Dive Brief:
- The House of Representatives passed the $1.2 trillion infrastructure bill Friday, allocating billions of dollars in funding for cybersecurity infrastructure investments.
- The Senate passed the Infrastructure Investment and Jobs Act in August, and the bill now awaits President Joe Biden's signature. The legislation includes $550 billion in new spending for U.S. transportation and utility infrastructure.
- The White House called the bill "the largest investment in the resilience of physical and natural systems in American history." It allocates $50 billion for protection against climate change and cyberattacks.
Dive Insight:
About $2 billion is set aside for cybersecurity investments, and half of that funding is for the State, Local, Tribal and Territorial (SLTT) Cyber Grant Program within the Cybersecurity and Infrastructure Security Agency (CISA) over four years.
The legislation will also give the national cyber director a $21 million budget and create a $100 million Cyber Response and Recovery Fund over the next five years.
The legislation will closely tie cyber with physical investments as the government works to empower cross-sector information sharing, transportation-related security mandates, and identification of the nation's most vulnerable critical infrastructure.
Within two years of the bill passing, the legislation requires the Administrator of the Federal Highway Administration to develop a tool for transportation authorities to identify, detect, protect against, and respond to cyber incidents. The tool will incorporate frameworks provided by the National Institute of Standards and Technology (NIST) and coordinate with the Transportation Security Administration (TSA) and CISA.
The bill calls for a public-private sector partnership for electric utilities, in part to develop voluntary implementation of maturity models, self-assessments, and auditing methods, and to advance the cybersecurity of third-party vendors manufacturing components for the grid.
The bill's cyber inclusion comes as Congress is pushing for more cybersecurity regulation.
With the FY2022 National Defense Authorization Act (NDAA) pending, Congress has the opportunity to plug pieces of its cyber legislation into the annual bill. At least one part of the Cyber Incident Reporting Act of 2021, introduced by Senators Gary Peters, D-Mich., and Rob Portman, R-Ohio, is expected to make it into the NDAA as an amendment, with the support of Senators Mark Warner, D-Va., Susan Collins, R-Maine, and Kyrsten Sinema, D-Ariz.
The amendment would require civilian federal agencies and critical infrastructure owners and operators to report any covered cyber incident, meaning a confirmed cyberattack, to CISA within 72 hours of when the victim organization "reasonably believes" the incident happened. Organizations will also have to report ransom payments to CISA no later than 24 hours post-payment.