The U.S. House of Representatives is scheduled to vote on a $1 trillion bipartisan infrastructure bill on September 30, 2021. Back in August, the U.S. Senate passed the bill, which included $1.9 billion for cybersecurity initiatives. According to The Hill , the funds will go toward securing critical infrastructure against attacks, helping vulnerable organizations defend themselves and providing funding for a key federal cyber office, among other initiatives. The House is now set to vote on the bill, and if passed, it will go to the President for his signature.

But what exactly are the cybersecurity provisions within the Infrastructure Investment and Jobs Act (H.R. 3684)? The (ISC)² Advocacy Team did some digging and pulled together the following comprehensive list of cybersecurity initiatives that would receive funding if the bill is passed.

What do you think? What are your thoughts on the brighter light being shone on cybersecurity and its inclusion in the latest infrastructure spending proposals? What do you think of $1.9 billion investment in comparison to the overall $1 trillion proposed in the current bill? Join the conversation on the (ISC)² Community .

Division A: Title I: Subtitle E: Section 11510: Cybersecurity Tool – No later than 2 years after the date of enactment of this Act, the Administrator (Federal Highway Administration) shall develop a tool to assist transportation authorities in identifying, detecting, protecting against, responding to, and recovering from cyber incidents.

Requirements—In developing the tool, the Administrator shall— (A) use the cybersecurity framework established by the National Institute of Standards and Technology relating to improving critical infrastructure cybersecurity); (B) establish a structured cybersecurity assessment and development program; (C) coordinate with the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency; (D) consult with appropriate transportation authorities, operating agencies, industry stakeholders, and cybersecurity experts; and (E) provide for a period of public comment and review on the tool.

Cybersecurity Coordinator – No later than 2 years after the date of enactment of this Act, the Administrator shall designate an office as a ‘‘cyber coordinator’’, which will be responsible for monitoring, alerting, and advising transportation authorities of cyber incidents.

Requirements —The office designated shall, in coordination with the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency— (A) provide to transportation authorities a secure method of notifying the Federal Highway Administration of cyber incidents; (B) share the information collected with the Transportation Security Administration and the Cybersecurity and Infrastructure Security Agency; (C) monitor cyber incidents that affect transportation authorities; (D) alert transportation authorities to cyber incidents that affect those transportation authorities; (E) investigate unaddressed cyber incidents that affect transportation authorities; and (F) provide to transportation authorities educational resources, outreach, and awareness on fundamental principles and best practices in cybersecurity for transportation systems.

Division B: Title V: Section 25022: GAO Cybersecurity Recommendations – No later than 3 years after the enactment of this Act, the Secretary (of Transportation) shall implement the recommendation for the Department of Transportation made by the Comptroller General of the United States in the report entitled ‘‘Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges’’, (1) by developing a cybersecurity risk management strategy for the systems and information of the Department; (2) by updating policies to address an organization-wide risk assessment; and (3) by updating the processes for coordination between cybersecurity risk management functions and enterprise risk management functions.

(B) Work Roles – Not later than 3 years after the date of enactment of this Act, the Secretary shall implement the recommendation of the Comptroller General of the United States in the report entitled ‘‘Cybersecurity 22 Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs’’, by (1) reviewing positions in the Department and (2) assigning appropriate work roles in accordance with the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework.

(C) GAO Review – Not later than 18 months after the date of enactment of this Act, the Comptroller General of the United States shall submit to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Transportation and Infrastructure of the House of Representatives a report that examines the approach of the Department to managing cybersecurity for the systems and information of the Department. The report shall include an evaluation of— (A) the roles, responsibilities, and reporting relationships of the senior officials of the Department with respect to cybersecurity; (B) the extent to which officials of the Department establish requirements for, share information with, provide resources to, and monitor the performance of managers with respect to cybersecurity; and 3 (ii) hold managers accountable for cybersecurity within the components of the Department.

Division D: Energy: Title 1: Subtitle B: Cybersecurity

Section 40121: Enhancing Grid Security through Public-Private Partnership – The Secretary (Energy), in consultation with the Secretary of Homeland Security  and the heads of other relevant Federal agencies, State regulatory authorities, industry stakeholders, and the Electric Reliability Organization, shall carry out a program— (A) to develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities; (B) to assist with threat assessment and cybersecurity training for electric utilities; (C) to provide technical assistance for electric utilities subject to the program; (D) to provide training to electric utilities to address and mitigate cybersecurity supply chain management risks; (E) to advance the cybersecurity of third-party vendors that manufacture components of the electric grid; (F) to increase opportunities for sharing best practices and data collection within the electric sector; and (G) to assist, in the case of electric utilities that own defense critical electric infrastructure, with full engineering reviews of critical functions and operations at both the utility and defense infrastructure levels— (i) to identify unprotected avenues for cyber-enabled sabotage that would have catastrophic effects to national security; (ii) to recommend and implement engineering protections to ensure continued operations of identified critical functions even in the face of constant cyber-attacks and achieved perimeter access by sophisticated adversaries.

Report – Not later than 1 year after the of enactment of this Act, the Secretary shall submit to Congress a report that assesses— (1) priorities, policies, procedures, and actions for enhancing the physical security and cybersecurity of electricity distribution systems to address threats to, and vulnerabilities of, electricity distribution systems; and (2) the implementation of the priorities, policies, procedures, and actions assessed under paragraph (1), including— (A) an estimate of potential costs and benefits of the implementation; and (B) an assessment of any public-private cost-sharing opportunities. 

Section 40122: Energy Cybersense Program —The Secretary, in consultation with the Secretary of Homeland Security and the heads of other relevant Federal agencies, shall establish an Energy Cyber Sense program to test the cybersecurity of products and technologies intended for use in the energy sector, including in the bulk-power system.

Program Requirements.—The Secretary, in consultation with the Secretary of Homeland Security and the heads of other relevant Federal agencies, shall— (1) establish a testing process under the program to test the cybersecurity of products and technologies intended for use in the energy sector, including products relating to industrial control systems and operational technologies, such as supervisory control and data acquisition systems; (2) for products and technologies tested under the program, establish and maintain cybersecurity vulnerability reporting processes and a related database that are integrated with Federal vulnerability coordination processes; (3) provide technical assistance to electric utilities, product manufacturers, and other energy sector stakeholders to develop solutions to mitigate identified cybersecurity vulnerabilities in products and technologies tested under the program; (4) biennially review products and technologies tested under the program for cybersecurity vulnerabilities and provide analysis with respect to how those products and technologies respond to and mitigate cyber threats; (5) develop guidance that is informed by analysis and testing results under the program for electric utilities and other components of the energy sector for the procurement of products and technologies; (6) provide reasonable notice to, and solicit comments from, the public prior to establishing or revising the testing process under the program; (7) oversee the testing of products and technologies under the program; and (8) consider incentives to encourage the use of analysis and results of testing under the program in the design of products and technologies for use in the energy sector.

Section 40123: Incentives for Advanced Cybersecurity Technology Investment – Not later than 180 days after the date of enactment of this section, the Commission, in consultation with the Secretary of Energy, the North American Electric Reliability Corporation, the Electricity Subsector Coordinating Council, and the National Association of Regulatory Utility Commissioners, shall conduct a study to identify incentive-based, including performance-based, rate treatments for the transmission and sale of electric energy subject to the jurisdiction of the Commission that could be used to encourage— (1) investment by public utilities in advanced cybersecurity technology; and (2) participation by public utilities in cybersecurity threat information sharing programs.

Incentive Based Rate Treatment—Not later than 1 year after the completion of the study, the Commission shall establish incentive-based, including performance-based, rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by public utilities for the purpose of benefitting consumers by encouraging— (1) investments by public utilities in advanced cybersecurity technology; and (2) participation by public utilities in cybersecurity threat information sharing programs. *All rates under this program shall be just and reasonable and not discriminatory or preferential. *

Section 40124: Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program – Not later that 180 days after the enactment of this act, the Secretary shall establish a program to be known as the ‘Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program’’, to provide grants and technical assistance to, and enter into cooperative agreements with, eligible entities to protect against, detect, respond to, and recover from cybersecurity threats. The objective of the program is to deploy advanced cybersecurity technologies for electric utility systems and to increase the participation of eligible entities in cybersecurity threat information sharing programs. In awarding grants and providing technical assistance under the Program, priority will be given to an eligible entity that, as determined by the Secretary, has limited cybersecurity resources, owns assets critical to the reliability of the bulk-power system, or owns defense critical electric infrastructure.

Section 40125: Enhanced Grid Security – The Secretary, in consultation with other groups, shall develop and carry out a program— (A) to develop advanced cybersecurity applications and technologies for the energy sector— (i) to identify and mitigate vulnerabilities, including— (I) dependencies on other critical infrastructure; (II) impacts from weather and fuel supply; (III) increased dependence on inverter-based technologies; and (IV) vulnerabilities from unpatched hardware and software systems; and (ii) to advance the security of field devices and third-party control systems, including— (I) systems for generation, transmission, distribution, end use, and market functions; (II) specific electric grid elements including advanced metering, demand response, distribution, generation, and electricity storage; (III) forensic analysis of infected systems; (IV) secure communications; and (V) application of in-line edge security solutions; (B) to leverage electric grid architecture as a means to assess risks to the energy sector, including by implementing an all-hazards approach to communications infrastructure, control systems architecture, and power systems architecture; (C) to perform pilot demonstration projects with the energy sector to gain experience with new technologies; (D) to develop workforce development curricula for energy sector-related cybersecurity; (E) to develop improved supply chain concepts for secure design of emerging digital components and power electronics. There are $250,000,000 appropriated for the period of fiscal years 2022 through 2026 for this section.

Energy Sector Operational Support for Cyberresilience Program – The Secretary may develop and carry out a program— (A) to enhance and periodically test (i) the emergency response capabilities of the Department; and (ii) the coordination of the Department with other agencies, the National Laboratories, and private industry; (B) to expand cooperation of the Department with the intelligence community for energy sector-related threat collection and analysis; (C) to enhance the tools of the Department and E-ISAC (Electricity Information Sharing & Analysis Center) for monitoring the status of the energy sector; (D) to expand industry participation in E-ISAC; and (E) to provide technical assistance to small electric utilities for purposes of assessing and improving cybermaturity levels and addressing gaps identified in the assessment. There is authorized to be appropriated to the Secretary to carry out this subsection $50,000,000 for the period of fiscal years 2022 through 2026.

Section 40126: Cybersecurity Plan – Any recipient of an award or funding under this division may be required to submit a plan to the Secretary that shows Cybermaturity of the recipient as well as establishing a plan for maintaining and improving cybersecurity throughout the life of the solution of the project. Plans will be reviewed by the Office of Cybersecurity, Energy Security, and Emergency Response of the Department of Energy.

Division E: Title I: Section 50113: Cybersecurity Support for Public Water Systems – No later than 180 days after the enactment of this section, the Administrator (EPA) and Director (of Cybersecurity and Infrastructure Security Agency) will develop a framework that will identify public water systems that if damaged or became inoperable, would lead to significant public health and safety issues. When identifying these systems, the Administrator will consider whether (A) cybersecurity vulnerabilities for a public water system have been identified; (B) the capacity of a public water system to remediate a cybersecurity vulnerability without additional Federal support; (C) whether a public water system serves a defense installation or critical national security asset; and (D) whether a public water system, if degraded or rendered inoperable due to an incident, would cause a failure of other critical infrastructure.

Division G: Title VI: Cyber Response and Recovery Act: Subtitle C: Declaration of a Significant Incident: Section 2231 – The purpose of this subtitle is to authorize the Secretary (Homeland Security) to declare that a significant incident has occurred and to establish the authorities that are provided under the declaration to respond to and recover from the significant incident. The Secretary is also enabled to provide voluntary assistance to non-Federal entities impacted by a significant incident.

Section 2234 – Cyber Response and Recovery Fund: There is established a Cyber Response and Recovery Fund, which shall be available for— (1) response and recovery support for the specific significant incident associated with a declaration to Federal, State, local, and Tribal, entities and public and private entities on a reimbursable or Non-reimbursable basis, including through asset response activities and technical assistance, such as— (A) vulnerability assessments and mitigation; (B) technical incident mitigation; (C) malware analysis; (D) analytic support; (E) threat detection and hunting; and (F) network protections; (2) grants for, or cooperative agreements with, Federal, State, local, and Tribal public and private entities to respond to, and recover from, the specific significant incident associated with a declaration.