Cybersecurity Infrastructure Investment and Jobs Act

Part 5 of the Keller and Heckman Infrastructure Act blog series

This is the fifth in Keller and Heckman’s series of articles regarding the new Infrastructure Investment and Employment Act (HR 3684) (“the IIJA” or “the Act”), which has was signed into law on November 15, 2021. Our first articles looked at the $42.45 billion Broadband Equity Access and Deployment Program, the $1 billion per mile subsidy program intermediary, the law’s support for broadband partnerships and the affordable connectivity program. This article summarizes some key provisions of the law that aim to strengthen the cybersecurity of utilities, the energy sector, and state and local governments. The programs and amounts of government funding available to eligible entities are important, especially for entities that lack cybersecurity resources due to their size or region.

State and local government information systems

The IIJA is allocating $1 billion to improve the cybersecurity of state and local government information systems, as follows: $200 million in federal grants for fiscal year (“FY”) 2022; $400 million for fiscal year 2023; $300 million for fiscal year 2024; and $100 million for fiscal year 2025.

Electric Utility Cybersecurity

To promote the physical security and cybersecurity of electric utilities (as defined in the Federal Electricity Act), the IIJA requires the Secretary of Energy to implement a cybersecurity program, in coordination with the Secretary of Homeland Security and in consultation with the heads of other federal agencies, state regulators, industry stakeholders and the Electric Reliability Organization. The program will include development of physical and cybersecurity assessment models and methods, assistance with threat assessments and cybersecurity training and technical assistance to power utilities, training to address and mitigate supply chain management risks, advance third-party vendor cybersecurity, promote information sharing within the power industry, and support for power utilities that own defense-critical electrical infrastructure with technical reviews. Priority will be given to electric utilities with fewer resources due to their size or region.

Advanced Cybersecurity Grants and Technical Assistance Program for Rural and Municipal Utilities

Significantly, the IIJA appropriates $250 million for fiscal years 2022 to 2026 for the establishment of a grant program and technical assistance for advanced cybersecurity of rural and municipal utilities for rural electric cooperatives, utilities, certain investor-owned electric utilities and d other eligible entities to protect against, detect, respond to, and recover from cybersecurity threats. The goals are to deploy “advanced cybersecurity technologies” for electricity distribution systems and increase participation in information sharing on cybersecurity threats. Priority for grants and technical assistance will be given to eligible entities that have limited cybersecurity resources, their own assets critical to mass power system reliability, or their own defense-critical electrical infrastructure (as defined in the Federal Electricity Act).

Improved network security

The IIJA also takes ownership $250 million for fiscal years 2022 to 2026 for the implementation of a cybersecurity research, development and demonstration program for the energy sector to develop “advanced cybersecurity applications and technologies”.

Other notable credits include $50 million for fiscal years 2022 to 2026 for an operational support program to the energy sector for cyber-resilience, and $50 million for fiscal years 2022 to 2026 for an advanced energy security program aimed at securing energy networks, including exploration, transmission and distribution networks for electricity, natural gas and oil.

Cyber ​​Sense Energy Program

The Secretary of Energy, in coordination with the Secretary of Homeland Security and in consultation with the heads of other federal agencies, is responsible for establishing a voluntary Energy Cyber ​​Sense program to test the cybersecurity of products and technologies intended to the energy sector, including the mass power system, provide technical assistance and supervise testing.

Investment in advanced cybersecurity technologies by utilities

The IIJA amends Part II of the Federal Power Act by adding incentives for cybersecurity investments. Within 180 days, the Federal Energy Regulatory Commission (“FERC”) will conduct a study that will identify incentive rate treatments for the transmission and sale of electricity to encourage investment in “advanced cybersecurity technology” (such as as defined in the Federal Power Act) and the sharing of information by utilities. Within one year of the conclusion of the study, FERC will establish by rule incentive rate treatments for the transmission and sale of electricity by utilities to encourage investment in advanced cybersecurity and expand participation in cybersecurity threat information sharing programs.

Cyber ​​Response and Recovery Act 2021

The IIJA takes ownership $20 million for fiscal year 2022 and each subsequent year through 2028 to a Cyber ​​Response and Recovery Fund. These provisions incorporate the Cyber ​​Response and Recovery Act of 2021, which authorizes the Secretary of the Department of Homeland Security, in consultation with the National Director of Cybersecurity, to declare that a “significant incident” has occurred or is likely imminent, and establishes the power to react and recover from such an incident. The Cyber ​​Response and Recovery Act also includes instructions to several agency heads to implement new programs to build cybersecurity capacity at the national, state and local levels.

Leave a Comment

Your email address will not be published. Required fields are marked *