OMB Disapproves CISA CFATS Personnel Surety ICR Renewal

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had disapproved an information collection request renewal from CISA for “Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program”. The 60-day ICR notice was published on June 23^rd, 2021. The 30-day ICR notice was published on February 11th, 2021. A single, apparently unrelated, public comment was submitted on this ICR.

In disapproving this information collection request, OIRA noted that:

“The agency will resubmit this form for approval when the underlying program has been reauthorized by Congress, following an appropriate public comment period.”

In the unlikely event that the CFATS program is reauthorized before the end of the year, CISA will not technically be able to collect information for their CFATS personnel surety program vetting against the TSA’s Terrorist Screening Database (TSDB) as that ICR collection authorization expires on November 30^th, 2024. A new ICR approval request would have to be initiated to allow the data collection after that date.

The CFATS program will not be reauthorized in the 119^th Congress because its most vocal opponent, Sen Rand Paul (R,KY), will be the Chair of the Senate Homeland Security and Governmental Affairs Committee and that Committee would be required to act on any original Senate bill reauthorizing the program or acquiesce to the Senate’s consideration of a House bill doing the same. While the House has been generally more supportive of the program than the Senate, the leadership would be unlikely to consider a CFATS reauthorization bill next session due to President Trump’s expected continued opposition to the program.

Yesterday’s announcement by OIRA is an admission by the current administration that the program is probably dead for the foreseeable future, and possibly a last minute plea for the Senate to take up HR 4470 and pass HR 4470 over Paul’s objections. The Senate leadership is unlikely to try to do that as it would interfere with their efforts to approve as many judicial appointments as possible before the end of the session. 

Short Takes – 11-19-24

Air Defense: Anti Drone Laser That Works. StrategyPage.com article. Pull quote: “The billions [spent on laser weapons development] have not been wasted, but they did buy a lot of disappointment. At the same time, the money and development effort has, slowly, moved the technology towards the point where lasers will be robust enough, and sufficiently supplied with energy, to make themselves effective for the troops. Close now, but not there yet. The Department of Defense fears that a sharp reduction of the defense budget will halt the development money. That would stop work, except for what the manufacturers might continue on their own nickel, and battlefield lasers would remain suspended just short of being useful.”

SpaceX Starship’s Sonic Boom Creates Risk of Structural Damage, Test Finds. NYTimes.com article (free). Pull quote: “The data Dr. Gee collected last month did have some inconsistencies. When measuring just in the frequencies that humans typically hear — ignoring certain low and high frequencies — the Starship test launch in October had lower levels at all the test sites than the F.A.A. had projected.”

No Wires Needed! Quick and Safe Docking with Automated Mooring for Autonomous Ships. NewsWise.com article. Pull quote: ““This automated mooring system represents a key advancement in the safe docking of autonomous vessels and will play a pivotal role in the development of smart port infrastructure,” said Dr. Yongjin Kim. “We expect this solution to set a new standard in operational safety and efficiency across the marine industry.”” Another potentially vulnerable OT cyber system.

Starships and space policy. TheSpaceReview.com article. Pull quote: “Greg Autry, who served on the first Trump administration’s NASA transition team, offered a similar note of caution. “If it was just to show that we could beat China, if it was another flags and footprints mission, then I’d be for that,” Autry, currently associate provost of space commercialization and strategy at the University of Central Florida, said at the Beyond Earth Symposium. “But the Moon has both strategic purposes, militarily, and economic development purposes that Mars doesn’t.”” Looks at Musk as a force in the next administration.

Plant-based fabrics may be more toxic than polyester is to earthworms.CEN.ACS.org article.  Pull quote: “In the second set of experiments, earthworms exposed to environmentally relevant concentrations of viscose for 28 days showed decreased reproduction rates compared with those exposed to polyester fibers. In earthworms exposed to lyocell, the researchers found reduced growth rates and more burrowing and churning activity.” ‘All Natural’ does not mean non-toxic.

Coast Guard Publishes Notice of Availability of Chinese Crane MARSEC Directive – 11-19-24

Today the Coast Guard published a notice in the Federal Register (89 FR 91413-91414) announcing the availability of Maritime Security (MARSEC) Directive 105-5. That document, marked as Sensitive Security Information (SSI) under requirements of 33 CFR §101.405(a)(1), is not publicly available. This notice directs owners and operators of STS cranes manufactured by PRC companies to contact their local COTP or cognizant District Commander to acquire a copy of the Directive.

Today’s notice justifies the Directive by reporting that:

“STS cranes manufactured by PRC companies make up the largest share of the global ship-to-shore crane market and account for nearly 80% of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave STS cranes manufactured by PRC companies vulnerable to exploitation, threatening the maritime elements of the national transportation system.”

As such the Coast Guard has issued MARSEC Directive 105-5 to extend and expand the requirements of MARSEC Directive 105-4 that was also announced by a similar Federal Register notice published on February 23^rd, 2024.

Review - 1 Advisory Published – 11-19-24

Today CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi.

Mitsubishi Advisory - This advisory describes an improper validation of specified type of input vulnerability in the Mitsubishi MELSEC iQ-F Ethernet Module.

 

For more information on this advisory, as well as a brief look at recent update notes on NVD.NIST.gov progress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-11-19-24 - subscription required.

CISA Adds 2 Palo Alto Networks Vulnerabilities to KEV – 11-18-24

Yesterday CISA announced the addition of three vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog. Two of those vulnerabilities were for the Palo Alto Networks PAN-OS Management Interface. Both vulnerabilities were previously reported by Palo Alto Networks (see links below). CISA is requiring federal agencies using the Management Interface to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable”. The deadline for completing such actions is December 9^th, 2024.

The two vulnerabilities are:

• Missing authentication for critical function - CVE-2024-0012, and

• OS command injection - CVE-2024-9474

Palo Alto Networks has a report available providing additional information about the known exploits of these two vulnerabilities. It includes indicators of compromise (including IP addresses of identified command and control sites, and SHA-256 hashes for the exploit payload).

Review - Siemens Published Out-of-Zone Advisory – 11-18-19

Yesterday Siemens published an advisory for ten vulnerabilities in their Tecnomatix Plant Simulation product. This comes almost one week after they published 12 advisories and 13 updates on Cyber Tuesday. Looking at the related ZDI advisories, it appears that Siemens published this out-of-zone advisory today as part of a coordinated disclosure agreement with the Zero Day Initiative and the researcher reporting the vulnerabilities.

 

For more details about the advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-published-out-of-zone-advisory - subscription required.

Short Takes – 11-19-24 – Federal Register Edition

Decabromodiphenyl Ether and Phenol, Isopropylated Phosphate (3:1); Revision to the Regulation of Persistent, Bioaccumulative, and Toxic Chemicals Under the Toxic Substances Control Act (TSCA). Federal Register EPA final rule. Summary: “The Environmental Protection Agency (EPA or Agency) is finalizing revisions to the regulations for decabromodiphenyl ether (decaBDE) and phenol, isopropylated phosphate (3:1) (PIP (3:1)), two of the five persistent, bioaccumulative, and toxic (PBT) chemicals addressed in final rules issued under the Toxic Substances Control Act (TSCA) in January 2021. After receiving additional comments, the Agency has determined that revisions to the decaBDE and PIP (3:1) regulations are necessary to address implementation issues and to further reduce the potential for exposures to decaBDE and PIP (3:1) for humans and the environment to the extent practicable.” Effective date: January 21^st, 2025. NOTE: This final rule may be placed on hold by executive order on January 20^th when Trump takes office.

N-(1,3-Dimethylbutyl)-N′-phenyl-p-phenylenediamine (6PPD) and its Transformation Product, 6PPD-quinone; Regulatory Investigation Under the Toxic Substances Control Act (TSCA). Federal Register EPA notice of proposed rulemaking. Summary: “In granting a petition filed under the Toxic Substances Control Act (TSCA) by Earthjustice on behalf of the Yurok Tribe, the Port Gamble S'Klallam Tribe, and the Puyallup Tribe of Indians, the Environmental Protection Agency (EPA or Agency) committed to pursuing an action to solicit and collect information from the public on the potential risks associated with N-(1,3-Dimethylbutyl)-N′-phenyl-p-phenylenediamine (6PPD) (CASRN 793-24-8, DTXSID 9025114) and its transformation product, 6PPD-quinone (CASRN 2754428-18-5, DTXSID 301034849). With this document, EPA is soliciting that information, along with information about potential alternatives and regulatory options to help inform the Agency's consideration of potential future regulatory actions under TSCA.” Comments due January 21^st 2025.

Notice of Meeting of the Transit Advisory Committee for Safety. Federal Register FTA public meeting notice. Summary: “The TRACS meeting will be held on December 4, 2024, from 10 a.m. to 4:30 p.m. Eastern Time and December 5, 2024, from 9 a.m. to 2 p.m. eastern time. Requests to attend the meeting in person or virtually must be received no later than November 29, 2024. Requests for disability accommodations must be received no later than November 29, 2024. Requests to verbally address the committee during the meeting must be submitted with a written copy of the remarks to the U.S. Department of Transportation (DOT) no later than November 29, 2024. Requests to submit written materials to be reviewed during the meeting must be received no later than November 29, 2024.” Agenda includes “Update from Cyber and Data Security Systems Subcommittee Lead, Brian Alberts”.

Export Administration Regulations: Revisions to Space-Related Export Controls; Extension of Comment Period. Federal Register BIS interim-final-rule comment extension notice. Summary: “On October 23, 2024, the Bureau of Industry and Security (BIS) published in the Federal Register [link added] the interim final rule, “Export Administration Regulations: Revisions to Space-Related Export Controls” with comments originally due November 22, 2024. This notification extends the deadline for written comments to December 23, 2024. This extension is being made to allow for commenters to have additional time to review the interim final rule and to be informed by the public outreach that BIS is conducting on the rule in preparing their comments. Extending the public comment period will not in any way undermine the rule or national security of the United States.”

Export Administration Regulations: Revisions to Space-Related Export Controls, Including Addition of License Exception Commercial Space Activities (CSA); Extension of Comment Period. Federal Register BIS NPRM comment extension notice. Summary: “On October 23, 2024, the Bureau of Industry and Security (BIS) published in the Federal Register [link added] the proposed rule, “Export Administration Regulations: Revisions to Space-Related Export Controls, Including Addition of License Exception Commercial Space Activities (CSA)” with comments originally due November 22, 2024. This notification extends the deadline for written comments to December 23, 2024. This extension is being made to allow for commenters to have additional time to review the proposed rule and to be informed by the public outreach that BIS is conducting on the rule in preparing their comments. Extending the public comment period will not in any way undermine the rule or national security of the United States.