[House Report 111-493]
[From the U.S. Government Publishing Office]


111th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES
 2d Session                                                     111-493

======================================================================



 
            GRID RELIABILITY AND INFRASTRUCTURE DEFENSE ACT

                                _______
                                

  May 25, 2010.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Waxman, from the Committee on Energy and Commerce, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 5026]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Energy and Commerce, to whom was referred 
the bill (H.R. 5026) to amend the Federal Power Act to protect 
the bulk-power system and electric infrastructure critical to 
the defense of the United States from cybersecurity and other 
threats and vulnerabilities, having considered the same, report 
favorably thereon with amendments and recommend that the bill 
as amended do pass.

                                CONTENTS

Amendment
Purpose and Summary
Background and Need for Legislation
Legislative History
Committee Consideration
Committee Votes
Committee Oversight Findings and Recommendations
New Budget Authority, Entitlement Authority, and Tax Expenditures
Statement of General Performance Goals and Objectives
Constitutional Authority Statement
Earmarks and Tax and Tariff Benefits
Advisory Committee Statement
Applicability of Law to Legislative Branch
Federal Mandates Statement
Committee Cost Estimate
Congressional Budget Office Estimate
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

                               Amendment

  The amendments are as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Grid Reliability and Infrastructure 
Defense Act'' or the ``GRID Act''.

SEC. 2. AMENDMENT TO THE FEDERAL POWER ACT.

  (a) Critical Electric Infrastructure Security.--Part II of the 
Federal Power Act (16 U.S.C. 824 et seq.) is amended by adding after 
section 215 the following new section:

``SEC. 215A. CRITICAL ELECTRIC INFRASTRUCTURE SECURITY.

  ``(a)  Definitions.--For purposes of this section:
          ``(1) Bulk-power system; electric reliability organization; 
        regional entity.--The terms `bulk-power system', `Electric 
        Reliability Organization', and `regional entity' have the 
        meanings given such terms in paragraphs (1), (2), and (7) of 
        section 215(a), respectively.
          ``(2) Defense critical electric infrastructure.--The term 
        `defense critical electric infrastructure' means any 
        infrastructure located in the United States (including the 
        territories) used for the generation, transmission, or 
        distribution of electric energy that--
                  ``(A) is not part of the bulk-power system; and
                  ``(B) serves a facility designated by the President 
                pursuant to subsection (d)(1), but is not owned or 
                operated by the owner or operator of such facility.
          ``(3) Defense critical electric infrastructure 
        vulnerability.--The term `defense critical electric 
        infrastructure vulnerability' means a weakness in defense 
        critical electric infrastructure that, in the event of a 
        malicious act using electronic communication or an 
        electromagnetic pulse, would pose a substantial risk of 
        disruption of those electronic devices or communications 
        networks, including hardware, software, and data, that are 
        essential to the reliability of defense critical electric 
        infrastructure.
          ``(4) Electromagnetic pulse.--The term `electromagnetic 
        pulse' means 1 or more pulses of electromagnetic energy emitted 
        by a device capable of disabling, disrupting, or destroying 
        electronic equipment by means of such a pulse.
          ``(5) Geomagnetic storm.--The term `geomagnetic storm' means 
        a temporary disturbance of the Earth's magnetic field resulting 
        from solar activity.
          ``(6) Grid security threat.--The term `grid security threat' 
        means a substantial likelihood of--
                  ``(A)(i) a malicious act using electronic 
                communication or an electromagnetic pulse, or a 
                geomagnetic storm event, that could disrupt the 
                operation of those electronic devices or communications 
                networks, including hardware, software, and data, that 
                are essential to the reliability of the bulk-power 
                system or of defense critical electric infrastructure; 
                and
                  ``(ii) disruption of the operation of such devices or 
                networks, with significant adverse effects on the 
                reliability of the bulk-power system or of defense 
                critical electric infrastructure, as a result of such 
                act or event; or
                  ``(B)(i) a direct physical attack on the bulk-power 
                system or on defense critical electric infrastructure; 
                and
                  ``(ii) significant adverse effects on the reliability 
                of the bulk-power system or of defense critical 
                electric infrastructure as a result of such physical 
                attack.
          ``(7) Grid security vulnerability.--The term `grid security 
        vulnerability' means a weakness that, in the event of a 
        malicious act using electronic communication or an 
        electromagnetic pulse, would pose a substantial risk of 
        disruption to the operation of those electronic devices or 
        communications networks, including hardware, software, and 
        data, that are essential to the reliability of the bulk-power 
        system.
          ``(8) Large transformer.--The term `large transformer' means 
        an electric transformer that is part of the bulk-power system.
          ``(9) Protected information.--The term `protected 
        information' means information, other than classified national 
        security information, designated as protected information by 
        the Commission under subsection (e)(2)--
                  ``(A) that was developed or submitted in connection 
                with the implementation of this section;
                  ``(B) that specifically discusses grid security 
                threats, grid security vulnerabilities, defense 
                critical electric infrastructure vulnerabilities, or 
                plans, procedures, or measures to address such threats 
                or vulnerabilities; and
                  ``(C) the unauthorized disclosure of which could be 
                used in a malicious manner to impair the reliability of 
                the bulk-power system or of defense critical electric 
                infrastructure.
          ``(10) Secretary.--The term `Secretary' means the Secretary 
        of Energy.
          ``(11) Security.--The definition of `security' in section 
        3(16) shall not apply to the provisions in this section.
  ``(b) Emergency Response Measures.--
          ``(1) Authority to address grid security threats.--Whenever 
        the President issues and provides to the Commission (either 
        directly or through the Secretary) a written directive or 
        determination identifying an imminent grid security threat, the 
        Commission may, with or without notice, hearing, or report, 
        issue such orders for emergency measures as are necessary in 
        its judgment to protect the reliability of the bulk-power 
        system or of defense critical electric infrastructure against 
        such threat. As soon as practicable but not later than 180 days 
        after the date of enactment of this section, the Commission 
        shall, after notice and opportunity for comment, establish 
        rules of procedure that ensure that such authority can be 
        exercised expeditiously.
          ``(2) Notification of congress.--Whenever the President 
        issues and provides to the Commission (either directly or 
        through the Secretary) a written directive or determination 
        under paragraph (1), the President (or the Secretary, as the 
        case may be) shall promptly notify congressional committees of 
        relevant jurisdiction, including the Committee on Energy and 
        Commerce of the House of Representatives and the Committee on 
        Energy and Natural Resources of the Senate, of the contents of, 
        and justification for, such directive or determination.
          ``(3) Consultation.--Before issuing an order for emergency 
        measures under paragraph (1), the Commission shall, to the 
        extent practicable in light of the nature of the grid security 
        threat and the urgency of the need for such emergency measures, 
        consult with appropriate governmental authorities in Canada and 
        Mexico, entities described in paragraph (4), the Secretary, and 
        other appropriate Federal agencies regarding implementation of 
        such emergency measures.
          ``(4) Application.--An order for emergency measures under 
        this subsection may apply to--
                  ``(A) the Electric Reliability Organization;
                  ``(B) a regional entity; or
                  ``(C) any owner, user, or operator of the bulk-power 
                system or of defense critical electric infrastructure 
                within the United States.
          ``(5) Discontinuance.--The Commission shall issue an order 
        discontinuing any emergency measures ordered under this 
        subsection, effective not later than 30 days after the earliest 
        of the following:
                  ``(A) The date upon which the President issues and 
                provides to the Commission (either directly or through 
                the Secretary) a written directive or determination 
                that the grid security threat identified under 
                paragraph (1) no longer exists.
                  ``(B) The date upon which the Commission issues a 
                written determination that the emergency measures are 
                no longer needed to address the grid security threat 
                identified under paragraph (1), including by means of 
                Commission approval of a reliability standard under 
                section 215 that the Commission determines adequately 
                addresses such threat.
                  ``(C) The date that is 1 year after the issuance of 
                an order under paragraph (1).
          ``(6) Cost recovery.--If the Commission determines that 
        owners, operators, or users of the bulk-power system or of 
        defense critical electric infrastructure have incurred 
        substantial costs to comply with an order under this subsection 
        and that such costs were prudently incurred and cannot 
        reasonably be recovered through regulated rates or market 
        prices for the electric energy or services sold by such owners, 
        operators, or users, the Commission shall, after notice and an 
        opportunity for comment, establish a mechanism that permits 
        such owners, operators, or users to recover such costs.
  ``(c) Measures to Address Grid Security Vulnerabilities.--
          ``(1) Commission authority.--If the Commission, in 
        consultation with appropriate Federal agencies, identifies a 
        grid security vulnerability that the Commission determines has 
        not adequately been addressed through a reliability standard 
        developed and approved under section 215, the Commission shall, 
        after notice and opportunity for comment and after consultation 
        with the Secretary, other appropriate Federal agencies, and 
        appropriate governmental authorities in Canada and Mexico, 
        promulgate a rule or issue an order requiring implementation, 
        by any owner, operator, or user of the bulk-power system in the 
        United States, of measures to protect the bulk-power system 
        against such vulnerability. Before promulgating a rule or 
        issuing an order under this paragraph, the Commission shall, to 
        the extent practicable in light of the urgency of the need for 
        action to address the grid security vulnerability, request and 
        consider recommendations from the Electric Reliability 
        Organization regarding such rule or order. The Commission may 
        establish an appropriate deadline for the submission of such 
        recommendations.
          ``(2) Certain existing cybersecurity vulnerabilities.--Not 
        later than 180 days after the date of enactment of this 
        section, the Commission shall, after notice and opportunity for 
        comment and after consultation with the Secretary, other 
        appropriate Federal agencies, and appropriate governmental 
        authorities in Canada and Mexico, promulgate a rule or issue an 
        order requiring the implementation, by any owner, user, or 
        operator of the bulk-power system in the United States, of such 
        measures as are necessary to protect the bulk-power system 
        against the vulnerabilities identified in the June 21, 2007, 
        communication to certain `Electricity Sector Owners and 
        Operators' from the North American Electric Reliability 
        Corporation, acting in its capacity as the Electricity Sector 
        Information and Analysis Center.
          ``(3) Rescission.--The Commission shall approve a reliability 
        standard developed under section 215 that addresses a grid 
        security vulnerability that is the subject of a rule or order 
        under paragraph (1) or (2), unless the Commission determines 
        that such reliability standard does not adequately protect 
        against such vulnerability or otherwise does not satisfy the 
        requirements of section 215. Upon such approval, the Commission 
        shall rescind the rule promulgated or order issued under 
        paragraph (1) or (2) addressing such vulnerability, effective 
        upon the effective date of the newly approved reliability 
        standard.
          ``(4) Geomagnetic storms.--Not later than 1 year after the 
        date of enactment of this section, the Commission shall, after 
        notice and an opportunity for comment and after consultation 
        with the Secretary and other appropriate Federal agencies, 
        issue an order directing the Electric Reliability Organization 
        to submit to the Commission for approval under section 215, not 
        later than 1 year after the issuance of such order, reliability 
        standards adequate to protect the bulk-power system from any 
        reasonably foreseeable geomagnetic storm event. The 
        Commission's order shall specify the nature and magnitude of 
        the reasonably foreseeable events against which such standards 
        must protect. Such standards shall appropriately balance the 
        risks to the bulk-power system associated with such events, 
        including any regional variation in such risks, and the costs 
        of mitigating such risks.
          ``(5) Large transformer availability.--Not later than 1 year 
        after the date of enactment of this section, the Commission 
        shall, after notice and an opportunity for comment and after 
        consultation with the Secretary and other appropriate Federal 
        agencies, issue an order directing the Electric Reliability 
        Organization to submit to the Commission for approval under 
        section 215, not later than 1 year after the issuance of such 
        order, reliability standards addressing availability of large 
        transformers. Such standards shall require entities that own or 
        operate large transformers to ensure, individually or jointly, 
        adequate availability of large transformers to promptly restore 
        the reliable operation of the bulk-power system in the event 
        that any such transformer is destroyed or disabled as a result 
        of a reasonably foreseeable physical or other attack or 
        geomagnetic storm event. The Commission's order shall specify 
        the nature and magnitude of the reasonably foreseeable attacks 
        or events that shall provide the basis for such standards. Such 
        standards shall--
                  ``(A) provide entities subject to the standards with 
                the option of meeting such standards individually or 
                jointly; and
                  ``(B) appropriately balance the risks associated with 
                a reasonably foreseeable attack or event, including any 
                regional variation in such risks, and the costs of 
                ensuring adequate availability of spare transformers.
  ``(d) Critical Defense Facilities.--
          ``(1) Designation.--Not later than 180 days after the date of 
        enactment of this section, the President shall designate, in a 
        written directive or determination provided to the Commission, 
        facilities located in the United States (including the 
        territories) that are--
                  ``(A) critical to the defense of the United States; 
                and
                  ``(B) vulnerable to a disruption of the supply of 
                electric energy provided to such facility by an 
                external provider.
          The number of facilities designated by such directive or 
        determination shall not exceed 100. The President may 
        periodically revise the list of designated facilities through a 
        subsequent written directive or determination provided to the 
        Commission, provided that the total number of designated 
        facilities at any time shall not exceed 100.
          ``(2) Commission authority.--If the Commission identifies a 
        defense critical electric infrastructure vulnerability that the 
        Commission, in consultation with owners and operators of any 
        facility or facilities designated by the President pursuant to 
        paragraph (1), determines has not adequately been addressed 
        through measures undertaken by owners or operators of defense 
        critical electric infrastructure, the Commission shall, after 
        notice and an opportunity for comment and after consultation 
        with the Secretary and other appropriate Federal agencies, 
        promulgate a rule or issue an order requiring implementation, 
        by any owner or operator of defense critical electric 
        infrastructure, of measures to protect the defense critical 
        electric infrastructure against such vulnerability. The 
        Commission shall exempt from any such rule or order any 
        specific defense critical electric infrastructure that the 
        Commission determines already has been adequately protected 
        against the identified vulnerability. The Commission shall make 
        any such determination in consultation with the owner or 
        operator of the facility designated by the President pursuant 
        to paragraph (1) that relies upon such defense critical 
        electric infrastructure.
          ``(3) Cost recovery.--An owner or operator of defense 
        critical electric infrastructure shall be required to take 
        measures under paragraph (2) only to the extent that the owners 
        or operators of a facility or facilities designated by the 
        President pursuant to paragraph (1) that rely upon such 
        infrastructure agree to bear the full incremental costs of 
        compliance with a rule promulgated or order issued under 
        paragraph (2).
  ``(e) Protection of Information.--
          ``(1) Prohibition of public disclosure of protected 
        information.--Protected information--
                  ``(A) shall be exempt from disclosure under section 
                552(b)(3) of title 5, United States Code; and
                  ``(B) shall not be made available pursuant to any 
                State, local, or tribal law requiring disclosure of 
                information or records.
          ``(2) Information sharing.--
                  ``(A) In general.--Consistent with the Controlled 
                Unclassified Information framework established by the 
                President, the Commission shall promulgate such 
                regulations and issue such orders as necessary to 
                designate protected information and to prohibit the 
                unauthorized disclosure of such protected information.
                  ``(B) Sharing of protected information.--The 
                regulations promulgated and orders issued pursuant to 
                subparagraph (A) shall provide standards for and 
                facilitate the appropriate sharing of protected 
                information with, between, and by Federal, State, 
                local, and tribal authorities, the Electric Reliability 
                Organization, regional entities, and owners, operators, 
                and users of the bulk-power system in the United States 
                and of defense critical electric infrastructure. In 
                promulgating such regulations and issuing such orders, 
                the Commission shall take account of the role of State 
                commissions in reviewing the prudence and cost of 
                investments within their respective jurisdictions. The 
                Commission shall consult with appropriate Canadian and 
                Mexican authorities to develop protocols for the 
                sharing of protected information with, between, and by 
                appropriate Canadian and Mexican authorities and 
                owners, operators, and users of the bulk-power system 
                outside the United States.
          ``(3) Submission of information to congress.--Nothing in this 
        section shall permit or authorize the withholding of 
        information from Congress, any committee or subcommittee 
        thereof, or the Comptroller General.
          ``(4) Disclosure of non-protected information.--In 
        implementing this section, the Commission shall protect from 
        disclosure only the minimum amount of information necessary to 
        protect the reliability of the bulk-power system and of defense 
        critical electric infrastructure. The Commission shall 
        segregate protected information within documents and electronic 
        communications, wherever feasible, to facilitate disclosure of 
        information that is not designated as protected information.
          ``(5) Duration of designation.--Information may not be 
        designated as protected information for longer than 5 years, 
        unless specifically redesignated by the Commission.
          ``(6) Removal of designation.--The Commission may remove the 
        designation of protected information, in whole or in part, from 
        a document or electronic communication if the unauthorized 
        disclosure of such information could no longer be used to 
        impair the reliability of the bulk-power system or of defense 
        critical electric infrastructure.
          ``(7) Judicial review of designations.--Notwithstanding 
        subsection (f) of this section or section 313, a person or 
        entity may seek judicial review of a determination by the 
        Commission concerning the designation of protected information 
        under this subsection exclusively in the district court of the 
        United States in the district in which the complainant resides, 
        or has his principal place of business, or in the District of 
        Columbia. In such a case the court shall determine the matter 
        de novo, and may examine the contents of documents or 
        electronic communications designated as protected information 
        in camera to determine whether such documents or any part 
        thereof were improperly designated as protected information. 
        The burden is on the Commission to sustain its designation.
  ``(f) Judicial Review.--The Commission shall act expeditiously to 
resolve all applications for rehearing of orders issued pursuant to 
this section that are filed under section 313(a). Any party seeking 
judicial review pursuant to section 313 of an order issued under this 
section may obtain such review only in the United States Court of 
Appeals for the District of Columbia Circuit.
  ``(g) Provision of Assistance to Industry in Meeting Grid Security 
Protection Needs.--
          ``(1) Expertise and resources.--The Secretary shall establish 
        a program, in consultation with other appropriate Federal 
        agencies, to develop technical expertise in the protection of 
        systems for the generation, transmission, and distribution of 
        electric energy against geomagnetic storms or malicious acts 
        using electronic communications or electromagnetic pulse that 
        would pose a substantial risk of disruption to the operation of 
        those electronic devices or communications networks, including 
        hardware, software, and data, that are essential to the 
        reliability of such systems. Such program shall include the 
        identification and development of appropriate technical and 
        electronic resources, including hardware, software, and system 
        equipment.
          ``(2) Sharing expertise.--As appropriate, the Secretary shall 
        offer to share technical expertise developed under the program 
        under paragraph (1), through consultation and assistance, with 
        owners, operators, or users of systems for the generation, 
        transmission, or distribution of electric energy located in the 
        United States and with State commissions. In offering such 
        support, the Secretary shall assign higher priority to systems 
        serving facilities designated by the President pursuant to 
        subsection (d)(1) and other critical-infrastructure facilities, 
        which the Secretary shall identify in consultation with the 
        Commission and other appropriate Federal agencies.
          ``(3) Security clearances and communication.--The Secretary 
        shall facilitate and, to the extent practicable, expedite the 
        acquisition of adequate security clearances by key personnel of 
        any entity subject to the requirements of this section to 
        enable optimum communication with Federal agencies regarding 
        grid security threats, grid security vulnerabilities, and 
        defense critical electric infrastructure vulnerabilities. The 
        Secretary, the Commission, and other appropriate Federal 
        agencies shall, to the extent practicable and consistent with 
        their obligations to protect classified and protected 
        information, share timely actionable information regarding grid 
        security threats, grid security vulnerabilities, and defense 
        critical electric infrastructure vulnerabilities with 
        appropriate key personnel of owners, operators, and users of 
        the bulk-power system and of defense critical electric 
        infrastructure.''.
  (b) Conforming Amendments.--
          (1) Jurisdiction.--Section 201(b)(2) of the Federal Power Act 
        (16 U.S.C. 824(b)(2)) is amended by inserting ``215A,'' after 
        ``215,'' each place it appears.
          (2) Public utility.--Section 201(e) of the Federal Power Act 
        (16 U.S.C. 824(e)) is amended by inserting ``215A,'' after 
        ``215,''.

  Amend the title so as to read:

    A bill to amend the Federal Power Act to protect the bulk-
power system and electric infrastructure critical to the 
defense of the United States against cybersecurity and other 
threats and vulnerabilities.

                          Purpose and Summary

    H.R. 5026, the Grid Reliability and Infrastructure Defense 
Act, or ``GRID Act'', was introduced by Reps. Edward J. Markey 
(D-MA) and Fred Upton (R-MI) on April 14, 2010. The purpose of 
H.R. 5026 is to provide the Federal Energy Regulatory 
Commission with new authorities under the Federal Power Act to 
protect the electric grid against cybersecurity and other 
threats and vulnerabilities.

                  Background and Need for Legislation

    The U.S. electric grid consists of interconnected 
transmission lines, local distribution systems to deliver 
electricity to end-users, generation facilities, and related 
communications systems. The bulk-power system in the United 
States and Canada has more than 200,000 miles of transmission 
lines, has more than 800,000 megawatts of generating capacity, 
is valued at over $1 trillion, and serves more than 300 million 
people.\1\ The components of the grid are highly 
interdependent, such that a line outage or system condition 
problems in one area can lead to reliability concerns in other 
areas. In addition, the operations controls over the 
transmission grid and generators are increasingly managed by 
computer systems (notably Supervisory Control and Data 
Acquisition, or SCADA, systems) linked to the Internet or other 
communications systems and to each other. The grid's increasing 
reliance on automation and two-way communications increases its 
vulnerability to remote cyber attacks.
---------------------------------------------------------------------------
    \1\U.S. Government Accountability Office, Critical Infrastructure 
Protection: Multiple Efforts to Secure Control Systems Are Under Way, 
but Challenges Remain, at 22 (Oct. 2007) (GAO-07-1036).
---------------------------------------------------------------------------
    Public reports relating to cyber vulnerabilities of and 
threats to the electric grid have increased in recent years and 
have been the subject of several hearings in the 110th and 
111th Congresses. Especially noteworthy are reports on what is 
known as the ``Aurora'' vulnerability. In 2006, the Department 
of Homeland Security's Control Systems Security Program 
conducted an analysis--performed by the Department of Energy's 
Idaho National Laboratory--that came to be known as Aurora. 
This analysis demonstrated that an attacker could hack into the 
control system of an electric generator or other rotating 
equipment connected to the grid and throw the equipment out of 
phase, causing severe physical damage to the equipment.
    In addition, it has been reported that actors based in 
China, Russia, and other nations have conducted cyber 
``probes'' of U.S. grid systems, and that cyber attacks have 
been conducted against critical infrastructure in other 
countries. Cyber attacks may create instant effects at very low 
cost, and are very difficult to positively attribute back to 
the attacker. These features could make such attacks attractive 
not only for criminal purposes, but also as a possible element 
of future national hostilities.\2\ Utilization of cyber attacks 
on civilian critical infrastructure has reportedly become an 
important element of Chinese military strategy.\3\
---------------------------------------------------------------------------
    \2\U.S. Government Accountability Office, Cybersecurity: Continued 
Efforts Are Needed to Protect Information Systems from Evolving 
Threats, at 4, Table 1 (Nov. 17, 2009) (GAO-10-230T).
    \3\Bryan Krekel et al., Capability of the People's Republic of 
China to Conduct Cyber Warfare and Computer Network Exploitation, 
prepared by Northrop Grumman Corporation for The US-China Economic and 
Security Review Commission, at 22-26 (Oct. 9, 2009).
---------------------------------------------------------------------------
    There also has been growing attention to physical 
vulnerabilities of the grid. For example, large transformers 
essential to the reliable operation of the grid are 
manufactured outside of the United States and replacement may 
require two years or longer. A limited number of spare, large 
transformers are available within the United States, and 
industry has developed a voluntary program (the spare 
transformer equipment program, or ``STEP'') providing for 
sharing of such assets in the event of a terrorist attack.
    A special subset of physical vulnerabilities and threats is 
associated with electromagnetic pulse (EMP), of which there are 
three general categories: (1) geomagnetic storms resulting from 
solar activity; (2) intentional electromagnetic interference 
from portable equipment that uses high-power radio frequency or 
microwave or other electromagnetic pulses to destroy or 
temporarily disable electronic equipment; and (3) EMP caused by 
a high-altitude detonation of a nuclear weapon.
    Solar coronal mass ejections emit electromagnetic particles 
that can disrupt the Earth's magnetic field. Such geomagnetic 
storms in turn can induce voltages in transmission lines, 
particularly in the northern latitudes, which can damage 
electric transformers and other infrastructure. There are 
several historical examples of electric transformers being 
damaged or destroyed by geomagnetic storms, including the 
storms of 1859, 1921, and 1989. A recent National Academy of 
Sciences report estimated the effects of a geomagnetic storm of 
the magnitude of the 1921 storm on the current electrical grid, 
concluding that such a storm could cause permanent damage to 
more than 350 transformers, leaving as many as 130 million 
people without power. Impacts from a large geomagnetic storm 
could last for several years and cost in the range of several 
trillion dollars per year.\4\
---------------------------------------------------------------------------
    \4\National Research Council, Severe Space Weather Events--
Understanding Societal and Economic Impacts, Workshop Report, Committee 
on the Societal and Economic Impacts of Severe Space Weather Events: A 
Workshop, at 77-79 (2008).
---------------------------------------------------------------------------
    Portable electromagnetic weapons can be used to disrupt or 
disable the control systems that operate the electric grid. 
Such weapons can vary in size from a hand-held device to a 
large vehicle-borne device, can be used at a distance from a 
target, and can penetrate walls or other obstacles--making 
detection and attribution of an attack to a specific source 
difficult. More than a dozen countries have conducted research 
on such weapons, and the Department of Defense (DOD) has 
demonstrated that such weapons can be developed with modest 
financial resources and technical capability. Such weapons have 
been used to defeat security systems, commit robberies, disable 
police communications, induce fires, and disrupt banking 
computers.\5\
---------------------------------------------------------------------------
    \5\Technical Support Working Group and Directed Energy Technology 
Office, The Threat of Radio Frequency Weapons to Critical 
Infrastructure Facilities, at pp. 1, 6-7 (Aug. 2005).
---------------------------------------------------------------------------
    In 2001, Congress established a commission to assess the 
threat of electromagnetic pulse from a high-altitude nuclear 
detonation, vulnerabilities of military and civilian 
infrastructure to such an attack, and the feasibility and cost 
of protecting such infrastructure. The commission issued a 
first report in 2004 and a second report in 2008. The 2004 
report concluded that the risks from high-altitude EMP to the 
U.S. electric grid are substantial and recommended that 
measures be taken to protect high-value transmission assets 
that would require a long lead time to replace, key electric 
generation capability, and critical communication channels.\6\
---------------------------------------------------------------------------
    \6\Commission to Assess the Threat to the United States from 
Electromagnetic Pulse (EMP) Attack, Report of the Commission to Assess 
the Threat to the United States from Electromagnetic Pulse (EMP) 
Attack: Volume 1: Executive Report, at pp. 17-23 (2004).
---------------------------------------------------------------------------
    The vulnerabilities of the electric grid present 
substantial risks to U.S. defense assets. A 2008 report by the 
Defense Science Board's Task Force on DOD Energy Strategy 
concluded that:

        critical missions . . . are almost entirely dependent 
        on the national transmission grid. About 85% of the 
        energy infrastructure upon which DoD depends is 
        commercially owned, and 99% of the electric energy DoD 
        installations consume originates outside the fence. . . 
        . In most cases, neither the grid nor on-base backup 
        power provides sufficient reliability to ensure 
        continuity of critical national priority functions and 
        oversight of strategic missions in the face of a long 
        term (several months) outage.\7\
---------------------------------------------------------------------------
    \7\Department of Defense, Report of the Defense Science Board Task 
Force on DoD Energy Strategy, More Fight--Less Fuel, at 18 (Feb. 2008).

An October 2009 report by the Government Accountability Office 
concluded that, of the Department of Defense's 34 most critical 
global assets, 31 rely on commercially operated electricity 
grids for their primary source of electricity.\8\
---------------------------------------------------------------------------
    \8\U.S. Government Accountability Office, Defense Critical 
Infrastructure: Actions Needed to Improve the Identification and 
Management of Electrical Power Risks and Vulnerabilities to DOD 
Critical Assets (Oct. 2009) (GAO-10-147).
---------------------------------------------------------------------------
    All of the threats to and vulnerabilities of the U.S. 
electric grid described above have been addressed in multiple 
hearings in the 110th and 111th Congresses, both in the 
Subcommittee on Energy and Environment of the Committee on 
Energy and Commerce and in other committees. In 
addition, these threats and vulnerabilities were the subject of 
classified briefings on grid security, provided jointly by 
multiple federal agencies to the members of the Committee on 
Energy and Commerce, during both the 110th Congress and the 
111th Congress.
    Section 215 of the Federal Power Act, enacted as part of 
the Energy Policy Act of 2005, provides for the establishment 
of mandatory reliability standards for the bulk-power system, 
including standards addressing cybersecurity threats. Under 
section 215, the Federal Energy Regulatory Commission (FERC) 
has designated the North American Electric Reliability 
Corporation (NERC) as the electric reliability organization. 
NERC is responsible for proposing, for FERC review and 
approval, reliability standards to protect and enhance the 
reliability of the bulk-power system, including cybersecurity 
standards. NERC is a not-for-profit corporation, the principal 
members of which are owners, operators, and users of the bulk-
power system. More than 1,800 different entities own or operate 
components of the bulk-power system that is subject to the NERC 
standard-setting process. NERC develops standards on an open 
basis through its standards committee, which is composed of 
member representatives. Approval of a reliability standard 
requires a quorum of 75% of the stakeholder ballot pool and 
support from a supermajority of at least two-thirds of the 
votes. The process of developing reliability standards is 
lengthy; for example, the critical infrastructure protection 
(CIP) standards approved by FERC in January 2008 took three 
years for NERC to develop. NERC procedures approved in February 
2010 allow for an accelerated process for developing standards 
in case of a ``national security emergency situation,'' but 
these procedures have not yet been used.\9\
---------------------------------------------------------------------------
    \9\North American Electric Reliability Corporation, Reliability 
Standards Development Procedure, Version 7 (Feb. 5, 2010).
---------------------------------------------------------------------------
    The Canadian and Mexican electric grids are directly linked 
to the U.S. bulk-power system, and Canadian (and to a lesser 
extent Mexican) utilities participate in NERC and have agreed 
to be subject to NERC-adopted standards. They are not, however, 
subject to FERC jurisdiction.
    Reliability standards developed by NERC and approved by 
FERC under section 215 apply to the users, owners, and 
operators of the bulk-power system and are mandatory and 
subject to enforcement by FERC with respect to U.S. entities. 
FERC cannot prescribe standards under section 215, but it has 
authority to direct NERC to develop standards or to modify 
existing standards. Importantly, the scope of these standards 
is limited by section 215's definition of the ``bulk-power 
system,'' which specifically excludes ``facilities used in the 
local distribution of electric energy.'' Accordingly, these 
standards do not apply to lower-voltage distribution facilities 
that normally serve critical defense facilities and other end-
users of electricity. In addition, the provisions of section 
215 do not apply to Alaska or Hawaii, where a number of 
important defense facilities are located.
    To date, FERC has approved nine CIP reliability standards 
developed by NERC. With regard to cybersecurity, the CIP 
standards address critical cyber asset identification, security 
management controls, personnel and training, electronic 
security perimeters, physical security of critical cyber 
assets, systems security management, incident reporting and 
response planning, and recovery plans for critical cyber 
assets. In approving these standards, FERC directed that NERC 
develop revised standards--including a first phase of high-
priority modifications and a second phase. On September 30, 
2009, FERC approved phase I of the modifications to the 
standards. The second phase is currently under development. 
With regard to malicious physical attacks on the bulk-power 
system, the sole NERC standard is one that requires reporting 
within industry and to government of disturbances or unusual 
occurrences, suspected or determined to be caused by sabotage.
    NERC's record with regard to grid security vulnerabilities 
and threats has raised concerns. For example, three years after 
the identification of the Aurora vulnerability discussed above, 
NERC still has not proposed any reliability standard directly 
addressing that vulnerability. In addition, NERC's current CIP 
standards apply only to ``critical assets and associated 
critical cyber assets,'' as self-identified by owners and 
operators of such assets. In a December 2008 NERC survey of 
self-certification of critical assets and critical cyber 
assets, only 31% of respondents to the survey, and only 29% of 
owners and operators of electric generation, identified even a 
single critical asset. Only 63% of transmission owners 
identified even a single critical asset. Consequently, a 
substantial proportion of bulk-power system assets are not 
actually covered by any CIP standard. NERC expressed its 
concern with these results in a letter to industry stakeholders 
dated April 7, 2009, but an April 2010 survey does not indicate 
any improvement in coverage. Finally, in testimony before the 
Committee, FERC raised concerns about whether NERC's open 
stakeholder process is capable of addressing rapidly emerging 
grid security vulnerabilities with sufficient speed and 
protection of sensitive information.

                          Legislative History

    H.R. 2165, the Bulk Power System Protection Act of 2009, 
was introduced by Rep. John Barrow (with Reps. Henry A. Waxman 
and Edward J. Markey as co-sponsors) on April 29, 2009. On 
October 27, 2009, the Subcommittee on Energy and Environment 
held a legislative hearing on this bill and related 
legislation. In preparation for that hearing, the Subcommittee 
convened a classified briefing on grid security vulnerabilities 
and threats for members of the full Committee on Energy and 
Commerce and staff with appropriate clearances.
    After the hearing, the majority and minority staffs of the 
Subcommittee and full Committee joined in a bipartisan effort 
to develop grid security legislation. The results of this 
effort were embodied in a Committee print, considered in markup 
by the Subcommittee on Energy and Environment on March 24, 
2010. The Subcommittee approved by voice vote the Committee 
print for consideration by the full Committee with the 
recommendation that the legislation pass. The text of H.R. 
5026, which was introduced by Reps. Edward J. Markey and Fred 
Upton on April 14, 2010, is identical in substance to the text 
of the Committee print forwarded by the Subcommittee. On April 
15, 2010, the Committee on Energy and Commerce held a markup to 
consider H.R. 5026 and, after approving a manager's amendment 
in the nature of a substitute by voice vote, unanimously agreed 
to a motion for final passage of the bill.

                        Committee Consideration

    The Subcommittee on Energy and Environment met in open 
markup session on March 24, 2010, to consider a Committee Print 
dated March 22, 2010, on H.R. ___, to amend the Federal Power 
Act to protect the bulk-power system and electric 
infrastructure critical to the defense of the United States 
from cybersecurity and other threats and vulnerabilities. 
Subsequently, the Subcommittee approved the text of the 
Committee Print to be forwarded to the full Committee without 
amendments by a voice vote. H.R. 5026 was introduced on April 
14, 2010, with the identical language of the Committee Print as 
approved by the Subcommittee, and was referred to the Committee 
on Energy and Commerce.
    The full Committee met in open markup session on April 15, 
2010, to consider H.R. 5026. A manager's amendment by Mr. 
Waxman was adopted by a voice vote. Subsequently, the Committee 
ordered H.R. 5026 favorably reported to the House, amended, by 
a roll call vote of 47 yeas and 0 nays.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the record votes 
on the motion to report legislation and amendments thereto. The 
Committee agreed to a motion by Mr. Waxman to order H.R. 5026 
favorably reported to the House, amended, by a record vote of 
47 yeas and 0 nays. The following is the recorded vote taken 
during Committee consideration, including the names of those 
Members voting for and against:


            Committee Oversight Findings and Recommendations

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the findings and 
recommendations of the Committee are reflected in the 
descriptive portions of this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    Regarding compliance with clause 3(c)(2) of rule XIII of 
the Rules of the House of Representatives, the Committee adopts 
as its own the estimate of budget authority and revenues 
regarding H.R. 5026 prepared by the Director of the 
Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974. The Committee finds that H.R. 
5026 would result in no new or increased entitlement authority 
or tax expenditures.

         Statement of General Performance Goals and Objectives

    In accordance with clause 3(c)(4) of rule XIII of the Rules 
of the House of Representatives, the Committee's performance 
goals and objectives are reflected in the descriptive portions 
of this report.

                   Constitutional Authority Statement

    Pursuant to clause 3(d)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee finds that the 
constitutional authority for H.R. 5026 is provided in Article 
I, section 8, clauses 3 and 18.

                  Earmarks and Tax and Tariff Benefits

    H.R. 5026 does not contain any congressional earmarks, 
limited tax benefits, or limited tariff benefits as defined in 
clause 9 of rule XXI of the Rules of the House of 
Representatives.

                      Advisory Committee Statement

    No advisory committees were created by H.R. 5026 within the 
meaning of section 5 U.S.C. App., 5(b) of the Federal Advisory 
Committee Act.

             Applicability of Law to the Legislative Branch

    The Committee finds that H.R. 5026 does not relate to the 
terms and conditions of employment or access to public services 
or accommodations within the meaning of section 102(b)(3) of 
the Congressional Accountability Act of 1985.

                       Federal Mandates Statement

    The Committee adopts as its own the estimates of federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                        Committee Cost Estimate

    Pursuant to clause 3(d) of rule XIII of the Rules of the 
House of Representatives, the Committee adopts as its own the 
cost estimate on H.R. 5026 prepared by the Director of the 
Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act.

                  Congressional Budget Office Estimate

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, the following is the cost estimate on 
H.R. 5026 provided by the Congressional Budget Office pursuant 
to section 402 of the Congressional Budget Act of 1974:

                                                      May 19, 2010.
Hon. Henry A. Waxman,
Chairman, Committee on Energy and Commerce,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5026, the Grid 
Reliability and Infrastructure Defense Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Kathleen 
Gramp.
            Sincerely,
                                              Douglas W. Elmendorf.
    Enclosure.

H.R. 5026--Grid Reliability and Infrastructure Defense Act

    Summary: H.R. 5026 would amend existing law regarding the 
regulation of electric power transmission facilities. Under 
current law, most of the standards governing the reliability of 
the bulk-power system are issued by the Electric Reliability 
Organization (ERO), subject to approval and enforcement by the 
Federal Energy Regulatory Commission (FERC). This bill would 
set deadlines for FERC to issue standards regarding the 
security of computer networks used in electric power 
transmission (known as cybersecurity) and other risks to the 
electric power transmission grid, subject to certain 
conditions. In addition, both FERC and ERO would be directed to 
ensure that utilities maintain adequate supplies of large 
electrical transformers and implement measures to protect their 
systems against geomagnetic storms (incidents involving solar 
radiation). Other provisions would authorize a new technical 
assistance program related to grid security and establish terms 
and procedures for responding to emergencies, protecting 
information, and identifying strategically important electric 
facilities.
    CBO estimates that implementing this bill would increase 
net direct spending by about $5 million over the 2011-2015 
period and $40 million over the 2011-2020 period.\1\ 
Implementing the bill would increase discretionary spending by 
$219 million over the 2011-2015 period. CBO estimates that 
enacting this bill would not affect revenues.
---------------------------------------------------------------------------
    \1\Enacting H.R. 5026 would not increase direct spending over the 
2010-2014 period and would increase direct spending by $33 million over 
the 2010-2019 period.
---------------------------------------------------------------------------
    Pay-as-you-go procedures apply because enacting the 
legislation would affect direct spending.
    H.R. 5026 would impose intergovernmental and private-sector 
mandates, as defined in the Unfunded Mandates Reform Act 
(UMRA), on owners and operators of electric infrastructure and 
a private-sector mandate on ERO. Because of uncertainty about 
the number of entities affected, the scope of future 
regulations, and the implementation timeline, CBO cannot 
determine whether the aggregate cost of the mandates in the 
bill would exceed the annual thresholds established in UMRA for 
intergovernmental or private-sector mandates ($70 million and 
$141 million in 2010, respectively, adjusted annually for 
inflation).
    CBO has not reviewed a provision that would provide FERC 
with emergency authority to protect the electric transmission 
grid from security threats for intergovernmental or private-
sector mandates. Section 4 of UMRA excludes from the 
application of that act any legislative provisions that are 
necessary for national security. CBO has determined that the 
provision falls within that exclusion.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 5026 is shown in the following table. 
The costs of this legislation fall within budget function 270 
(energy).

----------------------------------------------------------------------------------------------------------------
                                                               By fiscal year, in millions of dollars--
                                                     -----------------------------------------------------------
                                                                                                          2011-
                                                        2011      2012      2013      2014      2015      2015
----------------------------------------------------------------------------------------------------------------
                                          CHANGES IN DIRECT SPENDING\1\

Estimated Budget Authority..........................         0         0         0         0         5         5
Estimated Outlays...................................         0         0         0         0         5         5

                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION

Federal Power Agencies:
    Estimated Authorization Level...................         0         0         0         4        10        14
    Estimated Outlays...............................         0         0         0         4        10        14
Department of Energy:
    Estimated Authorization Level...................        50        51        51        52        52       256
    Estimated Outlays...............................        19        39        45        50        52       205
    Total Changes:
        Estimated Authorization Level...............        50        51        51        56        62       270
        Estimated Outlays...........................        19        39        45        54        62       219
----------------------------------------------------------------------------------------------------------------
\1\CBO estimates that enacting the bill would increase direct spending by $40 million over the 2011-2020 period.

    Basis of estimate: For this estimate, CBO assumes that the 
legislation will be enacted near the end of fiscal year 2010, 
that the necessary funds will be appropriated each year, and 
that spending patterns will be consistent with historical 
trends for similar activities.

Background

    Taken together, four federal agencies own and operate about 
15 percent of the nation's electric power grid, providing much 
of the transmission service in certain regions of the country. 
Capital expenditures for the federally owned transmission grid 
totaled about $645 million in 2009. Most of those costs were 
incurred by the Tennessee Valley Authority (TVA) and Bonneville 
Power Administration (BPA). Spending by TVA and BPA affects 
direct spending because those agencies are authorized to 
collect and spend proceeds from the sale of electricity and to 
borrow funds to finance capital projects. In contrast, the 
Western Area Power Administration (WAPA) and Southwestern Power 
Administration (SWPA) rely on annual appropriations for capital 
investments in transmission reliability measures. Regardless of 
the method of financing, the federal power agencies are 
required by law to set electricity prices high enough to recoup 
capital investments over the useful life of the assets.
    CBO estimates that H.R. 5026 would increase both direct 
spending and spending subject to appropriation for additional 
capital investments by federal power agencies. CBO estimates 
that other provisions of the bill would further increase 
spending subject to appropriation.

Additional capital spending by federal power agencies (Direct spending 
        and spending subject to appropriation)

    The budgetary impacts of this legislation on the federal 
power agencies would depend on the scope and substance of 
future regulations that are developed to implement it. FERC and 
ERO would be directed to require utilities to address various 
threats, taking into consideration the likelihood of those 
events and the cost-effectiveness of any mitigation measures. 
Given the lead times involved in changing standards for 
electric utilities, CBO expects that most of the budgetary 
impacts resulting from those rules would occur after 2014 and 
would involve only modest changes in performance standards 
through 2020.
    Assuming appropriation of the necessary amounts, CBO 
estimates that implementing H.R. 5026 would increase 
discretionary spending by WAPA and SWPA by $14 million over the 
2011-2015 period, and additional amounts thereafter. In 
addition, we estimate that additional capital spending by TVA 
and BPA would increase direct spending by about $40 million, 
net of recoveries from ratepayers, over the 2011-2020 period.
    Acquiring Additional Transformer Capacity. CBO expects that 
the regulations developed under this bill for large 
transformers would initially mirror the requirements of the 
industry's existing voluntary program for sharing spare 
transformers in the event of a terrorist attack. CBO estimates 
that complying with those benchmarks would have a negligible 
effect on spending by TVA, BPA, and SWPA because those agencies 
have sufficient spare transformers to meet the voluntary 
guidelines. In contrast, we estimate that WAPA would spend 
about $12 million over the 2011-2015 period to acquire 
additional transformers, assuming appropriation of the 
necessary amounts. Additional costs would occur after 2015 for 
WAPA. Costs for all of the agencies could be higher if the new 
rules require utilities to increase the number of spare 
transformers, which cost between $1 million and $15 million 
each.
    Mitigating Other Risks to Transmission Systems. Currently, 
there are no standards that address risks posed by natural or 
malicious disruptions to the grid, such as geomagnetic storms 
and electromagnetic pulses from weapons. As a result, CBO 
expects that directives addressing those threats would increase 
capital spending by the federal power agencies. Government 
reports have identified various actions that could be taken to 
mitigate those risks, with costs for the entire industry 
estimated to range from a few hundred million dollars (for 
example, for equipment that protects generators or 
transformers) to over a billion dollars (for example, for 
comprehensive strategies for the utility industry). For this 
estimate, CBO assumes that near-term measures would primarily 
involve small upgrades to equipment and facilities and would 
increase capital spending on bulk power facilities by less than 
1 percent annually. On that basis, CBO estimates that those 
investments would increase net direct spending by TVA and BPA 
by about $40 million over the 2011-2020 period, and 
discretionary spending for WAPA and SWPA by about $2 million 
over the 2011-2015 period.
    Finally, CBO estimates that other provisions in the bill 
concerning the security of computer networks used by the 
federal power agencies would have a negligible budgetary impact 
because the new standards would be similar to those followed by 
federal agencies as a result of other statutory directives.

Other impacts on spending subject to appropriation

    H.R. 5026 would direct the Secretary of Energy to establish 
a new technical assistance program related to grid security. 
According to the Department of Energy (DOE), the proposed 
program would build on existing efforts related to 
cybersecurity (currently funded at around $40 million annually) 
and would focus in particular on developing technologies to 
mitigate risks associated with geomagnetic storms or certain 
malicious acts. The bill would direct DOE to establish an 
outreach program to share expertise developed through those 
activities. Finally, H.R. 5026 would establish new requirements 
related to security clearances and sharing sensitive 
information on grid security among federal agencies.
    Based on information from DOE, CBO estimates that those 
activities would cost about $200 million over the 2011-2015 
period, with additional spending occurring in later years. That 
estimate is based on the cost of similar programs and reflects 
historical spending patterns for activities related to 
research, development, and technical assistance.
    In addition, CBO expects that implementing H.R. 5026 would 
expand FERC's workload and increase the agency's administrative 
costs, which are controlled through annual appropriation acts. 
Because FERC recovers 100 percent of its costs through user 
fees, any such increases in its costs would be offset by an 
equal change in fees that the commission charges, resulting in 
no net budgetary impact.
    Pay-As-You-Go considerations: The Statutory Pay-As-You-Go 
Act of 2010 establishes budget reporting and enforcement 
procedures for legislation affecting direct spending or 
revenues. The net changes in outlays that are subject to those 
pay-as-you-go procedures are shown in the following table.

         CBO ESTIMATE OF PAY-AS-YOU-GO EFFECTS FOR H.R. 5026 AS ORDERED REPORTED BY THE HOUSE COMMITTEE ON ENERGY AND COMMERCE ON APRIL 15, 2010
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                              By fiscal year, in millions of dollars--
                                           -------------------------------------------------------------------------------------------------------------
                                             2010    2011    2012    2013    2014    2015    2016    2017    2018    2019    2020   2010-2015  2010-2020
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                       NET INCREASE OR DECREASE (-) IN THE DEFICIT

Statutory Pay-As-You-Go Impact............       0       0       0       0       0       5       7       7       7       7       7         5         40
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Intergovernmental and private-sector impact: H.R. 5026 
would impose intergovernmental and private-sector mandates, as 
defined in UMRA, on owners and operators of electric 
infrastructure and a private-sector mandate on the Electric 
Reliability Organization. Because of uncertainty about the 
number of entities affected, the scope of future regulations, 
and the implementation timeline, CBO cannot determine whether 
the aggregate cost of the mandates in the bill would exceed the 
annual thresholds established in UMRA for intergovernmental and 
private-sector mandates ($70 million and $141 million in 2010, 
respectively, adjusted annually for inflation).
    CBO has not reviewed a provision that would provide FERC 
with emergency authority to protect the electric transmission 
grid from security threats for intergovernmental or private-
sector mandates. Section 4 of UMRA excludes from the 
application of that act any legislative provisions that are 
necessary for national security. CBO has interpreted that 
exclusion to encompass provisions dealing with activities that 
are immediately necessary to protect vital national security 
interests. CBO has determined that the provision dealing with 
emergency authority falls within the exclusion for national 
security.

Mandates that apply to both public and private entities

    By requiring ERO and FERC to issue new standards to address 
vulnerabilities in the nation's energy grid, the bill would 
impose mandates on public and private owners and operators of 
electric infrastructure. The standards would address 
vulnerabilities related to cybersecurity, disruptions related 
to geomagnetic or electromagnetic events and unexpected losses 
of large transformers. Based on information from FERC and 
industry sources, the cost of complying with each of the 
mandates could equal tens of millions of dollars annually, 
depending on the scope and implementation timeline of future 
regulations. Because of those uncertainties, however, CBO 
cannot estimate the total costs of the mandates.
    Cybersecurity. The bill would require owners and operators 
of electric infrastructure to implement measures to mitigate 
the risk to the power grid from cybersecurity vulnerabilities. 
FERC would establish the standards for cybersecurity and 
implementation timelines after an assessment of current 
standards.
    Geomagnetic Storms and Electromagnetic Pulse Events. The 
bill would require owners and operators of electric 
infrastructure to protect against risks posed by natural or 
malicious disruptions to the grid resulting from geomagnetic 
storms or electromagnetic pulse events. Based on information 
from government reports, potential mitigation measures could 
involve significant capital investments in equipment and 
facilities.
    Large Transformers. The bill would require owners and 
operators of large transformers to maintain an adequate supply 
of spare transformers in order to restore the reliability of 
the power grid if any transformer is disabled. The number of 
spare transformers required by the bill would depend on future 
regulations.

Mandate that applies to public entities only

    The bill would preempt state, local, and tribal laws 
relating to the disclosure of information or records. Those 
preemptions would be intergovernmental mandates as defined in 
UMRA, but CBO estimates that they would impose no duty on 
states that would result in additional spending.

Mandate that applies to private entities only

    Under current law, FERC has the authority to require the 
ERO to develop reliability standards. The bill would impose a 
private-sector mandate by requiring ERO to develop standards 
earlier than it would have under current law. Based on 
information from ERO, CBO estimates that the cost to develop 
the standards would be small in relation to the annual 
threshold for private-sector mandates.
    Estimate prepared by: Federal Costs: Kathleen Gramp 
(federal power agencies), Megan Carroll (FERC, DOE); Impact on 
state, local, and tribal governments: Ryan Miller; Impact on 
the private sector: Amy Petz.
    Estimate approved by: Theresa Gullo, Deputy Assistant 
Director for Budget Analysis.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    This section provides that the short title of the bill is 
the ``Grid Reliability and Infrastructure Defense Act'' or the 
``GRID Act''.

Section 2. Amendment to the Federal Power Act

    Subsection (a) of this section would amend the Federal 
Power Act to add a new section 215A, providing FERC new 
authorities to protect the electric grid against cyber and 
other threats and vulnerabilities, as well as from geomagnetic 
storms created by coronal mass ejections and other solar 
activity.
    Subsection (a) of the new section 215A provides a number of 
definitions. The definition of ``bulk-power system'' is the 
same as in the existing section 215 of the Federal Power Act. 
As a result, except with regard to electric infrastructure 
serving critical defense facilities, the new authorities 
established by the bill would extend to matters affecting the 
reliability of the ``bulk-power system''--providing the same 
coverage as the existing section 215 of the Federal Power Act, 
enacted as part of the Energy Policy Act of 2005, which 
provides authority to establish mandatory reliability standards 
for the bulk-power system. As the agency charged with 
administering section 215A, FERC has the authority to interpret 
this and the other definitions included in subsection (a).
    Subsection (b) of the new section 215A gives FERC authority 
to issue emergency orders to protect against a ``grid security 
threat,'' with or without notice, if the President notifies the 
Commission (either directly or through the Secretary of Energy) 
that an imminent ``grid security threat'' exists. The term 
``imminent'' in this context means that the grid security 
threat is urgent, impending, or near at hand, but does not 
necessarily require that it be immediate in time. A grid 
security threat is defined under subsection (a) as a 
substantial likelihood of one of the following acts or events, 
provided there is a substantial likelihood the act or event 
would have a significant adverse effect on the reliability of 
the bulk-power system or of defense critical electric 
infrastructure:
         - a malicious act using electronic 
        communication (i.e., a cyber attack) or an 
        electromagnetic pulse (i.e., one or more pulses of 
        electromagnetic energy, such as radio frequency or 
        microwave, emitted by a device capable of disabling, 
        disrupting, or destroying electronic equipment by means 
        of such a pulse);
         - a geomagnetic storm (i.e., a solar storm); 
        or
         - a direct physical attack on the bulk power 
        infrastructure or on defense critical electric 
        infrastructure.
    A malicious act ``using electronic communication'' is 
intended to refer to an act using the electronic communication 
as an actual vector for the attack (i.e., a cyber attack), as 
opposed to an act in which electronic communications are used 
only incidentally, such as the use of electronic communication 
to plan or execute a physical attack.
    Subsection (b) requires the President or Secretary of 
Energy to promptly notify the relevant congressional committees 
whenever the President provides a written directive or 
determination of a grid security threat to FERC under the 
subsection. Subsection (b) provides for the discontinuance of 
an order issued under this subsection whenever any of the 
following first occurs: the President determines the grid 
security threat no longer exists, FERC determines the emergency 
measures are no longer needed to protect against the threat, or 
one year elapses from the date the order was issued.
    Subsection (b) also provides FERC with authority to 
establish a mechanism for owners, operators, or users of the 
bulk-power system to recover prudently incurred costs of 
complying with an order under subsection (b) if FERC determines 
that such entities cannot otherwise recover such costs through 
market prices or rates. Nothing in this provision is intended 
to prevent or affect use of other existing mechanisms for the 
recovery of costs incurred in compliance with this subsection 
or the remainder of the new section 215A under existing 
procedures or mechanisms, whether under the Federal Power Act 
or state law.
    Subsection (c)(1) of the new section 215A provides FERC 
authority to promulgate a rule or issue an order, after notice 
and comment, requiring implementation of measures to protect 
against any ``grid security vulnerability'' that FERC 
determines has not been adequately addressed by a NERC 
reliability standard developed and approved under section 215. 
Subsection (a) defines a grid security vulnerability as a 
weakness that, in the event of a malicious act using electronic 
communication (i.e., a cyber attack) or an electromagnetic 
pulse, would pose a substantial risk of disruption to the 
operation of those electronic devices or communication networks 
that are essential to the reliability of the bulk-power system. 
Before promulgating a rule or issuing an order to address a 
grid security vulnerability under subsection (c)(1), FERC, to 
the extent practicable in light of the urgency of the need for 
action, is required to request and consider recommendations 
from NERC regarding such a rule or order. FERC may establish an 
appropriate deadline for NERC's submission of such 
recommendations.
    Subsection (c)(2) specifically requires FERC, within 180 
days of enactment, to promulgate a rule or issue an order 
requiring measures to address the ``Aurora vulnerability'' to 
cyber attack that was identified three years ago.
    Subsection (c)(3) directs FERC to approve a proposed NERC 
reliability standard (under section 215) that addresses a grid 
security vulnerability identified under subsection (c)(1) or 
(c)(2) unless FERC determines that the NERC standard does not 
adequately protect against the vulnerability. If FERC approves 
a proposed NERC standard, the corresponding FERC rule or order 
must be rescinded.
    Subsection (c)(4) requires FERC to direct NERC to submit 
for approval a reliability standard under section 215 to 
protect the bulk-power system against geomagnetic storms. FERC 
is directed to identify the nature and magnitude of the 
reasonably foreseeable geomagnetic storm events against which 
the standards should protect, similar to the identification of 
a ``design basis threat.'' The standards must balance risks 
against the cost of protecting against those risks.
    Subsection (c)(5) requires FERC to direct NERC to submit 
for approval a reliability standard under section 215 to 
require adequate availability of large transformers to ensure 
the reliability of the bulk-power system in the event of a 
reasonably foreseeable physical or other attack or a 
geomagnetic storm. FERC is directed to identify the nature and 
magnitude of the attack or event against which the standard 
must protect, similar to the identification of a ``design basis 
threat.'' The standard must allow entities required to comply 
with the standard the option of complying either individually 
or jointly (e.g., through a spare transformer sharing program), 
and must balance risks against the cost of protecting against 
those risks.
    Subsection (d) of the new section 215A directs the 
President to designate not more than 100 facilities located in 
the United States that are critical to the defense of the 
United States and vulnerable to interruption of an external 
supply of electricity to the facility. The bill classifies 
electric infrastructure that is not part of the bulk-power 
system, that serves such a facility, and that is not owned or 
operated by the owner or operator of the designated facility, 
as ``defense critical electric infrastructure.'' If FERC, in 
consultation with the owner or operator of a designated 
critical facility, identifies a vulnerability in such 
infrastructure to a cyber attack or attack using an 
electromagnetic pulse that has not adequately been addressed, 
FERC has authority to promulgate a rule or issue an order, 
after notice and opportunity for comment, to require measures 
to protect such infrastructure. Infrastructure can be exempted 
from such rules or orders, on a case-by-case basis, if FERC, in 
consultation with the owner or operator of the designated 
critical facility, determines that such infrastructure is 
adequately protected. An owner or operator of defense critical 
electric infrastructure shall be required to take such required 
measures only to the extent that the owners or operators of a 
facility designated by the President that rely on such 
infrastructure agree to bear the full incremental costs of 
compliance with such a rule or order.
    Subsection (e) of the new section 215A addresses the 
treatment of ``protected information,'' defined as information 
designated as such by FERC that is not classified national 
security information; that was developed or submitted in 
connection with the implementation of this section; that 
specifically discusses grid security threats, grid security 
vulnerabilities, or defense critical electric infrastructure 
vulnerabilities, or plans, procedures or measures to address 
such threats or vulnerabilities; and the unauthorized 
disclosure of which could be used in a malicious manner to 
impair the reliability of the bulk power system. The bill 
exempts such information from disclosure under the Freedom of 
Information Act or under state, local, or tribal disclosure 
laws. The bill also requires FERC to promulgate regulations and 
issue orders necessary to designate protected information, 
prohibit unauthorized disclosure of such information, and 
facilitate appropriate sharing of such information with, 
between, and by governmental authorities, NERC, the regional 
reliability councils, and owners, operators, and users of the 
bulk-power system.
    Subsection (f) of the new section 215A provides that any 
party seeking judicial review of an order issued under this 
section pursuant to section 313 of the Federal Power Act may 
obtain such review exclusively in the U.S. Court of Appeals for 
the District of Columbia Circuit.
    Subsection (g) of the new section 215A directs the 
Secretary of Energy to develop technical expertise in the 
protection of the grid against attacks using electronic 
communication or electromagnetic pulse, and against geomagnetic 
storms, and to provide technical assistance in this area to 
owners, operators, and users of systems for the generation, 
transmission and distribution of electric energy--with priority 
given to systems serving critical defense and other critical-
infrastructure facilities. The Secretary is directed to 
facilitate and, to the extent practicable, expedite acquisition 
of security clearances by key industry personnel to facilitate 
communication regarding grid security threats and 
vulnerabilities. In addition, the Secretary, FERC, and other 
federal authorities are directed, to the extent practicable, to 
share timely and actionable information regarding grid security 
threats and vulnerabilities and defense critical electric 
infrastructure vulnerabilities with appropriate key personnel 
of owners, operators, and users of the bulk-power system and 
defense critical electric infrastructure.
    Section 2(b) of the GRID Act makes conforming amendments to 
section 201 of the Federal Power Act.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in roman):

FEDERAL POWER ACT

           *       *       *       *       *       *       *


PART II--REGULATION OF ELECTRIC UTILITY COMPANIES ENGAGED IN INTERSTATE 
                                COMMERCE

        DECLARATION OF POLICY; APPLICATION OF PART; DEFINITIONS

  Section 201. (a) * * *
  (b)(1) * * *
  (2) Notwithstanding section 201(f), the provisions of 
sections 203(a)(2), 206(e), 210, 211, 211A, 212, 215, 215A, 
216, 217, 218, 219, 220, 221, and 222 shall apply to the 
entities described in such provisions, and such entities shall 
be subject to the jurisdiction of the Commission for purposes 
of carrying out such provisions and for purposes of applying 
the enforcement authorities of this Act with respect to such 
provisions. Compliance with any order of the Commission under 
the provisions of section 203(a)(2), 206(e), 210, 211, 211A, 
212, 215, 215A, 216, 217, 218, 219, 220, 221, or 222, shall not 
make an electric utility or other entity subject to the 
jurisdiction of the Commission for any purposes other than the 
purposes specified in the preceding sentence.

           *       *       *       *       *       *       *

  (e) The term ``public utility'' when used in this Part or in 
the Part next following means any person who owns or operates 
facilities subject to the jurisdiction of the Commission under 
this Part (other than facilities subject to such jurisdiction 
solely by reason of section 206(e), 206(f), 210, 211, 211A, 
212, 215, 215A, 216, 217, 218, 219, 220, 221, or 222).

           *       *       *       *       *       *       *


SEC. 215A. CRITICAL ELECTRIC INFRASTRUCTURE SECURITY.

  (a)  Definitions.--For purposes of this section:
          (1) Bulk-power system; electric reliability 
        organization; regional entity.--The terms ``bulk-power 
        system'', ``Electric Reliability Organization'', and 
        ``regional entity'' have the meanings given such terms 
        in paragraphs (1), (2), and (7) of section 215(a), 
        respectively.
          (2) Defense critical electric infrastructure.--The 
        term ``defense critical electric infrastructure'' means 
        any infrastructure located in the United States 
        (including the territories) used for the generation, 
        transmission, or distribution of electric energy that--
                  (A) is not part of the bulk-power system; and
                  (B) serves a facility designated by the 
                President pursuant to subsection (d)(1), but is 
                not owned or operated by the owner or operator 
                of such facility.
          (3) Defense critical electric infrastructure 
        vulnerability.--The term ``defense critical electric 
        infrastructure vulnerability'' means a weakness in 
        defense critical electric infrastructure that, in the 
        event of a malicious act using electronic communication 
        or an electromagnetic pulse, would pose a substantial 
        risk of disruption of those electronic devices or 
        communications networks, including hardware, software, 
        and data, that are essential to the reliability of 
        defense critical electric infrastructure.
          (4) Electromagnetic pulse.--The term 
        ``electromagnetic pulse'' means 1 or more pulses of 
        electromagnetic energy emitted by a device capable of 
        disabling, disrupting, or destroying electronic 
        equipment by means of such a pulse.
          (5) Geomagnetic storm.--The term ``geomagnetic 
        storm'' means a temporary disturbance of the Earth's 
        magnetic field resulting from solar activity.
          (6) Grid security threat.--The term ``grid security 
        threat'' means a substantial likelihood of--
                  (A)(i) a malicious act using electronic 
                communication or an electromagnetic pulse, or a 
                geomagnetic storm event, that could disrupt the 
                operation of those electronic devices or 
                communications networks, including hardware, 
                software, and data, that are essential to the 
                reliability of the bulk-power system or of 
                defense critical electric infrastructure; and
                  (ii) disruption of the operation of such 
                devices or networks, with significant adverse 
                effects on the reliability of the bulk-power 
                system or of defense critical electric 
                infrastructure, as a result of such act or 
                event; or
                  (B)(i) a direct physical attack on the bulk-
                power system or on defense critical electric 
                infrastructure; and
                  (ii) significant adverse effects on the 
                reliability of the bulk-power system or of 
                defense critical electric infrastructure as a 
                result of such physical attack.
          (7) Grid security vulnerability.--The term ``grid 
        security vulnerability'' means a weakness that, in the 
        event of a malicious act using electronic communication 
        or an electromagnetic pulse, would pose a substantial 
        risk of disruption to the operation of those electronic 
        devices or communications networks, including hardware, 
        software, and data, that are essential to the 
        reliability of the bulk-power system.
          (8) Large transformer.--The term ``large 
        transformer'' means an electric transformer that is 
        part of the bulk-power system.
          (9) Protected information.--The term ``protected 
        information'' means information, other than classified 
        national security information, designated as protected 
        information by the Commission under subsection (e)(2)--
                  (A) that was developed or submitted in 
                connection with the implementation of this 
                section;
                  (B) that specifically discusses grid security 
                threats, grid security vulnerabilities, defense 
                critical electric infrastructure 
                vulnerabilities, or plans, procedures, or 
                measures to address such threats or 
                vulnerabilities; and
                  (C) the unauthorized disclosure of which 
                could be used in a malicious manner to impair 
                the reliability of the bulk-power system or of 
                defense critical electric infrastructure.
          (10) Secretary.--The term ``Secretary'' means the 
        Secretary of Energy.
          (11) Security.--The definition of ``security'' in 
        section 3(16) shall not apply to the provisions in this 
        section.
  (b) Emergency Response Measures.--
          (1) Authority to address grid security threats.--
        Whenever the President issues and provides to the 
        Commission (either directly or through the Secretary) a 
        written directive or determination identifying an 
        imminent grid security threat, the Commission may, with 
        or without notice, hearing, or report, issue such 
        orders for emergency measures as are necessary in its 
        judgment to protect the reliability of the bulk-power 
        system or of defense critical electric infrastructure 
        against such threat. As soon as practicable but not 
        later than 180 days after the date of enactment of this 
        section, the Commission shall, after notice and 
        opportunity for comment, establish rules of procedure 
        that ensure that such authority can be exercised 
        expeditiously.
          (2) Notification of congress.--Whenever the President 
        issues and provides to the Commission (either directly 
        or through the Secretary) a written directive or 
        determination under paragraph (1), the President (or 
        the Secretary, as the case may be) shall promptly 
        notify congressional committees of relevant 
        jurisdiction, including the Committee on Energy and 
        Commerce of the House of Representatives and the 
        Committee on Energy and Natural Resources of the 
        Senate, of the contents of, and justification for, such 
        directive or determination.
          (3) Consultation.--Before issuing an order for 
        emergency measures under paragraph (1), the Commission 
        shall, to the extent practicable in light of the nature 
        of the grid security threat and the urgency of the need 
        for such emergency measures, consult with appropriate 
        governmental authorities in Canada and Mexico, entities 
        described in paragraph (4), the Secretary, and other 
        appropriate Federal agencies regarding implementation 
        of such emergency measures.
          (4) Application.--An order for emergency measures 
        under this subsection may apply to--
                  (A) the Electric Reliability Organization;
                  (B) a regional entity; or
                  (C) any owner, user, or operator of the bulk-
                power system or of defense critical electric 
                infrastructure within the United States.
          (5) Discontinuance.--The Commission shall issue an 
        order discontinuing any emergency measures ordered 
        under this subsection, effective not later than 30 days 
        after the earliest of the following:
                  (A) The date upon which the President issues 
                and provides to the Commission (either directly 
                or through the Secretary) a written directive 
                or determination that the grid security threat 
                identified under paragraph (1) no longer 
                exists.
                  (B) The date upon which the Commission issues 
                a written determination that the emergency 
                measures are no longer needed to address the 
                grid security threat identified under paragraph 
                (1), including by means of Commission approval 
                of a reliability standard under section 215 
                that the Commission determines adequately 
                addresses such threat.
                  (C) The date that is 1 year after the 
                issuance of an order under paragraph (1).
          (6) Cost recovery.--If the Commission determines that 
        owners, operators, or users of the bulk-power system or 
        of defense critical electric infrastructure have 
        incurred substantial costs to comply with an order 
        under this subsection and that such costs were 
        prudently incurred and cannot reasonably be recovered 
        through regulated rates or market prices for the 
        electric energy or services sold by such owners, 
        operators, or users, the Commission shall, after notice 
        and an opportunity for comment, establish a mechanism 
        that permits such owners, operators, or users to 
        recover such costs.
  (c) Measures to Address Grid Security Vulnerabilities.--
          (1) Commission authority.--If the Commission, in 
        consultation with appropriate Federal agencies, 
        identifies a grid security vulnerability that the 
        Commission determines has not adequately been addressed 
        through a reliability standard developed and approved 
        under section 215, the Commission shall, after notice 
        and opportunity for comment and after consultation with 
        the Secretary, other appropriate Federal agencies, and 
        appropriate governmental authorities in Canada and 
        Mexico, promulgate a rule or issue an order requiring 
        implementation, by any owner, operator, or user of the 
        bulk-power system in the United States, of measures to 
        protect the bulk-power system against such 
        vulnerability. Before promulgating a rule or issuing an 
        order under this paragraph, the Commission shall, to 
        the extent practicable in light of the urgency of the 
        need for action to address the grid security 
        vulnerability, request and consider recommendations 
        from the Electric Reliability Organization regarding 
        such rule or order. The Commission may establish an 
        appropriate deadline for the submission of such 
        recommendations.
          (2) Certain existing cybersecurity vulnerabilities.--
        Not later than 180 days after the date of enactment of 
        this section, the Commission shall, after notice and 
        opportunity for comment and after consultation with the 
        Secretary, other appropriate Federal agencies, and 
        appropriate governmental authorities in Canada and 
        Mexico, promulgate a rule or issue an order requiring 
        the implementation, by any owner, user, or operator of 
        the bulk-power system in the United States, of such 
        measures as are necessary to protect the bulk-power 
        system against the vulnerabilities identified in the 
        June 21, 2007, communication to certain 'Electricity 
        Sector Owners and Operators' from the North American 
        Electric Reliability Corporation, acting in its 
        capacity as the Electricity Sector Information and 
        Analysis Center.
          (3) Rescission.--The Commission shall approve a 
        reliability standard developed under section 215 that 
        addresses a grid security vulnerability that is the 
        subject of a rule or order under paragraph (1) or (2), 
        unless the Commission determines that such reliability 
        standard does not adequately protect against such 
        vulnerability or otherwise does not satisfy the 
        requirements of section 215. Upon such approval, the 
        Commission shall rescind the rule promulgated or order 
        issued under paragraph (1) or (2) addressing such 
        vulnerability, effective upon the effective date of the 
        newly approved reliability standard.
          (4) Geomagnetic storms.--Not later than 1 year after 
        the date of enactment of this section, the Commission 
        shall, after notice and an opportunity for comment and 
        after consultation with the Secretary and other 
        appropriate Federal agencies, issue an order directing 
        the Electric Reliability Organization to submit to the 
        Commission for approval under section 215, not later 
        than 1 year after the issuance of such order, 
        reliability standards adequate to protect the bulk-
        power system from any reasonably foreseeable 
        geomagnetic storm event. The Commission's order shall 
        specify the nature and magnitude of the reasonably 
        foreseeable events against which such standards must 
        protect. Such standards shall appropriately balance the 
        risks to the bulk-power system associated with such 
        events, including any regional variation in such risks, 
        and the costs of mitigating such risks.
          (5) Large transformer availability.--Not later than 1 
        year after the date of enactment of this section, the 
        Commission shall, after notice and an opportunity for 
        comment and after consultation with the Secretary and 
        other appropriate Federal agencies, issue an order 
        directing the Electric Reliability Organization to 
        submit to the Commission for approval under section 
        215, not later than 1 year after the issuance of such 
        order, reliability standards addressing availability of 
        large transformers. Such standards shall require 
        entities that own or operate large transformers to 
        ensure, individually or jointly, adequate availability 
        of large transformers to promptly restore the reliable 
        operation of the bulk-power system in the event that 
        any such transformer is destroyed or disabled as a 
        result of a reasonably foreseeable physical or other 
        attack or geomagnetic storm event. The Commission's 
        order shall specify the nature and magnitude of the 
        reasonably foreseeable attacks or events that shall 
        provide the basis for such standards. Such standards 
        shall--
                  (A) provide entities subject to the standards 
                with the option of meeting such standards 
                individually or jointly; and
                  (B) appropriately balance the risks 
                associated with a reasonably foreseeable attack 
                or event, including any regional variation in 
                such risks, and the costs of ensuring adequate 
                availability of spare transformers.
  (d) Critical Defense Facilities.--
          (1) Designation.--Not later than 180 days after the 
        date of enactment of this section, the President shall 
        designate, in a written directive or determination 
        provided to the Commission, facilities located in the 
        United States (including the territories) that are--
                  (A) critical to the defense of the United 
                States; and
                  (B) vulnerable to a disruption of the supply 
                of electric energy provided to such facility by 
                an external provider.
        The number of facilities designated by such directive 
        or determination shall not exceed 100. The President 
        may periodically revise the list of designated 
        facilities through a subsequent written directive or 
        determination provided to the Commission, provided that 
        the total number of designated facilities at any time 
        shall not exceed 100.
          (2) Commission authority.--If the Commission 
        identifies a defense critical electric infrastructure 
        vulnerability that the Commission, in consultation with 
        owners and operators of any facility or facilities 
        designated by the President pursuant to paragraph (1), 
        determines has not adequately been addressed through 
        measures undertaken by owners or operators of defense 
        critical electric infrastructure, the Commission shall, 
        after notice and an opportunity for comment and after 
        consultation with the Secretary and other appropriate 
        Federal agencies, promulgate a rule or issue an order 
        requiring implementation, by any owner or operator of 
        defense critical electric infrastructure, of measures 
        to protect the defense critical electric infrastructure 
        against such vulnerability. The Commission shall exempt 
        from any such rule or order any specific defense 
        critical electric infrastructure that the Commission 
        determines already has been adequately protected 
        against the identified vulnerability. The Commission 
        shall make any such determination in consultation with 
        the owner or operator of the facility designated by the 
        President pursuant to paragraph (1) that relies upon 
        such defense critical electric infrastructure.
          (3) Cost recovery.--An owner or operator of defense 
        critical electric infrastructure shall be required to 
        take measures under paragraph (2) only to the extent 
        that the owners or operators of a facility or 
        facilities designated by the President pursuant to 
        paragraph (1) that rely upon such infrastructure agree 
        to bear the full incremental costs of compliance with a 
        rule promulgated or order issued under paragraph (2).
  (e) Protection of Information.--
          (1) Prohibition of public disclosure of protected 
        information.--Protected information--
                  (A) shall be exempt from disclosure under 
                section 552(b)(3) of title 5, United States 
                Code; and
                  (B) shall not be made available pursuant to 
                any State, local, or tribal law requiring 
                disclosure of information or records.
          (2) Information sharing.--
                  (A) In general.--Consistent with the 
                Controlled Unclassified Information framework 
                established by the President, the Commission 
                shall promulgate such regulations and issue 
                such orders as necessary to designate protected 
                information and to prohibit the unauthorized 
                disclosure of such protected information.
                  (B) Sharing of protected information.--The 
                regulations promulgated and orders issued 
                pursuant to subparagraph (A) shall provide 
                standards for and facilitate the appropriate 
                sharing of protected information with, between, 
                and by Federal, State, local, and tribal 
                authorities, the Electric Reliability 
                Organization, regional entities, and owners, 
                operators, and users of the bulk-power system 
                in the United States and of defense critical 
                electric infrastructure. In promulgating such 
                regulations and issuing such orders, the 
                Commission shall take account of the role of 
                State commissions in reviewing the prudence and 
                cost of investments within their respective 
                jurisdictions. The Commission shall consult 
                with appropriate Canadian and Mexican 
                authorities to develop protocols for the 
                sharing of protected information with, between, 
                and by appropriate Canadian and Mexican 
                authorities and owners, operators, and users of 
                the bulk-power system outside the United 
                States.
          (3) Submission of information to Congress.--Nothing 
        in this section shall permit or authorize the 
        withholding of information from Congress, any committee 
        or subcommittee thereof, or the Comptroller General.
          (4) Disclosure of non-protected information.--In 
        implementing this section, the Commission shall protect 
        from disclosure only the minimum amount of information 
        necessary to protect the reliability of the bulk-power 
        system and of defense critical electric infrastructure. 
        The Commission shall segregate protected information 
        within documents and electronic communications, 
        wherever feasible, to facilitate disclosure of 
        information that is not designated as protected 
        information.
          (5) Duration of designation.--Information may not be 
        designated as protected information for longer than 5 
        years, unless specifically redesignated by the 
        Commission.
          (6) Removal of designation.--The Commission may 
        remove the designation of protected information, in 
        whole or in part, from a document or electronic 
        communication if the unauthorized disclosure of such 
        information could no longer be used to impair the 
        reliability of the bulk-power system or of defense 
        critical electric infrastructure.
          (7) Judicial review of designations.--Notwithstanding 
        subsection (f) of this section or section 313, a person 
        or entity may seek judicial review of a determination 
        by the Commission concerning the designation of 
        protected information under this subsection exclusively 
        in the district court of the United States in the 
        district in which the complainant resides, or has his 
        principal place of business, or in the District of 
        Columbia. In such a case the court shall determine the 
        matter de novo, and may examine the contents of 
        documents or electronic communications designated as 
        protected information in camera to determine whether 
        such documents or any part thereof were improperly 
        designated as protected information. The burden is on 
        the Commission to sustain its designation.
  (f) Judicial Review.--The Commission shall act expeditiously 
to resolve all applications for rehearing of orders issued 
pursuant to this section that are filed under section 313(a). 
Any party seeking judicial review pursuant to section 313 of an 
order issued under this section may obtain such review only in 
the United States Court of Appeals for the District of Columbia 
Circuit.
  (g) Provision of Assistance to Industry in Meeting Grid 
Security Protection Needs.--
          (1) Expertise and resources.--The Secretary shall 
        establish a program, in consultation with other 
        appropriate Federal agencies, to develop technical 
        expertise in the protection of systems for the 
        generation, transmission, and distribution of electric 
        energy against geomagnetic storms or malicious acts 
        using electronic communications or electromagnetic 
        pulse that would pose a substantial risk of disruption 
        to the operation of those electronic devices or 
        communications networks, including hardware, software, 
        and data, that are essential to the reliability of such 
        systems. Such program shall include the identification 
        and development of appropriate technical and electronic 
        resources, including hardware, software, and system 
        equipment.
          (2) Sharing expertise.--As appropriate, the Secretary 
        shall offer to share technical expertise developed 
        under the program under paragraph (1), through 
        consultation and assistance, with owners, operators, or 
        users of systems for the generation, transmission, or 
        distribution of electric energy located in the United 
        States and with State commissions. In offering such 
        support, the Secretary shall assign higher priority to 
        systems serving facilities designated by the President 
        pursuant to subsection (d)(1) and other critical-
        infrastructure facilities, which the Secretary shall 
        identify in consultation with the Commission and other 
        appropriate Federal agencies.
          (3) Security clearances and communication.--The 
        Secretary shall facilitate and, to the extent 
        practicable, expedite the acquisition of adequate 
        security clearances by key personnel of any entity 
        subject to the requirements of this section to enable 
        optimum communication with Federal agencies regarding 
        grid security threats, grid security vulnerabilities, 
        and defense critical electric infrastructure 
        vulnerabilities. The Secretary, the Commission, and 
        other appropriate Federal agencies shall, to the extent 
        practicable and consistent with their obligations to 
        protect classified and protected information, share 
        timely actionable information regarding grid security 
        threats, grid security vulnerabilities, and defense 
        critical electric infrastructure vulnerabilities with 
        appropriate key personnel of owners, operators, and 
        users of the bulk-power system and of defense critical 
        electric infrastructure.

           *       *       *       *       *       *       *