Wednesday, April 29, 2026

Looking Back – 4-16-21

Nearly every morning I start my computer time by looking at information from Google about what happened in my blog in the previous 24 hours. Google, and blogspot.com is a Google service, provides interesting pieces of analytical data about my blog readership. One item of particular interest is the top ten blog posts each day. As you would expect, most of those posts were from the last couple of days, but with 16 years of publishing this blog, every once in a while, a blog post from ancient history rises into that list.

Today, a blog post from March 16th, 2021, CISA Publishes CFATS Cybersecurity Letter, made the list. It briefly discusses a notification letter that the CFATS folks sent out to chemical facilities about widespread exploitation of the Microsoft Exchange Server Vulnerabilities. The interesting thing was that CISA sent that letter to not just the 3,000+ CFATS regulated facilities, but also to over 33,000 other chemical facilities that had sent Top Screen information to CISA. The odd thing was that the letter was little more than a warning about the vulnerabilities and only recommended that facilities report “evidence of threat actor activity”. 

Tuesday, April 28, 2026

Review – 1 Advisory Published – 4-28-26

 Today CISA’s NCCIC-ICS published one control system security advisory for products from NSA. 

Advisories  

NSA Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the NSA GRASSMARLIN passive network mapping tool.


For more information on this advisory, including a brief down-the-rabbit-hole look at GRASSMARLIN, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-4-28-26 - subscription required. 

Review – Bills Introduced – 4-27-26

Yesterday, with both the House and Senate in session, there were 72 bills introduced. Two of those bills will receive additional coverage in this blog: 

S 4395 A bill to reauthorize the Terrorism Risk Insurance Act of 2002, and for other purposes. McCormick, David [Sen.-R-PA]. 

S 4397 A bill to amend the Toxic Substances Control Act to improve transparency of the regulatory process and coordination of science among Federal agencies, and for other purposes. Ricketts, Pete [Sen.-R-NE]. 


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a brief look at an AI governance bill in the House, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-4-27-26 - subscription required. 

Short Takes – 4-28-26 - Federal Register Edition

Interim PFAS Destruction and Disposal Guidance; Notice of Availability for Public Comment. Federal Register EPA guidance availability notice. Summary: “The National Defense Authorization Act for Fiscal Year 2020 (FY 2020 NDAA) was signed into law on December 19, 2019 and directs the U.S. Environmental Protection Agency (EPA) to publish interim guidance on the destruction and disposal of perfluoroalkyl and polyfluoroalkyl substances (PFAS) and materials containing PFAS and to update the guidance at least every three years, as appropriate. The EPA is releasing an update to the April 16, 2024, interim guidance for public comment. The updated guidance builds on information pertaining to technologies that may be feasible and appropriate for the destruction or disposal of PFAS and PFAS-containing materials. The 2026 interim guidance also identifies key data gaps and uncertainties that must be resolved before the EPA can issue more definitive recommendations about PFAS destruction and disposal technologies.”

Sunshine Act Meeting; Open Commission Meeting Thursday, April 30, 2026. Federal Register FCC public meeting notice. Includes: Modernizing Spectrum Sharing for Satellite Broadband (SB Docket No. 25-157); and Protecting Against National Security Threats in Domestic Telecommunications Service (WC Docket No. 26-82). 

Five-Year Review of the Oil Pipeline Index. Federal Register FERC Order establishing index level. Summary: “The Federal Energy Regulatory Commission (Commission) issues this Final Order concluding its five-year review of the index level used to determine annual changes to oil pipeline rate ceilings. The Commission establishes an index level of Producer Price Index for Finished Goods minus 0.55% (PPI-FG-0.55%) for the five-year period beginning July 1, 2026.” 

Miscellaneous Information Collection Requests  

Website for Frequency Coordination Request. FAA 30-day ICR renewal. 

Safety and Health Measures and Mishap Reporting. NASA 60-day ICR revision. 

Voluntary Protection Programs. OSHA 60-day ICR revision.

Monday, April 27, 2026

Review - HR 8469 Introduced – FY 2027 MilCon Spending

 Last week, Rep Carter (R,TX) introduced HR 8469, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2027. The Committee Report on the legislation has been published. This is the first FY 2027 spending bill introduced. It would provide appropriations for military construction, the Department of Veterans Affairs, and related agencies. There are no cybersecurity provisions in the bill, but there are two cybersecurity discussions in the Report. 

Moving Forward   

 The MilCon spending bill is typically one of the least controversial spending bills, but it still only drew party-line support last year. The relatively low increases in spending are unlikely to draw ire from the fiscal flank of the Republican House. Interestingly, there may be increased (over last year) Democratic support for this bill, with the ‘Minority View’ section on page 120, concluding:  

 “While the bill is not the bill Democrats would have written, it is a much-improved bill from last year. The Chairman worked in good faith towards bipartisanship both in drafting his bill and in the compromise reached during full committee markup, leading to unanimous passage out of full committee. We look forward to continuing to work with the majority as the bill moves through the process.” 

For more information on the cybersecurity provisions of this bill and report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8469-introduced-fy-2027-milcon - subscription required.

Review – Committee Hearings – Week of 4-26-26

This week, with both the House and Senate in Washington, there is an almost moderately busy hearing schedule. Budget hearings are a large part of the load (some of interest here) and the House Appropriations Committee continues to work on spending bills. There is a CISA SRMA hearing in the House (with a touch of Space Geek thrown in) and a space defense hearing.

Cybersecurity Hearings  

On Wednesday, the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on “Data Centers, Telecommunications Networks, and Space-Based Systems: Modernizing DHS’s SRMA [Sector Risk Management Agency] Role for the Communications and IT Sectors”. 

Space Defense Hearings  

On Wednesday the Subcommittee on Europe of the House Foreign Affairs Committee will hold a hearing on “Orbits of Influence: Emerging Threats to U.S. Space Security and Foreign Policy Implications”.   


For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-4-26-26 - subscription required. 

Short Takes – 4-27-26 - Federal Register Edition

Administrative Rulemaking, Guidance, and Enforcement Procedures. Federal Register, DOT, PHMSA, and FMCSA final rule. Summary: “This final rule reinstates and expounds upon procedural reforms for the Department's rulemakings, guidance documents, and enforcement actions rescinded by a final rule published by the Department on April 2, 2021, “Administrative Rulemaking, Guidance, and Enforcement Procedures.” Accordingly, this final rule revises and updates the Department's internal policies and procedures relating to the issuance of rulemaking documents. In addition, this final rule updates the Department's procedural requirements governing the review and clearance of guidance documents, and the initiation and conduct of enforcement actions, including administrative enforcement proceedings and judicial enforcement actions brought in Federal court.”

Energy Conservation Program: Notification of Petition for Rulemaking. Federal Register DOE notice of proposed rulemaking. Summary: “On February 19, 2026, the Department of Energy (DOE) received a petition from the American Gas Association (AGA), the American Public Gas Association (APGA), and the National Propane Gas Association (NPGA) asking DOE to amend the compliance dates for two energy conservation standards final rules for commercial water heating equipment and consumer furnaces. Through this notification, DOE is seeking comment on whether it should grant the petition and undertake a rulemaking to consider the proposal contained in the petition, as well as any data or information that may be relevant to DOE's consideration of the petition.” 

Name of Information Collection: Automated Technology Licensing Application System (ATLAS). Federal Register NASA 60-day ICR renewal notice. Summary: “The information submitted by the public is a license application for those companies and individuals who wish to obtain a patent license for NASA patented technology. Information needed for the license application in ATLAS may include supporting documentation such as a certificate of incorporation, a financial statement, a business and/or commercialization plan, a project revenue/royalty spreadsheet, and a company balance sheet. At a minimum, all license applicants must submit a satisfactory plan for the development and/or marketing of an invention. The collected information is used by NASA to ensure that companies that see to commercialize NASA technologies have a solid business plan for bringing the technology to market.” 
