Yesterday the Senate began consideration of S 2012,
the Energy Policy Modernization Act of 2015. Somehow I missed this bill
when it was introduced back in September, but it is very similar to HR
8 that was passed
by the House last month. The bill does contain cybersecurity related provisions,
but certainly not all of those included in the House bill.
Critical Electric
Infrastructure Information
Like the House bill, §2001
amends the Federal Power Act to include specific authority to designate
Critical Electric Infrastructure Information (CEII). As I explained in an
earlier post, while a CEII program does currently exist it is not specifically
authorized by statute. This will become important when the National Archives
and Records Administration finally
publishes its final rule on Controlled
Unclassified Information (CUI). Being authorized by statute would allow the
DOE Secretary more latitude on the way CUI is controlled.
There are several provisions of the HR 8 CUI section that
are not included in S 2012. They include provisions associated with:
• Submission of information to
congress;
• Disclosure of protected
information;
• Duration of designation;
• Removal of designation; and
• Judicial review of designations
The lack of coverage of these items in the bill simply means
that the NARA regulations would govern these areas, not the DOE regulations.
Enhanced Grid
Security
Section 2002 of the bill establishes a number of cybersecurity
programs, some of which already exist in fact, if not in law. Each of the
programs include authorized funding. They include:
• Cybersecurity sector specific
agency designation;
• Cybersecurity for the energy
sector research, development, and demonstration program;
• Energy sector component testing for
cyberresilience program;
• Energy sector operational support
for cyberresilience program;
• Modeling and assessing energy
infrastructure risk;
• Study on expanding industry
membership and participation in ES–ISAC
The component testing program is somewhat similar to the Cyber
Sense program include in §1106
of HR 8. The Senate version is not nearly as comprehensive or detailed. The
Senate program does include $15 Million in annual funding where the Cyber Sense
program included no funding, relying entirely on 3rd party testing
and certification.
Moving Forward
Consideration of the bill continues today and there is not
currently a schedule for a final vote. Sen. Murkowski (R,AK) is working hard to
keep the amendment process limited to energy matters so that the bill does not
get saddled with any of the controversial riders that have earned HR 8 a
Presidential veto threat.
It is very likely that this bill will pass in the Senate.
The House will then have to decide whether or not to accept the Senate bill or
insist on the language of HR 8. If the latter occurs there would probably be a
conference committee formed to work out the differences in the two bills.
Posts
No comments:
Post a Comment