First Look at Cybersecurity Provisions in the Infrastructure Investment and Jobs Act

Published: August 05, 2021


The new bipartisan infrastructure bill contains more than $1.75 billion in cybersecurity provisions.

As July came to a close, the U.S. Senate announced that both parties had struck a deal on the Infrastructure Investment and Jobs Act, H.R. 3684. The 2,700-page bill is built upon the traditional surface transportation reauthorization bill and by most accounts expands what many would consider to be “infrastructure.” 

Funding Caveats

There are some very important caveats to note regarding the funding amounts listed with the programs and provisions below. First, if the amounts are identified as appropriated then the funds would be provided by Congress once the bill becomes law. However, in some instances the bill enumerates specific amounts that are authorized (only) in the bill’s current form. Congress would need to also appropriate those funds – either by amendment to the existing bill or within separate appropriations – for those monies to become available. Other provisions that authorize spending without specific amounts enumerated would also require some form of appropriation by Congress. Finally, these are the amounts that would be authorized or appropriated if the bill passes in its current form. Congress may still amend the current bill as it moves through the legislative process, but it seems that things are getting fairly solid.

Cybersecurity Provisions

What follows is a rapid analysis of the major cybersecurity provisions in the current bill. Other “cyber nuances” may be found, but this is my best attempt to capture the main items.  

It is noteworthy that the bill includes several cybersecurity provisions that adapt and expand the scope of existing infrastructure programs to consider cyber- and other security concerns. The bill also creates new cybersecurity programs that may be considered adjacent markets, if you will.

Much of the funding comes in the form of grants to States and local entities. However, it is likely that tens of millions of dollars will also be available for contract support at both the federal and state/local levels.

Executive Office of the President

White House Office of the National Cyber Director – Appropriates $21M to remain available through FY 2022 to cover salaries and expenses.

Department of Energy

Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program – Appropriates $250M, $50M per FY 2022-2026. Establishes the grant program “to provide competitive grants and technical assistance to, and enter into cooperative agreements with, eligible entities to protect against, detect, respond to, and recover from cybersecurity threats.”

Cybersecurity for the Energy Sector Research, Development, and Demonstration Program – Appropriates $250M, $50M per FY 2022-2026. Establishes an R&D program to develop advanced cyber applications for the energy sector.

Energy Sector Operational Support for Cyberresilience Program – Appropriates $50M. Establishes a program to enhance and test emergency response and expand coordination with other agencies, the Intelligence Community (IC) and private industry.

Modeling and Assessing Energy Infrastructure Risk – Appropriates $50M. Establishes a program to develop an advanced energy security program to secure energy networks, conduct research on hardening solutions and mitigation/recovery, and provide technical assistance to states.

Promoting the Physical Security and Cybersecurity of Electric Utilities. Authorizes the creation of a program to promote and advance physical security and cybersecurity of electric utilities (maturity models, assessments/audits, assist with threat assessment, cyber training, technical assistance, advance 3rd party vendors that manufacture components of the electric grid, increase opportunities for sharing best practices and data collection).

Energy Cyber Sense Program. Establishes a voluntary program to test the cybersecurity of products and technologies intended for use in the energy sector, including in the bulk-power system.

Department of Transportation  

Cyberskilling for Intelligent Transportation Technologies – Authorizes $5M for each year from FY 2022-26. Directs DOT and the National Academy of Sciences to develop a workforce needs assessment that addresses the education, development and recruitment of a technical workforce for the intelligent transportation technologies and systems industry, including skills in data analysis and review and cybersecurity. Directs DOT to establish a working group to develop an intelligent transportation technologies and systems industry workforce development implementation plan and an outreach program to increase awareness of career opportunities in the transportation sector.

University Transportation Centers Program. Directs DOT to add “the cybersecurity implications of technologies relating to connected vehicles, connected infrastructure, and autonomous vehicles” to considerations and research and innovation activities under the DOT University Transportation Centers grants program.

Risk Management and Cyber Workforce Framework. Requires DOT to implement GAO recommendations regarding developing and implementing enterprise cybersecurity risk management and applying the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to DOT’s cybersecurity workforce practices, both within 3 years. Directs the GAO to assess and report on the DOT’s cybersecurity program and practices within 18 months.                                                    

Environmental Protection Agency

Water Data Sharing Pilot Program – Authorizes $15M each year from FY 2022-26. Establishes at the EPA a competitive grant pilot program to establish systems that improve the sharing of information concerning water quality, water infrastructure needs, and water technology, including cybersecurity technology, between States or among counties and other units of local government within a State.

Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA)

Declaration of a Significant Cyber Incident. Authorizes the DHS Secretary to declare that a significant cyber incident has occurred, to establish the authorities to respond to and recover from the significant incident, and to enable DHS to provide voluntary assistance to non-Federal entities impacted by a significant incident.

Cyber Response and Recovery Fund – Appropriates $100M, $20M per year from FY 2022 through FY 2026, with all funds remaining available through FY 2028. Establishes the fund to support Federal, State, local, and Tribal entities and public and private entities for cyber incident response and recovery. Covered response activities and technical assistance include: vulnerability assessments and mitigation; technical incident mitigation; malware analysis; analytic support; threat detection and hunting; network protections; hardware or software updates or replacement; and technical contract personnel support.

State and Local Cybersecurity Grant Program – Authorizes $1B in grants through FY 2025; $200M, $400M, $300M, and $100M for FYs 2022, 2023, 2024 and 2025 respectively. Creates a new program to award grants to eligible entities to address cybersecurity risks and cybersecurity threats to information systems owned or operated by, or on behalf of, State, local, or Tribal governments. Funds may be used to develop, implement or revise the entity’s cybersecurity plan; assist with activities that address imminent cybersecurity threats; or any other appropriate activity as determined by the Cybersecurity and Infrastructure Security Agency (CISA). The section also includes detailed provisions and parameters of how the program would operate.

CISA Protection, Preparedness, Response, and Recovery Operations Support – Appropriates $35M to remain available through FY 2026. Operations and Support funding for CISA risk management operations and stakeholder engagement and requirements under an emergency response requirement.

The Path Forward

The bill is currently in the U.S. Senate where amendments are being offered to further shape the final legislation. It is still possible that the bill could face some effort by House members to create an even more expansive infrastructure package when they return to session in September.

Whatever the final outcome, the new legislation is pointing to billions of dollars in cybersecurity spending at the federal level and beyond, promising contracting opportunities that will span the next several fiscal years and beyond.