The much-anticipated $1 trillion Senate bipartisan infrastructure bill unveiled on August 1 shows big cybersecurity funding wins for state and local governments, with $1 billion for a cybersecurity grant program, and for electric utilities, which will receive $550 million through cybersecurity programs to protect the electric grid.
The 2,700-page bill, titled the Infrastructure Investment and Jobs Act, also includes $140 million to fund a Cyber Incident Response and Recovery Fund until fiscal year (FY) 2028, as well as cybersecurity directives for the Department of Transportation.
The bipartisan group of 20 legislators first announced the framework of the package towards the end of June and reached an agreement on the details of the legislation July 28. But the exact financial details of the agreement did not become clear before the final legislative language was released this weekend.
Negotiations on the package were led by Sens. Kyrsten Sinema, D-Ariz.; Rob Portman, R-Ohio; Mark Warner, D-Va.; Susan Collins, R-Maine; Joe Manchin, D-W.V.; Mitt Romney, R-Utah; Jon Tester, D-Mont.; Lisa Murkowski, R-Alaska; Jeanne Shaheen, D-N.H.; and Bill Cassidy, R-La.
“Over the last four days we have worked day and night to finalize historic legislation that will invest in our nation’s hard infrastructure and create good-paying jobs for working Americans in communities across the country without raising taxes,” the senators said in a statement. “This bipartisan bill and our shared commitment to see it across the finish line is further proof that the Senate can work. We look forward to moving this bill through the Senate and delivering for the American people.”
Senate Majority Leader Chuck Schumer, D-N.Y., said he wants to get the package passed in the Senate before the chamber leaves for its summer recess on August 9, and previously expressed a willingness to cancel the recess should the Senate not pass the package before then.
While most of the funding in the bill will go toward improving “traditional” infrastructure like roads and bridges, the legislation also features an extensive list of cybersecurity and tech-related spending.
State and Local Cybersecurity Improvement Act
The need to shore up the nation’s cybersecurity has been a prime issue for Congress in light of an increased rate of cyberattacks over the past year and a half. Topping the bill’s cybersecurity-related spending is a $1 billion measure to fund cybersecurity grants for state, local, tribal, and territorial governments over four years.
That part of the Senate infrastructure bill matches existing legislation – the State and Local Cybersecurity Act – which was passed by the House of Representatives on July 22. While the House version of the bill calls for a $500 million per year grant program, the Senate bill breaks it down differently.
The grant program, to be run by the Department of Homeland Security (DHS), would receive $200 million in FY2022, $400 million in FY2023, $300 million in FY2024, and $100 million in FY2025.
State, local, tribal, and territorial governments will have to present a comprehensive cybersecurity plan to be able to access and use any grant money from the program.
A previous iteration of the SLG cyber grant bill had been approved by the House in the last Congress but stalled in the Senate.
Electric Grid Cybersecurity
The infrastructure bill includes several grid-protection measures that collectively will feed hundreds of dollars of funding into the effort. The Government Accountability Office (GAO) released a report in March that said United States electric grids are increasingly vulnerable to cyberattacks.
The cybersecurity items include $250 million to fund a cybersecurity grant program focused on the electric grid.
Separately, the package also includes $250 million for a Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program, as well as a variety of other programs aimed at shoring up the industry’s cybersecurity practices.
The grant program would receive the funding over the five-year period from FY2022 to FY2026, and look to “deploy advanced cybersecurity technologies for electric utility systems” and increase the threat-sharing capabilities in the sector. Priority for the grants will be given to operators that either have limited cyber capabilities, own facilities that the bulk power system relies on, or are a part of defense critical infrastructure.
The bill would also authorize $250 million for cybersecurity research and development in the energy sector, and $50 million over the same period for modeling and assessing risks to energy infrastructure.
As with the SLG cybersecurity grant program, any utility companies or entities that are looking to receive funding through one of these programs will need to develop a comprehensive cybersecurity plan.
Other Cybersecurity Items
The Cyber Incident Response and Recovery Fund headlines the other cybersecurity provisions in the sprawling bill, which also includes directives for the Federal Highway Administration (FHA) to create a cyber tool and coordinating office, and gives the Department of Transportation (DoT) three years to implement cyber recommendations from the GAO.
The Cyber Response and Recovery Act – originally introduced in April by Sens. Portman and Gary Peters, D-Mich. – would be fully funded at $20 million annually from FY2022-FY2028. The funds would assist Federal and non-Federal entities impacted by major cyber events. The title also gives the DHS Secretary authority to declare a “significant cyber incident” after private and public network breaches.
If the infrastructure bill becomes law, FHA would have two years to build a tool to help transportation authorities identify, mitigate, and recover from cyberattacks. The FHA administrator would also have two years to designate a cyber coordinating office that would work with the Transportation Security Administration and DHS’s Cybersecurity and Infrastructure Security Agency and be responsible for monitoring transportation agencies for cyber incidents and alerting them of any intrusions.
Under the legislation, DoT would need to develop a cybersecurity risk management framework for the department to comply with recommendations GAO issued in July 2019 and report back to Congress within three years.