Codify — Article

PROTECT the Grid Act: Assess IoT Risks to the US Grid

Directs a Commerce Department report to map vulnerabilities from internet-connected devices and foreign-adversary-controlled apps that could destabilize the grid.

The Brief

The PROTECT the Grid Act would require the Secretary of Commerce, in coordination with other federal officials, to deliver a report within 270 days assessing national security risks posed by foreign-adversary-controlled applications that can attack or undermine the electric grid through high-wattage IoT devices. The bill defines high-wattage IoT devices as appliances that consume or control more than 500 watts and expands the definition of foreign adversaries to include certain state actors and Venezuela while Maduro is in power.

In addition to the risk assessment, the act codifies Executive Order 13873 into law and directs consideration of mitigation options such as procurement restrictions, labeling or certification for devices, and related safeguards. The overarching aim is to prevent smart-home software and devices from serving as entry points for adversaries, thereby reducing the likelihood of grid disturbances.

Ultimately, the measure frames grid security as a domestic sovereignty issue: secure home devices, secure data flows, and secure demand signals, in order to protect critical infrastructure and the broader economy.

At a Glance

What It Does

Requires a Commerce Department-led report within 270 days that assesses national security risks from foreign-adversary-controlled apps capable of manipulating high-wattage IoT devices tied to the electric grid. The report must consider deployment scale, risks to grid stability, and potential mitigation options.

Who It Affects

Households with IoT-enabled appliances, manufacturers and importers of high-wattage devices, electric grid operators (utilities, ISOs/RTOs), and federal agencies coordinating ICTS security.

Why It Matters

The report aims to identify and address vulnerabilities where consumer devices and software could be leveraged to destabilize the grid, potentially preventing large-scale outages and preserving national security.

What This Bill Actually Does

Section by section, the bill sets up a framework to evaluate threats from internet-connected home devices and the apps that control them. Section 1 establishes the act’s short title—the PROTECT the Grid Act.

Section 2 lays out findings about the rapid growth of high-wattage IoT devices (like EV chargers and smart appliances) and the risk that foreign-controlled applications could manipulate demand on the grid. Section 3 provides definitions you’ll see throughout the law, including what counts as a high-wattage IoT device (over 500 watts) and who is a foreign adversary (including PRC-linked entities and Venezuela under Maduro).

Section 4 is the substantive deliverable: within 270 days, the Secretary of Commerce must submit a report to Congress assessing national security risks from foreign-adversary-controlled apps with the capability to attack or destabilize critical infrastructure. The department must consider deployment breadth, potential impacts on grid stability, and public input, and it should outline mitigation options such as restricting certain transactions, labeling or certification, and other measures.

Finally, Section 5 codifies Executive Order 13873 into law and requires its text to be published in slip form and in the Statutes at Large.

Taken together, the bill positions grid security as a supply-chain and consumer-tech issue. By forcing a formal risk assessment and potential mitigations, it aims to curtail the risk that smart-home software and devices become vectors for foreign interference or large-scale outages, while also ensuring the government has a clear basis for future policy action.

The Five Things You Need to Know

1. The bill requires a Commerce Department-led report within 270 days assessing national security risks from foreign-adversary-controlled apps affecting high-wattage IoT devices.

2. High-wattage IoT devices are defined as consumer appliances that consume or control more than 500 watts.

3. Foreign adversaries include PRC-linked entities and Venezuela (Maduro) as defined in the bill.

4. The act codifies Executive Order 13873 into law and directs the inclusion of its text in slip form and the Statutes at Large.

5. The report may recommend mitigation measures such as procurement restrictions, device labeling, or certification requirements.

Section-by-Section Breakdown

Section 1

Short title and citation

Section 1 establishes the official short title of the act as the PROTECT the Grid Act (also referenced by its longer title) and sets the naming convention for citation in law and discussion.

Section 2

Findings and purposes

Section 2 presents findings on the growth of high-wattage IoT devices, the role of foreign-adversary-controlled platforms, and the potential for coordinated demand manipulation to threaten grid stability. It also states the act's purposes: harmonizing ICTS security and directing a report to Congress on safeguards.

Section 3

Definitions

Section 3 defines key terms used throughout the act: Consumer Product, Covered Entity, Critical Infrastructure, Foreign Adversary, Foreign Adversary-Controlled Application, High-Wattage IoT Device, IoT, and Relevant Federal Official. The definitions narrow who and what fall under the act’s scope and set measurable thresholds (e.g., 500 watts for high-wattage devices).

Section 4

Report on national security risks posed by foreign-adversary-controlled applications with the capability of controlling high-wattage IoT devices

Section 4 requires the Secretary of Commerce, within 270 days of enactment, to submit a report evaluating national security risks associated with foreign-adversary-controlled apps that can influence high-wattage IoT devices. It directs consideration of deployment scale, risks to grid stability, and public input, and calls for mitigation recommendations (e.g., restricting transactions, labeling, and other measures).

Section 5

Codification of Executive Order 13873

Section 5 codifies EO 13873 into law and requires the Archivist to publish the EO’s text in slip form and in the United States Statutes at Large after the act’s enactment, ensuring formal legal status and accessibility.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Utilities and grid operators (utilities, ISOs, and regional grid operators) gain enhanced visibility into risks and potential mitigations, supporting reliability and resilience.
  • Federal agencies coordinating ICTS supply chain security (including Commerce and related agencies) obtain a clearer mandate and framework to address vulnerabilities.
  • Household consumers with IoT devices benefit from a more secure environment that could reduce outage risk and data exposure associated with vulnerable apps.
  • Domestic IoT device manufacturers that invest in secure design and compliant practices may gain a competitive edge in a safer market and clearer procurement signals.

Who Bears the Cost

  • Foreign-adversary-controlled app developers and foreign IoT suppliers could face restrictions or exclusion from government procurement and market access.
  • Retailers and distributors of high-wattage IoT devices may incur costs related to labeling, certification, or enhanced screening of products.
  • Utilities and grid operators may incur upfront and ongoing costs for risk assessments, monitoring, and potential system upgrades to accommodate new standards.
  • Small manufacturers and startups could bear disproportionate compliance costs in order to meet potential new safeguards and labeling requirements.

Key Issues

The Core Tension

The central tension is between aggressive grid protection through restrictions on foreign-adversary-controlled applications and the practical realities of a diverse, rapidly evolving consumer IoT market—creating a policy choice between security and access/innovation.

The bill’s focus on foreign-adversary-controlled applications and high-wattage IoT devices raises policy tensions around security, innovation, and consumer choice. The references to China’s legal and political structures and to Venezuela under Maduro highlight a security-centric lens that could influence trade dynamics and market access.

The 500-watt threshold creates a clear criterion for device inclusion, but what counts as a device’s role in grid operations and how to verify the control channel (apps, cloud services, or device firmware) will require procedural clarity in implementation. The act also relies on new or reinterpreted procurement and labeling mechanisms that may affect government and private-sector purchasing across federal agencies and the broader market.

Unresolved questions include how to enforce the definitions of foreign adversary-controlled apps, how to prevent overreach into legitimate consumer software ecosystems, and how to balance rapid risk mitigation with market innovation. The text invites recommendations, but the effectiveness of any measures will depend on accompanying implementing guidance, interagency coordination, and funding to support risk analyses, compliance checks, and potential device recalls or restrictions.
