H. Rept. 115-794 - CYBER SENSE ACT OF 2018115th Congress (2017-2018)
Committee Report
Hide OverviewReport Type: | House Report |
---|---|
Accompanies: | H.R.5239 |
Committees: |
|
Report text available as:
- TXT
- PDF (PDF provides a complete and accurate display of this text.) Tip ?
115th Congress } { Report HOUSE OF REPRESENTATIVES 2d Session } { 115-794 ====================================================================== CYBER SENSE ACT OF 2018 _______ June 28, 2018.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Walden, from the Committee on Energy and Commerce, submitted the following R E P O R T [To accompany H.R. 5239] [Including cost estimate of the Congressional Budget Office] The Committee on Energy and Commerce, to whom was referred the bill (H.R. 5239) to require the Secretary of Energy to establish a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk- power system, and for other purposes, having considered the same, report favorably thereon with amendments and recommend that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 2 Background and Need for Legislation.............................. 3 Committee Action................................................. 6 Committee Votes.................................................. 6 Oversight Findings and Recommendations........................... 7 New Budget Authority, Entitlement Authority, and Tax Expenditures 7 Congressional Budget Office Estimate............................. 7 Federal Mandates Statement....................................... 8 Statement of General Performance Goals and Objectives............ 9 Duplication of Federal Programs.................................. 9 Committee Cost Estimate.......................................... 9 Earmark, Limited Tax Benefits, and Limited Tariff Benefits....... 9 Disclosure of Directed Rule Makings.............................. 9 Advisory Committee Statement..................................... 9 Applicability to Legislative Branch.............................. 9 Section-by-Section Analysis of the Legislation................... 9 Changes in Existing Law Made by the Bill, as Reported............ 10 The amendments are as follows: Strike all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Cyber Sense Act of 2018''. SEC. 2. CYBER SENSE. (a) In General.--The Secretary of Energy shall establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, as defined in section 215(a) of the Federal Power Act (16 U.S.C. 824o(a)). (b) Program Requirements.--In carrying out subsection (a), the Secretary of Energy shall-- (1) establish a testing process under the Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems; (2) for products and technologies tested under the Cyber Sense program, establish and maintain cybersecurity vulnerability reporting processes and a related database; (3) provide technical assistance to electric utilities, product manufacturers, and other electricity sector stakeholders to develop solutions to mitigate identified cybersecurity vulnerabilities in products and technologies tested under the Cyber Sense program; (4) biennially review products and technologies tested under the Cyber Sense program for cybersecurity vulnerabilities and provide analysis with respect to how such products and technologies respond to and mitigate cyber threats; (5) develop guidance, that is informed by analysis and testing results under the Cyber Sense program, for electric utilities for procurement of products and technologies; (6) provide reasonable notice to the public, and solicit comments from the public, prior to establishing or revising the testing process under the Cyber Sense program; (7) oversee testing of products and technologies under the Cyber Sense program; and (8) consider incentives to encourage the use of analysis and results of testing under the Cyber Sense program in the design of products and technologies for use in the bulk-power system. (c) Disclosure of Information.--Any cybersecurity vulnerability reported pursuant to a process established under subsection (b)(2), the disclosure of which the Secretary of Energy reasonably foresees would cause harm to critical electric infrastructure (as defined in section 215A of the Federal Power Act), shall be deemed to be critical electric infrastructure information for purposes of section 215A(d) of the Federal Power Act. (d) Federal Government Liability.--Nothing in this section shall be construed to authorize the commencement of an action against the United States Government with respect to the testing of a product or technology under the Cyber Sense program. Amend the title so as to read: A bill to require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes. PURPOSE AND SUMMARY H.R. 5239, Cyber Sense Act of 2018, was introduced by Rep. Robert Latta (R-OH) and Rep. Jerry McNerney (D-CA) on March 9, 2018. H.R. 5239 would establish a voluntary Department of Energy (DOE) program that tests the cybersecurity of products and technologies intended for use in the bulk-power system, including products related to industrial control systems. The legislation instructs DOE to provide technical assistance to electric utilities, product manufacturers, and other electricity sector stakeholders to help mitigate cybersecurity vulnerabilities. In addition, the bill requires the Secretary of Energy to establish cybersecurity vulnerability reporting processes and maintain a related database. H.R. 5239 requires the Secretary to review biennially products and technologies tested under the Cyber Sense program for cybersecurity vulnerabilities and provide analysis on how such products and technologies respond to and mitigate cyber threats. The legislation instructs the Secretary to develop guidance for electric utilities regarding procurement of products and technologies. The Secretary will utilize analysis and testing results under the Cyber Sense program in developing this guidance. H.R. 5239 directs the Secretary to provide reasonable notice and solicit comments from the public prior to establishing or revising the Cyber Sense testing process. The legislation provides that any cybersecurity vulnerability reported pursuant to this program, the disclosure of which the Secretary of Energy reasonably foresees would cause harm to critical electric infrastructure, shall be deemed ``critical electric infrastructure information'' as defined by section 215A(d) of the Federal Power Act. The legislation also includes Federal government liability protections by noting that nothing shall be construed to authorize the commencement of an action against the United States government with respect to the testing of a product or technology under the Cyber Sense program. BACKGROUND AND NEED FOR LEGISLATION The United States' energy infrastructure is comprised of a vast network of energy and electricity systems that deliver uninterrupted electricity from producers to consumers. These intricate and highly interdependent systems enable every aspect of our daily lives. Our nation's economy, security, and the health and safety of its citizens depend upon the reliable and uninterrupted supply of fuels and electricity. Since the inception of the Department of Energy in 1977, the manner in which energy and power is generated, transmitted, and delivered continues to rapidly change and evolve. As advances in digital and information technologies continue to layer onto existing practices and energy infrastructures, new risks emerge, and vulnerabilities are exposed. Recent high-profile attempts by foreign actors to infiltrate our nation's energy systems and infrastructure further highlight the need for legislation aimed at mitigating these significant and growing threats to the reliable supply of energy in the United States. The Department of Energy's Authorities for Cybersecurity, Energy Security, and Emergency Response When the Department of Energy was organized in 1977, energy security concerns revolved around oil supply shortages. As a result, energy security emergency functions in the Department of Energy Organization Act focused on distributing and allocating fuels in an emergency. Over time, while DOE's organic statute remained largely unchanged, its responsibilities and authorities have evolved substantially beyond what was envisioned forty years ago. Energy delivery systems have become increasingly interconnected and digitized, while society has become more dependent on energy in all its forms--expanding the opportunities for cybersecurity threats and other hazards that may require emergency response. Today, DOE's mission to advance the national, economic, and energy security of the United States requires it to act as the lead agency for the protection of electric power, oil, and natural gas infrastructure. DOE has authority and responsibilities for the physical and cybersecurity of energy delivery systems from laws that Congress has passed and Presidential directives. Congress has provided DOE with a wide range of emergency response and cybersecurity authorities affecting multiple segments of the energy sector, beginning with the Department of Energy Organization Act, and most recently with the Fixing America's Surface Transportation Act (FAST Act). The FAST Act, which was signed into law in 2015, designated DOE as the Sector-Specific Agency (SSA) for the energy sector and provided the Department with several new energy security authorities to respond to physical and cyberattacks to energy systems. Section 61003 of the FAST Act amended section 215 of the Federal Power Act (FPA) and created a new section 215A entitled ``Critical Electric Infrastructure Security.'' This new section 215A of the FPA provided definitions for the terms ``bulk power system,'' ``critical electric infrastructure,'' ``critical electric infrastructure information,'' and ``grid security emergency,''\1\ among other terms. Section 215 of the FPA states that when the President issues or provides to the Secretary of Energy a written directive or determination identifying a grid security emergency, the Secretary may, with or without notice, hearing, or report, issue orders for emergency measures to protect or restore the reliability of critical electric infrastructure or of defense critical electric infrastructure during an emergency.\2\ Section 215A also includes protections for the sharing of critical electric information. --------------------------------------------------------------------------- \1\See Section 215A of the Federal Power Act, the term ``Grid Security Emergency'' means the occurrence or imminent danger of (A)(i) a malicious act using electronic communication or an electromagnetic pulse, or a geomagnetic storm event, that could disrupt the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of critical electric infrastructure or of defense critical electric infrastructure; and (ii) disruption of the operation of such devices or networks, with significant adverse effects on the reliability of critical electric infrastructure or of defense critical electric infrastructure, as a result of such act or event; or (B)(i) a direct physical attack on critical electric infrastructure or on defense critical electric infrastructure; and (ii) significant adverse effects on the reliability of critical electric infrastructure or of defense critical electric infrastructure as a result of such physical attack. \2\Federal Power Act Sec. 215A, 16 U.S.C. Sec. Sec. 824o-1. --------------------------------------------------------------------------- DOE's cybersecurity roles and responsibilities are also guided by the Federal government's operational framework, as provided by the Presidential Policy Directive 41 (PPD-41) issued in 2016 addressing ``United States Cyber Incident Coordination.'' A primary purpose of PPD-41 is to improve coordination across the Federal government by clarifying roles and responsibilities. Under the PPD-41 framework, DOE serves as the lead agency for the energy sector, coordinating closely with other agencies and the private sector to facilitate the response, recovery, and restoration of damaged energy infrastructure. On February 14, 2018, the Energy Secretary established a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at DOE. The CESER office will be led by an Assistant Secretary that will focus on energy infrastructure security, support the expanded national security responsibilities assigned to DOE, and report to the Under Secretary of Energy.\3\ --------------------------------------------------------------------------- \3\See Press Release, U.S. Department of Energy, ``Secretary of Energy Rick Perry Forms New Office of Cybersecurity, Energy Security, and Emergency Response.'' (Feb. 14, 2018), https://www.energy.gov/ articles/secretary-energy-rick-perry-forms-new-office-cybersecurity- energy-security-and-emergency. --------------------------------------------------------------------------- Physical Security and Cybersecurity of the Electric Grid With respect to its responsibilities for security of the electric power system, DOE works closely with electric sector owners and operators to detect and mitigate risks to critical electric infrastructure. DOE collaborates with the electric sector to develop technologies, tools, exercises, and other resources to assist the energy sector in evaluating and improving their security preparedness.\4\ --------------------------------------------------------------------------- \4\Department of Energy. Energy Sector Cybersecurity Preparedness. --------------------------------------------------------------------------- Along with DOE, the Federal Energy Regulatory Commission (FERC) has authority over the reliability of the electric grid. Congress, through the Energy Policy Act of 2005,\5\ provided FERC with the authority to approve mandatory cybersecurity standards proposed by the Electric Reliability Organization (ERO). The North American Electric Reliability Corporation (NERC) currently serves as the ERO. NERC proposes reliability standards for planning and operating the North American bulk power system. These critical infrastructure protection (CIP) reliability standards\6\ address physical security and cybersecurity of critical electric infrastructure. --------------------------------------------------------------------------- \5\P.L. 109-58. \6\See North American Electric Reliability Corporation for further information. --------------------------------------------------------------------------- Cooperation between the Federal government and electricity sector extends beyond mandatory and enforceable standards. The Electricity Subsector Coordinating Council (ESCC)\7\ serves as the principal liaison between the Federal government and the electric power sector in coordinating efforts to prepare for national-level incidents or threats to critical infrastructure. The Cybersecurity Risk Information Sharing Program (CRISP) is a public-private partnership, funded by DOE and industry. CRISP is managed by the Electricity Information Sharing and Analysis Center (E-ISAC)\8\ and facilitates the timely bi-directional sharing of unclassified and classified threat information with energy sector partners.\9\ --------------------------------------------------------------------------- \7\See Electric Subsector Coordinating Council for further information. \8\See Electricity Information Sharing and Analysis Center for further information. \9\Department of Energy. Cybersecurity for Critical Energy Infrastructure. --------------------------------------------------------------------------- Need for Legislation to Mitigate against Supply Chain Vulnerabilities The Committee finds that H.R. 5239 would help mitigate against vulnerabilities to supply chains by testing the cybersecurity of products and technologies intended for use in the bulk-power system, as noted in the Committee's legislative record. According to the testimony of Undersecretary Mark Menezes, ``[s]ecuring the electric sector supply chain is critical to the security and resilience of the electric grid. Products must be tested for known vulnerabilities in order to assess risk and develop mitigations.''\10\ --------------------------------------------------------------------------- \10\See Written Testimony of Under Secretary Mark Menezes, U.S. Department of Energy, Before the Subcommittee on Energy, Committee on Energy and Commerce, March 14, 2018. --------------------------------------------------------------------------- The testimony of Kyle Pistor, Vice President of Government Relations for the National Electrical Manufacturers Association (NEMA) was supportive of the bill and discussed the need and importance of securing energy supply chains to better protect the nation's electric grid. Mr. Pistor noted, ``[s]upply chain disruption and compromise are major concerns for the electric utility industry, and both electric utilities and manufacturers.''\11\ Mr. Pistor also stated, ``[m]ember manufacturers support voluntary cybersecurity evaluation of products used in the transmission, distribution, storage, and end-use of electricity. Not doing so could permit unsecure equipment to be installed, potentially compromising the electric system.''\12\ Mr. Pistor provided several recommendations regarding the collaboration and participation of manufacturers involved with the Cyber Sense program. --------------------------------------------------------------------------- \11\See Written Testimony of Mr. Kyle Pistor, Vice President, Government Relations for the National Electrical Manufacturers Association, Before the Subcommittee on Energy, Committee on Energy and Commerce, March 14, 2018. \12\See Written Testimony of Mr. Kyle Pistor, Vice President, Government Relations for the National Electrical Manufacturers Association, Before the Subcommittee on Energy, Committee on Energy and Commerce, March 14, 2018. --------------------------------------------------------------------------- The Committee finds that the DOE Cyber Sense program established through H.R. 5239 would allow electric utilities and industry stakeholders to have greater awareness of the cybersecurity of products and technologies they utilize in the bulk-power system. Electric utilities and industry stakeholders can help mitigate against vulnerabilities to energy supply chains by making more informed decisions when choosing products and technologies. COMMITTEE ACTION On March 14, 2018, the Subcommittee on Energy held a legislative hearing on H.R. 5239 entitled ``DOE Modernization: Legislation Addressing Cybersecurity and Emergency Response.'' The Subcommittee received testimony from: Mark Menezes, Under Secretary of Energy, U.S. Department of Energy; Scott Aaronson, Vice President, Security and Preparedness, Edison Electric Institute; Mark Engels, Senior Enterprise Security Advisor, Dominion Energy; Tristan Vance, Director, Office of Energy Development, State of Indiana; Zachary Tudor, Associate Laboratory Director for National and Homeland Security, Idaho National Laboratory; and, Kyle Pistor, Vice President of Government Relations, National Electrical Manufactures Association. On April 18, 2018, the Subcommittee on Energy met in open markup session and forwarded H.R. 5239, as amended, to the full Committee by a voice vote. On May 9, 2018, the full Committee on Energy and Commerce met in open markup session and ordered H.R. 5239, as amended, favorably reported to the House by a voice vote. COMMITTEE VOTES Clause 3(b) of rule XIII requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. There were no recorded votes taken in connection with ordering H.R. 5239 reported. OVERSIGHT FINDINGS AND RECOMMENDATIONS Pursuant to clause 2(b)(1) of rule X and clause 3(c)(1) of rule XIII, the Committee has held a hearing and made findings that are reflected in this report. NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES Pursuant to clause 3(c)(2) of rule XIII, the Committee finds that H.R. 5239 would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. CONGRESSIONAL BUDGET OFFICE ESTIMATE Pursuant to clause 3(c)(3) of rule XIII, the following is the cost estimate provided by the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974: U.S. Congress, Congressional Budget Office, Washington, DC, May 18, 2018. Hon. Greg Walden, Chairman, Committee on Energy and Commerce, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 5239, the Cyber Sense Act of 2018. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Megan Carroll. Sincerely. Mark P. Hadley (For Keith Hall, Director). Enclosure. H.R. 5239--Cyber Sense Act of 2018 Summary: H.R. 5239 would direct the Department of Energy (DOE) to establish a program to identify and promote products and technologies to mitigate the threat of cyber-related disruptions to the bulk power system. (The bulk power system comprises facilities and control systems necessary for operating an interconnected network for transmitting electric energy and facilities that generate electricity necessary to maintain the reliability of that network.) CBO estimates that implementing H.R. 5239 would cost $56 million over the 2019-2023 period, assuming appropriation of the necessary amounts. Enacting the bill would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 5239 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029. H.R. 5239 would impose an intergovernmental mandate, as defined in the Unfunded Mandates Reform Act (UMRA), on state, local, and tribal governments, but CBO estimates that it would impose no duty on those governments that would result in additional spending or a loss of revenues. H.R. 5239 contains no private-sector mandates as defined in UMRA. Estimated cost to the Federal Government: The estimated budgetary effect of H.R. 5239 is shown in the following table. The costs of the legislation fall primarily within budget function 270 (energy). ---------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- ---------------------------------------------------------- 2018 2019 2020 2021 2022 2023 2019-2023 ---------------------------------------------------------------------------------------------------------------- INCREASES IN SPENDING SUBJECT TO APPROPRIATION Estimated Authorization Level........................ 0 15 15 16 16 16 78 Estimated Outlays.................................... 0 3 9 12 16 16 56 ---------------------------------------------------------------------------------------------------------------- Basis of estimate: H.R. 5239 would direct DOE to establish a voluntary program for testing the cybersecurity of products and technologies intended for use in the bulk power system. The bill would specify requirements for that program and direct the agency to provide guidance and technical assistance, using information and analysis from the proposed testing program, to stakeholders of the electricity sector to help mitigate cybersecurity vulnerabilities. Using information from DOE, CBO estimates that implementing H.R. 5239 would cost $56 million over the 2019-2023 period. That estimate is based on the Administration's cost estimates for activities that DOE has proposed to carry out that are similar to those in the bill, and it reflects historical spending patterns for activities administered by DOE's Office of Electricity. Pay-As-You-Go considerations: None. Increase in long-term direct spending and deficits: CBO estimates that enacting H.R. 5239 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029. Mandates: H.R. 5239 would impose an intergovernmental mandate, as defined in UMRA, on state, local, and tribal governments. The bill would preempt state and local laws that could otherwise cause governmental agencies participating in the proposed program to disclose information about their activities, such as the sharing of cybersecurity information. Although the preemption would limit the application of state and local laws, CBO estimates that it would impose no duty on state or local governments that would result in additional spending or a loss of revenue. H.R. 5239 contains no private-sector mandates as defined in UMRA. Estimate prepared by: Federal costs: Megan Carroll; Mandates: Jon Sperl. Estimate reviewed by: Kim P. Cawley, Chief, Natural and Physical Resources Cost Estimates Units; Susan Willie, Chief, Mandates Unit; H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis. FEDERAL MANDATES STATEMENT The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES Pursuant to clause 3(c)(4) of rule XIII, the general performance goal or objective of this legislation is to require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system. DUPLICATION OF FEDERAL PROGRAMS Pursuant to clause 3(c)(5) of rule XIII, no provision of H.R. 5239 is known to be duplicative of another Federal program, including any program that was included in a report to Congress pursuant to section 21 of Public Law 111-139 or the most recent Catalog of Federal Domestic Assistance. COMMITTEE COST ESTIMATE Pursuant to clause 3(d)(1) of rule XIII, the Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. EARMARK, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the Committee finds that H.R. 5239 contains no earmarks, limited tax benefits, or limited tariff benefits. DISCLOSURE OF DIRECTED RULE MAKINGS Pursuant to section 3(i) of H. Res. 5, the Committee finds that H.R. 5239 contains no directed rule makings. ADVISORY COMMITTEE STATEMENT No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. APPLICABILITY TO LEGISLATIVE BRANCH The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION Section 1. Short title This section provides the short title of ``Cyber Sense Act of 2018.'' Section 2. Cyber Sense Section 2(a) states that the Secretary shall establish a voluntary Department of Energy (DOE) program to test the cybersecurity of products and technologies intended for use in the bulk-power system, as defined by section 215(a) of the Federal Power Act (16 U.S.C. 824o(a)). Section 2(b) states that the Secretary of Energy, in carrying out subsection (a), shall (1) establish a testing process under the Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems; (2) for products and technologies tested under the Cyber Sense program, establish and maintain cybersecurity vulnerability reporting processes and a related database; (3) provide technical assistance to electric utilities, product manufacturers, and other electricity sector stakeholders to mitigate identified cybersecurity vulnerabilities. Under section 2(b)(4), the Secretary shall biennially review products and technologies under the Cyber Sense program for cybersecurity vulnerabilities and provide analysis with respect to how such products and technologies respond to and mitigate cyber threats. Pursuant to paragraph (5), the Secretary shall develop guidance for electric utilities for procurement of products and technologies. The guidance shall be informed by analysis and testing results under the Cyber Sense program. For paragraph (6), the Secretary shall provide reasonable notice to the public, prior to establishing or revising the testing process under the Cyber Sense program. For section 2(b)(7), the Secretary shall oversee the testing of products and technologies under the Cyber Sense program; and (8) consider incentives to encourage the use of analysis and results of testing under the Cyber Sense program in the design of products and technologies for use in the bulk- power system. Under section 2(c), any cybersecurity vulnerability reported pursuant to a process established under subsection (b)(2), the disclosure of which the Secretary of Energy reasonably foresees would cause harm to critical electric infrastructure (as defined in section 215A) of the Federal Power Act, shall be deemed to be critical electric infrastructure information for purposes of section 215A(d) of the Federal Power Act. Section 2(d) states nothing in section 2 shall be construed to authorize the commencement of an action against the United States government with respect to the testing of a product or technology under the Cyber Sense program. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED This legislation does not amend any existing Federal statute. [all]