Today the House Rules Committee web site announced a hearing to be held this afternoon to formulate the Rule for the consideration of the Conference Committee Report on HR 4310, the National Defense Authorization Act of FY 2013. The Report includes language for the revised version of HR 4310 that was adopted by the Conference Committee.
Nothing in the final version of the bill directly addresses industrial control system security, but there are a number of cyber provisions in the bill. They include:
§244. Report on cyber and information technology research investments of the Air Force.
§931. Implementation strategy for Joint Information Environment.
§932. Next-generation host-based cyber security system for the Department of Defense.
§933. Improvements in assurance of computer software procured by the Department of Defense.
§934. Competition in connection with Department of Defense tactical data link systems.
§935. Collection and analysis of network flow data.
§936. Competition for large-scale software database and data analysis tools.
§937. Software licenses of the Department of Defense.
§938. Sense of Congress on potential security risks to Department of Defense networks.
§939. Quarterly cyber operations briefings.
§940. Sense of Congress on the United States Cyber Command.
§941. Reports to Department of Defense on penetrations of networks and information systems of certain contractors.
I have covered most of these in some detail in earlier blog posts on the Committee Report on HR 4310, House floor action on the bill, the introduction of S 3254, and the Senate floor action on that bill. Only two of the House provisions made it to the final bill, §244 and §939. There are two provisions that I cannot find in either the House or Senate versions of the bill (§931 and §936), but neither of them deals with cybersecurity, so I did not look real hard for the earlier versions.
The three most significant provisions that will almost certainly have an impact on civilian cybersecurity are found in §932, §933, and §941. The host-based cybersecurity systems developed for DOD will almost certainly affect the development of similar systems for non-defense critical infrastructure systems. The software development security protocols should also migrate well to control system development. Finally, the network penetration reporting requirements will almost certainly find their way into any cybersecurity legislation for critical infrastructure protection.
The rule reported by the Committee will certainly be a closed rule with no floor amendments allowed. There will be limited debate, probably 40 minutes. When this comes to a floor vote on Thursday evening or Friday, it will almost certainly pass with a substantially bipartisan vote.