Thursday, April 16, 2026

FY 2027 Spending Bill Markups – 4-17-26

 Yesterday, the House.gov website added two new committee hearings for Friday, April 17th, 2026. Both are markup hearings by subcommittees of the House Appropriations Committee. These will likely be the first two FY 2027 spending bills to be considered in the House. Those two bills are: 

  • Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2027 (MilCon), and 
  • Financial Services and General Government Appropriations Act, 2027 (FinSvcs). 

These hearings are being held almost a month and a half earlier than normal. If Congress is going to have any chance of passing spending bills before the end of September, early action by the Appropriations Committee is going to be required. The Committee hearing page would seem to indicate that their plan is to begin introducing spending bills next week. Then we will have to see if the House leadership can successfully bring those bills to the floor of the House. 

Spending bills that pass in the House along party-line votes have little or no chance of passing in the Senate.

The hearing schedule in the Senate is still focused on the President’s budget request. This means that the Committee’s versions of the spending bills will still be weeks away from being available for consideration when the Senate takes up the House passed bills. The longer that delay lasts, the less likely it will be that Congress will pass spending bills in regular order. 

Review – 4 Advisories Published – 4-16-23

 Today CISA’s NCCIC-ICS published four control systems security advisories for products from AVEVA, Anviz, Horner Automation, and Delta Electronics. 

Advisories  

AVEVA Advisory - This advisory describes a missing authorization vulnerability in the AVEVA Pipeline Simulation product. 

Anviz Advisory - This advisory describes 12 vulnerabilities in multiple Anviz time clock products. 

Horner Advisory - This advisory describes a weak password requirements vulnerability in the Horner Cscape, XL4, and XL7 PLCs. 

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta ASDA-Soft configuration software. 

For more information on these advisories, including a brief discussion about the missing Siemens advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-4-16-23 - subscription required. 

Review - TSA Publishes Surface Cybersecurity 60-day ICR Revision Notice

 Today the Transportation Security Administration published a 60-day information collection request (ICR) revision notice in the Federal Register (91 FR 20475-20477) for their “Cybersecurity Measures for Surface Modes” ICR. The revision deals with the new reporting requirements for the appointment of a primary or alternate Cybersecurity Coordinator who is not a US citizen. 

The table below shows the proposed and existing burden estimates for this ICR. Today’s notice does not report the number of annual responses expected for the revised ICR. 

Public Comments  

TSA is soliciting public comments on this ICR revision. Comments may be emailed to TSAPRA@tsa.dhs.gov. Comments should be sent by June 15th, 2026. 

For more information on this ICR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-surface-cybersecurity - subscription required. 

Wednesday, April 15, 2026

Siemens S-ADP Announcement – 4-14-26

 Yesterday, Siemens added a new announcement to their Siemens ProductCERT website regarding their support and use of the new Supplier Authorized Data Supplier (S-ADP) tools available on both the NIST.NVD.gov and the CVE.org websites. This new tool allows vendors like Siemens to add information to third-party vulnerability CVE listings on each site, similar to how CISA (using CISA-ADP) is able to add pertinent information to those vulnerability listings. An example of how that new data is applied can be seen at the NIST.NVD and CVE pages for CVE-2025-2884. 

Siemens notes that: 

“With the current SADP approach, we expect that vulnerability scanners can increase the “true positive” rates for affected Siemens products. In future, when Siemens expands to incorporate "known-not-affected" product data into SADP (information currently available only through security advisories and CSAF), we expect the number of “false positives” to drop. “False positives” occur when vulnerable components are installed in a system, but the vulnerability cannot be exploited.” 

Review – Bills Introduced – 4-14-26

 Yesterday, with both the House and Senate in session, there were 51 bills introduced. One of those bills may receive additional coverage in this blog: 

HR 8267 To amend title 49, United States Code, to combat freight fraud and theft, and for other purposes. Knott, Brad [Rep.-R-NC-13] 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill to establish a commission on presidential capacity to serve, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-4-14-26 - subscription required. 

Tuesday, April 14, 2026

HR 7512 Introduced – CWMD Authorization

 Back in February, Rep Ogles (R,TN) introduced HR 7512, the Preserving Counterterrorism Capabilities Act of 2026. This bill is a clean reauthorization of the Countering Weapons of Mass Destruction Office. It changes the date in 6 USC 591(e) for the termination of the authorization of the Office from December 31st, 2023, to February 28th, 2027. No new funding is authorized by this legislation. 

The Countering Weapons of Mass Destruction Office was authorized by 6 USC 591 on December 21st, 2018. That authorization terminated five years later {§591(e)}. Since there are no regulatory issues associated with the Office that need specific authorization, Congress has been able to continue funding the Office in spending bills without extending the termination date. 

Moving Forward  

Ogles is a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. On the other hand, there is no regulatory issue that demands the reauthorization of this Office. If this bill were considered, I expect that it would receive bipartisan support, probably sufficient support to be considered by the full House under the suspension of the rules process. 

Commentary  

The FY 2027 Budget Request (pg 27) notes that the Administration intends to reorganize the CWMD Office, reducing the funding requested by $40 million. This bill would not address the changes being proposed by the Administration. It is not yet clear if there is support in Committee for the reorganization. If not, there may be changes made in this bill to codify the existing organization so that it would be more difficult to effect an administrative reorganization without specific congressional authorization. 

 