Yesterday the House Homeland Security Committee held a markup
hearing at which seven bills were approved (some after amendment) by voice
votes. Only two of those bills (HR 3875 and HR 3878) may be of specific
interest to readers of this blog.
HR 3875 – CBRNE Office
Rep. McCaul (R,TX) offered an
amendment in the form of a substitute for this bill. It removed some of the
language that I mentioned in my earlier post that made it seem that this bill
was primarily a biosecurity bill. It also added new language to the proposed
Title XXII of the Homeland Security Act of 2002 that created four Divisions
within the proposed CBRNE Office: the Chemical Division, the Biological Division,
the Nuclear Division and the Explosive Division.
The revised language still does not include the chemical
security folks from the DHS Infrastructure Security Compliance Division (ISCD),
but it did add specific language providing for a continuation of the Chemical
Defense Program (that
I first mentioned here) under the Chemical Division.
An amendment
to the revised language was offered by Rep. Thompson (D,MS). It made a number
of word changes to clarify certain issues, but there were no modifications to
the intent of the bill.
Both amendments were agreed to by voice votes.
HR 3878 – Port Cybersecurity
Rep. Torres (D,CA) offered substitute
language for the bill which was essentially a complete re-write of the original
language, if not the general intention, of the bill. A new §2 of the bill would
require the development and implementation of “a maritime cybersecurity risk
assessment model” {§2(1)}.
Additionally, the section would require the establishment of guidelines “for
voluntary reporting of maritime-related cybersecurity risks and incidents” {§2(4)}.
The new language also removes all specific mention of the Maritime
Information Sharing and Analysis Center, substituting more generic language (“at
least one information sharing and analysis organization” representing the
maritime community). The other information sharing provisions have had minor
wording changes.
An amendment
to the revised language was offered by Rep. Donovan (R,NY). It would add an
additional section to the bill that would amend portions of 46 USC regarding
maritime security plans under the Maritime Transportation Security Act. First
it would modify §70101(b)(1)(C)
to add ‘cybersecurity’ as one of the areas of weakness to be evaluated in
facility and vessel vulnerability assessments. Second it would modify §70103(c)(3)(C)
to add ‘cybersecurity’ as one of the required provisions of a vessel or
facility security plan. Area security plans were not addressed by this
amendment.
The Torres language on cybersecurity provisions on area and
facility site security plans was revised slightly by the Donovan amendment, but
it still only applies those requirements to plans approved after the
development of the new cybersecurity risk assessment model required by the bill
has been completed. Thus existing security plans would not be required to be
changed to reflect the cybersecurity requirements until their next five-year
renewal.
Both amendments were approved.
Moving Forward
Both of these bills appear to be on Chairman McCaul’s fast
track for consideration. It is very likely that these will be considered on the
floor of the House before the end of the year. Neither bill has any provisions
that will spark any serious opposition so they will both probably be considered
under suspension of the Rules.
Commentary
The changes to the CBRNE Office bill that were made
yesterday make a lot of sense to me. The establishment of the five offices
reflecting the different attack vectors seems like it has the potential to
centralize the Department’s disparate efforts at reducing the probability of a
high-consequence CBRNE attack. It would also place CBRNE on a bureaucratic par
with Cybersecurity within the Department.
I still would have preferred to see ISCD added to the
Chemical Defense Office, but if the Senate does not make that
move (a low probability event; I doubt that any amendments will be made to the
bill as it will probably be considered under unanimous consent provisions at
the end of a daily session), I suspect that this would be one of the changes
that would be recommended by the Secretary in his initial report to Congress
required by the bill.
The revised language on the port cybersecurity bill is also
a substantial step forward. Even before the Donovan amendment the changes that
were made bring the language within the current information sharing meme that
is wending its way through conference committee. This internal consistency of
language is important from a bureaucratic point of view.
For critical infrastructure like ports I would have
preferred to see some mandatory level of cybersecurity reporting. Using the general
concepts used in the recent NRC
cybersecurity reporting rule, this bill should have mandated reporting of
cybersecurity events that had a cyber-physical impact (or at least those that
affected the handling of hazardous chemicals) and specifically encouraged
reporting cybersecurity events that affected safety, security, or emergency
response.
I was very happy to see the Donovan amendment make the
statutory changes necessary to make the changes to vulnerability assessments and
security plans. I am not sure, however, if the failure to include maritime area
security plans in those changes was deliberate or an oversight. I suspect that
it was deliberate and I would tend to agree that requiring cybersecurity security
plan coverage at the vessel and facility level is probably more important than
trying to deal with it at the area level.