The Act amends Part II of the Federal Power Act to provide the secretary of the Department of Energy (DOE), under direction from the President, with the authority to order “any entity that is registered with the [North American Electric Reliability Corporation (NERC)] as an owner, operator, or user of the bulk-power system to take such actions as the secretary determines will best avert or mitigate” cybersecurity threats.1 In carrying out such an order, the secretary is required under the Act to coordinate with Canada and Mexico on interconnection issues that might arise as a result of the cybersecurity threat, as well as consult with various affected parties (grid operators and generators; NERC; the Electricity Subsector Coordinating Council; and federal and state agencies). Taking into account the added costs that electric utilities and generators might face due to an emergency order, the Act directs the Federal Energy Regulatory Commission (FERC) to adopt regulations that permit affected parties to “seek recovery of prudently incurred costs” from their ratepayers.
Like other provisions of the Act focused on channeling investments in modern grid technologies and infrastructure, the Act directs $100 million worth of funding per year from 2017 to 2025 towards four separate DOE-led programs designed to (i) advance cybersecurity applications and technologies for the energy sector; (ii) identify vulnerabilities of energy sector supply chain products to known cybersecurity threats; (iii) enhance the emergency response capabilities of the DOE and expand cooperation of the DOE with the intelligence communities for energy‑sector-related threat collection and analysis; (iv) and secure energy networks, including electric, natural gas and oil exploration, transmission and delivery.
Finally, the Act exempts critical electric infrastructure information (CEII) from disclosure under the Freedom of Information Act,2 directs FERC to work with the DOE to issue such orders and regulations regarding the proper sharing and designation of CEII, and designates the DOE as the sector-specific agency for cybersecurity for the energy sector.
1 The Act defines a cyber security threat as the “imminent danger of an act that severely disrupts, attempts to severely disrupt, or poses a significant risk of severely disrupting the operation of programmable electronic devices or communications networks (including hardware, software, and data) essential to the reliable operation of the bulk-power system.”
2 5 U.S.C. § 552(b)(3).