Overview

Title

To require an assessment on manual operations for critical infrastructure, and for other purposes.

ELI5 AI

H.R. 8775 wants to make sure that if computers are attacked by bad guys, important things like water, electricity, and hospitals can keep working by using backup plans that don't rely on computers. They want some really smart people to figure out how to make sure this happens and to tell everyone what they need to do.

Summary AI

H.R. 8775, known as the "Contingency Plan for Critical Infrastructure Act," requires an assessment from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) on the readiness of critical infrastructure to operate manually during cyber incidents. The bill mandates a report on the costs, challenges, and policy recommendations related to this transition. Additionally, FEMA must update practices and guidelines to help infrastructure operators maintain operations without digital systems, detailing how to handle cyber threats effectively. This assessment aims to ensure critical services remain available to the public even if cyber disruptions occur.

Published

2024-06-18
Congress: 118
Session: 2
Chamber: HOUSE
Status: Introduced in House
Date: 2024-06-18
Package ID: BILLS-118hr8775ih

Bill Statistics

Size

Sections: 2
Words: 812
Pages: 5
Sentences: 18

Language

Nouns: 257
Verbs: 61
Adjectives: 59
Adverbs: 10
Numbers: 20
Entities: 38

Complexity

Average Token Length: 4.80
Average Sentence Length: 45.11
Token Entropy: 4.94
Readability (ARI): 27.38

Analysis AI

The "Contingency Plan for Critical Infrastructure Act," officially titled H.R. 8775, proposes a strategic examination of how the United States could maintain operations at critical infrastructure sites during cyber incidents. As introduced in the House of Representatives, the bill underscores the necessity of assessing whether essential services could operate manually if their digital systems were compromised by a cyber threat. This effort is spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Emergency Management Agency (FEMA) and other relevant bodies, with a comprehensive report to be delivered to Congress.

General Summary

The bill outlines a requirement for a sector-by-sector assessment regarding the ability of critical infrastructure to function manually when faced with cyber disruptions. It aims to identify potential costs, challenges, and policy recommendations for maintaining operations without reliance on digital systems. Additionally, the bill mandates updates to planning considerations with a focus on best practices and guidelines to endure such incidents. A central component is understanding what resources and strategies are needed to facilitate this transition and ensure that critical services remain functional for the public.

Significant Issues

There are several key issues identified in the bill. First, the timeline set for the assessment and updates is quite short—180 days—as prescribed by the bill. This could result in rushed and incomplete assessments, potentially jeopardizing the thoroughness and quality of the findings. Another concern centers around the lack of clarity in defining the practical requirements for "manual operating mode," which might lead to varied interpretations and implementations by infrastructure operators.

Moreover, the assessment's deliverables are broadly defined without specific metrics, allowing for discrepancies and potentially uneven evaluations across different agencies and sectors. The bill also does not lay out funding strategies, which could lead to budgetary challenges. The overlap of efforts by agencies like CISA and FEMA also raises concerns about efficiency and resource allocation. Finally, while policy recommendations are called for, their broad and non-specific nature might limit their effectiveness in addressing particular vulnerabilities in various infrastructure sectors.

Impact on the Public and Stakeholders

The legislative effort, if effectively implemented, could enhance national resilience against cyber threats, thereby protecting public access to essential services such as energy, water, and emergency services. For the public, ensuring that critical infrastructure can operate manually during cyber disruptions can prevent interruptions in daily life and maintain trust in these vital services. However, the uncertainty concerning execution timelines and clear operational guidelines could delay immediate benefits.

Specific stakeholders like infrastructure operators might face significant hurdles, including financial and logistical challenges, in preparing for manual operations. Without clear guidelines and support, these stakeholders might struggle to modify their systems adequately. On the positive side, successful implementation could safeguard their operations from becoming vulnerable to cyber incidents, thereby minimizing potential economic loss and reputational damage.

In conclusion, while the bill's intention to bolster the nation's infrastructure resilience is commendable, several aspects require careful consideration and clarification to ensure effective implementation and meaningful benefits for both the public and specific stakeholders.

Issues

  • The timeline set for the assessment and updates is 180 days as per Section 2(a)(1) and 2(b)(1). This duration may be too short to ensure comprehensive and quality work, which could lead to rushed processes and incomplete assessments, potentially compromising the overall effectiveness of the findings.

  • The term 'manual operating mode' in Section 2(c)(2) is defined, but the practical implications and technical requirements for implementing this mode are not clearly outlined. This lack of clarity might result in confusion or inconsistent implementation among critical infrastructure owners and operators.

  • Section 2(a)(2) broadly defines the assessment's deliverables without specific metrics or criteria, which could lead to discrepancies in the depth and scope of evaluation provided by different agencies. This lack of standardization could undermine the effectiveness of the assessment.

  • The potential duplication of efforts by CISA, FEMA, and other sector risk management agencies as mentioned in Section 2(a)(1) could lead to inefficient use of resources, raising concerns about coordination and cost-effectiveness.

  • Section 2 does not specify how funding will be allocated for the assessments and updates, which might lead to budget constraints or misallocation of resources, affecting the execution and thoroughness of the assessments.

  • The policy recommendations in Section 2(a)(2)(E) are broad and non-specific, which could result in generic outcomes that do not adequately address specific vulnerabilities within different sectors, limiting the usefulness of the recommendations.

Sections

Sections are presented as they are annotated in the original legislative text. Any missing headers, numbers, or non-consecutive order is due to the original text.

1. Short title

Summary AI

The first section of the act provides its official name, which is the “Contingency Plan for Critical Infrastructure Act.”

2. Assessment on manual operations for critical infrastructure

Summary AI

The bill requires the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) to assess and report to Congress on the ability of critical infrastructure systems to function manually during cyber incidents, including costs and challenges. Additionally, it mandates updates to planning considerations for such incidents, providing best practices and guidelines for maintaining operations without internet connectivity and managing cyber impacts on control devices.