117 S2199 IS: Cyber Sense Act of 2020 U.S. Senate 2021-06-23 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

II117th CONGRESS1st SessionS. 2199IN THE SENATE OF THE UNITED STATESJune 23, 2021Ms. Rosen (for herself, Mr. Hoeven, Mr. King, Mr. Risch, and Mr. Tillis) introduced the following bill; which was read twice and referred to the Committee on Energy and Natural ResourcesA BILLTo require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes.

1.

Short title

This Act may be cited as the Cyber Sense Act of 2020.

2.

Cyber Sense program

(a)

Definitions

In this section:(1)

Bulk-power system

The term bulk-power system has the meaning given the term in section 215(a) of the Federal Power Act (16 U.S.C. 824o(a)).(2)

Critical electric infrastructure

The term critical electric infrastructure has the meaning given the term in section 215A(a) of the Federal Power Act (16 U.S.C. 824o–1(a)).(3)

Program

The term program means the voluntary Cyber Sense program established under subsection (b).(4)

Secretary

The term Secretary means the Secretary of Energy.(b)

Establishment

The Secretary, in coordination with the heads of other relevant Federal agencies, shall establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system.(c)

Program requirements

In carrying out subsection (b), the Secretary shall—(1)establish a testing process under the program to test the cybersecurity of products and technologies intended for use in the bulk-power system, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems;(2)for products and technologies tested under the program, establish and maintain cybersecurity vulnerability reporting processes and a related database;(3)provide technical assistance to electric utilities, product manufacturers, and other electricity sector stakeholders to develop solutions to mitigate identified cybersecurity vulnerabilities in products and technologies tested under the program;(4)biennially review products and technologies tested under the program for cybersecurity vulnerabilities and provide analysis with respect to how those products and technologies respond to and mitigate cyber threats;(5)develop guidance that is informed by analysis and testing results under the program for electric utilities for the procurement of products and technologies;(6)provide reasonable notice to, and solicit comments from, the public prior to establishing or revising the testing process under the program;(7)oversee the testing of products and technologies under the program; and(8)consider incentives to encourage the use of analysis and results of testing under the program in the design of products and technologies for use in the bulk-power system.(d)

Disclosure of information

Any cybersecurity vulnerability reported pursuant to a process established under subsection (c)(2), the disclosure of which the Secretary reasonably foresees would cause harm to critical electric infrastructure, shall be considered to be critical electric infrastructure information for purposes of section 215A(d) of the Federal Power Act (16 U.S.C. 824o–1(d)).(e)

Federal government liability

Nothing in this section authorizes the commencement of an action against the United States with respect to the testing of a product or technology under the program.