[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 2556 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 356
116th CONGRESS
  1st Session
                                S. 2556

    To amend the Federal Power Act to provide energy cybersecurity 
 investment incentives, to establish a grant and technical assistance 
     program for cybersecurity investments, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 26, 2019

 Ms. Murkowski (for herself, Mr. Manchin, Mr. Risch, Ms. Cantwell, and 
   Mr. King) introduced the following bill; which was read twice and 
       referred to the Committee on Energy and Natural Resources

                           December 17, 2019

              Reported by Ms. Murkowski, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
    To amend the Federal Power Act to provide energy cybersecurity 
 investment incentives, to establish a grant and technical assistance 
     program for cybersecurity investments, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Protecting Resources On The 
Electric grid with Cybersecurity Technology Act of 2019'' or the 
``PROTECT Act of 2019''.</DELETED>

<DELETED>SEC. 2. INCENTIVES FOR ADVANCED CYBERSECURITY TECHNOLOGY 
              INVESTMENT.</DELETED>

<DELETED>    Part II of the Federal Power Act is amended by inserting 
after section 219 (16 U.S.C. 824s) the following:</DELETED>

<DELETED>``SEC. 219A. INCENTIVES FOR CYBERSECURITY 
              INVESTMENTS.</DELETED>

<DELETED>    ``(a) Definitions.--In this section:</DELETED>
        <DELETED>    ``(1) Advanced cybersecurity technology.--The term 
        `advanced cybersecurity technology' means any technology, 
        operational capability, or service, including computer 
        hardware, software, or a related asset, that enhances the 
        security posture of public utilities through improvements in 
        the ability to protect against, detect, respond to, or recover 
        from a cybersecurity threat (as defined in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501)).</DELETED>
        <DELETED>    ``(2) Advanced cybersecurity technology 
        information.--The term `advanced cybersecurity technology 
        information' means information relating to advanced 
        cybersecurity technology or proposed advanced cybersecurity 
        technology that is generated by or provided to the Commission 
        or another Federal agency.</DELETED>
<DELETED>    ``(b) Study.--Not later than 180 days after the date of 
enactment of this section, the Commission, in consultation with the 
Secretary of Energy, the North American Electric Reliability 
Corporation, the Electricity Subsector Coordinating Council, and the 
National Association of Regulatory Utility Commissioners, shall conduct 
a study to identify incentive-based, including performance-based, rate 
treatments for the transmission of electric energy subject to the 
jurisdiction of the Commission that could be used to encourage--
</DELETED>
        <DELETED>    ``(1) investment by public utilities in advanced 
        cybersecurity technology; and</DELETED>
        <DELETED>    ``(2) participation by public utilities in 
        cybersecurity threat information sharing programs.</DELETED>
<DELETED>    ``(c) Incentive-Based Rate Treatment.--Not later than 1 
year after the completion of the study under subsection (b), the 
Commission shall establish, by rule, incentive-based, including 
performance-based, rate treatments for the transmission of electric 
energy in interstate commerce by public utilities for the purpose of 
benefitting consumers by encouraging--</DELETED>
        <DELETED>    ``(1) investments by public utilities in advanced 
        cybersecurity technology; and</DELETED>
        <DELETED>    ``(2) participation by public utilities in 
        cybersecurity threat information sharing programs.</DELETED>
<DELETED>    ``(d) Factors for Consideration.--In issuing the rule 
pursuant to this section, the Commission may provide additional 
incentives beyond those identified in subsection (c) in any case in 
which the Commission determines that an investment in advanced 
cybersecurity technology or information sharing program costs will 
reduce cybersecurity risks to--</DELETED>
        <DELETED>    ``(1) defense critical electric infrastructure (as 
        defined in section 215A(a)) and other facilities subject to the 
        jurisdiction of the Commission that are critical to public 
        safety, national defense, or homeland security, as determined 
        by the Commission in consultation with--</DELETED>
                <DELETED>    ``(A) the Secretary of Energy; 
                and</DELETED>
                <DELETED>    ``(B) appropriate Federal agencies; 
                and</DELETED>
        <DELETED>    ``(2) facilities of small- or medium-sized public 
        utilities with limited cybersecurity resources, as determined 
        by the Commission.</DELETED>
<DELETED>    ``(e) Ratepayer Protection.--Any rate approved under the 
rule issued pursuant to this section, including any revisions to that 
rule, shall be subject to the requirements of sections 205 and 206 that 
all rates, charges, terms, and conditions--</DELETED>
        <DELETED>    ``(1) shall be just and reasonable; and</DELETED>
        <DELETED>    ``(2) shall not be unduly discriminatory or 
        preferential.</DELETED>
<DELETED>    ``(f) Single-Issue Rate Filings.--The Commission shall 
permit public utilities to apply for incentive-based rate treatment 
under the rule issued under this section on a single-issue basis by 
submitting to the Commission a tariff schedule under section 205 that 
permits recovery of costs and incentives over the depreciable life of 
the applicable assets, without regard to changes in receipts or other 
costs of the public utility.</DELETED>
<DELETED>    ``(g) Protection of Information.--Advanced cybersecurity 
technology information that is provided to, generated by, or collected 
by the Federal Government under subsection (b), (c), or (f) shall be 
considered to be critical electric infrastructure information under 
section 215A.''.</DELETED>

<DELETED>SEC. 3. RURAL AND MUNICIPAL UTILITY ADVANCED CYBERSECURITY 
              GRANT AND TECHNICAL ASSISTANCE PROGRAM.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Advanced cybersecurity technology.--The term 
        ``advanced cybersecurity technology'' means any technology, 
        operational capability, or service, including computer 
        hardware, software, or a related asset, that enhances the 
        security posture of electric utilities through improvements in 
        the ability to protect against, detect, respond to, or recover 
        from a cybersecurity threat (as defined in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501)).</DELETED>
        <DELETED>    (2) Eligible entity.--The term ``eligible entity'' 
        means--</DELETED>
                <DELETED>    (A) a rural electric 
                cooperative;</DELETED>
                <DELETED>    (B) a utility owned by a political 
                subdivision of a State, such as a municipally owned 
                electric utility;</DELETED>
                <DELETED>    (C) a utility owned by any agency, 
                authority, corporation, or instrumentality of one or 
                more political subdivisions of a State; and</DELETED>
                <DELETED>    (D) a not-for-profit entity that is in a 
                partnership with not fewer than 6 entities described in 
                subparagraph (A), (B), or (C).</DELETED>
        <DELETED>    (3) Program.--The term ``Program'' means the Rural 
        and Municipal Utility Advanced Cybersecurity Grant and 
        Technical Assistance Program established under subsection 
        (b).</DELETED>
        <DELETED>    (4) Secretary.--The term ``Secretary'' means the 
        Secretary of Energy.</DELETED>
<DELETED>    (b) Establishment.--Not later than 180 days after the date 
of enactment of this Act, the Secretary, in consultation with the 
Federal Energy Regulatory Commission, the North American Electric 
Reliability Corporation, and the Electricity Subsector Coordinating 
Council, shall establish a program, to be known as the ``Rural and 
Municipal Utility Advanced Cybersecurity Grant and Technical Assistance 
Program'', to provide grants and technical assistance to, and enter 
into cooperative agreements with, eligible entities to protect against, 
detect, respond to, and recover from cybersecurity threats.</DELETED>
<DELETED>    (c) Objectives.--The objectives of the Program shall be--
</DELETED>
        <DELETED>    (1) to deploy advanced cybersecurity technologies 
        for electric utility systems; and</DELETED>
        <DELETED>    (2) to increase the participation of eligible 
        entities in cybersecurity threat information sharing 
        programs.</DELETED>
<DELETED>    (d) Awards.--</DELETED>
        <DELETED>    (1) In general.--The Secretary--</DELETED>
                <DELETED>    (A) shall award grants and provide 
                technical assistance under the Program to eligible 
                entities on a competitive basis;</DELETED>
                <DELETED>    (B) shall develop criteria and a formula 
                for awarding grants and providing technical assistance 
                under the Program;</DELETED>
                <DELETED>    (C) may enter into cooperative agreements 
                with eligible entities that can facilitate the 
                objectives described in subsection (c); and</DELETED>
                <DELETED>    (D) shall establish a process to ensure 
                that all eligible entities are informed about and can 
                become aware of opportunities to receive grants or 
                technical assistance under the Program.</DELETED>
        <DELETED>    (2) Priority for grants and technical 
        assistance.--In awarding grants and providing technical 
        assistance under the Program, the Secretary shall give priority 
        to an eligible entity that, as determined by the Secretary--
        </DELETED>
                <DELETED>    (A) has limited cybersecurity 
                resources;</DELETED>
                <DELETED>    (B) owns assets critical to the 
                reliability of the bulk power system; or</DELETED>
                <DELETED>    (C) owns defense critical electric 
                infrastructure (as defined in section 215A(a) of the 
                Federal Power Act (16 U.S.C. 824o-1(a))).</DELETED>
<DELETED>    (e) Protection of Information.--Information provided to, 
or collected by, the Federal Government under this section--</DELETED>
        <DELETED>    (1) shall be exempt from disclosure under section 
        552(b)(3) of title 5, United States Code; and</DELETED>
        <DELETED>    (2) shall not be made available by any Federal 
        agency, State, political subdivision of a State, or Tribal 
        authority under any applicable law requiring public disclosure 
        of information or records.</DELETED>
<DELETED>    (f) Funding.--There is authorized to be appropriated to 
carry out this section $50,000,000 for each of fiscal years 2020 
through 2024, to remain available until expended.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Protecting Resources On The Electric 
grid with Cybersecurity Technology Act of 2019'' or the ``PROTECT Act 
of 2019''.

SEC. 2. INCENTIVES FOR ADVANCED CYBERSECURITY TECHNOLOGY INVESTMENT.

    Part II of the Federal Power Act is amended by inserting after 
section 219 (16 U.S.C. 824s) the following:

``SEC. 219A. INCENTIVES FOR CYBERSECURITY INVESTMENTS.

    ``(a) Definitions.--In this section:
            ``(1) Advanced cybersecurity technology.--The term 
        `advanced cybersecurity technology' means any technology, 
        operational capability, or service, including computer 
        hardware, software, or a related asset, that enhances the 
        security posture of public utilities through improvements in 
        the ability to protect against, detect, respond to, or recover 
        from a cybersecurity threat (as defined in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501)).
            ``(2) Advanced cybersecurity technology information.--The 
        term `advanced cybersecurity technology information' means 
        information relating to advanced cybersecurity technology or 
        proposed advanced cybersecurity technology that is generated by 
        or provided to the Commission or another Federal agency.
    ``(b) Study.--Not later than 180 days after the date of enactment 
of this section, the Commission, in consultation with the Secretary of 
Energy, the North American Electric Reliability Corporation, the 
Electricity Subsector Coordinating Council, and the National 
Association of Regulatory Utility Commissioners, shall conduct a study 
to identify incentive-based, including performance-based, rate 
treatments for the transmission and sale of electric energy subject to 
the jurisdiction of the Commission that could be used to encourage--
            ``(1) investment by public utilities in advanced 
        cybersecurity technology; and
            ``(2) participation by public utilities in cybersecurity 
        threat information sharing programs.
    ``(c) Incentive-Based Rate Treatment.--Not later than 1 year after 
the completion of the study under subsection (b), the Commission shall 
establish, by rule, incentive-based, including performance-based, rate 
treatments for the transmission of electric energy in interstate 
commerce and the sale of electric energy at wholesale in interstate 
commerce by public utilities for the purpose of benefitting consumers 
by encouraging--
            ``(1) investments by public utilities in advanced 
        cybersecurity technology; and
            ``(2) participation by public utilities in cybersecurity 
        threat information sharing programs.
    ``(d) Factors for Consideration.--In issuing a rule pursuant to 
this section, the Commission may provide additional incentives beyond 
those identified in subsection (c) in any case in which the Commission 
determines that an investment in advanced cybersecurity technology or 
information sharing program costs will reduce cybersecurity risks to--
            ``(1) defense critical electric infrastructure (as defined 
        in section 215A(a)) and other facilities subject to the 
        jurisdiction of the Commission that are critical to public 
        safety, national defense, or homeland security, as determined 
        by the Commission in consultation with--
                    ``(A) the Secretary of Energy; and
                    ``(B) appropriate Federal agencies; and
            ``(2) facilities of small or medium-sized public utilities 
        with limited cybersecurity resources, as determined by the 
        Commission.
    ``(e) Ratepayer Protection.--
            ``(1) In general.--Any rate approved under a rule issued 
        pursuant to this section, including any revisions to that rule, 
        shall be subject to the requirements of sections 205 and 206 
        that all rates, charges, terms, and conditions--
                    ``(A) shall be just and reasonable; and
                    ``(B) shall not be unduly discriminatory or 
                preferential.
            ``(2) Prohibition of duplicate recovery.--Any rule issued 
        pursuant to this section shall preclude rate treatments that 
        allow unjust and unreasonable double recovery for advanced 
        cybersecurity technology.
    ``(f) Single-Issue Rate Filings.--The Commission shall permit 
public utilities to apply for incentive-based rate treatment under a 
rule issued under this section on a single-issue basis by submitting to 
the Commission a tariff schedule under section 205 that permits 
recovery of costs and incentives over the depreciable life of the 
applicable assets, without regard to changes in receipts or other costs 
of the public utility.
    ``(g) Protection of Information.--Advanced cybersecurity technology 
information that is provided to, generated by, or collected by the 
Federal Government under subsection (b), (c), or (f) shall be 
considered to be critical electric infrastructure information under 
section 215A.''.

SEC. 3. RURAL AND MUNICIPAL UTILITY ADVANCED CYBERSECURITY GRANT AND 
              TECHNICAL ASSISTANCE PROGRAM.

    (a) Definitions.--In this section:
            (1) Advanced cybersecurity technology.--The term ``advanced 
        cybersecurity technology'' means any technology, operational 
        capability, or service, including computer hardware, software, 
        or a related asset, that enhances the security posture of 
        electric utilities through improvements in the ability to 
        protect against, detect, respond to, or recover from a 
        cybersecurity threat (as defined in section 102 of the 
        Cybersecurity Act of 2015 (6 U.S.C. 1501)).
            (2) Eligible entity.--The term ``eligible entity'' means--
                    (A) a rural electric cooperative;
                    (B) a utility owned by a political subdivision of a 
                State, such as a municipally owned electric utility;
                    (C) a utility owned by any agency, authority, 
                corporation, or instrumentality of 1 or more political 
                subdivisions of a State;
                    (D) a not-for-profit entity that is in a 
                partnership with not fewer than 6 entities described in 
                subparagraph (A), (B), or (C); and
                    (E) an investor-owned electric utility that sells 
                less than 4,000,000 megawatt hours of electricity per 
                year.
            (3) Program.--The term ``Program'' means the Rural and 
        Municipal Utility Advanced Cybersecurity Grant and Technical 
        Assistance Program established under subsection (b).
            (4) Secretary.--The term ``Secretary'' means the Secretary 
        of Energy.
    (b) Establishment.--Not later than 180 days after the date of 
enactment of this Act, the Secretary, in consultation with the Federal 
Energy Regulatory Commission, the North American Electric Reliability 
Corporation, and the Electricity Subsector Coordinating Council, shall 
establish a program, to be known as the ``Rural and Municipal Utility 
Advanced Cybersecurity Grant and Technical Assistance Program'', to 
provide grants and technical assistance to, and enter into cooperative 
agreements with, eligible entities to protect against, detect, respond 
to, and recover from cybersecurity threats.
    (c) Objectives.--The objectives of the Program shall be--
            (1) to deploy advanced cybersecurity technologies for 
        electric utility systems; and
            (2) to increase the participation of eligible entities in 
        cybersecurity threat information sharing programs.
    (d) Awards.--
            (1) In general.--The Secretary--
                    (A) shall award grants and provide technical 
                assistance under the Program to eligible entities on a 
                competitive basis;
                    (B) shall develop criteria and a formula for 
                awarding grants and providing technical assistance 
                under the Program;
                    (C) may enter into cooperative agreements with 
                eligible entities that can facilitate the objectives 
                described in subsection (c); and
                    (D) shall establish a process to ensure that all 
                eligible entities are informed about and can become 
                aware of opportunities to receive grants or technical 
                assistance under the Program.
            (2) Priority for grants and technical assistance.--In 
        awarding grants and providing technical assistance under the 
        Program, the Secretary shall give priority to an eligible 
        entity that, as determined by the Secretary--
                    (A) has limited cybersecurity resources;
                    (B) owns assets critical to the reliability of the 
                bulk power system; or
                    (C) owns defense critical electric infrastructure 
                (as defined in section 215A(a) of the Federal Power Act 
                (16 U.S.C. 824o-1(a))).
    (e) Protection of Information.--Information provided to, or 
collected by, the Federal Government under this section--
            (1) shall be exempt from disclosure under section 552(b)(3) 
        of title 5, United States Code; and
            (2) shall not be made available by any Federal agency, 
        State, political subdivision of a State, or Tribal authority 
        under any applicable law requiring public disclosure of 
        information or records.
    (f) Funding.--There is authorized to be appropriated to carry out 
this section $50,000,000 for each of fiscal years 2020 through 2024, to 
remain available until expended.
                                                       Calendar No. 356

116th CONGRESS

  1st Session

                                S. 2556

_______________________________________________________________________

                                 A BILL

    To amend the Federal Power Act to provide energy cybersecurity 
 investment incentives, to establish a grant and technical assistance 
     program for cybersecurity investments, and for other purposes.

_______________________________________________________________________

                           December 17, 2019

                       Reported with an amendment