Last month Rep McMorris-Rogers (R,WA) introduce HR 9234, the Critical Electric Infrastructure Cybersecurity Incident Reporting Act. The bill amends 16 USC 824o-1, Critical electric infrastructure security, adding a requirement for DOE to establish cybersecurity incident reporting regulations for Critical Electric Infrastructure (CEI). No funding is authorized by this legislation.

Moving Forward

Both McMorris-Rodgers and her sole cosponsor {Rep Upton (R,MI)}, are members of the House Energy and Commerce Subcommittee to which this bill was assigned for consideration. This means that there could be sufficient influence to see the bill considered in Committee. The sole problem that this bill faces is that there is already-passed legislation {the Cyber Incident Reporting for Critical Infrastructure Act of 2022, Division Y of the Consolidated Appropriations Act, 2022 (PL 117-103)} making CISA the recipient of cybersecurity incident reports with a 48 hour time limit and the regulation development is already progressing on that statute. A great deal of effort went into making that legislation pass and Congress is unlikely to upset that legislative cart before the regulation is crafted.

And of course, there is too little time left in the session for such a controversial bill to make its way through the legislative process in any case.

Commentary

The crafters of the CISA CIRCIA rule foresaw potential conflicts in agency reporting requirements and established processes codified under 6 USC 681g to avoid problems under conflicting reporting requirements. This bill should have taken notice of those requirements by mandating DOE coordination of reporting requirements under that section. For instance the authors of this bill could have added a paragraph (4) to the new subsection (e):

“(4) Within 180 days of the passage of the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, the Secretary will coordinate with the Director of the Cybersecurity and Infrastructure Security Agency to establish policies, processes, procedures, and mechanisms to ensure reports are shared with the Agency pursuant to 6 USC 681g(1).”

 

For more details about the provisions of this legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9234-introduced - subscription required -