Monday, September 30, 2013

House Insists on Its Amendment

The House Rules Committee adopted H Res 368 to finish out the consideration of HJ Res 59 for today. The resolution states that the House insists on its latest amendment to the CR and requests a conference with the Senate to resolve the differences between the two latest versions of the bill.

The House is currently debating that resolution for an hour (ending no later than about 12:37 am EDT), at which time it will vote upon and almost certainly pass the resolution. That will effectively put an end to any efforts to prevent a federal government shutdown this year.


It remains to be seen how long it would take the conference committee to come to some acceptable common ground between the two factions and then send a revised HJ Res 59 back to both houses for a vote.

House Homeland Security Committee Markup Hearing – 10-2-13

The House Homeland Security Committee announced this morning that they would be holding a markup hearing on Wednesday to look at six bills, four of which might be of specific interest to readers of this blog.

Those four bills would be:

HR 1204, The Aviation Security Stakeholder Participation Act of 2013;
HR 1791, The Medical Preparedness Allowable Use Act;
HR 2952, The Critical Infrastructure Research and Development Advancement Act of 2013; and
HR 3107, The Homeland Security Cybersecurity Boots-on-the-Ground Act.

The Committee web site indicates that there will be an amendment in the form of a substitute offered for three of the four bills listed above:

H.R. 1204, Amendment in the Nature of a Substitute [PDF];
H.R. 2952, Amendment in the Nature of a Substitute [PDF]; and
H.R. 3107, Amendment in the Nature of a Substitute [PDF]


I haven’t had a chance to do a detailed review of the substitute language; I’ll probably report on that tomorrow.

House Rules Committee Addresses HJ Res 59 a Third Time

Earlier this evening the House Rules Committee approved H Res 367, the latest effort of the Republican leadership to craft a version of HJ Res 59 that would be acceptable to the Republicans’ conservative base and might pass muster this evening in the Senate.

House Rule

The latest move would vacate Saturday’s House amendments to the Senate amendment to HJ Res 59 and then put into place new language at the end of the Senate version that would:

• Change the end date to December 15th, 2013 {§138};
• Delay the individual mandate requirements of Obamacare one year {§141}; and
• Remove the government contribution to the health insurance for Congress, its staff, the President and his staff and the political appointees in the executive branch {§142}.

It appears relatively obvious that the leadership accepts at face value Sen. Reid’s assertion that no modification of Obamacare will pass the Senate. Section 2 of H Res 367 provides that the currently approved waiver of House Rules with respect to the restrictions on same-day action on a House Rules Committee rule is extended to October 7th, 2013.

Floor Action

The House took up H Res 367 this evening and passed it on a nearly party-line vote (6 Republicans voted no) of 225 to 204. A short time later, on a slightly more mixed vote (12 Republicans voted no and 9 Democrats voted yes), the House passed the newly revised language of HJ Res 59 on a 228 to 221 vote. The Senate subsequently voted to table consideration of the Republican amendment on the expected party-line vote of 54-46, effectively dropping the matter back into the House.


It is remotely possible that the House might take the matter up again tonight; they recessed after the earlier vote instead of adjourning. In fact, the House Rules Committee just announced that it was holding another meeting tonight at 10:30 EDT.

Senate Rejects House Amendments to HJ Res 59

As expected, this afternoon the Senate rejected the House Amendments to HJ Res 59 by a straight party-line vote of 54-46. The House Rules Committee has already announced that they will meet this afternoon at 4:15 to determine how the House will respond to the Senate vote. The full House will be able to take up the CR as soon as the Rules Committee publishes their rule.


If the House concurs with the Senate’s amendment then there will be no shutdown of the government at midnight. If the final vote doesn’t take place until 1:00 am (or 4:00 am for that matter) it will not make any difference, as that will still be today by congressional conventions as long as there is no adjournment.

Congressional Hearings Week of 9-29-13

Well, the shutdown is still looming, but there are three hearings currently scheduled for this week that might be of interest to readers of this blog, if they are held. They will look at freight transportation, a committee business meeting and threats to the homeland.

Transportation

The only House hearing will be held by a special panel from the House Transportation and Infrastructure Committee on Tuesday. This is part of a continuing series and the public panel includes Mr. F. Edmond Johnston, III, Sustainability Manager, DuPont. This means that at least some chemical issues will be raised.

Business Meeting

The Senate Homeland Security and Governmental Affairs Committee will be holding a business meeting this evening. There still is not an agenda on their web page, but I understand that the nomination of Ms. Spaulding to be Undersecretary for NPPD at DHS will be addressed.

Threats to Homeland

The same Senate committee will be holding a hearing on Thursday to look at the current status of threats to homeland security. The witness list includes:

• Rand Beers, Acting DHS Secretary;
• Matthew G. Olsen, Director, National Counterterrorism Center; and
• Sean M. Joyce, Deputy Director, FBI.

I expect that this will be a fairly wide-ranging but superficial look at the current threat situation. Cybersecurity will certainly come up, but I doubt that there will be any mention of threats against chemical facilities. There will be no discussion of any specific threats, and general threats will be covered in only the broadest, vaguest terms since this is not a classified hearing.

Sunday, September 29, 2013

Bills Introduced – 09-29-13

The House was busy yesterday with spending issues. Not only did they amend and re-pass the continuing resolution they also introduced a number of other bills related to how spending should be accomplished in the coming months. Two of those bills might be of specific interest to readers of this blog.

HR 3210 Latest Title: Making continuing appropriations for military pay in the event of a Government shutdown. Sponsor: Rep Coffman, Mike (R,CO)

HR 3213 Latest Title: Making appropriations for all departments and agencies of the Federal Government for fiscal year 2014, and for other purposes. Sponsor: Rep Grayson, Alan (D,FL)

HR 3214 Latest Title: Making continuing appropriations for personnel critical to national security during a Government shutdown. Sponsor: Rep Gallego, Pete P. (D,TX)

The alert reader will note that I listed three bills not two. I’ve included HR 3210 which also passed last night because I can now list the author of the bill and a GPO copy of the bill as introduced is now available. This saves me a blog post.

The Grayson bill, Fiscal Sanity Act of 2013, is a full year continuing resolution that is short, sweet and incomplete. All real CRs follow a pretty standard format with a lot of necessary legislative gobbledygook. This bill deals with funding the federal government for FY 2014 and deals with the debt ceiling for all of 2014 in three short (two pages) sections. Unfortunately that doesn’t get the job done. For example, there is no language explicitly extending the CFATS authorization. Fortunately, since Grayson is not a member of the Appropriations Committee and is a Democrat to boot, there is no way that this bill will ever see the light of day; political grandstanding at its worst.

The Gallego bill has not yet been received/published by the GPO so it is not clear just exactly who is ‘critical to national security’. It could even include CFATS inspectors. I suspect that the bill will give the DOD and DHS Secretaries authority to decide who is critical. That would be an interesting last minute decision process to watch.


We’ll have to wait and see when it is printed.

BTW: If the government shuts down on Tuesday, we probably won’t see an official version until after the fiasco is over.

House Passes Both Amendments to HJ Res 59 and HR 3210

Late Saturday night the House passed both amendments to HJ Res 59, dumping the ball back in the Senate’s court. Amendment #1 which did not include the Obamacare language passed by a slightly bipartisan vote of 248 to 174 with 17 Democrats voting with all of the Republicans on the amendment. Amendment #2, which was identical to the first amendment with an additional section postponing the Obamacare implementation one year, lost two Republican and 15 Democrat votes to pass by a vote of 231 to 192.

It is still not clear how the slightly contradictory versions of language for HJ Res 59 would actually operate. Both bills specifically replaced the Senate language in the bill. The second amendment did not modify the bill as revised by the first amendment. I suspect, however, that is what the parliamentarians will decide happened in effect, so it will look as if the first amendment never actually took place.

The interesting part of the vote is that the 17 Democrats that joined the Republican majority on Amendment #1 could be enough votes to offset a conservative vote against a Senate bill that removed just the Obamacare delay. It depends on just how many Republicans would put their political principles above shutting down the government.

HR 3210, the military pay bill that I described late last night, passed by a unanimous vote. It should also be able to pass in the Senate on Monday, so at least the military folks would have some guarantee that their pay would continue even if the House and Senate can’t get together on a funding bill by Monday midnight.

Saturday, September 28, 2013

PHMSA Pipeline Class Location RFI

The Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice in Monday’s Federal Register (available on line Saturday; 78 FR 59906-59907) correcting an earlier publication of an ‘NPRM’ on pipeline class location requirements and extending the comment period on that action.

Last month PHMSA published an ‘NPRM’ on the topic. As I noted in my post on the publication, it did not really take the form of a notice of proposed rulemaking in that it didn’t actually propose any specific changes to existing regulations or propose new regulations. It turns out that it should have been characterized as a ‘notice of inquiry’.

This notice of inquiry is intended to gather information supporting a congressionally mandated {§5 Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 (PL 112-90)} report on whether integrity management program (IMP) requirements should be expanded beyond HCAs and whether such expansion would mitigate the need for class location requirements. PHMSA is still looking for responses to the questions outlined in the original notice.


The American Petroleum Institute (API) and American Gas Association (AGA) have requested an extension of the time for submitting comments so that they can get information from their member organizations to fully answer PHMSA’s questions. PHMSA has agreed and the new deadline for submitting comments is November 1st, 2013. Again, public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2013-0161).

House Rules Committee Rule for 2nd Consideration of HJ Res 59

The House Rules Committee approved H Res 366 a rule for the consideration of HJ Res 59 as amended by the Senate. This resolution provides for the House to choose between two versions of substitute language for HJ Res 59 and the consideration of HR 3210, the Pay Our Military Act; a bill designed to ensure that military members and critical DOD civilians and contractors would continue to get paid if the government is shut down by the failure to approve a FY 2014 spending bill.

The Solomon Decision

Both of the proposed substitute languages {the Paulsen (R,MN) and the Blackburn (R,TN) amendments} proposed by the rule would, according to the Rules Committee web site:

• Repeal the Medical Device Excise Tax;
• Amend the expiration date of the CR to be December 15, 2013;
• Make a technical change to the Eisenhower Memorial Commission provision; and
• Add a new provision to extend the authority for the U.S. to issue Special Immigrant Visas.

The Blackburn Amendment would have the added effect of postponing the implementation of Obamacare for one year.

It looks like the leadership believes that the Paulsen amendment may be an acceptable (to the Democrats) alternative to shutting down the government. Allowing it to be considered first would allow some Democrats to vote for the adoption of the language. It certainly won’t be acceptable to the conservative faction of the House that is trying hardest to kill Obamacare. If enough Democrats vote for the Paulsen amendment to overcome the objections of the conservative faction of the Republican Party then this could pass.

What I am not clear on is whether or not the passage of the Paulsen Amendment would stop the consideration of the Blackburn Amendment. If it does, then the bill would go to the Senate and Sen. Reid and company would have to decide if they want to shut down the federal government. They would probably blink and pass the bill since their most vehement objection would have been removed.

If the Blackburn Amendment comes to a vote it would probably pass. If the Paulsen Amendment were not in the picture, it would certainly pass on a straight party-line vote. The question would be how many moderate Republicans would vote against it after supporting the Paulsen Amendment.

If the Paulsen Amendment is passed and sent to the Senate the Speaker is going to face some loud calls for his resignation from the right. The conservatives will have been defeated in one of their most dearly held fights by the action of the Republican leadership. The remainder of this term would be a very tense and trying time for the Republican caucus.

If the Paulsen Amendment fails, the Speaker will clearly and publicly place the blame on the Democrats if the Senate does not concur (and it won’t) with the Blackburn version of HJ Res 59. Whether that blame will stick won’t be clear until a year from now when the next congressional elections roll around.

HR 3210

This bill, introduced by… hmm, there is no introducer’s name that I can find on the House Rules Committee web site, oh well. This bill would ensure that military pay would continue if a continuing resolution doesn’t pass before October 1st or if at any time this year the government is left without funding. It specifically requires meeting the payroll for active duty military (and Guard and Reserve personnel on active duty) and Coast Guard on military duty. It would also require meeting the payroll for selected DOD (and DHS for Coast Guard) civilian and contractor personnel who are directly supporting military operations. The Secretaries would determine who would be ‘selected’ and report that back to Congress.

This is a motherhood and apple pie bill and should pass with some bipartisan support, though the support from Democrats will be grudging.

H Res 366 Passed in House


As I finish writing this blog post I notice that the House has completed their one-hour debate on H Res 366 and just passed the bill. The vote tally was not yet available on the House Clerk’s web site, but I suspect that it was a fairly straight party-line vote. The final result for HJ Res 59 will probably be done by midnight.

House Rules Committee Saturday Evening Meeting on CR Announced

The House Rules Committee just announced that it would meet at 5:30 EDT today to form the rule for the consideration of the Senate amendment to HJ Res 59 and a new bill, HR 3210, the Pay Our Military Act. The language for that bill has yet to be published, but it appears that it will be a bill that would ensure that in the event of a government shutdown military members and perhaps DOD employees would still be paid.

There are news reports (see TheHill.com for instance) that the Republicans intend to modify the Senate-approved version of HJ Res 59 by restoring the end date to December 15th, extending the Obamacare implementation date by one year, and repealing the 2.3 percent medical device tax included in Obamacare.

A vote could possibly come this evening and would probably pass on a straight party-line vote. It would then go back to the Senate for final action on Monday. Sen. Reid has vowed that any bill changing the Obamacare implementation would not pass in the Senate.

OMB Approves TSA Pipeline CSR ICR Extension – SCADA Included

Yesterday the Office of Management and Budget announced the approval of the TSA’s information collection request (ICR) renewal for the questionnaire used in their Pipeline Corporate Security Review (CSR) program. The 60-day request notice was published in February and the 30-day request notice in May.

The ICR

TSA and OMB both reported that the renewal request was made ‘without change’, but as I noted in my post on the 60-day request there were two changes: an increase in the number of annual reviews from 12 to 15 and a change in the annual cost burden from $11,076 to $0. The ICR request clearly identified the change in reviews but did not explain the cost change. The OMB notice explains the reason for the cost change:

“TSA's 2011 submission to OMB erroneously listed the cost of hour burden to industry in Question 13 of the supporting statement. That cost has been removed from the current submission resulting in a decrease of $11,076.48 in cost burden.”

Too bad we don’t get to see the ‘supporting statement’ to see exactly how question 13 is worded. It might explain why there are no costs to the public from most of these federal collection efforts. I’ll look into that.

Pipeline SCADA Security

One of the interesting things that we only get to see once the ICR is approved is a copy of the form that the agency provided to OMB for approval. It sure would be nice if that was publicly available during the comment process. In this case there appear to be some interesting differences between the previous form and the new form.

I don’t recall looking at the old form before today, but I took a good look at both and was both pleased and disappointed at the control system security coverage on the questionnaire. Keeping in mind that the TSA Ground Security Inspector is almost certainly not acquainted with ICS use, much less a cybersecurity expert, the questions in the SCADA section of the questionnaire provide a pretty good overview of the cybersecurity situation for the pipeline SCADA systems.

There are two questions that were added to the new questionnaire:

6. Does your corporation have a backup control center?
8. Do you restrict any remote operation of your SCADA system from portable electronic devices other than the pipeline control center?

Actually question 8 was re-worded to reflect that by definition SCADA systems are remotely operated. I guess the TSA folks got tired of the strange looks they got when they asked the old question; “Can your corporation’s SCADA system be controlled remotely?”

The most technical question is #15: “Which of the following features does your corporation use to secure your SCADA system(s)?” It then lists the following possible security features:

• Locked facilities
• Strong passwords
• Communication gateways
• Access-control lists
• Authenticators
• Separation of duties
• Invocation of least privilege—only able to access information and resources that are necessary
• Keycards
• Access lists
• Entry logs
• Firewalls
• Demilitarized zone (DMZ)
• Intrusion-detection system
• Intrusion-prevention system
• Maintain patches

Admittedly it would take a cybersecurity specialist to review the actual implementation of these ‘features’ to ensure that they were effective, but I think most folks would agree that organizations that had all of these in place would be well on their way to having a fairly secure control system. And remember, there is no such thing as a ‘secure control system’ or a ‘secure’ anything for that matter. What one expert can secure another expert, given the time and resources, can bypass.

No Reference to ICS-CERT

The disturbing thing about this questionnaire is that there is no reference to ICS-CERT anywhere in the document. Now I understand that TSA and NPPD (the parent organization for CERT in general) are not in the same agency (Okay, if you call DHS an agency….), but there are a number of places where the questionnaire asks for other agencies that are contacted or coordinated with, and even local law enforcement is included, but not ICS-CERT.

In my opinion ICS-CERT should have been included in the possible responses to the following questions:

• Does your corporation have an ongoing relationship with the following entities/departments/agencies/organizations?
• From whom does your corporation receive threat information to assist in your SVA?
• Which of the following external agencies/organizations is on the corporation security incident, threat or suspicious activity notification list?
• Which organizations does your corporation work with during a security incident?


Oh well, maybe next time.

Bills Introduced – 9-27-13

While the Congress is still in deep disagreement on the 2014 spending program, they do continue to be hard at work drafting new legislative proposals. There were three bills introduced yesterday that might be of specific interest to readers of this blog:

HR 3202 Latest Title: To require the Secretary of Homeland Security to prepare a comprehensive security assessment of the transportation security card program, and for other purposes. Sponsor: Rep Jackson Lee, Sheila (D,TX)

HR 3208 Latest Title: To clarify that certain natural gas facilities are not subject to the Natural Gas Act. Sponsor: Rep McKinley, David B. (R,WV)

HJ RES 66 Latest Title: Making continuing appropriations for fiscal year 2014, and for other purposes. Sponsor: Rep Reed, Tom (R,NY)

TWIC

The bill from Rep. Jackson-Lee is almost certainly a direct (though certainly delayed) response to the Government Accounting Office recommendation made in a Congressional Hearing on May 8th. It will be interesting to see what gets included in this bill.

Natural Gas

I’m not sure what the purpose of this bill is; there is nothing on Rep. McKinley’s web site about the bill. I suspect that it deals with exportation of natural gas, but we will just have to wait and see.

Another Continuing Resolution


This is another conservative Republican alternative Continuing Resolution. It would continue the current sequestered spending limits until December 15th (and extends the CFATS authorization to that date). It delays Obamacare funding for one year instead of killing Obamacare; so it is an attempt at compromise, probably not enough though. Rep. Reed is not a member of the Appropriations Committee, so it is unlikely that this will get to the floor, but it has already been printed by the GPO so it is possible that it could reach the floor of the House.


Friday, September 27, 2013

Senate Passes Short-Clean Version of CR

Early this afternoon the Senate moved forward to amend and then pass HJ Res 59, Continuing Appropriations Resolution, 2014. The cloture vote to end debate on the un-amended bill came first and it was not close, 79 to 19. Next came the vote on the Reid Amendment (SA 1974) which, as expected, was a straight party-line vote, 54 to 44 (two Republicans not voting). The final vote on the bill had the same result.

The bill now goes to the House for action. Nothing will be done today as the House has already adjourned and is scheduled to meet tomorrow at 10:00. They did not take up H Res 361 so that will probably be the first order of business. Then I expect HR 2642 to come up. Neither is currently listed on the Majority Leader’s web site.

There may be a House Rules Committee hearing today (not too likely) or early tomorrow on HJ Res 59, but only if the Republican leadership has figured out what they can accomplish.


Remember there is always the possibility of a new short-short term CR to keep things going while the internal Republican debate continues.

Updates on Chemical Safety and Security WG – 09-27-13

While there still haven’t been any real public comments on the progress being made by the Chemical Safety and Security Working Group, I am hearing some unofficial information about the current status of the implementation of the President’s executive order (EO 13650).


Interagency Pilot Program

It still seems as if the most progress is being made on a program that was actually started before the EO was signed. The Effective Chemical Risk Management Project (ECRM2) is underway in the New York – New Jersey area and includes a variety of State, local and federal agencies trying to coordinate chemical safety and chemical security programs in that area. A couple of group meetings have been held and a variety of working groups established.

I’m hearing that the group, rather than trying to create a program out of whole cloth, is trying to leverage the Local Emergency Planning Committee (LEPC) structure already mandated under the EPA’s Emergency Planning and Community Right-to-Know Act (EPCRA) [Updated 9-27-13, 12:20 CDT, in response to reader comment - see below]. Now I’ve commented on the shortcomings of the LEPC program a couple of times and the ECRM2 project seems to be running into some of the inherent problems with that program.

The EPCRA [Updated 9-27-13, 12:20 CDT, in response to reader comment - see below] program calls for the States to establish the LEPCs and only gives the broadest guidelines of how those committees are to be established and operated. Most importantly from my perspective is that there is no federal funding of these groups and no federal oversight. This means that there are 50 (or more) different implementations of the LEPC structure with varying degrees of effectiveness.

The differences between the two programs in New York and New Jersey give a good perspective on this, especially when the ECRM2 is trying to overlay a new federal working group structure on top of the existing structure. In New York the LEPCs are run at the county level and are more closely controlled by the State so there is a certain level of homogeneity in the local programs. New Jersey takes more of a home-rule approach where the LEPCs are organized at the county, city or even neighborhood level and there is very little supervision. This leads to a wide variety of organizations and the effectiveness depends mainly on the drive of local personalities (a very common problem with the LEPC program).

If the ECRM2 is able to come up with a coordinated federal, State and local program that can be overlaid on these two different styles of LEPCs, they should be able to expand the program to a national level. I wish them the best of luck.

Working Group Progress

The Working Group and its sub-groups continue to slog away at the various problems set before them by the President. The biggest problem that they appear to be facing is the short deadlines included in the EO. As the various deadlines approach there is going to be more of a distracting debate over whether the Working Group should spend time ginning up some sort of report that ‘meets the deadline’ but doesn’t really accomplish anything, or whether they should bite the bullet and tell the President, and the public, that they need more time to get something worthwhile done.

This is the same problem that NIST is going to face in a couple of weeks. Their October 10th deadline to have a Preliminary Cybersecurity Framework published in the Federal Register is fast approaching. The work of the 4th Workshop, by all reports, didn’t get them close enough to have a real document ready for the printers by that deadline. If the recently announced 5th Workshop is really an effort to get the document into publication shape, then NIST will miss the deadline, but will have a better chance of having a workable Framework. I’m afraid, however, that this will just be a public meeting to try to fix a poorly prepared, but on-time document.

It will be interesting to see how the Working Group responds to this problem. I’m hoping that the lack of a public report on the ECRM2 project is a sign that the Working Group is waiting for concrete results instead of just going for the empty-accomplishment announcement route.


I will suggest to the Working Group, though, a lesson I’ve learned in a long professional life. If you have to miss a deadline, tell your boss (the President and the Public in this case) about it in advance with an explanation of what the problems are. The complaints and threats are not nearly as bad that way.

Thursday, September 26, 2013

ICS-CERT Publishes Emerson RTU Advisory

Today the DHS ICS-CERT published a control system advisory for Emerson Process Management RTUs for multiple vulnerabilities. The vulnerabilities were reported by Dillon Beresford, Brian Meixell, Marc Ayala, and Eric Forner of Cimation in a coordinated disclosure. ICS-CERT reports that Emerson has developed a patch that has been validated by the Cimation researchers.

ICS-CERT reports that there are three separate hidden functionality vulnerabilities and a hard-coded credential vulnerability. The four vulnerabilities are:

• OSE debug broadcast, CVE-2013-0693;
• OSE debug service, CVE-2013-0692;
• TFTP server, CVE-2013-0689; and
• Use of hardcoded credentials, CVE-2013-0694.

NOTE: The CVE links will be functional in the near future.

The advisory notes that each of these vulnerabilities is remotely exploitable and would allow a relatively low-skilled attacker to execute arbitrary code and gain full control of the device. These are all serious vulnerabilities; the lowest CVSS v2 base score is 9.0.


Organizations with a large number of these RTUs, particularly those in distribution systems, will have a large degree of difficulty in patching all of the affected devices in a timely manner and their systems will remain vulnerable until all RTUs are patched.

House Rules Committee Approves Rule to Reconsider HR 2642

Late this afternoon the House Rules Committee announced an emergency meeting this evening to consider H Res 361, which modifies the House Rules for consideration of a continuing resolution or debt limit bill before October 1st. It also addresses the House action to be taken on HR 2642, the Agriculture Reform, Food, and Jobs Act of 2013 as adopted by the Senate. The resolution was adopted in a party-line vote.

Modifying House Rules

Section 1 is a pretty standard change to House Rules when a statutory deadline approaches. In this case the deadline is September 30th and the rule {Rule XIII, clause 6(a)} is the requirement that it takes a 2/3 vote to consider a rule, joint rule, or the order of business on the same day it is presented to the House. This rule would be waived only for a rule concerning a continuing resolution or a debt ceiling bill. This would allow for a continuing resolution to be considered right up to the deadline of midnight on the 30th.

I think that a debt ceiling bill was included so that an aggressive debt ceiling bill could be offered to the conservative members of the Republican Caucus as an incentive to vote for a continuing resolution that does not defund Obamacare.

HR 2642

Another sop to the conservatives is one of the least productive legislative moves that I have ever heard of. Back in July the Senate approved an alternative version of HR 2642 that removed virtually every conservative program included in the bill. This is a fairly standard occurrence and usually the House either accepts the new version (not too often lately) or demurs and requests a Conference Committee to iron out the differences between the two bills.

In this case, however, the resolution, if passed, would accept the Senate version of the bill, but make two “minor” amendments and send it back to the Senate for concurrence in the amendments. The first amendment would remove the Senate language and re-insert the earlier House version (including chemical security and chemical safety provisions). The second little amendment would be the addition of HR 3102 (a bill recently passed in the House that drastically cuts funding for food stamps) as a new title in HR 2642.

There might have been a slim (very slim) chance that the Senate might have gone along with the re-insertion of the original House language, but there is no way that the Senate is going to concur with the insertion of HR 3102; the food stamps program is a favorite of Democratic lawmakers. As I see it there are only three possible responses:

• No action by the Senate and no agriculture department authorization bill for FY 2014 (most likely in my opinion);
• Declining the House Amendment and requesting a Conference Committee be appointed; and
• Concurring in the House vote but re-substituting the Senate language for the entire bill (a bit of tit for tat).


This will almost certainly pass on a straight party line vote when it comes up tomorrow.

Reid Introduces Clean CR Amendment to HJ Res 59

As expected yesterday (which was administratively changed to 9-24-13 in the Congressional Record for the Senate) Sen. Reid (D,NV) introduced an amendment (SA 1974) in the form of a substitute for HJ Res 59, Continuing Appropriations Resolution, 2014. The new language would extend FY 2013 funding levels until November 15th, 2013. This would also extend the CFATS authorization to that date.

The cloture vote for stopping debate on HJ Res 59 is currently scheduled for Friday morning. Votes on the Reid amendment (and others) will take place after that vote.

TSA Publishes 30-day TWIC ICR Notice

Today the Transportation Security Administration (TSA) published a 30-day information collection request (ICR) notice in the Federal Register (78 FR 59364-59365) for their Transportation Workers Identification Credential (TWIC). This is a follow-up to their submission of a 60-day notice in May. There were no comments received on that notice and no indications that there are any new changes in the ICR being submitted to OMB.


TSA is soliciting public comments on this ICR. Comments may be submitted by email (oira_submission@omb.eop.gov) and should be received by OIRA by October 28th, 2013.

FMCSA NPRM for Tank Vehicle Definition Update

Today the Federal Motor Carrier Safety Administration (FMCSA) published a notice of proposed rulemaking in the Federal Register (78 FR 59328-59333) revising the definition of ‘tank vehicle’ for the purpose of determining which Commercial Driver’s License (CDL) holders are required to have a tank vehicle endorsement. This is being done to align the regulatory language with the 2012 guidance document on the matter.

Rule Summary

The rule would modify the definition of ‘tank vehicle’ in 49 CFR 383.5 to clarify two points:

• That the quantity amounts apply regardless of the method of tank securement; and
• That the transportation of tanks manifested as empty or as residue, provided they are actually empty or contain only residue, does not require the driver to have a tank endorsement.

The preamble discussion notes that this new definition clearly means that transportation of multiple IBCs (greater than 119 gallons) that contain an aggregate capacity of 1,000 gallons, providing they are not empty or just contain residues, will require the driver to have a tank vehicle endorsement. This requirement may specifically affect LTL drivers.

Public Feedback

FMCSA is soliciting public comments on this proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FMCSA-2013-0140) and should be submitted by November 25th, 2013.

Commentary: While this is not really new {it was stated in a guidance document published in the Federal Register on May 12, 2012 (76 FR 26854)}, this will have at least a temporary effect of further reducing the number of drivers that are allowed to carry chemical shipments if/when it goes into effect. I would suspect that it will have the greatest impact on LTL carriers.


BTW: This rule was not published in the latest Unified Agenda nor was it apparently reviewed by the OMB’s Office of Information and Regulatory Affairs.

Bills Introduced – 9-25-13

With 32 pieces of legislation introduced yesterday only one may be of specific interest to readers of this blog; another alternative version of a continuing resolution.

HJ RES 65: Requiring reaffirmation of the Affordable Care Act and making continuing appropriations for fiscal year 2014, and for other purposes. Sponsor: Rep Crawford, Eric A. "Rick" (R,AR)


The title indicates that this includes another attempt to defund Obamacare, but I won’t know how until the GPO publishes their version of the bill. That isn’t likely to occur until sometime after September 30th unless the House Rules Committee takes up the bill and publishes it on their web site.

NOTE: Rep Crawford is not on the Appropriations Committee, so there is not a high possibility of this being considered.

Wednesday, September 25, 2013

Senate Unanimously Votes to Close Debate on HJ Res 59

Today the Senate voted on the cloture motion to close debate on the motion to proceed to the consideration of HJ Res 59, the Continuing Appropriations Resolution, 2014. In a surprise vote on one of the most controversial bills of the session, the Senate voted unanimously in favor of the cloture motion.

There will be more debate on the bill and a number of amendments, but it seems clear that the Senate will pass a version of the bill that will not contain the Obamacare defunding or credit limit restrictions that were placed in the bill to appease the more radical elements of the Republican Party base. This will give the Republicans the up or down vote on Obamacare that many commentators have opined was the real reason for including the provisions in this bill in the first place.


The bill will go back to the House late this week or this weekend. It is not yet clear whether the Republican leadership will be able to put together enough votes (a Republican-Democrat moderate coalition) to approve what will probably be something close to the original version of HJ Res 59, probably with a shorter time limit. I suspect that the leadership will not know for sure until the actual vote is taken whether they have enough votes to keep the government operational on October 1st. The less sure they are of the vote outcome, the later the vote will probably take place.

Chemical Safety and Security EO – First Deadline Passed

This is part of a continuing series of blog posts discussing President Obama’s recently signed executive order on “Improving Chemical Facility Safety and Security” (EO 13650). The other posts in the series are:


It has been a while since I’ve written on this EO and I thought that since the first deadline set by the President has passed it might be appropriate to look at where things stand.

45 Day Deadline

The first deadline set in the EO was a 45-day deadline that expired on September 21st. As I noted in the ‘Clock Starts Clicking’ post this deadline was for the establishment of a pilot program that I described this way:

The Working Group shall deploy a pilot program, involving the EPA, Department of Labor, Department of Homeland Security, and any other appropriate agency, to validate best practices and to test innovative methods for Federal interagency collaboration regarding chemical facility safety and security.

While this requirement was technically met before the EO was signed, I had really hoped for a press release from the Working Group on the progress of the pilot program. There has been nothing that I have seen publicly about this pilot program. I know that it exists and I know that at least initial organizational meetings have taken place, but this initial attempt at interagency cooperation on chemical safety issues is being oddly kept quiet.

Next Deadline

The next deadline set in the EO, the 90-day deadline, will arrive on November 5th. There is a rather extensive set of requirements that the President set for achieving by that date; I’ll refer readers back to the ‘Clock Starts Clicking’ post for the whole list. I understand that the Working Group, its various sub-groups and the Departments involved are working on these projects and a lot of this must take place out of the public view.

A few, however, should certainly involve some serious public discussion. They include:

The Working Group shall develop options for improved chemical facility safety and security that identifies improvements to existing risk management practices through agency programs, private sector initiatives, Government guidance, outreach, standards, and regulations

The Secretary of Homeland Security, the Secretary of Labor, and the Secretary of Agriculture shall develop a list of potential regulatory and legislative proposals to improve the safe and secure storage, handling, and sale of ammonium nitrate and identify ways in which ammonium nitrate safety and security can be enhanced under existing authorities.

The Administrator of EPA and the Secretary of Labor shall review the chemical hazards covered by the Risk Management Program (RMP) and the Process Safety Management Standard (PSM) and determine if the RMP or PSM can and should be expanded to address additional regulated substances and types of hazards.

The EPA and the Department of Labor shall develop a plan, including a timeline and resource requirements, to expand, implement, and enforce the RMP and PSM in a manner that addresses the additional regulated substances and types of hazards.

The Secretary of Homeland Security shall identify a list of chemicals, including poisons and reactive substances, that should be considered for addition to the CFATS Chemicals of Interest list.

The Secretary of Labor shall identify any changes that need to be made in the retail and commercial grade exemptions in the PSM Standard.

I would have expected to see at least a couple of requests for information published in the Federal Register on these topics by now. With the deadline approaching it is probably too late for a formal public comment period to be initiated and still have time for the agencies to read, review and incorporate the information in their response to the President. And that is too bad, as there are certainly a wide variety of ideas available to look at for ways of addressing these issues.


I think it would be beneficial for the Working Group to look at the public participation that has been the hallmark of the response to the President’s cybersecurity EO. That would be a very good working model for continued work on this complex and important issue.

Tuesday, September 24, 2013

PHMSA Publishes Penalty Scofflaw NPRM

Today the Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking in the Federal Register (78 FR 58501-58507) to establish operational sanctions on persons who fail to pay a civil penalty or abide by a civil penalty agreement for violations under the hazardous material regulations (HMR). It would prohibit such persons from performing activities regulated by the Hazardous Materials Regulations until payment is made.

While this rule is being issued by PHMSA it could be applied to failure to pay situations for HMR violations under the following additional agency rules:

• Federal Aviation Administration under 14 CFR § 13.16(c);
• Federal Motor Carrier Administration under 49 CFR Part 386; and
• Federal Railroad Administration under 49 CFR Part 209, Subpart B

This rule would enforce congressional requirements under §33010 of the Moving Ahead for Progress in the 21st Century Act (MAP-21) (Pub. L. 112-141, page 126 STAT 838) that added paragraph (i)(1) to 49 USC 5123:

“Except as provided under paragraph (2) [Chapter 11 bankruptcy exemption], a person subject to the jurisdiction of the Secretary under this chapter who fails to pay a civil penalty assessed under this chapter, or fails to arrange and abide by an acceptable payment plan for such civil penalty, may not conduct any activity regulated under this chapter beginning on the 91st day after the date specified by order of the Secretary for payment of such penalty unless the person has filed a formal administrative or judicial appeal of the penalty.”

The proposed rule would add a new subpart E to 49 CFR 109 [which should probably have required a change in the title for that section] that would include two new sections:

§109.101 Prohibition of Hazardous Materials Operations.
§109.103 Notice of Nonpayment of Penalties.

PHMSA is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2012-0258). Comments need to be submitted by November 25th, 2013.

BTW: This NPRM was not listed in the DOT Unified Agenda nor was it apparently processed through the Office of Information and Regulatory Affairs review process at the OMB.

Monday, September 23, 2013

ICS-CERT Updates (again) Schneider Advisory

Today the DHS ICS-CERT published a second update for a series of Schneider Electric alerts and advisories dating back to December 2011 (12-12-11 Alert, 1-17-12 Advisory, 3-5-13 Alert, and 6-4-13 Advisory Update). The original alert was based upon a partially coordinated disclosure (we still haven’t heard the whole story on that) by Ruben Santamarta. The second alert was based upon an S4 Conference disclosure by Arthur Gervais.

This advisory update reports that:

• This advisory corrects and expands on the details in the specified alert and subsequent advisory updates;
• ICS-CERT has coordinated with Schneider Electric, and they have produced patches and firmware upgrades for Quantum and other affected products;
• Schneider Electric has created firmware upgrades that resolve the Telnet and Windriver debug port vulnerabilities for all affected products by removing the Telnet and Windriver services from these modules; and
• Schneider has also released a firmware upgrade to address the FTP service vulnerability by allowing the user to disable the FTP service.

The ICS-CERT advisory provides a link to the Schneider Electric download site but I cannot find a reasonably identifiable upgrade that deals with removing the Telnet and Windriver services from the Quantum Ethernet Module. Of course this fix was supposedly developed in 2011 for two of the affected modules so it may take some searching to find these upgrades. Hopefully someone in the Schneider Electric service department will be able to help owners locate the appropriate upgrades.

The advisory notes that the removal of these two services should not impact operations since they were included only for “advance troubleshooting use” and were not intended to be used by customers.


ICS-CERT left language in the updated advisory {pg 5} that would seem to indicate that additional mitigation measures are expected. It is not clear from reading the rest of the updated advisory if this was simply an editorial oversight or if additional work is actually expected from Schneider.

Aegis Update and Vulnerability Debate

Adam Crain has a very interesting blog post over at Automatak.net providing additional information about his Aegis project (earlier blog post on Aegis). The Aegis Consortium is an important new business model for researchers and for that reason alone this post is worth reading. More importantly, he is adding an important new dimension to the disclosure debate.

Background

Adam is relatively new to the control system security field, but he has already made a significant mark. His first vulnerability discovery was reported by ICS-CERT in June of this year and he already has 8 ICS-CERT advisories with his name on them (along with Chris Sistrunk). All of these have been coordinated disclosures. His Project Robus lists 17 additional vulnerability disclosures that are wending their way through the coordinated disclosure process.

All of the disclosures that have been made public to date have dealt with vulnerabilities in various implementations of the DNP3 protocol. I assume that a number of the pending vulnerability disclosures will also involve that protocol. Adam is quick to note that the problem isn’t with the DNP3 protocol, but with the various implementations by the affected vendors. In fact he goes so far as to say “we have yet to find a proprietary DNP3 implementation without an issue”.

Fuzzer Tool Release

Adam developed the fuzzer tool that he used (again along with Chris and a new associate, Adam Todorski) to find these 25 vulnerabilities. Now fuzzer tools are not new in the cybersecurity realm, and I don’t know what makes his different from others, but his tool certainly has an impressive early track record. Adam has promised that he will publicly release his fuzzer in March at the SANS NA ICS Security Summit.

Again, I have no idea how user friendly his fuzzer is, but presumably anyone with a modicum of cybersecurity research experience will be able to use this tool to find new vulnerabilities in control system applications. Adam has demonstrated its efficacy with DNP3 so any vendor with a DNP3 application has cause to be concerned that currently undiscovered vulnerabilities in their systems might not remain undiscovered for long after this tool is released.

Now a fuzzer is just a tool, not inherently good or bad. A security researcher like Adam puts it to good use identifying vulnerabilities in a system and reporting them to the vendor. A vendor can use it to find and correct the same vulnerabilities. And a terrorist can use it to find a way to gain system access and control for part of a control system attack.

With this in mind, Adam is offering vendors and researchers access to his fuzzer before its public release; for a fee. After all Adam needs to make a living just like anyone else and he should be able to profit from his talents and efforts.

Vulnerabilities are Available

Some will complain that Adam is making the job of the black hat hacker that much easier by making this tool publicly available. I would seriously disagree. By making this tool available to vendors and other white hat researchers ahead of time, Adam is decreasing the attack surface that is vulnerable to attack.

Any criticism of Adam’s making this tool publicly available ignores a very important point in the vulnerability disclosure debate. Adam did not put these vulnerabilities in the DNP3 implementations; he just made them easier to find. They were put there by vendors that did not do an adequate job of testing their product before they made them available to the public. It is the vendor, not the researcher, who is responsible for the vulnerabilities.


Now it is hard to blame the vendor when the owner/operators have already given them a free pass for any vulnerabilities that exist in their systems. We as a user community have accepted the almost universal vendor terms of service that declaim that the vendor is not responsible for any defects in their product and that they don’t warrant its use for any particular application. As long as we give vendors a free pass on the quality of their products, we have little room to complain about the existence of vulnerabilities or researchers who find them.

Sunday, September 22, 2013

Reader Comments – 9-19-13 – Disclosure Debate Continues

I had four very interesting responses from three readers, Dale Peterson (here and here), Jake Brodsky (here) and Adam Crain (here), to my previous post about the debate on recognizing researchers who disclose vulnerabilities without coordinating their disclosure with vendors. All four comments are certainly worth reading; particularly Jake’s since he has specific recommendations on how to proceed.

Code of Ethics

Jake unabashedly supports his self-interest (and, as he points out, all of our self-interest, as we could all be affected by a successful attack on critical infrastructure) by calling for standards on how researchers disclose the vulnerabilities they find.

“However, we CAN set standards for how we expect people to behave. We can promulgate expected disclosure policies from reputable researchers. We don't have to give them a podium and recognition for acting in irresponsible ways.”

But we already have a de facto code of ethics set forth by ICS-CERT. Tell them about the vulnerability; they will coordinate with the vendor. If the vendor doesn’t respond within 45 days ICS-CERT will publish the vulnerability anyway. The problem with a ‘code of ethics’ is that it is only as effective as the sanctioning body that enforces it. See for example the lawyer’s code of ethics as enforced by the American Bar Association; well, maybe that’s not a good example.

We also have to remember that there is a certain anarchistic streak in the background of a large proportion of the hacker community. For this portion of the community cooperation with ICS-CERT is something to be avoided and even expecting their cooperation with vendors is a pretty long stretch.

The Legal Approach

Dale makes the point that researchers are going to do what they want with the vulnerability that they discover and Jake acknowledges that point:

“There will be people who violate these standards. And no, we can't stop them any more than we can stop some lunatic from shooting up a school or work-place. But we can prosecute them and anyone who assists them.”

To prosecute someone we need something more than a code of conduct; we need a body of law that addresses the issue. So let’s look at how such a law might work. Let’s start with the simplest form such a law could take: it is illegal to publicly disclose a software vulnerability. Forget that; even the most conservative court is going to rule that that is overly broad and vague and a violation of the First Amendment protections of free speech.

Okay, let’s limit it to control system vulnerabilities; surely that provides a societal protection reason for limiting freedom of speech; you know, the old falsely shouting ‘fire’ in a movie theater exemption. I don’t know though; this could include a discussion in a hot rod magazine about how to tweak an automotive control chip to get better performance. Or a discussion in a medical journal about a new type of interference in the operation of an insulin pump.

Okay, we’ll limit it to control systems at critical infrastructure facilities and we’ll come up with some sort of definition of all of the technical terms that the courts can easily interpret and apply in an appropriately limited manner. And we’ll train investigators and prosecutors and judges and juries so that everyone understands all of the technical jargon and the ins and outs of cybersecurity so that people can be appropriately prosecuted for offenses against these neat new laws.

And this will stop the uncoordinated disclosures of vulnerabilities. Yep, just like the drug laws have stopped the sale of illegal drugs; and just like the laws against cyber-theft have protected credit cards. Oh, and remember that US laws only apply in the US, not to researchers in other countries or more importantly to researchers working for other governments.

And meanwhile, the legitimate and ethical security researchers withdraw from the business because the legal restrictions that they have to work with make it too hard to make a living. Without those researchers and the services that their firms provide, how are we going to deal with the vulnerabilities that are discovered and reported via the underground electronic counter-culture that will still thrive? How will we develop the tools to deal with the vulnerabilities that are discovered by criminal organizations? How will we develop the methods of protecting control systems from attacks by foreign powers and terrorist organizations? Are we going to rely on the government and academia?

Embrace all Researchers

No, we need to remember that the problem isn’t recalcitrant and uncooperative researchers; the problem is that the vulnerabilities exist in these control systems. Control systems software, firmware and devices are just so complex that it is not reasonably possible to develop a system that is free of vulnerabilities.

We need a vibrant and diverse research community to find the vulnerabilities and figure out ways to mitigate their effects. We cannot rely on the vendor community to find these flaws; it runs contrary to the way these organizations operate. Their mandate is to produce reasonably functional products at the lowest possible cost. Even if we were to mandate a vulnerability detection organization within each vendor firm, that organization would never receive the support it needs because it would be a cost center within the company not a profit center.

We need to find a way to encourage independent researchers to continue to look for vulnerabilities in critical systems. And we need to find a way to get those researchers to share the information in manner that allows vendors to correct deficiencies in their products and allows owners to implement improvements to their systems in a timely manner.

Researchers like Adam and Chris (and a whole lot of others as well) have demonstrated their commitment to finding vulnerabilities and working with both the vendor community and ICS-CERT to get the vulnerabilities recognized and mitigated. Their voluntary efforts need to be recognized and their business models need to be supported.

But we cannot ignore the contributions of researchers like Luigi who now sells his vulnerabilities in the grey marketplace or researchers like Blake who freely publish their discoveries. The vulnerabilities that they discover are no less valuable to the control system community than those reported by Adam and Chris. And yes, vulnerabilities are valuable, both for what they tell us about the systems in which they are found and for the insights they provide into control system architecture in general.

Ignoring these researchers and their contributions will not stop them from probing our systems for weaknesses. It will not slow their method of sharing vulnerabilities. In fact, for many of these individuals threatening them or ignoring them simply ensures that they will go that much further to gain the recognition which is their due.

Dealing with the Devil You Know

Just because these unrepentant researchers are unlikely to play by any rules we set up does not mean that they can or should be ignored. Ignoring them or persecuting them will only drive them deeper underground and perhaps even into the arms of the criminal or terrorist organizations or unfriendly states that would find their discoveries useful.

No one wants an unresolved vulnerability published for the world to see; it raises the risk of the exploitation of that vulnerability way too high. But with it seeing the light of public exposure this also allows the vendor and owners to immediately begin working on the means to counter or mitigate the vulnerability or at least make it more difficult to exploit.

An exploitable vulnerability that is kept from the control system community while it is distributed or sold through the underground economy is much more dangerous because no one is working to resolve the issue. Waiting for such vulnerabilities to be used in a destructive attack on a critical infrastructure control system to start work on fixing the problem is much too late.

What we need to do is to find a way to encourage these electronic loners to become part of the solution to the problem that they pose. We should encourage them to not only find these vulnerabilities but to come up with interim solutions that system owners can use to protect their systems while the vendor is trying to fix the vulnerability. If we can convince them that the system owners are innocent bystanders and deserve their help against the inadequate response from vendors, then we can turn these outlaw researchers into some sort of folk hero in the control system security community instead of a semi-criminal outsider.

Discuss the Issue


We need to continue this discussion and widen the audience that is participating. We need to include more of the system owners, particularly the ones without Jake’s system expertise. We need to include more researchers that wear white, grey and black hats. We need to include system vendors and vendors of fixes to those systems. We need to include the regulatory community that is becoming more involved in cybersecurity issues.  And we need to include the general public because they are the ones that are most likely to be affected without having any measure of control over the situation.

Friday, September 20, 2013

House Passes HJ Res 59

As expected, this morning the House passed HJ Res 59, the Continuing Appropriations Resolution, 2014. The vote was mainly along party lines (1 Republican voted No and 2 Democrats voted Aye). The bill now goes to the Senate where there has been a great deal of discussion about how Sen. Reid may go about bringing the bill to the floor and stripping out the sections defunding Obamacare without facing a cloture vote.

5th Cybersecurity Framework Workshop

Yesterday the NIST Information Technology Laboratory (ITL) announced that they would be holding a 5th Cybersecurity Framework Workshop in Raleigh, NC on November 14th and 15th. The announcement provides no information beyond the note that “NIST will continue discussions on the implementation and future governance of the Cybersecurity Framework”. Registration and agenda information will be made available.

Bills Introduced – 9-19-13

There were 34 bills introduced in the House and Senate yesterday, but only two might be of specific interest to the readers of this blog, and it is hard to tell for sure due to the relatively vague title given to the two bills.

HR 3143 : To deter terrorism, provide justice for victims, and for other purposes.
Sponsor: Rep King, Peter T. (R,NY)

S 1535 : A bill to deter terrorism, provide justice for victims, and for other purposes.
Sponsor: Sen Schumer, Charles E. (D,NY)


I would assume that these are companion bills, which should make them very interesting due to the political differences between the two sponsors.

Thursday, September 19, 2013

DHS NICCS Publishes Cybersecurity Training and Education Catalog ICR

The DHS Cybersecurity Education Office (CEO) published a 30-day information collection request (ICR) notice in today’s Federal Register (78 FR 57643-56744) supporting the data collection efforts of the National Initiative for Cybersecurity Careers and Studies (NICCS) for the Cybersecurity Education and Training Catalog (CETC).

The CETC is a national level resource for the listing of cybersecurity training and certification programs. Given the DHS responsibility for cybersecurity operations within the Federal Government it appears that the CETC is currently focused on training programs by and/or for federal government agencies, but the ICR certainly allows for registration of private sector training providers. The ICR covers the registration of cybersecurity training and certification programs and their provision of standardized information about their programs.

The burden forecast for this ICR indicates that the CEO only expects about 300 cybersecurity training and certification respondents to register with the system. They expect the average respondent will interface with the program seven times at about an hour a response.


Public comments on this ICR notice may be provided to the Office of Management and Budget (OMB) via email (oira_submission@omb.eop.gov). Comments should be filed by October 21st, 2013.

DHS Announces CIPAC Meeting – 11-5-13

The DHS National Protection and Programs Directorate (NPPD) published a meeting notice in today’s Federal Register (78 FR 57644) for a meeting of the Critical Infrastructure Partnership Advisory Council (CIPAC) in Washington, DC on November 5th, 2013. The meeting will be open to the public.

The notice provides only a very sketchy agenda, noting that CIPAC topics will include:

• Executive Order for Improving Critical Infrastructure Cybersecurity;
• Presidential Policy Directive 21—Critical Infrastructure Security and Resilience; and
• Critical Infrastructure Program Updates

Public participation is being solicited by DHS. There will be a limited period for oral comments from the public at the end of the meeting. Such comments will be limited to matters involving critical infrastructure security and resiliency. The limited comment time will require first come first serve registration at the meeting site. Written comments will be accepted and should be received by CIPAC by September 24th. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2103-0050).


BTW: Once again DHS fails to provide web coverage of a public advisory committee meeting.
 