Earlier this month Rep McNerney (D,CA) introduced HR 5240,
the Enhancing Grid Security through Public-Private Partnerships Act. The bill
would require the Department of Energy (DOE) to establish a voluntary security
program for electric utilities and provide a report to Congress on
cybersecurity of electricity distribution systems.
Voluntary Security Program
Section 2 of the bill would require DOE to establish a
program that would {§2(a)}:
• Develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
• Provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;
• Increase opportunities for sharing best practices and data collection within the electric sector;
• Assist with cybersecurity training for electric utilities;
• Advance the cybersecurity of third-party vendors that work in partnerships with electric utilities; and
• Provide technical assistance for electric utilities subject to the program.
Distribution System Cybersecurity Report
Section 3 of the bill would require DOE to prepare a report
to Congress that would assess {§3(a)}:
• Priorities, policies, procedures, and actions for enhancing the physical security and cybersecurity of electricity distribution systems to address threats to, and vulnerabilities of, such electricity distribution systems; and
• Implementation of such priorities, policies, procedures, and actions, including an estimate of potential costs and benefits of such implementation, including any public-private cost-sharing opportunities.
Moving Forward
Both McNerney and his sole co-sponsor, Rep Latta (R,OH), are senior
members of the House Energy and Commerce Committee, to which this bill was assigned for
consideration. They would certainly seem to have the influence necessary to see
this bill considered in Committee.
There is nothing in the bill that would draw specific
opposition and it would appear that there would be broad bipartisan support for
the bill both within Committee and on the floor of the House should it reach
that body.
Commentary
This is another motherhood and apple pie bill that is a
perfect example of form over function. No monies are authorized for the
programs, there is no deadline for the report to Congress, and there is not
even a snazzy name for the voluntary program. This is simply a congressional
'look at us, we are doing something' bill.
Normally, I would suspect that bills of this sort would have
been crafted by Committee staff, given that there is bipartisan sponsorship by
two different Committee members. I do not think that this is the case with this
bill. Both §2 and §3 contain language providing
protection from disclosure for information provided to DOE by utilities in
developing the voluntary program and the report to Congress. While this is
certainly necessary when considering any security programs, the wording is
incomplete. I would have expected Committee staff, who should be experts
in DOE programs, to have referred to the Critical Energy Infrastructure
Information (CEII) program used by FERC, to provide more comprehensive
information protection and to limit that protection to only security related
matters.