HR 2928 Introduced - Cyber Sense Program
Back in March Rep Latta (R,OH) introduced HR 2928, the Cyber Sense Act of 2021. The bill would require DOE to establish “a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk-power system” {§2(a)}. Similar bills have passed in the House in the last three sessions of Congress, most recently HR 360 in the 116th.
NOTE: The analysis in this post was done using a Committee print of the bill. The Government Printing Office has not yet published the bill.
The Program
The bill would require DOE to establish the Cyber Sense Program. DOE would be required to {§2(b)}:
• Establish a testing process under the Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems,
• For products and technologies tested under the Cyber Sense program, establish and maintain cybersecurity vulnerability reporting processes and a related database,
• Provide technical assistance to electric utilities, product manufacturers, and other electricity sector stakeholders to develop solutions to mitigate identified cybersecurity vulnerabilities in products and technologies tested under the Cyber Sense program,
• Biennially review products and technologies tested under the Cyber Sense program for cybersecurity vulnerabilities and provide analysis with respect to how such products and technologies respond to and mitigate cyber threats,
• Develop guidance, that is informed by analysis and testing results under the Cyber Sense program, for electric utilities for procurement of products and technologies,
• Provide reasonable notice to the public, and solicit comments from the public, prior to establishing or revising the testing process under the Cyber Sense program,
• Oversee testing of products and technologies under the Cyber Sense program, and
• Consider incentives to encourage the use of analysis and results of testing under the Cyber Sense program in the design of products and technologies for use in the bulk-power system.
The bill specifically provides DOE with liability protection “with respect to the testing of a product or technology under the Cyber Sense program” {§2(d)}.
Information Protection
Any cybersecurity vulnerability reported under the Cyber Sense program, “the disclosure of which the Secretary of Energy reasonably foresees would cause harm to critical electric infrastructure” {§2(c)}, would be treated as Critical Electric Infrastructure Information (CEII, 18 CFR 388.113). This sensitive but unclassified set of data protections prohibits DOE and other government agencies from releasing the information to the public via a Freedom of Information Act (FOIA) request, and prohibits release via similar requests at the State and local levels when federal agencies share the restricted-access information with agencies at those levels.
Moving Forward
On Thursday of this week the House Energy and Commerce Committee held a markup hearing where this bill was considered. The Committee considered HR 2928 without amendments and ordered it favorably reported to the House by a voice vote. The bill will be considered by the full House, likely before the Summer Recess. The bill will be considered under the suspension of the rules process. This means limited debate, no floor amendments, and a supermajority will be required for passage. The bill will almost certainly pass (yet again) with strong bipartisan support.
The problem with this bill has always been trying to get the Senate to take up the legislation. As I have explained with a number of other bills, it is just not important enough to take up the time necessary for the normal full debate and amendment process. The abbreviated unanimous consent process is available, but a single Senator can stop that process from moving forward. And, objections to the consideration of the bill need not have anything to do with the language in the bill or even the same area of government.
Commentary
I have talked in my posts on the earlier iterations of this bill about my objections to the information sharing limitations imposed in §2(c). While the bulk power grid does have a lot of equipment unique to the operation of the grid, probably the majority of the control system equipment that would potentially be covered by the proposed Cyber Sense Program would also be used in control systems in a number of different industrial settings. A blanket CEII label would put the non-grid users of the equipment at increased risk of a cyber-attack. I would prefer to see a 60-day or 90-day limit placed on labeling a cybersecurity vulnerability as CEII. This would make it closer to the CISA process of releasing a limited number of vulnerability advisories on the Homeland Security Information Network (HSIN) with limited access, to allow vendors and owner/operators some time to mitigate the vulnerability.
I would like to add a new proposal for a value-added feature that should be made part of the Cyber Sense Program, a software bill of materials {SBOM, as defined in §10(j) of EO 14028} requirement for all product submissions that include software or firmware. This would help DOE notify other vendors of potential vulnerabilities in their systems due to new vulnerabilities being reported to DOE in other affected products. This will be especially critical while there is a CEII restriction on publication of the vulnerability. To make this happen, we could revise §2(b)(2):
(2) for products and technologies tested under the Cyber Sense program, the Secretary would establish:
(i) a requirement to submit a software bill of materials (SBOM), as that term is defined in §10(j) of EO 14028, for each product or technology submitted for evaluation;
(ii) and maintain cybersecurity vulnerability reporting processes and a related database; and
(iii) provide notification to affected vendors when a vulnerability reported to the Cyber Sense program potentially affects their product, based upon their SBOM listing on file with the program.
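To show what the proposed §2(b)(2)(iii) notification step would actually require of the program, here is an added example (not part of the post, the bill, or any DOE system) that cross-references a vulnerability report against simplified SBOMs on file and produces one notice per affected vendor. The vendor names, product names, component names and version ranges are all constructed sample data; real SBOMs use a standard format such as SPDX or CycloneDX, which this simplification does not parse.

```python
from dataclasses import dataclass

def parse_version(v):
    """'3.1.4' -> (3, 1, 4); numeric dotted versions only (a simplification)."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class SbomEntry:
    product: str      # product or technology submitted to the program
    vendor: str       # vendor the program would notify
    components: dict  # component name -> version string (simplified SBOM)

@dataclass(frozen=True)
class VulnReport:
    component: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first fixed version, exclusive

# Constructed sample SBOMs on file with the program (hypothetical vendors/products).
SBOMS = [
    SbomEntry("RTU-100", "VendorA", {"modbus-stack": "3.1.4", "tls-lib": "1.0.2"}),
    SbomEntry("PLC-7", "VendorB", {"modbus-stack": "3.1.7", "rtos-kernel": "5.2"}),
    SbomEntry("Gateway-X", "VendorC", {"modbus-stack": "2.9.0", "tls-lib": "1.1.1"}),
    SbomEntry("HMI-Panel", "VendorA", {"tls-lib": "1.0.2"}),
]

def affected_products(report, sboms):
    """Products whose SBOM lists the vulnerable component at a version in [introduced, fixed)."""
    lo, hi = parse_version(report.introduced), parse_version(report.fixed)
    hits = []
    for entry in sboms:
        ver = entry.components.get(report.component)
        if ver is not None and lo <= parse_version(ver) < hi:
            hits.append(entry)
    return hits

def notifications(report, sboms):
    """Group affected products by vendor: one notice per vendor listing their products."""
    by_vendor = {}
    for entry in affected_products(report, sboms):
        by_vendor.setdefault(entry.vendor, []).append(entry.product)
    return {v: sorted(p) for v, p in sorted(by_vendor.items())}

if __name__ == "__main__":
    # Constructed report: modbus-stack 3.0.0 up to, but not including, 3.1.7 is affected.
    report = VulnReport("modbus-stack", "3.0.0", "3.1.7")
    print(notifications(report, SBOMS))  # {'VendorA': ['RTU-100']}
```

Because the notice goes only to vendors whose SBOM lists the component, it can be sent while the vulnerability itself is still under a CEII restriction, without publishing the vulnerability.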