H.R.3684: A Cyber Security Perspective

The Infrastructure and Jobs Act (H.R. 3684) that was signed into law in November 2021 includes $1.2 billion for cyber security protection of federal, state, and local government organizations as well as private businesses, especially those considered part of the critical infrastructure. Cyber security provisions of the bill include:

• $1 billion over four years to fund state, local, tribal, and territorial governments to deter attacks from malicious cyber actors and modernize systems to protect sensitive data, information, and public critical infrastructure.
• $100 million to help victims of a serious attack recover quickly and help the government to improve cyber security needs by securing their networks, assessing their cyber security vulnerabilities, and building up their cyber security workforce.
• $21 million to support the recently created National Cyber Director (NCD), including securing qualified cyber security personnel.
• Plus, some of the funding allocated specifically for water and wastewater improvements is designated for cyber security.

“ .. this important bipartisan bill will help seal up network vulnerabilities in critical infrastructure companies and at all levels of government,” said Chairman of the Homeland Security and Governmental Affairs Committee Senator Gary Peters, who introduced much of the cyber security content into the bill.

The bulk of the funding will be managed by the department of homeland security by the newly appointed National Cyber Director (NCD) Chris Inglis, a former director of the National Security Agency. He will be part of the triumvirate that drive the Federal cyber security initiatives, along with his former NSA colleague Jen Easterly, who now heads the U.S. Cyber security and Infrastructure Security Agency (CISA) and Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, National Security Council.

The bill empowers CISA to coordinate federal and non-federal cyber security response efforts and allows the Secretary of DHS access to a Cyber Response and Recovery Fund that would help support federal and non-federal entities impacted by an event. It also gives DHS the authority, in consultation with the NCD, to declare a significant incident in the event of an ongoing or imminent attack that would impact national security, economic security, or government operations.

Some of the water infrastructure provisions in H.R.3684 will also impact cyber security. One requires the Environmental Protection Agency and CISA to identify public water systems that, if degraded or rendered inoperable due to a cyber-attack, would lead to significant impacts on the health and safety of the public. Another directs the EPA Administrator to work with the CISA Director to develop a Technical Cyber Security Support Plan to ensure both agencies are prioritizing their resources to offer cyber security support to water systems across the country. The bill also sets timelines for making specific services, such as penetration testing, site vulnerability assessments, and risk assessments, available to local governments.

Other parts of the bill that will impact cyber security include a mandate for the Federal Highway Administration to develop a tool to help the transportation authority manage cyber incidents; public-private sector partnership for electric utilities, including voluntary implementation of maturity models; and provisions for tighter scrutiny of the grid supply chain.

Coming down the road

The next influx of Federal funding for cyber security could come if the Build Back Better legislation (H.R.5376) passes by the end of the year, as Democrats hope. This would allocate $50 million specifically for control system cyber security. And in addition to that, a bipartisan group of senators has proposed amendments to the pending FY2022 National Defense Authorization Act (NDAA), which would release more funds for cyber security, including enforcement of prompt reporting of cyberattacks and ransom payments.

For a related story on how H.R.3684 could impact the water and wastewater industry, see  H.R.3684: Rejuvenating the Water Infrastructure.