Yesterday the Senate began consideration of S 2012, the Energy Policy Modernization Act of 2015. Somehow I missed this bill when it was introduced back in September, but it is very similar to HR 8 that was passed by the House last month. The bill does contain cybersecurity related provisions, but certainly not all of those included in the House bill.
Critical Electric Infrastructure Information
Like the House bill, §2001 amends the Federal Power Act to include specific authority to designate Critical Electric Infrastructure Information (CEII). As I explained in an earlier post, while a CEII program does currently exist it is not specifically authorized by statute. This will become important when the National Archives and Records Administration finally publishes its final rule on Controlled Unclassified Information (CUI). Being authorized by statute would allow the DOE Secretary more latitude on the way CUI is controlled.
There are several provisions of the HR 8 CUI section that are not included in S 2012. They include provisions associated with:
• Submission of information to congress;
• Disclosure of protected information;
• Duration of designation;
• Removal of designation; and
• Judicial review of designations
The lack of coverage of these items in the bill simply means that the NARA regulations would govern these areas, not the DOE regulations.
Enhanced Grid Security
Section 2002 of the bill establishes a number of cybersecurity programs, some of which already exist in fact, if not in law. Each of the programs include authorized funding. They include:
• Cybersecurity sector specific agency designation;
• Cybersecurity for the energy sector research, development, and demonstration program;
• Energy sector component testing for cyberresilience program;
• Energy sector operational support for cyberresilience program;
• Modeling and assessing energy infrastructure risk;
• Study on expanding industry membership and participation in ES–ISAC
The component testing program is somewhat similar to the Cyber Sense program include in §1106 of HR 8. The Senate version is not nearly as comprehensive or detailed. The Senate program does include $15 Million in annual funding where the Cyber Sense program included no funding, relying entirely on 3rd party testing and certification.
Consideration of the bill continues today and there is not currently a schedule for a final vote. Sen. Murkowski (R,AK) is working hard to keep the amendment process limited to energy matters so that the bill does not get saddled with any of the controversial riders that have earned HR 8 a Presidential veto threat.
It is very likely that this bill will pass in the Senate. The House will then have to decide whether or not to accept the Senate bill or insist on the language of HR 8. If the latter occurs there would probably be a conference committee formed to work out the differences in the two bills.