House Energy and Commerce Republican Leaders introduced new solutions this week to empower federal agencies with specialized expertise, like the Department of Energy (DOE) and the Department of Health and Human Services (HHS), to combat cyber and ransomware attacks, as well as to protect our critical infrastructure, like pipelines, electrical infrastructure, telecommunications, and hospital systems.
CLICK HERE to read more on the bills and Republicans’ agenda, as reported by POLITICO.
“Our technology, healthcare, and energy infrastructure security require the vigilance of experts across the federal government to ensure Americans are safe. Energy and Commerce Republicans are warning of the dangers of moving to a one-size-fits-all federal approach, which will weaken agencies’ ability to leverage their expertise in cybersecurity preparedness and defense in their specific, unique sectors.” — House Energy and Commerce Republican Leader Cathy McMorris Rodgers (R-WA)
“Cybersecurity is national security, and Congress must act to ensure our grid is secure. H.R. 9234, which I’m leading with Leader Rodgers, will allow companies to quickly respond to these increasing attacks and install preventative measures without getting caught up in bureaucratic red tape. This bill is another tool in the toolbox to create safer communities, schools, and commerce.” — Energy Subcommittee Republican Leader Fred Upton (R-MI)
“With patient care and privacy on the line, more federal leadership is needed to ensure health care providers can respond appropriately to sophisticated cyberattacks. That’s why I introduced the Department of Health and Human Services Cybersecurity Coordination Act. This bill would improve the Department of Health and Human Services’ collaboration on cybersecurity threats and enhance their real-time information sharing with health care providers on active cyber threats. This bill advances patient safety and privacy by requiring HHS to take action on cybersecurity recommendations made by the U.S. Government Accountability Office. I look forward to working with my colleagues on this bill and other measures to prevent these cyberattacks.” — Health Subcommittee Republican Leader Brett Guthrie (R-KY)
“The National Institutes of Health has left itself vulnerable to malicious cyber-attacks due to deficiencies in its information systems. My bill would require NIH’s director to implement necessary cybersecurity protections. Federal agencies like NIH must not leave the door open to bad actors that can disrupt important work being done on behalf of the American people.” — Oversight and Investigations Subcommittee Republican Leader Morgan Griffith (R-VA)
Bill summaries of new legislation introduced this week:
- The Critical Electric Infrastructure Cybersecurity Incident Reporting Act of 2022 (H.R. 9234), introduced by Reps. Rodgers and Upton, amends the Federal Power Act by adding a 24-hour reporting requirement to the Department of Energy’s (DOE) existing critical electric infrastructure (CEI) protection framework. It directs DOE to develop a regulation that provides additional clarity on the scope and scale of cybersecurity incidents that require reporting, and to develop procedures for reporting a “potential cybersecurity incident.” CISA’s Request for Information seeks input on a 72-hour incident reporting requirement. This may be appropriate for some applications, but for critical electric infrastructure a 24-hour reporting requirement is appropriate. This is consistent with Pipeline Safety 24-hour incident reporting requirements.
- Ensuring Cybersecurity at the NIH Act (H.R. 9228), introduced by Rep. Griffith, requires the NIH Director, acting through the Chief Information Officer, to implement cybersecurity protections. This includes developing a risk management strategy for cybersecurity systems, fully developing and documenting system security plans, and fully documenting and reviewing policies and procedures. Additionally, it requires identifying and providing information security protections equal to the risk and magnitude of the harm that could result from unauthorized access, use, disclosure, or destruction of the information collected by the NIH.
- The Department of Health and Human Services Cybersecurity Coordination Act (H.R. 9229), introduced by Rep. Guthrie, requires the HHS Secretary to increase monitoring, evaluation, and reporting on progress and performance of various cybersecurity working groups within HHS.
Energy and Environment
- The Cyber Sense Act of 2021 (H.R. 2928), led by Reps. Bob Latta (R-OH) and Jerry McNerney (D-CA), will bolster U.S. electric infrastructure by encouraging coordination between the Department of Energy and electric utilities. It passed out of the House on July 7, 2021, and provisions of the bill have since been enacted.
- The Enhancing Grid Security through Public-Private Partnerships Act (H.R. 2931), led by Reps. Jerry McNerney (D-CA) and Bob Latta (R-OH), directs the Secretary of Energy, in consultation with States, other Federal agencies, and industry stakeholders, to create and implement a program to enhance the physical and cyber security of electric utilities. It passed out of the House on July 19, 2021, and provisions of the bill have since been enacted.
- The Energy Emergency Leadership Act (H.R. 3119), led by Reps. Bobby Rush (D-IL) and Tim Walberg (R-MI), will help elevate energy emergency and cybersecurity responsibilities as a core function for the Department of Energy. It passed out of the House on July 19, 2021.
- The PATCH “Protecting and Transforming Cyber Health Care” Act (H.R. 7084), which was introduced by Rep. Michael Burgess (R-TX), would implement critical cybersecurity requirements for manufacturers applying for premarket approval through the FDA; allow for the manufacturer to design, develop, and maintain processes and procedures to update and patch the device and related systems throughout the lifecycle of the device; establish a Software Bill of Materials for the device that will be provided to users; require the development of a plan to monitor, identify, and address post market cybersecurity vulnerabilities; and request a Coordinated Vulnerability Disclosure to demonstrate safety and effectiveness of a device. This passed the House in H.R. 7667.
- The RANSOMWARE Act (H.R. 4551), introduced by Reps. Gus Bilirakis (R-FL) and Jan Schakowsky (D-IL), requires the Federal Trade Commission to report on cross-border complaints received that involve ransomware or other cyber-related attacks committed by certain foreign individuals, companies, and governments. The report must focus specifically on attacks committed by (1) Russia, China, North Korea, or Iran; or (2) individuals or companies that are located in or have ties to those countries. This bill passed out of the House July 27, 2022.
- The GUARD Act (H.R. 3262), introduced by Reps. Fred Upton (R-MI) and Debbie Lesko (R-AZ), requires the Department of Transportation (DOT) to study the state of cybersecurity regarding motor vehicles, including by developing a comprehensive list of federal agencies with jurisdiction over cybersecurity and a brief description of the jurisdiction or expertise of such agencies.
- The Understanding Cybersecurity of Mobile Networks Act (H.R. 2685), introduced by Reps. Anna Eshoo (D-CA) and Adam Kinzinger (R-IL), would require NTIA, in consultation with the Department of Homeland Security, to submit a report to Congress within 1 year examining the cybersecurity of mobile service networks, any potential vulnerabilities of these networks, and any surveillance conducted by adversaries on these networks. It passed out of the House December 21, 2022.
- The Secure Equipment Act of 2021 (H.R. 3919), introduced by Reps. Steve Scalise (R-LA) and Anna Eshoo (D-CA), would direct the Federal Communications Commission to clarify that it will no longer review or approve applications from companies on the FCC’s “Covered List.” The bill was signed into law on November 11, 2021.
- The Information and Communication Technology Strategy Act (H.R. 4028), introduced by Reps. Billy Long (R-MO), Abigail Spanberger (D-VA), Buddy Carter (R-GA), and Jerry McNerney (D-CA), would direct NTIA to submit to Congress within one year a report analyzing the state of economic competitiveness of trusted vendors in the ICT supply chain, identify which components or technologies are critical or vulnerable, and identify components or technologies on which U.S. networks are dependent. Subsequent to this report, NTIA is directed to submit a whole of government strategy to ensure the competitiveness of trusted vendors in the United States within 6 months. It passed out of the House on October 20, 2021.
- The Open RAN Outreach Act (H.R. 4032), introduced by Reps. Colin Allred (D-TX), Brett Guthrie (R-KY), Tom O’Halleran (D-AZ), and Richard Hudson (R-NC), directs NTIA to provide outreach and technical assistance to small communications network providers regarding Open Radio Access Networks. It passed the House on October 20, 2021.
- The FUTURE Networks Act (H.R. 4045), introduced by Reps. Michael Doyle (D-PA), Bill Johnson (R-OH), and Lucy McBath (D-GA), would require the FCC to create a 6G Task Force. It passed the House on December 1, 2021.
- The NTIA Policy and Cybersecurity Coordination Act (H.R. 4046), introduced by Reps. Jeff Duncan (R-SC), Susan Wild (D-PA), and John Curtis (R-UT), would authorize the existing National Telecommunications and Information Administration (NTIA) Office of Policy Analysis and Development as the Office of Policy Development and Cybersecurity. In addition to codifying the responsibilities of NTIA in administering the information sharing program established in the Secure and Trusted Communications Networks Act, the Office would be assigned functions to coordinate and develop policy related to the cybersecurity of communications networks.
- The American Cybersecurity Literacy Act (H.R. 4055), introduced by Reps. Adam Kinzinger (R-IL), Marc Veasey (D-TX), Gus Bilirakis (R-FL), and Chrissy Houlahan (D-PA), would require NTIA to develop and conduct a cybersecurity literacy campaign to educate the American people about common cybersecurity risks and best practices. This campaign would be aimed at individuals as opposed to businesses. It passed out of the House on December 1, 2021.
- The Communications Security Advisory Act of 2021 (H.R. 4067), introduced by Reps. Elissa Slotkin (D-MI), Tim Walberg (R-MI), and Kurt Schrader (D-OR), would codify the FCC’s existing Communications Security, Reliability, and Interoperability Council (CSRIC). It passed the House on October 20, 2021.