Mapping the Gaps in US Grid Security Law

NGA research reveals 34 states protect critical grid data from disclosure, but remaining gaps limit utility information sharing

10 Apr 2026

New research from the National Governors Association has found that 34 US states and two territories have enacted legal protections shielding sensitive electric grid data from public disclosure, leaving a significant number of jurisdictions without formal frameworks for handling critical infrastructure information.

Published in March 2026 and supported by the US Department of Energy, the report is the first comprehensive update to the NGA's 2019 survey. It maps statutory exemptions across all 55 US states and territories covering technical grid data, including vulnerability assessments, engineering plans, and IT system configurations.

The legal approaches vary widely. Some states align with the Federal Energy Regulatory Commission's definitions directly. Others rely on broader legislative language, court precedent, or utility commission rules. Oklahoma, South Carolina, and Texas route protections through public utility commissions rather than statute.

The practical consequences are real. Where dedicated legal frameworks are absent, utilities face a structural disincentive to share vulnerability data with state authorities. Information submitted without statutory protection risks exposure under public records laws, discouraging the kind of intelligence sharing that security programmes depend on. When utilities trust that sensitive disclosures will remain protected, the NGA finds, they participate more freely in joint security exercises and threat identification efforts.

The grid's expanding complexity makes this more urgent. The spread of distributed energy resources and digital control systems has widened the potential attack surface, raising the value of coordinated information sharing between public agencies and private operators.

The report was developed in partnership with the National Association of Regulatory Utility Commissioners and the National Association of State Energy Officials, lending institutional weight to its recommendations. States without dedicated protections are urged to enact formal exemptions, develop standardised data handling procedures, and build utility trust through fusion centre liaison programmes.

Whether jurisdictions with existing gaps will act on those recommendations remains uncertain. The research draws a clear line between states with governance architecture suited to modern grid security and those still operating without it.