118 HR 1148 IH: Critical Electric Infrastructure Cybersecurity Incident Reporting Act U.S. House of Representatives 2023-02-21 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I118th CONGRESS1st SessionH. R. 1148IN THE HOUSE OF REPRESENTATIVESFebruary 21, 2023Mr. Walberg introduced the following bill; which was referred to the Committee on Energy and CommerceA BILLTo direct the Secretary of Energy to promulgate regulations to facilitate the timely submission of notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure, and for other purposes.

1.

Short title

This Act may be cited as the Critical Electric Infrastructure Cybersecurity Incident Reporting Act.

2.

Cybersecurity incident reporting for critical electric infrastructure

Section 215A of the Federal Power Act (16 U.S.C. 824o–1) is amended— (1)in subsection (a)— (A)by amending paragraph (1) to read as follows: (1)

Bulk-power system; cybersecurity incident; electric reliability organization; regional entity

The terms bulk-power system, cybersecurity incident, Electric Reliability Organization, and regional entity have the meanings given such terms in paragraphs (1), (8), (2), and (7) of section 215(a), respectively.; and (B)in paragraph (7)(A)(i), by inserting , including a cybersecurity incident, after a malicious act; (2)by redesignating subsections (e) and (f) as subsections (f) and (g), respectively; and (3)by inserting after subsection (d) the following: (e)

Cybersecurity incident reporting

(1)

Designation

The Department of Energy shall be a designated agency within the Federal Government to receive notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from other Federal agencies and owners, operators, and users of critical electric infrastructure. (2)

Regulations

(A)

In general

Not later than 240 days after the date of enactment of the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, the Secretary shall promulgate regulations to facilitate the submission of timely, secure, and confidential notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from Federal agencies and owners, operators, and users of critical electric infrastructure. (B)

Inclusions

The regulations promulgated under subparagraph (A) shall— (i)detail what constitutes a potential cybersecurity incident for purposes of this subsection; and (ii)require a Federal agency or an owner, operator, or user of critical electric infrastructure that discovers a cybersecurity incident or a potential cybersecurity incident with respect to critical electric infrastructure to submit to the Secretary, not later than 24 hours after discovery of such cybersecurity incident or potential cybersecurity incident, notification regarding such cybersecurity incident or potential cybersecurity incident. (3)

Annual reports

Not later than one year after the date of enactment of the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, and annually thereafter, the Secretary shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Energy and Natural Resources of the Senate a report, in classified form if necessary, on the number of notifications received pursuant to this subsection, and a description of the actions taken by the Department of Energy regarding such notifications, during the 1-year period preceding the report. .