Key Cybersecurity Provisions in the Infrastructure Investment and Jobs Act
Part 5 of the Keller and Heckman Infrastructure Act Blog Series
This is the fifth in Keller and Heckman’s series of posts pertaining to the new Infrastructure Investment and Jobs Act (H.R. 3684) (“the IIJA” or “the Act”), which was signed into law on November 15, 2021. Our first few posts examined the $42.45 billion Broadband Equity Access and Deployment Program, the $1 Billion Middle Mile Grant Program, the Act’s support for broadband partnerships, and the Affordable Connectivity Program. This post summarizes some key provisions in the Act that are intended to enhance the cybersecurity of utilities, the energy sector, and state and local governments. The programs and amounts of government funding available to eligible entities are significant, especially for those entities that lack cybersecurity resources due to size or region.
State and Local Government Information Systems
The IIJA appropriates $1 billion to enhance the cybersecurity of state and local government information systems, as follows: $200 million in federal grants for fiscal year (“FY”) 2022; $400 million for FY 2023; $300 million for FY 2024; and $100 million for FY 2025.
Cybersecurity of Electric Utilities
To promote the physical security and cybersecurity of electric utilities (as defined in the Federal Power Act), the IIJA requires the Secretary of Energy to implement a cybersecurity program, in coordination with the Secretary of Homeland Security, and in consultation with the heads of other Federal agencies, state regulatory authorities, industry stakeholders, and the Electric Reliability Organization. The program will include the development of models and methods for assessing physical security and cybersecurity, assistance with threat assessment and cybersecurity training and technical assistance for electric utilities, training to address and mitigate supply chain management risks, advancing the cybersecurity of third-party vendors, promoting information sharing within the electric sector, and assisting electric utilities that own defense critical electric infrastructure with engineering reviews. Priority will be given to electric utilities with fewer resources due to size or region.
Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program
Significantly, the IIJA appropriates $250 million for FYs 2022 through 2026 for the establishment of a Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program for rural electric cooperatives, public utilities, certain investor-owned electric utilities, and other eligible entities to protect against, detect, respond to, and recover from cybersecurity threats. The objectives are to deploy “advanced cybersecurity technologies” for electric utility systems and increase participation in cybersecurity threat information sharing. Priority for grants and technical assistance will be given to eligible entities that have limited cybersecurity resources, own assets critical to the reliability of the bulk-power system, or own defense critical electric infrastructure (as defined in the Federal Power Act).
Enhanced Grid Security
The IIJA also appropriates $250 million for FYs 2022 through 2026 for implementation of a cybersecurity research, development, and demonstration program for the energy sector to develop “advanced cybersecurity applications and technologies.”
Other notable appropriations include $50 million for FYs 2022 through 2026 for an energy sector Operational Support for Cyber-Resilience Program, and $50 million for FYs 2022 through 2026 for an advanced energy security program to secure energy networks, including electric, natural gas, and oil exploration, transmission and delivery networks.
Energy Cyber Sense Program
The Secretary of Energy, in coordination with the Secretary of Homeland Security and in consultation with the heads of other Federal agencies, is directed to establish a voluntary Energy Cyber Sense program to test the cybersecurity of products and technologies intended for the energy sector, including the bulk-power system, provide technical assistance, and oversee testing.
Advanced Cybersecurity Technology Investment by Public Utilities
The IIJA amends Part II of the Federal Power Act by adding incentives for cybersecurity investments. Within 180 days, the Federal Energy Regulatory Commission (“FERC”) will conduct a study that identifies incentive-based rate treatments for the transmission and sale of electricity to encourage investment in “advanced cybersecurity technology” (as defined in the Federal Power Act) and information sharing by public utilities. Within one year from the conclusion of the study, FERC will establish by rule incentive-based rate treatments for the transmission and sale of electricity by public utilities to encourage investments in advanced cybersecurity technology and expand participation in cybersecurity threat information sharing programs.
Cyber Response and Recovery Act of 2021
The IIJA appropriates $20 million for FY 2022 and each subsequent year until 2028 to a Cyber Response and Recovery Fund. These provisions incorporate the Cyber Response and Recovery Act of 2021, which authorizes the Secretary of the Department of Homeland Security, in consultation with the National Cyber Director, to declare that a “significant incident” has occurred or is likely imminent, and establishes authority to respond to and recover from such an incident. The Cyber Response and Recovery Act also includes directions to several agency heads to implement new programs to bolster cybersecurity capacity at the national, state, and local levels.