Funded, Not Secured: The April 20 DPA Determinations & the Bulk Electric System

By Patrick Miller

Two April 20 Defense Production Act determinations expand domestic capacity for grid components and large-scale energy infrastructure. Neither directly addresses cybersecurity. For the electric sector, NERC CIP and the O&P standards still apply. A practitioner's view of intersections with CIP-013, CIP-014, PRC, FAC, and TPL, and why domestic capacity is not domestic assurance. Federal industrial policy now treats grid equipment as essential to national defense. NERC CIP still treats it as a regulated cyber-physical system. The two are aligned in direction and silent on each other in execution. The compliance burden doesn’t move.

Overview

On April 20, 2026, the President issued four Defense Production Act Section 303 determinations. Two land directly on the electric sector: the Grid Infrastructure memo and the Large-Scale Energy Infrastructure memo.

Five things to take from this package:

  1. The mechanism is federal spending and procurement authority, not new regulation. NERC CIP and the Order 693 reliability standards continue to apply unchanged.

  2. The components named in the Grid memo sit inside CIP scope. The cyber attack surface they carry is not addressed in either memo.

  3. New domestic suppliers stood up under DPA financing introduce a CIP-013 supply chain risk problem that federal financing does not solve. The Registered Entity inherits it.

  4. Order 693 O&P standards are not in conflict with the memos, but deployment sequencing creates real planning, protection, and modeling risk.

  5. Domestic origin does not equal domestic assurance. Steel and copper are not the threat surface. Firmware, build pipelines, and vendor remote access are.

What the Memos Do Not Do

But before we go any deeper, the first question most people are asking is: does this restrict purchasing equipment not made in the USA?

Short answer: no. Longer answer: Section 303 of the Defense Production Act is spending authority, not prohibition authority. It lets the President fund domestic production capacity through purchases, purchase commitments, subsidies, loans, and loan guarantees. It does not prohibit anyone from buying foreign equipment, impose tariffs, block imports, or require utilities to source domestically. The 303(a)(7) waiver in the memos waives the procedural findings that would otherwise be required before DOE can spend the money. It does not waive anyone's right to import.

What the Two Memos Authorize

| Element | Grid Infrastructure memo | Large-Scale Energy Infrastructure memo |
| --- | --- | --- |
| Authority | Section 303, 50 U.S.C. 4533 | Section 303, 50 U.S.C. 4533 |
| Waiver invoked | 303(a)(7), waiving 303(a)(1) through (a)(6) | 303(a)(7), waiving 303(a)(1) through (a)(6) |
| Underlying emergency | EO 14156 (National Energy Emergency, January 20, 2025) | EO 14156 (National Energy Emergency, January 20, 2025) |
| Stated barriers | Foreign supply dependence, long production lead times, insufficient capital investment | Financing risks, regulatory delays, market barriers |
| Scope of action | Components and upstream supply chains | Project execution and deployment |
| Tools authorized | Purchases, purchase commitments, financial support for production capabilities | Purchases, commitments, financial instruments to enable projects |
| Implementing agency | Department of Energy | Department of Energy |
| Cybersecurity language | None | None |

The two memos are paired by design. One funds the parts. The other funds the build.

Where the Memos Land in NERC CIP

The Grid memo names components that NERC CIP regulates as cyber-physical assets. The mapping is direct:

| Component named | CIP-relevant character | Most-implicated CIP standards |
| --- | --- | --- |
| Protective relay systems | BES Cyber Asset, often routable, firmware-driven | CIP-002, CIP-005, CIP-007, CIP-010, CIP-013 |
| Power control electronics (RTUs, IEDs, FACTS, HVDC controls) | BES Cyber Asset or Protected Cyber Asset, firmware-driven | CIP-002, CIP-005, CIP-007, CIP-010, CIP-013 |
| High-voltage circuit breakers | Physical asset with a cyber control surface (associated relays, SCADA tie-ins) | CIP-013 procurement; indirect via associated BCAs |
| Substations | Facilities containing BES Cyber Systems and Physical Security Perimeters | CIP-002 categorization; CIP-006; CIP-014 |
| Transformers (GSUs, LPTs) | Increasingly instrumented (DGA monitors, bushing sensors, GIC monitoring); CIP-013 in procurement scope | CIP-013, CIP-014 (when sited in critical substations) |
| Capacitor banks | Switched and protected via cyber-bearing relays and gear | CIP-002, CIP-013 |

The most direct intersection is CIP-013. The standard requires Registered Entities to identify and assess cybersecurity risks during procurement of high and medium impact BES Cyber Systems, verify software integrity and authenticity, and coordinate vendor remote access controls. Federal action expanding domestic capacity does not change any of those requirements.

A relay manufactured in Ohio under DPA financing is still subject to CIP-013 procurement controls. Domestic origin does not produce a CIP-013-compliant relay by default. That is the gap to plan around.

The likely tension is structural. DPA Title III is built for speed and scale. CIP-013 is built for risk analysis and management. New domestic suppliers spun up rapidly under DPA financing may not arrive with the cybersecurity engineering maturity, secure development practices, signed-firmware infrastructure, or vulnerability disclosure programs that established Tier-1 vendors have built over a decade. Procurement and security teams should expect to perform more vendor cybersecurity due diligence on new entrants, not less.

CIP-014. The Grid memo explicitly names substations. As DPA financing accelerates new builds and replacements, CIP-014 critical substation analyses and physical security plans need to be in scope from day one. Retrofitting physical security after construction is more expensive and less effective.

Echo of EO 13920. The 2020 Bulk-Power System executive order used IEEPA to prohibit certain foreign-adversary equipment procurement (a regulatory push). The April 20 DPA action uses spending authority to incentivize domestic supply (a financial pull). They are complementary in direction. If the administration adds a new prohibited-transaction layer through Section 232, IEEPA, or a refreshed BPS rule, the regulatory and financial tracks would converge and CIP-013 documentation requirements would intensify.

Where the Memos Land in Order 693/O&P Standards

The Order 693/O&P (Operations & Planning) Reliability Standards are largely performance-based and entity-conduct-focused. The DPA action is upstream, but several intersections matter:

| O&P standard family | Intersection with the April 20 memos |
| --- | --- |
| PRC (Protection and Control) | New domestic relays must satisfy PRC-005 maintenance, PRC-019 coordination, PRC-024 voltage and frequency ride-through, and PRC-025 generator protective relay loadability. Field-proving cycles for new platforms can create temporary deployment friction. |
| FAC (Facilities Design and Ratings) | New transformers and conductors with revised ratings affect FAC-008 facility ratings methodology and indirectly FAC-003 vegetation management when reconductoring expands clearance envelopes. |
| TPL (Transmission Planning) | New equipment with different impedance, ratings, and thermal characteristics flows into TPL-001 planning studies and TPL-007 GMD assessments. |
| MOD (Modeling, Data, and Analysis) | Equipment characteristics for new domestic platforms must be established and validated before deployment at scale. |
| EOP (Emergency Preparedness and Operations) | Spare equipment strategies and system restoration plans (EOP-005, EOP-006) assume certain equipment availability. DPA-funded spare programs intersect here directly. |
| TOP and IRO (Operations) | Operating procedures and real-time tools accommodate new equipment characteristics. Less direct, but real for Reliability Coordinators and Transmission Operators. |

There is no direct conflict in the memo text. The risk lives in sequencing. Deployment ahead of modeling, protection coordination studies, or operator training lands on the Reliability Coordinator and Transmission Operator. That is operational risk, not regulatory conflict, but it is real.

Hardware? Or Cyber?

The plain reading of both memos is industrial. Steel, copper, conductors, and capacity. The components named in the Grid memo are not industrial in the 1950s sense. A protective relay is a computer with current transformer inputs. Power control electronics run firmware. A modern transformer often ships with a digital monitoring stack. A substation is a facility full of cyber assets bound by Physical Security Perimeters and Electronic Security Perimeters.

The cyber surface the memos do not address:

  • Firmware integrity and signing. New domestic manufacturers need secure development lifecycle practices, signed firmware infrastructure, and vulnerability disclosure programs. The memos do not require any of this.

  • Manufacturing environment security. Build pipeline integrity, OT security in the factory itself, and protection of design and configuration data. Not addressed.

  • Embedded vulnerabilities. What ships in the box. Not addressed.

  • Vendor remote access posture. CIP-005 R2 and CIP-013 vendor access controls assume mature vendor practices. New entrants may not arrive with them.

  • SBOM and software transparency. Not mentioned. EO 14028 and subsequent OMB guidance asked for SBOMs in federal procurement. Whether DPA-funded purchases inherit those requirements is not specified in the memo text.

The policy gap is significant. The DPA action treats grid equipment as an industrial commodity. Modern grid equipment is a software product wrapped in steel and copper. Federal industrial policy is moving to expand domestic capacity for cyber-physical equipment without an accompanying federal cybersecurity assurance framework for that equipment. The Registered Entity inherits the gap.

What This Means by Stakeholder

Generation. The Coal/Baseload and Natural Gas siblings carry more direct generation impact, but the Grid memo touches generator step-up transformers, generator protective relays (PRC-019, PRC-024, PRC-025), and substation work at plant interconnections. New equipment from new suppliers will trigger CIP-013 procurement work and PRC field-proving cycles.

Transmission. The center of gravity. Transformer, conductor, breaker, relay, and substation procurement and replacement decisions intersect with CIP-002 categorization, CIP-013 supply chain risk management, CIP-014 critical substation security, and the full PRC, FAC, TPL stack. Engineering, planning, and compliance need a shared view of the deployment pipeline.

Distribution. Federal action focuses on bulk system equipment, but distribution-level utilities operating substations that interconnect to BES facilities, or running their own SCADA and protection systems, should expect supplier landscape shifts. State PUC supply chain expectations may track federal direction.

Compliance. CIP-013 vendor risk assessment methodology needs to accommodate new domestic entrants without lowering the bar. Expect CIP-002 categorization reviews triggered by equipment swaps. Maintain documentation discipline around procurement decisions made under accelerated timelines.

Procurement. New supplier qualification programs. Cybersecurity attestation requirements built into POs. Contractual provisions covering firmware signing, vulnerability disclosure, secure development lifecycle attestations, vendor remote access controls, and supply chain provenance. The temptation to relax due diligence in exchange for delivery speed should be resisted in writing.

Engineering and Operations. Modeling parameters for new platforms validated before bulk deployment. Protection coordination studies updated. Operator training and procedure revisions sequenced ahead of energization, not behind it.

Executive and Board. This is a strategic supply chain shift. Treat it as one. Allocate budget for vendor due diligence and field-proving. Allocate calendar for protection coordination and modeling work. Communicate the speed-versus-assurance tradeoff to the board and to the regulator before it shows up in an audit finding.

Audit Preparation Questions

  • For each component class named in the Grid memo, what is our current vendor base, and what is the CIP-013 supply chain risk posture for each vendor?

  • When a new domestic entrant emerges, what is our process for cybersecurity due diligence beyond the standard procurement checklist?

  • For substations on our CIP-014 critical asset list, what is the design and construction sequence for cyber and physical security controls? Baseline or retrofit?

  • Where in our CIP-005 vendor remote access program do we accommodate new vendors with less mature security operations?

  • For procurement decisions made under accelerated timelines, what evidence package do we maintain to demonstrate CIP-013 R1 and R2 compliance?

  • What is our position on signed firmware, SBOMs, and vulnerability disclosure in vendor contracts? Is it consistent across procurement categories?

  • For new equipment families, who owns the modeling parameter validation, the protection coordination study update, and the operator training? Is the schedule realistic?

Forward-Looking Open Questions

  • Will DPA-funded purchases inherit federal cybersecurity assurance requirements (EO 14028 SBOM expectations, NIST SP 800-161 supply chain risk practices, secure software development attestation), or will those be left to the buyer?

  • Will the administration pair this DPA action with a refreshed BPS prohibited-transaction rule, a Section 232 measure, or new NERC CIP-013 enhancements? Convergence of regulatory and financial tracks would change the compliance posture materially.

  • Will DOE implementation guidance specify cybersecurity criteria for funded production capacity, or will it focus on industrial throughput?

  • How will FERC and NERC respond to a near-term wave of new domestic equipment from suppliers without an established cybersecurity engineering track record?

  • Will state PUCs align supply chain expectations with federal direction, or will the patchwork of state-level cybersecurity rules continue to grow?

  • For long lead-time assets, particularly large power transformers, how will the DPA action interact with the Strategic Transformer Reserve and SPARE-style programs?

The April 20 package is a real industrial policy move. It is welcome in direction. It is not a substitute for the cybersecurity assurance work that lives with the Registered Entity, the Reliability Coordinator, and the operator. Domestic capacity is necessary. It is not sufficient. The work continues.
