Referenced Laws
16 U.S.C. 824o–1
Section 1
1. Short title

This Act may be cited as the Critical Electric Infrastructure Cybersecurity Incident Reporting Act.
Section 2
2. Cybersecurity incident reporting for critical electric infrastructure

Section 215A of the Federal Power Act (16 U.S.C. 824o–1) is amended—

in subsection (a)—

by amending paragraph (1) to read as follows:

"(1) Bulk-power system; cybersecurity incident; electric reliability organization; regional entity. The terms bulk-power system, cybersecurity incident, Electric Reliability Organization, and regional entity have the meanings given such terms in paragraphs (1), (8), (2), and (7) of section 215(a), respectively."; and

in paragraph (7)(A)(i), by inserting ", including a cybersecurity incident," after "a malicious act";

by redesignating subsections (e) and (f) as subsections (f) and (g), respectively; and

by inserting after subsection (d) the following:

"(e) Cybersecurity incident reporting

(1) Designation. The Department of Energy shall be a designated agency within the Federal Government to receive notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from other Federal agencies and owners, operators, and users of critical electric infrastructure.

(2) Regulations

(A) In general. Not later than 240 days after the date of enactment of the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, the Secretary shall promulgate regulations to facilitate the submission of timely, secure, and confidential notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from Federal agencies and owners, operators, and users of critical electric infrastructure.

(B) Inclusions. The regulations promulgated under subparagraph (A) shall—

(i) detail what constitutes a potential cybersecurity incident for purposes of this subsection; and

(ii) require a Federal agency or an owner, operator, or user of critical electric infrastructure that discovers a cybersecurity incident or a potential cybersecurity incident with respect to critical electric infrastructure to submit to the Secretary, not later than 24 hours after discovery of such cybersecurity incident or potential cybersecurity incident, notification regarding such cybersecurity incident or potential cybersecurity incident.

(3) Annual reports. Not later than one year after the date of enactment of the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, and annually thereafter, the Secretary shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Energy and Natural Resources of the Senate a report, in classified form if necessary, on the number of notifications received pursuant to this subsection, and a description of the actions taken by the Department of Energy regarding such notifications, during the 1-year period preceding the report.".