The Infrastructure Investment and Jobs Act, H. R. 3684, includes a slew of cybersecurity provisions. Following a number of high-profile ransomware attacks on U.S. companies, legislators have been pushing for more action to shore up the U.S.’s cybersecurity abilities.
Some of the key provisions included in the package are:
- $21 million for the newly formed Office of the National Cyber Director.
- $20 million for FY22 and each fiscal year till 2028 ($100 million total) for CISA’s Cyber Response and Recovery Fund.
- $35 million for FY22 for CISA Sector Risk Management.
- $1 billion over four years for state, local, tribal and territorial governments to create a new grant program aimed at improving the cybersecurity posture.
- Direct FERC to issue rules establishing incentive-based rate treatments for public utilities that invest in advanced cybersecurity technology and participate in threat information-sharing programs.
Created in the FY21 The National Defense Authorization Act (NDAA), the National Cyber Director is responsible for coordinating policies to increase the security of federal information systems and serve as a point of contact between the White House and Congress on cybersecurity matters. In July, Chris Inglis was sworn in to be the first National Cyber Director, but at that time Congress had not yet provided funding for the office. The infrastructure bill would provide $21 million for FY22, a $6 million increase from President Biden’s budget request in May.
The infrastructure package also authorizes the National Cyber Director, in consultation with the Homeland Security Secretary, to declare a significant cybersecurity incident. The legislation defines a significant cyber incident as one that results in harm to national security interests, foreign relations, or the U.S. economy; or the public confidence, civil liberties or the public health and safety of the U.S.
The package includes several measures to shore up energy grid cyber protections. These measures come after The Government Accountability Office (GAO), reported this year that United States electric grids are increasingly vulnerable to cyberattacks. The package includes provisions such as:
- $250 million for the period of FY22-26 to fund cybersecurity grant programs, as well as to develop advanced cybersecurity application and technologies for the energy sector.
- $50 million for the period of FY22-26 for the Energy Sector Operational Support for Cyber-resilience Program, which aims to enhance and test the emergency response capabilities of DOE.
- $50 million for the period of FY22-26 for Modeling and Assessing Energy Infrastructure Risk, to increase the functional preservation of electrical grid operations or natural gas and oil operations in the face of threats and hazards.
- $250 million for a Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program.
State, local and tribal governments, who have been pushing for funding to address cybersecurity, were clearly heard. The legislation incorporates Rep. Yvette Clarke’s (D-NY), House passed, State and Local Cybersecurity Improvement Act, H.R.3138, which only called for $500 million in funding for the grant program. The grant program, to be run by the Department of Homeland Security (DHS), would receive $200 million in FY22, $400 million in FY23, $300 million in FY24, and $100 million in FY25. State, local, tribal, and territorial governments will have to present a comprehensive cybersecurity plan to be able to access and use any grant money from the program.
Yesterday, Senators continued debate and votes on amendments to the infrastructure package today, mainly taking up noncontroversial amendments. Senate Minority Leader Mitch McConnell (R-KY) has stated that Senate Republicans will take their time with amendments and that he wants every chance they can get to propose changes to the bill. Sen. Mike Lee (R-UT), wants the final vote delayed until after the Senate’s August recess.
The package hit a speed bump yesterday when it was announced that Sen. Lindsey Graham (R-SC) tested positive for the delta variant, causing him to go into quarantine. Unlike the House, the Senate does not allow for proxy voting, which means that Sen. Graham will miss all votes on the package while in quarantine. MBS will provide updates as more details about the package are released.