117th CONGRESS 1st Session |
To require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes.
June 23, 2021
Ms. Rosen (for herself, Mr. Hoeven, Mr. King, Mr. Risch, and Mr. Tillis) introduced the following bill; which was read twice and referred to the Committee on Energy and Natural Resources
To require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
This Act may be cited as the “Cyber Sense Act of 2020”.
(a) Definitions.—In this section:
(1) BULK-POWER SYSTEM.—The term “bulk-power system” has the meaning given the term in section 215(a) of the Federal Power Act (16 U.S.C. 824o(a)).
(2) CRITICAL ELECTRIC INFRASTRUCTURE.—The term “critical electric infrastructure” has the meaning given the term in section 215A(a) of the Federal Power Act (16 U.S.C. 824o–1(a)).
(3) PROGRAM.—The term “program” means the voluntary Cyber Sense program established under subsection (b).
(4) SECRETARY.—The term “Secretary” means the Secretary of Energy.
(b) Establishment.—The Secretary, in coordination with the heads of other relevant Federal agencies, shall establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system.
(c) Program requirements.—In carrying out subsection (b), the Secretary shall—
(1) establish a testing process under the program to test the cybersecurity of products and technologies intended for use in the bulk-power system, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems;
(2) for products and technologies tested under the program, establish and maintain cybersecurity vulnerability reporting processes and a related database;
(3) provide technical assistance to electric utilities, product manufacturers, and other electricity sector stakeholders to develop solutions to mitigate identified cybersecurity vulnerabilities in products and technologies tested under the program;
(4) biennially review products and technologies tested under the program for cybersecurity vulnerabilities and provide analysis with respect to how those products and technologies respond to and mitigate cyber threats;
(5) develop guidance that is informed by analysis and testing results under the program for electric utilities for the procurement of products and technologies;
(6) provide reasonable notice to, and solicit comments from, the public prior to establishing or revising the testing process under the program;
(7) oversee the testing of products and technologies under the program; and
(8) consider incentives to encourage the use of analysis and results of testing under the program in the design of products and technologies for use in the bulk-power system.
(d) Disclosure of information.—Any cybersecurity vulnerability reported pursuant to a process established under subsection (c)(2), the disclosure of which the Secretary reasonably foresees would cause harm to critical electric infrastructure, shall be considered to be critical electric infrastructure information for purposes of section 215A(d) of the Federal Power Act (16 U.S.C. 824o–1(d)).
(e) Federal government liability.—Nothing in this section authorizes the commencement of an action against the United States with respect to the testing of a product or technology under the program.