Codify — Article

PROTECT the Grid Act orders assessment of foreign‑controlled IoT risks to the U.S. grid

Requires Commerce to map vulnerabilities from high‑wattage internet‑connected appliances, recommends mitigation options, and codifies Executive Order 13873 into law.

The Brief

The bill tasks the Secretary of Commerce with producing a comprehensive assessment of national‑security vulnerabilities arising from internet‑connected, high‑power appliances and the applications that control them, and it enacts Executive Order 13873 into statute.

Lawmakers frame the package as a targeted response to research showing how coordinated manipulation of Internet‑of‑Things devices (sometimes called MaDIoT attacks) could destabilize power systems. For regulated stakeholders—utilities, appliance makers, importers and federal procurement officers—the bill sets up a policy review that could lead to procurement limits, labeling or certification, and other supply‑chain controls.

At a Glance

What It Does

Directs the Secretary of Commerce to produce a timed, cross‑agency report identifying risks posed by foreign‑adversary‑controlled applications that can operate high‑wattage IoT devices and to recommend mitigation measures. The bill also converts Executive Order 13873 (securing ICTS supply chains) into law and requires the Archivist to append the order to the statute print.

Who It Affects

Manufacturers, importers, and app developers of appliances that draw or control more than 500 watts; federal procurement officials; utilities and grid operators asked to model demand‑manipulation scenarios; and agencies asked to participate in the interagency assessment. It also targets entities that meet the bill’s ‘‘covered entity’’ definition—those owned by, controlled by, or subject to foreign adversaries.

Why It Matters

The bill codifies an existing executive‑branch supply‑chain authority and places the Commerce Department at the center of a national‑security study of consumer IoT tied to power demand—an area where technical research suggests coordinated demand manipulation could cause grid instability. Its recommendations could prompt procurement bans, certification rules, or labeling that materially reshape appliance supply chains and federal buying practices.


What This Bill Actually Does

The Act sets a short, structured pathway for the federal government to identify whether consumer‑facing applications and platforms can be leveraged—intentionally or inadvertently—by foreign adversaries to alter electricity demand on a scale that matters to the grid. The Commerce Secretary must work with other federal agencies to gather deployment data, technical analyses, and stakeholder input and to produce a report with findings and policy recommendations.

The bill gives a non‑exhaustive menu of mitigation options that the report may recommend, including applying the authorities in Executive Order 13873, restricting federal procurement, and setting device certification or labeling rules.

To make the analysis practical, the text defines the scope of covered devices and actors: a ‘‘high‑wattage IoT device’’ is any internet‑connected appliance or device capable of consuming or controlling more than 500 watts, and a ‘‘covered entity’’ includes firms owned by, controlled by, or otherwise subject to foreign adversaries (as cross‑referenced to existing statutory definitions). The bill asks the Commerce Department to inventory deployment, assess technical risks to grid stability (frequency imbalances, cascading failures), and gather public comments, academic findings, and industry input to ground its recommendations. The report must be delivered to specific congressional committees and is due within a fixed window after enactment.

Beyond the report requirement, the Act expressly enacts Executive Order 13873 into law, preserving its text in an appendix to the Statutes at Large. That codification signals Congress’s intent to make the executive order’s supply‑chain authorities permanent and available as a policy lever for the mitigation options the Commerce report may propose.

The Five Things You Need to Know

1. The bill establishes a 270‑day deadline for Commerce to deliver the assessment to the Senate Commerce Committee and the House Energy and Commerce Committee.

2. It defines a ‘‘high‑wattage IoT device’’ as any internet‑connected appliance or device capable of consuming or controlling more than 500 watts.

3. The statutory definition of ‘‘covered entity’’ targets companies owned by, controlled by, or subject to foreign adversaries and cross‑references the covered nation definition in 10 U.S.C. 4872(f).

4. Among recommended mitigations, the bill lists applying Executive Order 13873 authorities to IoT transactions, restricting federal procurement of products with foreign‑adversary‑controlled applications, and establishing certification or labeling for high‑wattage devices.

5. Section 5 transforms Executive Order 13873 into statute and requires the Archivist to append the full text of the Executive Order to the Act when published in slip form and the Statutes at Large.

Section-by-Section Breakdown


Section 1

Short title

Gives the Act its public name, ‘‘PROTECT the Grid Act’’ (Preventing Remote Operations by Threatening Entities on Critical Technology for the Grid Act). This is a caption only but signals the bill’s targeting of remote‑control vectors in consumer technology.

Section 2

Findings and purposes

Lists congressional findings that underpin the report requirement: widespread deployment of high‑wattage IoT appliances, specific concerns about companies under foreign adversary influence, reference to the People’s Republic of China’s Cybersecurity Law and embedded Party structures, and academic MaDIoT research. The findings are intended to justify a national‑security framing for supply‑chain measures and to narrow the policy conversation to appliances and applications that interact with electrical demand.

Section 3

Key definitions

Specifies operative terms the rest of the Act uses: consumer product (as CPSC uses it), foreign adversary (via reference to 10 U.S.C. 4872(f)), covered entity (broadly capturing ownership, control, or direction), foreign adversary‑controlled application (explicitly including parent/subsidiary chains), and the 500‑watt threshold for ‘‘high‑wattage IoT device.’’ Practically, these definitions determine the perimeter of the Commerce assessment and any downstream policy options like procurement restrictions or labeling requirements.

Section 4

Commerce report: mandated assessment and recommended mitigations

Directs the Secretary of Commerce to convene relevant federal officials and compile a report assessing national‑security risks posed by foreign‑adversary‑controlled applications that can operate high‑wattage IoT devices. The statute lists minimum considerations—deployment extent, risk to grid stability (frequency imbalances, cascading failures), and solicitation of public comments and stakeholder input—and offers a non‑exclusive set of mitigation options the report may include (application of EO 13873 tools, federal procurement limits, certification/labeling). The list frames what policy levers Commerce should evaluate and leaves the final selection to the agency’s judgment in consultation with peers.

Section 5

Codification and publication of Executive Order 13873

Enacts the text of Executive Order 13873 into law and requires the Archivist to append the Executive Order’s text to the Act in the official Statutes at Large print. That change elevates previously executive‑only authorities over ICT supply chains into statutory form, which can expand legal durability and provide statutory footing for procurement and transaction restrictions identified in the Commerce report.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Grid operators and regional reliability entities — benefit from a mandated federal assessment and potential mitigation steps that could reduce systemic risk from coordinated demand‑manipulation attacks, enabling targeted operational prep and investment prioritization.
  • Federal security and procurement officials — gain a statutory toolset and an official report to justify policy actions (procurement restrictions, transaction reviews, certification standards) when defending critical‑infrastructure risk decisions.
  • Domestic appliance manufacturers and trusted platform vendors — could gain a competitive advantage if mitigation recommendations favor certification, provenance, or domestic sourcing, creating market differentiation that benefits compliant producers.
  • Energy policymakers and regulators — receive consolidated, cross‑agency analysis and recommended actions they can translate into regulatory guidance or standards to strengthen resilience.
  • Consumers in high‑risk regions — may see improved protections if the report leads to mandatory labeling or removal of certain foreign‑controlled applications from federally procured products, reducing exposure to coerced demand‑manipulation scenarios.

Who Bears the Cost

  • Foreign‑adversary‑affiliated companies and their U.S. distributors — face potential transaction restrictions, loss of access to federal procurement, and reputational costs if identified as ‘‘covered entities.’’
  • Retailers and importers of low‑cost appliances — could bear compliance costs if certification, labeling, or testing regimes are recommended and implemented, with added supply‑chain burdens and possible product delistings.
  • Federal agencies tasked with implementation — must allocate personnel and budget to review the report’s recommendations, implement procurement restrictions, and coordinate interagency responses without an explicit appropriation in the bill.
  • Utilities and grid operators — may absorb near‑term operational costs to model and mitigate demand‑manipulation risks, including investments in telemetry, demand management schemes, and emergency procedures.
  • Consumers — could face higher prices or reduced device choice if mitigation measures increase compliance costs or curtail imports of lower‑cost foreign‑made appliances.

Key Issues

The Core Tension

The bill confronts a genuine trade‑off: aggressive supply‑chain controls, procurement bans, or certification rules can reduce the risk that foreign‑influenced applications are used to manipulate power demand, but those same tools can restrict consumer choice, raise costs, strain U.S. manufacturing capacity, and create diplomatic and trade friction—forcing policymakers to weigh immediate national‑security risk mitigation against longer‑term economic and geopolitical consequences.

The Act creates immediate policy leverage by making Commerce the focal point for a cross‑agency assessment, but it leaves key implementation choices underspecified. The 500‑watt threshold is administratively simple but blunt: it captures a wide range of devices (EV chargers, dryers, HVAC equipment) while excluding lower‑power devices that can be aggregated into attack vectors.

Similarly, the definition of ‘‘covered entity’’ uses broad ownership and control language and cross‑references to an existing statutory definition of covered nations; in practice this will require careful legal and factual work to determine which firms or apps actually meet the standard, particularly where ownership is layered through global corporate structures.

Codifying Executive Order 13873 amplifies executive authorities over ICTS transactions, but statutory elevation also changes the enforcement and legal landscape; for example, procurement bans or transaction conditions grounded in the new statute may face new trade‑law, administrative‑law, or interagency coordination questions. The bill does not provide funding or a clearance mechanism for Commerce to perform deep technical reverse‑engineering or large‑scale device telemetry collection, nor does it create an explicit role or standard for independent technical testing labs—practical gaps that could limit the report’s factual basis or delay recommended actions.

Finally, recommendations that affect imports or single suppliers may have geopolitical and commercial consequences that extend beyond the technical threat the bill targets, raising risks of overreach or unintended market disruption.
