Monday, April 27, 2026

Review - HR 8469 Introduced – FY 2027 MilCon Spending

 Last week, Rep Carter (R,TX) introduced HR 8469, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2027. The Committee Report on the legislation has been published. This is the first FY 2027 spending bill introduced. It would provide appropriations for military construction, the Department of Veterans Affairs, and related agencies. There are no cybersecurity provisions in the bill, but there are two cybersecurity discussions in the Report. 

Moving Forward   

 The MilCon spending bill is typically one of the least controversial spending bills, but it still only drew party-line support last year. The relatively low increases in spending are unlikely to draw ire from the fiscal flank of the Republican House. Interestingly, there may be increased (over last year) Democratic support for this bill, with the ‘Minority View’ section on page 120, concluding:  

 “While the bill is not the bill Democrats would have written, it is a much-improved bill from last year. The Chairman worked in good faith towards bipartisanship both in drafting his bill and in the compromise reached during full committee markup, leading to unanimous passage out of full committee. We look forward to continuing to work with the majority as the bill moves through the process.” 

For more information on the cybersecurity provisions of this bill and report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8469-introduced-fy-2027-milcon - subscription required.

Review – Committee Hearings – Week of 4-26-26

 This week, with both the House and Senate in Washington, there is an almost moderately busy hearing schedule. Budget hearings are a large part of the load (some of interest here) and the House Appropriations Committee continues to work on spending bills. There is a CISA SMRA hearing in the House (with a touch of Space Geek thrown in) and a space defense hearing. 

Cybersecurity Hearings  

On Wednesday, the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on “Data Centers, Telecommunications Networks, and Space-Based Systems: Modernizing DHS’s SRMA [Sector Risk Management Agency] Role for the Communications and IT Sectors”. 

Space Defense Hearings  

On Wednesday the Subcommittee on Europe of the House Foreign Affairs Committee will hold a hearing on “Orbits of Influence: Emerging Threats to U.S. Space Security and Foreign Policy Implications”.   


For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-4-26-26 - subscription required. 

Short Takes – 4-27-26 - Federal Register Edition

Administrative Rulemaking, Guidance, and Enforcement Procedures. Federal Register, DOT, PHMSA, and FMCSA final rule. Summary: “This final rule reinstates and expounds upon procedural reforms for the Department's rulemakings, guidance documents, and enforcement actions rescinded by a final rule published by the Department on April 2, 2021, “Administrative Rulemaking, Guidance, and Enforcement Procedures.” Accordingly, this final rule revises and updates the Department's internal policies and procedures relating to the issuance of rulemaking documents. In addition, this final rule updates the Department's procedural requirements governing the review and clearance of guidance documents, and the initiation and conduct of enforcement actions, including administrative enforcement proceedings and judicial enforcement actions brought in Federal court.”

Energy Conservation Program: Notification of Petition for Rulemaking. Federal Register DOE notice of proposed rulemaking. Summary: “On February 19, 2026, the Department of Energy (DOE) received a petition from the American Gas Association (AGA), the American Public Gas Association (APGA), and the National Propane Gas Association (NPGA) asking DOE to amend the compliance dates for two energy conservation standards final rules for commercial water heating equipment and consumer furnaces. Through this notification, DOE is seeking comment on whether it should grant the petition and undertake a rulemaking to consider the proposal contained in the petition, as well as any data or information that may be relevant to DOE's consideration of the petition.” 

Name of Information Collection: Automated Technology Licensing Application System (ATLAS). Federal Register NASA 60-day ICR renewal notice. Summary: “The information submitted by the public is a license application for those companies and individuals who wish to obtain a patent license for NASA patented technology. Information needed for the license application in ATLAS may include supporting documentation such as a certificate of incorporation, a financial statement, a business and/or commercialization plan, a project revenue/royalty spreadsheet, and a company balance sheet. At a minimum, all license applicants must submit a satisfactory plan for the development and/or marketing of an invention. The collected information is used by NASA to ensure that companies that seek to commercialize NASA technologies have a solid business plan for bringing the technology to market.”

Advisory Follow-Up – Researcher Follow Through

 I have written an unknown number of posts over the years about cybersecurity vulnerabilities and the advisories published about those vulnerabilities. Most often those posts get written, posted, and mostly forgotten. All of the response takes place at facilities that use the affected products. Every once-in-a-while, however, a researcher decides that there is more to the story that needs to be shared with the public. Here is a brief look at one of those; vulnerabilities in products from Gardyn, and further follow-up by Michael Groberman, the researcher who identified the vulnerabilities. 

Background Information  

CISA Advisory (ICSA-26-055-03) published February 24th, 2026.

CISA Advisory updated April 2nd, 2026. 

Groberman exploit published April 3rd, 2026. 

New Information  

Groberman has established a web site that addresses the published vulnerabilities and the various responses to issues involved. I do not imagine that every set of reported vulnerabilities deserves this level of dedication, but it is interesting to see how far a committed researcher is willing to go to share information about a problem that is reported to be corrected.  

Looking Back – 6-2-2010

 Nearly every morning I start my computer time by looking at information from Google about what happened in my blog in the previous 24 hours. Google, and blogspot.com is a Google service, provides interesting pieces of analytical data about my blog readership. One item of particular interest is the top ten blog posts each day. As you would expect, most of those posts were from the last couple of days, but with 16 years of publishing this blog, every once-in-a-while, a blog post from ancient history rises into that list. 

Today, a blog post from June 2nd, 2010, “Chemical Storage Dikes”, made the list. It looks at a common safety feature at chemical facilities and its importance to chemical security plans. Anytime a facility relies on chemical safety measures to limit the consequences for a potential terrorist attack, a fresh look needs to be taken at that safety measure to ensure that it will adequately perform its function in the event of an attack on the facility. 

Sunday, April 26, 2026

Review - Public ICS Disclosures – Week of 4-18-26 – Part 2

 For Part 2 we have three additional vendor disclosures from Pilz, SEMTECH, and VEGA. There are six vendor updates from HPE, Mitsubishi (2), and Moxa (3). We also have a researcher report for vulnerabilities in products from Lantronix and Silex. Finally, we have two exploits for products from FortiGuard. 

Advisories  

Pilz Advisory - CERT-VDE published an advisory that discusses an insecure default initialization of resource vulnerability (with publicly available exploits) in the Pilz PASvisu Runtime. 

SEMTECH Advisory - SEMTECH published an advisory that describes three vulnerabilities in their LR11xx transceivers. 

VEGA Advisory - CERT-VDE published an advisory that describes a missing authentication for critical function vulnerability in the VEGA VEGAPULS 6X product. 

Updates  

HPE Update - HPE published an update for their Aruba Networking advisory that was originally published on January 13th, 2026, and most recently updated on January 27th, 2026. 

Mitsubishi Update #1 - Mitsubishi published an update for their MELSEC iQ-F Series advisory that was originally published on March 3rd, 2026. 

Mitsubishi Update #2 - Mitsubishi published an update for their Ethernet Function advisory that was originally published on April 25th, 2026, and most recently updated on February 3rd, 2026. 

Moxa Update #1 - Moxa published an update for their Ethernet Switch advisory that was originally published on October 23rd, 2025, and most recently updated on October 31st, 2025.

Moxa Update #2 - Moxa published an update for their SSH Weak Algorithms advisory that was originally published on December 12th, 2025. 

Moxa Update #3 - Moxa published an update for their ICMP Timestamp Request advisory that was originally published on October 21st, 2025, and most recently updated on January 5th, 2026. 

Researcher Reports  

Lantronix Report - Forescout published a report that described eight vulnerabilities in the Lantronix EDS3000PS and EDS5000PS Series serial device servers. 

Silex Report - Forescout published a report that describes 12 vulnerabilities in the Silex D330-AC serial device server.

Exploits  

FortiGuard Exploit #1 - Ashraf Zaryouh published an exploit for an OS command injection vulnerability in the FortiGuard FortiSandbox product. 

FortiGuard Exploit #2 - Indoushka published an exploit for a relative path traversal vulnerability (which is listed in CISA’s KEV catalog) in the FortiGuard FortiWeb product. 


For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-4b8 - subscription required. 
