Thursday the Senate Appropriations Committee adopted an amendment in the form of a substitute for HR 2014 and reported the bill favorably. Since an actual copy of the ‘amended’ bill is not yet available, it is difficult to determine all of the changes made to the bill. The Committee Report is available so there are a number of things that we can determine; for example the CFATS extension for 1-year remains in the bill but now as §535 instead of §532 as found in the House passed language.
The CFATS program comes in for mention in a couple of places in the Report besides the afore mentioned program extension. This includes a discussion of coordination of federal chemical security efforts, ISCD funding, and CFATS implementation reporting.
The Committee Report talks about coordinating chemical security efforts in two separate places. On page 13 there is a general discussion where the Committee lauds the limited efforts to date by ISCD and the Coast Guard (and ignores the ISCD-NRC efforts) but notes that coordination with the TSA is lacking. They also suggest that “DHS should work in conjunction with the Office of Management and Budget to review and synchronize Federal entities involved in chemical security activities”. Presumably those other efforts would include EPA regulation of security of water treatment and waste water treatment facilities (including chemicals used therein) as well as PHMSA regulation of hazmat trucking security.
Then on page 100 in a general CFATS program discussion the lack of Top Screen submission by West Fertilizer is mentioned as demonstrating “the need for NPPD to have a more robust coordination effort to promote cooperation among industry and with other relevant Federal agencies in the chemical sector”. To help resolve this issue NPPD is required to “support the Chemical Sector Coordination Council in an effort to develop (and, of course, report to Congress on) recommendations to:
• Improve the coordination among Federal agencies;
• Streamline reporting requirements; and
• Improve the CFATS program to create efficiency and effectiveness.
The Committee Report sets the spending for Infrastructure Security Compliance (mainly CFATS program) at $ 85.6 million (pg 98; just below the $85.8 million requested by the President) compared to the House Committee’s Report $ 77.1 million (pg 82). And there is no mention of withholding funds in the Senate Report that we saw in the House Report.
There are, of course, the obligatory requirements for reporting to Congress. In addition to the reports mentioned above there is a requirement found on pages 100-101 for NPPD to report on the CFATS implementation process every six months (starting 90 days after this bill is adopted). The report would include:
• The number of: facilities covered:
• Completed inspections;
• Inspections completed by region;
• Pending inspections;
• Days inspections are overdue;
• Enforcements resulting from inspections; and
• Enforcements overdue for resolution
There is only a brief mention of TWIC in the Report on page 71. It focuses on the TSA’s effort to implement §709 of the Coast Guard and Maritime Transportation Act of 2012 (PL 112-213) that required a one-visit process for issuing new TWICs. Another report to Congress is required; “on the plan and timeline for implementing section 709 and other plans to ease the burden on workers who must travel hundreds of miles at great personal expense to obtain a TWIC card”.
Chemical Defense Program
This relatively small ($0.8 million) program run out of the Office of Health Affairs is tasked with developing a comprehensive chemical defense framework. The Report notes (pg 108) that the “Committee believes all high-risk situations [emphasis added] should be considered for study to ensure useful information is made available on mitigation and response measures”; a pretty big order for such small funding. Another report (due August 2nd) is required “on the timeframe to finalize the awards and the risk factors that will be considered in awarding demonstration projects”.
In the NPPD section of the report (pgs 101 and 102) the cybersecurity discussion is mainly about support for the security of federal computer systems and networks. The report does discuss the President’s decreased spending request for cyber-workforce training and asks that the program be fully funded in the President’s FY 2015 request.
There is an interesting demand for a briefing from NPPD and FEMA on “the likely physical and psychological consequences of a cyber attack, including the potential magnitude of the effect; State, local, and tribal government preparedness and response coordination; and Federal coordination and readiness”. I would certainly like to hear that presentation.
There is a brief mention of the President’s cybersecurity Executive order on page 102. It focuses on the incentives that the Administration will be considering to gain voluntary compliance with the Cybersecurity Framework. It does little more, however, than note that it “expects the Administration to provide a comprehensive review of the incentives to Congress, the private sector, and the public for input as soon as practicable”.
Another part of the Committee Report discussion on cybersecurity is found on page 135 in the Science and Technology section and emphasizes ‘war gaming and cyber exercise programs’. In particular it mentions the continued development “of a simulation based cybersecurity exercise tool for the financial services sector and supports the further extension of the financial sector tool into other critical infrastructure sectors such as energy, the defense industrial base, transportation, and healthcare”.
The report does specifically mention control systems in the same discussion noting that the “The Committee recognizes the cyber threats to the Nation’s electric grid and the other control systems vital to our security and economy”. To address those threats the Committee directs S&T (in collaboration with NPPD) to establish ‘operational cybersecurity research initiatives’ that include the “conduct experiments both at the lab scale and at real-world scale using test bed applications to verify models using a large-scale operational environment”.
All of this will be accomplished on a S&T cybersecurity budget of $74.5 million.
The bill is now ‘cleared’ for floor action in the Senate. I have not seen anything on when this will be scheduled for debate, but I suspect that we may see this process start later this week or next. I expect that it will be amended and approved by the Senate before the summer recess. The Conference may even be named before the recess so that work on the differences between the two bills can get started.
This is one spending bill that has a good chance of getting to the President before October 1st.