Congress Watch
Rural Utility Cybersecurity Funding Bill Advances With $250M Plan
The Rural and Municipal Utility Cybersecurity Act would reauthorize federal help for the rural utility cybersecurity grant program, giving smaller electric utilities grants, technical assistance, and prizes to defend against cyberattacks. The rural utility cybersecurity funding bill targets co-ops, municipal systems, and other smaller providers that often lack the staff and tools of large grid operators.
What the bill does
Reauthorizes DOE help for smaller electric utilities, with $250 million authorized from fiscal 2026 through 2030.
A cyber incident at a small electric utility can ripple well beyond one service territory, affecting homes, farms, schools, hospitals, and local emergency systems. That is the premise behind the Rural and Municipal Utility Cybersecurity Act, a House bill that would extend federal cybersecurity support for smaller power providers and keep money flowing to the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program.
The bill advanced in the House on June 29, 2026, signaling renewed interest in a narrow but important part of grid security: utilities that serve less-populated or locally owned systems and may have limited cybersecurity staff. Those systems still operate billing, dispatch, operations, and emergency-response networks, which makes them potential targets even if they are not the biggest players on the grid. The bill’s focus on grants, technical assistance, and priority for resource-constrained utilities reflects a practical question Congress keeps returning to: where does federal cyber help do the most good, and how much should remain shielded from public disclosure to encourage sharing threat information?
Why smaller utilities are the target
The Rural and Municipal Utility Cybersecurity Act is built around a simple premise: smaller electric utilities often face the same cyber threats as larger companies, but with fewer resources to defend against them. The bill would reauthorize section 40124 of the Infrastructure Investment and Jobs Act, keeping alive the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program for utilities that may not have enterprise-level cyber teams.
Eligible entities include rural electric cooperatives, municipally owned utilities, utilities owned by political subdivisions of a state, not-for-profit partners working with at least six eligible utilities, and investor-owned utilities that sell less than 4,000,000 megawatt hours per year. In other words, the program is designed for systems that are small enough to be vulnerable, but important enough that a disruption can quickly become a public problem.
The bill also gives priority to applicants with limited cybersecurity resources, to utilities tied to bulk-power system reliability, and to operators of defense critical electric infrastructure. That means federal dollars would be steered toward utilities where a cyber failure could have outsized consequences for public safety and infrastructure resilience.
How the federal program would work
Under the bill, the Secretary of Energy could provide hands-on technical assistance and award grants, cooperative agreements, and prizes. The statutory language is broad enough to cover help for utilities trying to protect against, detect, respond to, and recover from cybersecurity threats, which is important because the challenge is not just stopping intrusions but also restoring service quickly if an attack succeeds.
The bill authorizes $250 million for fiscal years 2026 through 2030. That does not guarantee annual spending on that schedule, but it does set the ceiling and signals congressional intent to keep the program operating over multiple years rather than treating it as a one-off response. For rural and municipal utilities that plan upgrades in phases, that longer horizon matters.
The practical effect is to make federal support more available for cyber assessments, training, technical upgrades, and incident-response planning. The bill does not create a universal grid cybersecurity regime; it narrows the focus to a segment of utilities that often serve rural communities and local infrastructure with fewer economies of scale.
What changes for transparency and privacy
One notable feature of the bill is its confidentiality language. Information shared under the program would be treated as voluntarily shared information and exempt from federal FOIA as well as similar state, tribal, and local disclosure laws. The idea is to make it easier for utilities and governments to share vulnerability and threat information without fearing that sensitive details will later become public.
That protection can encourage candor, especially when a utility is discussing weak points, incident data, or operational details with federal officials. But it also limits outside oversight. Supporters are likely to view the privacy shield as a necessary condition for information-sharing in cybersecurity. Critics may see it as a constraint on public scrutiny, particularly because the bill touches infrastructure that serves communities and may involve public funds.
This trade-off is not unique to cyber policy, but it is especially consequential here because utility systems are essential services. Congress is balancing a desire for more threat reporting against the risk that disclosure could expose weaknesses or discourage participation in the program altogether.
What to watch next in the House and beyond
The latest action on the bill was procedural: the motion to reconsider was laid on the table and agreed to without objection on June 29, 2026. That indicates the House has moved the measure forward, but it does not by itself tell you whether the bill will become law or whether the Senate will take it up in the same form.
The main questions going forward are straightforward. Will lawmakers keep the authorization at $250 million through 2030? Will the confidentiality provisions remain intact if the bill gets merged into larger infrastructure or energy legislation? And will the eligibility rules stay focused on smaller utilities, or will other categories of grid operators push to be included?
Because the bill sits at the intersection of technology, energy, and infrastructure, it is likely to be judged on implementation as much as intent. A program can look strong on paper but still fall short if utilities do not apply, if technical assistance is too thin, or if the money does not reach the systems with the greatest need.
Key takeaways
- The rural utility cybersecurity funding bill would reauthorize a DOE grant and technical assistance program for smaller electric utilities.
- It authorizes $250 million for fiscal years 2026 through 2030 and prioritizes utilities with limited cyber resources.
- Eligible recipients include rural co-ops, municipal utilities, certain not-for-profits, and some small investor-owned utilities.
- Shared information under the program would be protected from FOIA and similar disclosure laws.
- The bill is aimed at practical grid defense, not a broad federal cybersecurity overhaul.
FAQ
What is the rural utility cybersecurity funding bill?
It is the Rural and Municipal Utility Cybersecurity Act, a House bill that would extend a federal DOE program that helps smaller electric utilities improve cybersecurity through grants, technical assistance, cooperative agreements, and prizes.
Which utilities could qualify for help?
The bill covers rural electric cooperatives, municipally owned utilities, utilities owned by political subdivisions of a state, certain not-for-profit partners, and investor-owned utilities that sell less than 4,000,000 megawatt hours per year.
How much money does the bill authorize?
It authorizes $250 million for fiscal years 2026 through 2030.
Why does the bill protect information from disclosure?
The bill says information shared under the program is voluntary and exempt from FOIA and similar state, tribal, and local disclosure laws, with the goal of encouraging utilities to share sensitive cyber information more freely.