[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9234 Introduced in House (IH)]

117th CONGRESS
  2d Session
                                H. R. 9234

    To direct the Secretary of Energy to promulgate regulations to 
      facilitate the timely submission of notifications regarding 
  cybersecurity incidents and potential cybersecurity incidents with 
  respect to critical electric infrastructure, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 25, 2022

 Mrs. Rodgers of Washington (for herself and Mr. Upton) introduced the 
   following bill; which was referred to the Committee on Energy and 
                                Commerce

_______________________________________________________________________

                                 A BILL


 
    To direct the Secretary of Energy to promulgate regulations to 
      facilitate the timely submission of notifications regarding 
  cybersecurity incidents and potential cybersecurity incidents with 
  respect to critical electric infrastructure, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Critical Electric Infrastructure 
Cybersecurity Incident Reporting Act''.

SEC. 2. CYBERSECURITY INCIDENT REPORTING FOR CRITICAL ELECTRIC 
              INFRASTRUCTURE.

    Section 215A of the Federal Power Act (16 U.S.C. 824o-1) is 
amended--
            (1) in subsection (a)--
                    (A) by amending paragraph (1) to read as follows:
            ``(1) Bulk-power system; cybersecurity incident; electric 
        reliability organization; regional entity.--The terms `bulk-
        power system', `cybersecurity incident', `Electric Reliability 
        Organization', and `regional entity' have the meanings given 
        such terms in paragraphs (1), (8), (2), and (7) of section 
        215(a), respectively.''; and
                    (B) in paragraph (7)(A)(i), by inserting ``, 
                including a cybersecurity incident,'' after ``a 
                malicious act'';
            (2) by redesignating subsections (e) and (f) as subsections 
        (f) and (g), respectively; and
            (3) by inserting after subsection (d) the following:
    ``(e) Cybersecurity Incident Reporting.--
            ``(1) Designation.--The Department of Energy shall be a 
        designated agency within the Federal Government to receive 
        notifications regarding cybersecurity incidents and potential 
        cybersecurity incidents with respect to critical electric 
        infrastructure from other Federal agencies and owners, 
        operators, and users of critical electric infrastructure.
            ``(2) Regulations.--
                    ``(A) In general.--Not later than 240 days after 
                the date of enactment of the Critical Electric 
                Infrastructure Cybersecurity Incident Reporting Act, 
                the Secretary shall promulgate regulations to 
                facilitate the submission of timely, secure, and 
                confidential notifications regarding cybersecurity 
                incidents and potential cybersecurity incidents with 
                respect to critical electric infrastructure from 
                Federal agencies and owners, operators, and users of 
                critical electric infrastructure.
                    ``(B) Inclusions.--The regulations promulgated 
                under subparagraph (A) shall--
                            ``(i) detail what constitutes a potential 
                        cybersecurity incident for purposes of this 
                        subsection; and
                            ``(ii) require a Federal agency or an 
                        owner, operator, or user of critical electric 
                        infrastructure that discovers a cybersecurity 
                        incident or a potential cybersecurity incident 
                        with respect to critical electric 
                        infrastructure to submit to the Secretary, not 
                        later than 24 hours after discovery of such 
                        cybersecurity incident or potential 
                        cybersecurity incident, notification regarding 
                        such cybersecurity incident or potential 
                        cybersecurity incident.
            ``(3) Annual reports.--Not later than one year after the 
        date of enactment of the Critical Electric Infrastructure 
        Cybersecurity Incident Reporting Act, and annually thereafter, 
        the Secretary shall submit to the Committee on Energy and 
        Commerce of the House of Representatives and the Committee on 
        Energy and Natural Resources of the Senate a report, in 
        classified form if necessary, on the number of notifications 
        received pursuant to this subsection, and a description of the 
        actions taken by the Department of Energy regarding such 
        notifications, during the 1-year period preceding the 
        report.''.