MI HB6011

Businesses: other; cybersecurity requirements for large-scale solar energy facilities; provide for. Amends 2008 PA 295 (MCL 460.1001 - 460.1232) by adding sec. 112a.


Introduced: 05/21/2026
In Committee: 05/21/2026

Introduced Session

103rd Legislature

Bill Summary

A bill to amend 2008 PA 295, entitled "Clean and renewable energy and energy waste reduction act," (MCL 460.1001 to 460.1232) by adding section 112a.

AI Summary

This bill amends the Clean and Renewable Energy and Energy Waste Reduction Act to establish cybersecurity and resilience requirements specifically for operators of large-scale solar energy facilities, defined as those with a generating capacity of 50 megawatts or more, including associated equipment and any colocated energy storage systems that support operations. The bill emphasizes that these requirements are solely to address public health, safety, and emergency-response risks related to the safe operation of these facilities and do not regulate cybersecurity generally, data centers, or other energy sectors. Operators must implement a risk-based cybersecurity and resilience program aligned with nationally recognized frameworks like those from the National Institute of Standards and Technology (NIST) or the Cybersecurity and Infrastructure Security Agency (CISA), ensuring the program is appropriate to the facility's size, complexity, and foreseeable safety risks. This includes measures for identifying cyber risks, controlling access, segmenting systems, managing supply chain risks, and conducting periodic reviews and testing. Facilities may use safeguards like redundant systems and manual overrides, and compliance does not necessitate changes to workforce levels or collective bargaining agreements. Operators must also maintain an incident response plan that coordinates with emergency responders and provide notification of material cybersecurity incidents—defined as events likely to result in a "cyber compromise" (loss of confidentiality, integrity, or availability of safety-critical systems that impairs safe operations)—to the Michigan State Police and local emergency management coordinators within 24 hours, followed by a high-level written summary within 72 hours. Records detailing specific security measures or incident response are exempt from public disclosure under the Freedom of Information Act. 
Violations of the bill can result in civil fines of up to $25,000 per day, with the Attorney General having the authority to request documentation related to material cybersecurity incidents or enforcement actions, but not for routine audits.

Committee Categories

Business and Industry

Sponsors (5)

Last Action

Bill Electronically Reproduced 05/21/2026 (on 06/02/2026)

Taxonomy

Energy
  • Alternative and Renewable Energy
Space, Science, Technology, and Communications
  • Internet and Computer Issues
