
H.R. 1148: Critical Electric Infrastructure Cybersecurity Incident Reporting Act


The text of the bill below is as of Feb 21, 2023 (Introduced).


I

118th CONGRESS

1st Session

H. R. 1148

IN THE HOUSE OF REPRESENTATIVES

February 21, 2023

introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To direct the Secretary of Energy to promulgate regulations to facilitate the timely submission of notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure, and for other purposes.

1.

Short title

This Act may be cited as the "Critical Electric Infrastructure Cybersecurity Incident Reporting Act".

2.

Cybersecurity incident reporting for critical electric infrastructure

Section 215A of the Federal Power Act (16 U.S.C. 824o–1) is amended—

(1)

in subsection (a)—

(A)

by amending paragraph (1) to read as follows:

(1)

Bulk-power system; cybersecurity incident; electric reliability organization; regional entity

The terms "bulk-power system", "cybersecurity incident", "Electric Reliability Organization", and "regional entity" have the meanings given such terms in paragraphs (1), (8), (2), and (7) of section 215(a), respectively.

; and

(B)

in paragraph (7)(A)(i), by inserting ", including a cybersecurity incident," after "a malicious act";

(2)

by redesignating subsections (e) and (f) as subsections (f) and (g), respectively; and

(3)

by inserting after subsection (d) the following:

(e)

Cybersecurity incident reporting

(1)

Designation

The Department of Energy shall be a designated agency within the Federal Government to receive notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from other Federal agencies and owners, operators, and users of critical electric infrastructure.

(2)

Regulations

(A)

In general

Not later than 240 days after the date of enactment of the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, the Secretary shall promulgate regulations to facilitate the submission of timely, secure, and confidential notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from Federal agencies and owners, operators, and users of critical electric infrastructure.

(B)

Inclusions

The regulations promulgated under subparagraph (A) shall—

(i)

detail what constitutes a potential cybersecurity incident for purposes of this subsection; and

(ii)

require a Federal agency or an owner, operator, or user of critical electric infrastructure that discovers a cybersecurity incident or a potential cybersecurity incident with respect to critical electric infrastructure to submit to the Secretary, not later than 24 hours after discovery of such cybersecurity incident or potential cybersecurity incident, notification regarding such cybersecurity incident or potential cybersecurity incident.

(3)

Annual reports

Not later than one year after the date of enactment of the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, and annually thereafter, the Secretary shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Energy and Natural Resources of the Senate a report, in classified form if necessary, on the number of notifications received pursuant to this subsection, and a description of the actions taken by the Department of Energy regarding such notifications, during the 1-year period preceding the report.

.