Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-12-17

Yesterday the Senate leadership continued to work out a deal for determining which proposed amendments would be considered on the floor for HR 2810, the FY 2018 National Defense Authorization Act (NDAA). Meanwhile, more amendments continue to be proposed. In addition to the previously proposed amendments (see here, here and here) a large number of possible amendments to HR 2180 were proposed in the Senate yesterday; including three that may be of specific interest to readers of this blog:

• SA 948. Mr. MORAN - national guard bureau public-private cyber-security coalition (pg S5222)

• SA 989. Mr. ROUNDS - cybersecurity of industrial control systems. (a) designation of integrating official (pg S5234)

• SA 1001. Mr. ROUNDS - designation of official for matters relating to integrating cybersecurity and industrial control systems within the department of defense (pg S5240)

ICS Cybersecurity

Both of the proposed amendments from Sen. Rounds (R,SD) would require DOD to designate a single individual to be responsible “for all matters relating to integrating cybersecurity and industrial control systems within the Department of Defense” {§1630C(a)(1)}. The difference between the two amendments is that SA 989 identifies broader responsibilities for that designated individual. Those responsibilities would include {§1630C(a)(2)}:

• Developing, implementing, and be accountable for plans, programs, and policies to improve the cybersecurity of industrial control systems [only in SA 989]; and

• Developing Department-wide certification standards for integration of industrial control systems and taking into consideration frameworks set forth by the National Institute of Standards and Technology for the cybersecurity of such systems [in both amendments].

SA 989 would also require DOD to consider conducting pilot programs designed to “to assess the feasibility and advisability of implementing various solutions for protecting industrial control systems against cyber-attacks and discerning the specific criteria that a solution should demonstrate in order to be certified for military use” {§1630C(b)(1)}. Priority would be given to “the determination of certification criteria for military energy industrial control systems” {§1630C(b)(2)}.

Moving Forward

More political wrangling on what amendments to include in the debate on HR 2810 is expected overnight. There was one amendment voted upon today (in a round-about manner) and we could see additional votes tomorrow.