[House Report 117-92]
[From the U.S. Government Publishing Office]


117th Congress    }                                   {        Report
                        HOUSE OF REPRESENTATIVES
 1st Session      }                                   {        117-92

======================================================================



                        CYBER SENSE ACT OF 2021

                                _______
                                

 July 19, 2021.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Pallone, from the Committee on Energy and Commerce, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 2928]

    The Committee on Energy and Commerce, to whom was referred 
the bill (H.R. 2928) to require the Secretary of Energy to 
establish a voluntary Cyber Sense program to test the 
cybersecurity of products and technologies intended for use in 
the bulk-power system, and for other purposes, having 
considered the same, reports favorably thereon without 
amendment and recommends that the bill do pass.

                                CONTENTS

   I. Purpose and Summary
  II. Background and Need for the Legislation
 III. Committee Hearings
  IV. Committee Consideration
   V. Committee Votes
  VI. Oversight Findings
 VII. New Budget Authority, Entitlement Authority, and Tax Expenditures
VIII. Federal Mandates Statement
  IX. Statement of General Performance Goals and Objectives
   X. Duplication of Federal Programs
  XI. Committee Cost Estimate
 XII. Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
XIII. Advisory Committee Statement
 XIV. Applicability to Legislative Branch
  XV. Section-by-Section Analysis of the Legislation
 XVI. Changes in Existing Law Made by the Bill, as Reported

                         I. PURPOSE AND SUMMARY

    H.R. 2928, the ``Cyber Sense Act of 2019'', would direct 
the Secretary of Energy (the Secretary), in coordination with 
relevant Federal agencies (such as the Department of Homeland 
Security), to establish a voluntary Department of Energy (DOE) 
program that tests the cybersecurity of products and 
technologies intended for use in the bulk-power system, 
including products related to industrial control systems. The 
legislation instructs DOE to provide technical assistance to 
electric utilities, product manufacturers, and other 
electricity sector stakeholders to help mitigate cybersecurity 
vulnerabilities. In addition, the bill requires the Secretary 
to establish cybersecurity vulnerability reporting processes 
and maintain a related database.
    H.R. 2928 requires the Secretary to biennially review 
products and technologies tested under the Cyber Sense program 
for cybersecurity vulnerabilities and provide analysis on how 
such products and technologies respond to and mitigate cyber 
threats. It also requires that the Secretary develop guidance 
for electric utilities regarding procurement of products and 
technologies. The Secretary will utilize analysis and testing 
results under the Cyber Sense program in developing this 
guidance.
    In addition, H.R. 2928 directs the Secretary to provide 
reasonable notice and solicit comments from the public, prior 
to establishing or revising the Cyber Sense testing process. 
The legislation provides that any cybersecurity vulnerability 
reported pursuant to this program, the disclosure of which the 
Secretary reasonably foresees would cause harm to critical 
electric infrastructure, shall be deemed ``critical electric 
infrastructure information'' as defined by section 215A(d) of 
the Federal Power Act. The legislation also includes Federal 
government liability protections by noting that nothing shall 
be construed to authorize the commencement of an action against 
the United States government with respect to the testing of a 
product or technology under the Cyber Sense program.

                II. BACKGROUND AND NEED FOR LEGISLATION

    The United States energy infrastructure is comprised of a 
vast network of energy and electricity systems that deliver 
uninterrupted electricity from producers to consumers. These 
intricate and highly interdependent systems enable every aspect 
of our daily lives. Our nation's economy, security, and the 
health and safety of its citizens depend upon the reliable and 
uninterrupted supply of fuels and electricity. Since the 
inception of DOE in 1977, the manner in which energy and power 
is generated, transmitted, and delivered continues to rapidly 
change and evolve. As advances in digital and information 
technologies continue to layer onto existing practices and 
energy infrastructures, new risks emerge, and vulnerabilities 
are exposed. Recent high-profile attempts by foreign actors to 
infiltrate our nation's energy systems and infrastructure 
further highlight the need for legislation aimed at mitigating 
these significant and growing threats to the reliable supply of 
energy in the United States.

DOE's Authorities for Cybersecurity, Energy Security, and Emergency 
        Response

    When DOE was organized in 1977, energy security concerns 
revolved around oil supply shortages. As a result, energy 
security emergency functions in the Department of Energy 
Organization Act focused on distributing and allocating fuels 
in an emergency. Over time, while DOE's organic statute 
remained largely unchanged, its responsibilities and 
authorities have evolved substantially beyond what was 
envisioned 40 years ago. Energy delivery systems have become 
increasingly interconnected and digitized, while society has 
become more dependent on energy in all its forms--expanding the 
opportunities for cybersecurity threats and other hazards that 
may require emergency response.
    Today, DOE's mission to advance the national, economic, and 
energy security of the United States requires it to act as the 
lead agency for the protection of electric power, oil, and 
natural gas infrastructure. DOE has authority and 
responsibilities for the physical and cybersecurity of energy 
delivery systems from laws that Congress has passed and 
Presidential directives. Congress has provided DOE with a wide 
range of emergency response and cybersecurity authorities 
affecting multiple segments of the energy sector, beginning 
with the Department of Energy Organization Act, and most 
recently with the Fixing America's Surface Transportation Act 
(FAST Act).
    The FAST Act, which was signed into law in 2015, designated 
DOE as the Sector-Specific Agency (SSA) for the energy sector 
and provided the Department with several new energy security 
authorities to respond to physical and cyberattacks to energy 
systems. Section 61003 of the FAST Act amended the Federal 
Power Act (FPA) to create a new section 215A entitled, 
``Critical Electric Infrastructure Security.'' This new section 
215A of the FPA provided definitions for the terms ``bulk power 
system'', ``critical electric infrastructure'', ``critical 
electric infrastructure information'', and ``grid security 
emergency''\1\ among other terms. Section 215A of the FPA 
states that when the President issues or provides to the 
Secretary of Energy a written directive or determination 
identifying a grid security emergency, the Secretary may, with 
or without notice, hearing, or report, issue orders for 
emergency measures to protect or restore the reliability of 
critical electric infrastructure or of defense critical 
electric infrastructure during an emergency.\2\ Section 215A 
also includes protections for the sharing of critical electric 
information.
---------------------------------------------------------------------------
    \1\See Section 215A of the Federal Power Act. The term ``grid 
security emergency'' means the occurrence or imminent danger of (A)(i) 
a malicious act using electronic communication or an electromagnetic 
pulse, or a geomagnetic storm event, that could disrupt the operation 
of those electronic devices or communications networks, including 
hardware, software, and data, that are essential to the reliability of 
critical electric infrastructure or of defense critical electric 
infrastructure; and (ii) disruption of the operation of such devices or 
networks, with significant adverse effects on the reliability of 
critical electric infrastructure or of defense critical electric 
infrastructure, as a result of such act or event; or (B)(i) a direct 
physical attack on critical electric infrastructure or on defense 
critical electric infrastructure; and (ii) significant adverse effects 
on the reliability of critical electric infrastructure or of defense 
critical electric infrastructure as a result of such physical attack.
    \2\Federal Power Act Sec. 215A, 16 U.S.C. Sec. Sec. 824o-1
---------------------------------------------------------------------------
    DOE's cybersecurity roles and responsibilities are also 
guided by the Federal government's operational framework, as 
provided by the Presidential Policy Directive 41 (PPD-41) 
issued in 2016 addressing ``United States Cyber Incident 
Coordination.'' A primary purpose of PPD-41 is to improve 
coordination across the Federal government by clarifying roles 
and responsibilities. Under the PPD-41 framework, DOE serves as 
the lead agency for the energy sector, coordinating closely 
with other agencies and the private sector to facilitate the 
response, recovery, and restoration of damaged energy 
infrastructure.
    On February 14, 2018, the Secretary established a new 
Office of Cybersecurity, Energy Security, and Emergency 
Response (CESER) at DOE. The CESER office focuses on energy 
infrastructure security, supporting the expanded national 
security responsibilities assigned to DOE. Currently, CESER is 
led by Acting Principal Deputy Assistant Secretary Puesh M. 
Kumar, who reports to the Under Secretary of Energy.

Physical Security and Cybersecurity of the Electric Grid

    With respect to its responsibilities for security of the 
electric power system, DOE works closely with electric sector 
owners and operators to detect and mitigate risks to critical 
electric infrastructure. DOE collaborates with the electric 
sector to develop technologies, tools, exercises, and other 
resources to assist the energy sector in evaluating and 
improving their security preparedness.\3\
---------------------------------------------------------------------------
    \3\Department of Energy, Energy Sector Cybersecurity Preparedness 
(https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-
infrastructure/energy-sector-cybersecurity).
---------------------------------------------------------------------------
    Along with DOE, the Federal Energy Regulatory Commission 
(FERC) has authority over the reliability of the electric grid. 
Congress, through the Energy Policy Act of 2005,\4\ provided 
FERC with the authority to approve mandatory cybersecurity 
standards proposed by the Electric Reliability Organization 
(ERO). The North American Electric Reliability Corporation 
(NERC) currently serves as the ERO. NERC proposes reliability 
standards for planning and operating the North American bulk 
power system. These critical infrastructure protection (CIP) 
reliability standards\5\ address physical security and 
cybersecurity of critical electric infrastructure.
---------------------------------------------------------------------------
    \4\Pub. L. No. 109-58 (2005).
    \5\See North American Electric Reliability Corporation, Standards 
(https://www.nerc.com/pa/Stand/Pages/default.aspx) for further 
information.
---------------------------------------------------------------------------
    Cooperation between the Federal government and electricity 
sector extends beyond mandatory and enforceable standards. The 
Electricity Subsector Coordinating Council (ESCC)\6\ serves as 
the principal liaison between the Federal government and the 
electric power sector in coordinating efforts to prepare for 
national-level incidents or threats to critical infrastructure. 
The Cybersecurity Risk Information Sharing Program (CRISP) is a 
public-private partnership, funded by DOE and industry. CRISP 
is managed by the Electricity Information Sharing and Analysis 
Center (E-ISAC)\7\ and facilitates the timely bi-directional 
sharing of unclassified and classified threat information with 
energy sector partners.\8\
---------------------------------------------------------------------------
    \6\See Electric Subsector Coordinating Council, Home Page (https://
www.nerc.com/pa/Stand/Pages/default.aspx) for further information.
    \7\See Electricity Information Sharing and Analysis Center, Home 
Page (https://www.eisac.com/) for further information.
    \8\Department of Energy Office of Cybersecurity, Energy Security, 
and Emergency Response, Cybersecurity (https://www.energy.gov/ceser/
cybersecurity).
---------------------------------------------------------------------------

Need for Legislation to Mitigate against Supply Chain Vulnerabilities

    H.R. 2928 would help mitigate against vulnerabilities to 
supply chains by testing the cybersecurity of products and 
technologies intended for use in the bulk-power system, as 
noted in the Committee's legislative record.
    In addition, the DOE Cyber Sense program established 
through H.R. 2928 would allow electric utilities and industry 
stakeholders to have greater awareness of the cybersecurity of 
products and technologies they utilize in the bulk-power 
system. Electric utilities and industry stakeholders can help 
mitigate against vulnerabilities to energy supply chains by 
making more informed decisions when choosing products and 
technologies.

                        III. COMMITTEE HEARINGS

    For the purposes of section 3(c) of rule XIII of the Rules 
of the House of Representatives, the following hearing was used 
to develop or consider H.R. 2928: The Subcommittee on Energy 
held a hearing on May 19, 2021, entitled ``The Fiscal Year 2022 
DOE Budget.'' The Subcommittee received testimony from the 
following witness:
           The Honorable Jennifer M. Granholm, 
        Secretary, Department of Energy

                      IV. COMMITTEE CONSIDERATION

    H.R. 2928, the ``Cyber Sense Act of 2021'', was introduced 
on April 30, 2021, by Representative Latta (R-OH) and one other 
original cosponsor and was referred to the Committee on Energy 
and Commerce. It was then referred to the Subcommittee on 
Energy on May 3, 2021. H.R. 2928 was discharged from the 
Subcommittee on Energy on June 9, 2021.
    The full Committee met in virtual open markup session, 
pursuant to notice, to consider H.R. 2928 and five other bills 
on June 10, 2021. No amendments were offered during 
consideration of H.R. 2928. Representative Pallone, Chairman of 
the committee, offered a motion to order H.R. 2928 reported 
favorably to the House, without amendment. The motion on final 
passage was agreed to by a voice vote, a quorum being present.

                           V. COMMITTEE VOTES

    Clause 3(b) of rule XIII requires the Committee to list the 
recorded votes on the motion to report legislation and 
amendments thereto. There were no recorded votes taken in 
connection with ordering H.R. 2928 reported.

                         VI. OVERSIGHT FINDINGS

    Pursuant to clause 3(c)(1) of rule XIII and clause 2(b)(1) 
of rule X of the Rules of the House of Representatives, the 
oversight findings and recommendations of the Committee are 
reflected in the descriptive portion of the report.

 VII. NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

    Pursuant to clause 3(c)(2) of rule XIII of the Rules of the 
House 
of Representatives, the Committee adopts as its own the 
estimate of new budget authority, entitlement authority, or tax 
expenditures or revenues contained in the cost estimate 
prepared by the Director of the Congressional Budget Office 
pursuant to section 402 of the Congressional Budget Act of 
1974.
    The Committee has requested but not received from the 
Director of the Congressional Budget Office a statement as to 
whether this bill contains any new budget authority, spending 
authority, credit authority, or an increase or decrease in 
revenues or tax expenditures.

                    VIII. FEDERAL MANDATES STATEMENT

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

       IX. STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    Pursuant to clause 3(c)(4) of rule XIII, the general 
performance goal or objective of this legislation is to require 
the Secretary of Energy to establish a voluntary Cyber Sense 
program to test the cybersecurity of products and technologies 
intended for use in the bulk-power system.

                   X. DUPLICATION OF FEDERAL PROGRAMS

    Pursuant to clause 3(c)(5) of rule XIII, no provision of 
H.R. 360 is known to be duplicative of another Federal program, 
including any program that was included in a report to Congress 
pursuant to section 21 of Public Law 111-139 or the most recent 
Catalog of Federal Domestic Assistance.

                      XI. COMMITTEE COST ESTIMATE

    Pursuant to clause 3(d)(1) of rule XIII, the Committee 
adopts as its own the cost estimate prepared by the Director of 
the Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974.

    XII. EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS

    Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the 
Committee finds that H.R. 2928 contains no earmarks, limited 
tax benefits, or limited tariff benefits.

                   XIII. ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                XIV. APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

           XV. SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

    This section provides that the Act may be cited as the 
``Cyber Sense Act of 2021''.

Sec. 2. Cyber Sense

            (a) In General
    Section 2(a) states that the Secretary, in coordination 
with relevant Federal agencies, shall establish a voluntary 
Department of Energy program to test the cybersecurity of 
products and technologies intended for use in the bulk-power 
system, as defined by section 215(a) of the Federal Power Act 
(16 U.S.C. 824o(a)).
            (b) Program Requirements
    Section 2(b) states that the Secretary, in carrying out 
subsection (a), shall: (1) establish a testing process under the 
Cyber Sense program to test the cybersecurity of products and 
technologies intended for use in the bulk-power system, 
including products relating to industrial control systems and 
operational technologies, such as supervisory control and data 
acquisition systems; (2) for products and technologies tested 
under the Cyber Sense program, establish and maintain 
cybersecurity vulnerability reporting processes and a related 
database; and (3) provide technical assistance to electric 
utilities, product manufacturers, and other electricity sector 
stakeholders to mitigate identified cybersecurity 
vulnerabilities.
    Under section 2(b)(4), the Secretary shall biennially review 
products and technologies under the Cyber Sense program for 
cybersecurity vulnerabilities and provide analysis with respect 
to how such products and technologies respond to and mitigate 
cyber threats. Under section 2(b)(5), the Secretary shall 
develop guidance, informed by analysis and testing results 
under the Cyber Sense program, for electric utilities regarding 
procurement of products and technologies. Under section 
2(b)(6), the Secretary shall provide reasonable notice to the 
public prior to establishing or revising the testing process 
under the Cyber Sense program.
    Under section 2(b)(7), the Secretary shall oversee the 
testing of products and technologies under the Cyber Sense 
program, and under section 2(b)(8) the Secretary shall consider 
incentives to encourage the use of analysis and results of 
testing under the Cyber Sense program in the design of products 
and technologies for use in the bulk-power system.
            (c) Disclosure of Information
    Under section 2(c), any cybersecurity vulnerability reported 
pursuant to a process established under subsection (b)(2), the 
disclosure of which the Secretary of Energy reasonably foresees 
would cause harm to critical electric infrastructure (as 
defined in section 215A of the Federal Power Act), shall be 
deemed to be critical electric infrastructure information for 
purposes of section 215A(d) of the Federal Power Act.
            (d) Federal Government Liability
    Section 2(d) states nothing in section 2 shall be construed 
to authorize the commencement of an action against the United 
States government with respect to the testing of a product or 
technology under the Cyber Sense program.

       XVI. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    This legislation does not amend any existing Federal 
statute.
