coordination
(e) Protection of information
Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any electric utility or the bulk-power system—
(1) shall be exempt from disclosure under section 552(b)(3) of title 5; and
(2) shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.
(Pub. L. 117–58, div. D, title I, § 40126, Nov. 15, 2021, 135 Stat. 956.)
§ 18726. Savings provision

Nothing in this part affects the authority, existing on the day before November 15, 2021, of any other Federal department or agency, including the authority provided to the Secretary of Homeland Security and the Director of the Cybersecurity and Infrastructure Security Agency in title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.).

(Pub. L. 117–58, div. D, title I, § 40127, Nov. 15, 2021, 135 Stat. 957.)