StacksVerified U.S. regulatory reference

42 U.S.C. § 18721

Verified against govinfo.gov as of June 20, 2026View official text on govinfo.gov
  1. (a)In this section:
    1. (1)The terms “bulk-power system” and “Electric Reliability Organization” has the meaning given the terms in section 824o(a) of title 16.
    2. (2)The terms “electric utility” and “State regulatory authority” have the meanings given the terms in section 796 of title 16.
  2. (b)
    1. (1)The Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as the Secretary determines to be appropriate, the heads of other relevant Federal agencies, State regulatory authorities, industry stakeholders, and the Electric Reliability Organization, shall carry out a program—
      1. (A)to develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
      2. (B)to assist with threat assessment and cybersecurity training for electric utilities;
      3. (C)to provide technical assistance for electric utilities subject to the program;
      4. (D)to provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;
      5. (E)to advance, in partnership with electric utilities, the cybersecurity of third-party vendors that manufacture components of the electric grid;
      6. (F)to increase opportunities for sharing best practices and data collection within the electric sector; and
      7. (G)to assist, in the case of electric utilities that own defense critical electric infrastructure (as defined in section 824o–1(a) of title 16), with full engineering reviews of critical functions and operations at both the utility and defense infrastructure levels—
        1. (i)to identify unprotected avenues for cyber-enabled sabotage that would have catastrophic effects to national security; and
        2. (ii)to recommend and implement engineering protections to ensure continued operations of identified critical functions even in the face of constant cyber attacks and achieved perimeter access by sophisticated adversaries.
    2. (2)In carrying out the program under paragraph (1), the Secretary shall—
      1. (A)take into consideration—
        1. (i)the different sizes of electric utilities; and
        2. (ii)the regions that electric utilities serve;
      2. (B)prioritize electric utilities with fewer available resources due to size or region; and
      3. (C)to the maximum extent practicable, use and leverage—
        1. (i)existing Department and Department of Homeland Security programs; and
        2. (ii)existing programs of the Federal agencies determined to be appropriate under paragraph (1).
  3. (c)Not later than 1 year after November 15, 2021, the Secretary, in coordination with the Secretary of Homeland Security and in consultation with, as the Secretary determines to be appropriate, the heads of other Federal agencies, State regulatory authorities, and industry stakeholders, shall submit to Congress a report that assesses—
    1. (1)priorities, policies, procedures, and actions for enhancing the physical security and cybersecurity of electricity distribution systems, including behind-the-meter generation, storage, and load management devices, to address threats to, and vulnerabilities of, electricity distribution systems; and
    2. (2)the implementation of the priorities, policies, procedures, and actions assessed under paragraph (1), including—
      1. (A)an estimate of potential costs and benefits of the implementation; and
      2. (B)an assessment of any public-private cost-sharing opportunities.
  4. (d)Information provided to, or collected by, the Federal Government pursuant to this section the disclosure of which the Secretary reasonably foresees could be detrimental to the physical security or cybersecurity of any electric utility or the bulk-power system—
    1. (1)shall be exempt from disclosure under section 552(b)(3) of title 5; and
    2. (2)shall not be made available by any Federal agency, State, political subdivision of a State, or Tribal authority pursuant to any Federal, State, political subdivision of a State, or Tribal law, respectively, requiring public disclosure of information or records.