References in Text
This chapter, referred to in subsec. (c), was in the original “this Act”, meaning [Pub. L. 107–296], Nov. 25, 2002, [116 Stat. 2135], known as the Homeland Security Act of 2002, which is classified principally to this chapter. For complete classification of this Act to the Code, see Short Title note set out under section 101 of this title and Tables.
Codification
In subsec. (b)(6), “section 3303(a)(1)(C) of title 41” substituted for “section 303(b)(1)(C) of the Federal Property and Administrative Services Act of 1949 (41 U.S.C. 253(b)(1)(C))” on authority of [Pub. L. 111–350, § 6(c)], Jan. 4, 2011, [124 Stat. 3854], which Act enacted Title 41, Public Contracts.
Securing Energy Infrastructure
[Pub. L. 116–92, div. E, title LVII, § 5726], Dec. 20, 2019, [133 Stat. 2179], provided that:“(a)
Definitions.—
In this section:
“(1)
Appropriate congressional committees.—
The term ‘appropriate congressional committees’ means—
“(A)
the congressional intelligence committees [Select Committee on Intelligence of the Senate and Permanent Select Committee on Intelligence of the House of Representatives];
“(B)
the Committee on Homeland Security and Governmental Affairs and the Committee on Energy and Natural Resources of the Senate; and
“(C)
the Committee on Homeland Security and the Committee on Energy and Commerce of the House of Representatives.
“(2)
Covered entity.—
The term ‘covered entity’ means an entity identified pursuant to section 9(a) of Executive Order No. 13636 of
February 12, 2013 (78 Fed. Reg. 11742) [
6 U.S.C. 121 note], relating to identification of critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
“(3)
Exploit.—
The term ‘exploit’ means a software tool designed to take advantage of a security vulnerability.
“(4)
Industrial control system.—
The term ‘industrial control system’ means an operational technology used to measure, control, or manage industrial functions, and includes supervisory control and data acquisition systems, distributed control systems, and programmable logic or embedded controllers.
“(5)
National laboratory.—
The term ‘National Laboratory’ has the meaning given the term in section 2 of the Energy Policy Act of 2005 (
42 U.S.C. 15801).
“(6)
Program.—
The term ‘Program’ means the pilot program established under subsection (b).
“(7)
Secretary.—
Except as otherwise specifically provided, the term ‘Secretary’ means the Secretary of Energy.
“(8)
Security vulnerability.—
The term ‘security vulnerability’ means any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.
“(b)
Pilot Program for Securing Energy Infrastructure.—
Not later than 180 days after the date of the enactment of this Act [Dec. 20, 2019], the Secretary shall establish a 2-year control systems implementation pilot program within the National Laboratories for the purposes of—
“(1)
partnering with covered entities in the energy sector (including critical component manufacturers in the supply chain) that voluntarily participate in the Program to identify new classes of security vulnerabilities of the covered entities; and
“(2)
evaluating technology and standards, in partnership with covered entities, to isolate and defend industrial control systems of covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities, including—
“(A)
analog and nondigital control systems;
“(B)
purpose-built control systems; and
“(c)
Working Group To Evaluate Program Standards and Develop Strategy.—
“(1)
Establishment.—
The Secretary shall establish a working group—
“(A)
to evaluate the technology and standards used in the Program under subsection (b)(2); and
“(B)
to develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities.
“(2)
Membership.—
The working group established under paragraph (1) shall be composed of not fewer than 10 members, to be appointed by the Secretary, at least 1 member of which shall represent each of the following:
“(A)
The Department of Energy.
“(B)
The energy industry, including electric utilities and manufacturers recommended by the Energy Sector coordinating councils.
“(C)
(i)
The Department of Homeland Security; or
“(ii)
the Industrial Control Systems Cyber Emergency Response Team.
“(D)
The North American Electric Reliability Corporation.
“(E)
The Nuclear Regulatory Commission.
“(F)
(i)
The Office of the Director of National Intelligence; or
“(ii)
the intelligence community (as defined in section 3 of the National Security Act of 1947 (
50 U.S.C. 3003)).
“(G)
(i)
The Department of Defense; or
“(ii)
the Assistant Secretary of Defense for Homeland Security and America’s Security Affairs.
“(H)
A State or regional energy agency.
“(I)
A national research body or academic institution.
“(J)
The National Laboratories.
“(d)
Reports on the Program.—
“(1)
Interim report.—
Not later than 180 days after the date on which funds are first disbursed under the Program, the Secretary shall submit to the appropriate congressional committees an interim report that—
“(A)
describes the results of the Program;
“(B)
includes an analysis of the feasibility of each method studied under the Program; and
“(C)
describes the results of the evaluations conducted by the working group established under subsection (c)(1).
“(2)
Final report.—
Not later than 2 years after the date on which funds are first disbursed under the Program, the Secretary shall submit to the appropriate congressional committees a final report that—
“(A)
describes the results of the Program;
“(B)
includes an analysis of the feasibility of each method studied under the Program; and
“(C)
describes the results of the evaluations conducted by the working group established under subsection (c)(1).
“(e)
Exemption From Disclosure.—
Information shared by or with the Federal Government or a State, Tribal, or local government under this section—
“(1)
shall be deemed to be voluntarily shared information;
“(2)
shall be exempt from disclosure under
section 552 of title 5, United States Code, or any provision of any State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring the disclosure of information or records; and
“(3)
shall be withheld from the public, without discretion, under
section 552(b)(3) of title 5, United States Code, and any provision of any State, Tribal, or local law requiring the disclosure of information or records.
“(f)
Protection From Liability.—
“(1)
In general.—
A cause of action against a covered entity for engaging in the voluntary activities authorized under subsection (b)—
“(A)
shall not lie or be maintained in any court; and
“(B)
shall be promptly dismissed by the applicable court.
“(2)
Voluntary activities.—
Nothing in this section subjects any covered entity to liability for not engaging in the voluntary activities authorized under subsection (b).
“(g)
No New Regulatory Authority for Federal Agencies.—
Nothing in this section authorizes the Secretary or the head of any other department or agency of the Federal Government to issue new regulations.
“(h)
Authorization of Appropriations.—
“(1)
Pilot program.—
There is authorized to be appropriated $10,000,000 to carry out subsection (b).
“(2)
Working group and report.—
There is authorized to be appropriated $1,500,000 to carry out subsections (c) and (d).
“(3)
Availability.—
Amounts made available under paragraphs (1) and (2) shall remain available until expended.”