Tuesday, June 30, 2015

HR 2577 Reported in Senate – FY 2016 THUD

Last week the Senate Appropriation Committee amended HR 2577, the Transportation, Housing and Urban Development, and Related Agencies (THUD) Appropriations Act, 2016, by adopting substitute language and reported the amended bill favorably. Substantial changes were made to the bill and all of the floor amendments adopted by the House were eliminated in the new Senate version.

As with the base House version there is no specific mention of hazardous chemical transportation issues in the Senate version. There is a cybersecurity provision in the bill (that was also in the House version) that may now be interesting in light of the OPM hack. The bill includes DOT HQ spending of $8 Million dollars for:

“…necessary expenses for cyber security initiatives, including necessary upgrades to wide area network and information technology infrastructure, improvement of network perimeter controls and identity management, testing and assessment of information technology against business, security, and other requirements, implementation of Federal cyber security initiatives and information infrastructure enhancements, implementation of enhanced security controls on network devices, and enhancement of cyber security workforce training tools…” (pg 171)

Commentary: While $8 Million would be a sizeable increase to my personal budget, for a Department as large as DOT I would bet that it really does not buy much cybersecurity.

While the bill itself did not have much to say about hazmat transportation issues the same could not be said for the report that accompanied the revised bill. This is not unusual for spending bills that even with just high level spending mentioned run into the hundreds of pages. The Report allows for addressing some of the programmatic spending on selected issues of interest to the Committee.

Federal Railroad Administration

As one would expect given the on-going controversy over shipping of crude oil by train, the Committee chimed in on this issue. First it provided more money (an extra $3.4 Million) “to support FRA’s efforts to improve the safe transport of energy products. The STEP initiative supports additional crude oil safety inspectors, crude oil route safety managers, and tank car quality assurance specialists, as well as supports increased mileage of a dedicated Automated Track Inspection Program vehicle on routes with energy products traffic”(pgs 66-7).  It then added $2.0 Million “to further the Short Line Safety Institute’s mission, including continued efforts to improve the safe transportation of crude oil and other hazardous materials by rail”
(pgs 67-8).

The Committee also noted that they expect the next major STEP controversy to be the transportation of Liquefied Natural Gas (LNG) by rail. The Committee included $2.0 Million for FRA and PHMSA to accelerate the “research and development on the safe transportation of LNG” (pg 68). The Committee believes that this should allow the completion of work started this year.

Pipeline and Hazardous Material Safety Administration

PHMSA has been the lead agency for most of the regulations of crude oil transportation, so they received the most attention from the Committee on this topic. Those comments addressed three areas:

Crude oil shipment across various modes of transportation;
Crude oil volatility; and
Comprehensive oil spill response plans.


On the first topic the Committee wants a detailed report to Congress on the comparative safety of shipping oil by rail, pipeline, or truck. It would specifically include a listing by transportation mode of the total amount of crude oil shipped and the total amount spilled. The report conclusions would include a recommendation on the safest mode of transportation as well as “necessary measures to improve the safety of each form of transportation” (pg 91).

The Committee acknowledges the complexity of the issue of determining combustibility of crude oil (the basis for concern about volatility) and directs DOT to continue to work with the Department of Energy to “complete the second phase of the Department of Energy’s study on oil volatility” (pg 91).

The Committee expressed their disappointment that PHMSA has not moved fast enough on their rulemaking efforts concerning oil spill response plans for crude oil shipped by rail. This disappointment is aggrevated by the fact that additional funding had been provided for that rulemaking effort. To make their position absolutely clear the Committee is directing “PHMSA to initiate a rulemaking to expand the applicability of comprehensive oil spill response plans to rail carriers within 90 days of enactment of this act and to issue a final rule no later than 1 year after enactment of this act” (pg91).

The report also addresses the importance of protecting the integrity of pipelines at river crossings. Given the direct and immediate impact on water quality and safety issues of a pipeline failure under a riverbed, the Committee is requiring a report on “how real-time monitoring during flood events and pertinent data from other agencies such as the United States Geological Survey is being used to address challenges associated with the dynamic and unique nature of rivers and flood plains” (pg 93).

Moving Forward

If the Republicans and Democrats in the Senate can resolve their differences on the sequestration issue, there is a chance that this bill could make its way to the floor of the Senate before the summer break in August. If the Defense spending bill does not make it to the floor before that recess, I suspect none of the spending bills will and we will be worrying about a continuing resolution come the end of September.

If this bill does make it to the floor there will be a lengthy amendment process with a large number of additions of programs and spending amounts for various infrastructure projects. If spending caps remain in place (as I expect they will) the costs of those projects will have to come from administrative costs elsewhere in the bill. There will be a lot of robbing Peter to pay Paul.


Air Products Attack Update – 6-30-15

News reports are becoming much thinner on the Air Products attack in France as the investigation continues in the somewhat slower and tedious information collection phase.

A TV station in Allentown, PA (the home of Air Products) is reporting that the facility in France is now open and operational. There is no word about how much actual damage occurred or whether it has been repaired. I assume that this is more about the investigators being done with the scene.

Another news report describes Salhi’s actions as he was detained; “He was overpowered by a firefighter as he was trying to prise open a bottle of acetone in an apparent suicidal bid to destroy the factory.” This provides another indicator that there was not a bomb detonation involved in the attack.

The investigation into possible IS links continues. News reports this weekend indicated that Salhi had sent a selfie of him and the beheaded body to an unknown contact. USAToday is reporting today that that contact was Sebastien Younes in Syria. This includes unconfirmed reports that Younes is claiming to have encouraged Salhi to initiate the attack.

That USAToday report also notes that: “Air Products officials have said Salhi had an entry badge for the site in Saint-Quentin-Fallavier, near Lyon, and had never caused problems in the past.”

Commentary

The questions continue about how a man with suspected ties to radical jihadists was given routine access to what we in the United States would probably consider a high-risk chemical facility. I don’t know what sort of vetting process companies in France have for checking for potential terrorist ties, but I would assume that that would have to be done through the French authorities.

High-risk chemical facilities in the United States that are covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program are supposed to include vetting all employees and unescorted visitors for terrorist ties as part of their site security plan. Unfortunately, there is currently no way to do that as the CFATS personnel surety program (PSP) has been tied up by political wrangling between the folks at DHS and the regulated community.


So, with no way to vet people for potential terrorist ties there is no way to know how many Salhi’s are currently routinely entering high-risk chemical facilities in this country.

Monday, June 29, 2015

S 1180 Reported in Senate – IPAWS Modernization Act

Last week the Senate Homeland Security and Governmental Affairs Committee published their report on S 1180, the Integrated Public Alert and Warning System (IPAWS) Modernization Act. The report contains some interesting supporting information from the Congressional Budget Office (CBO) as well as some background material on the existing IPAWS program.

Background

The existing IPAWS system which this bill is trying to codify and update was initiated in response to the 2006 EO 13407 signed by President Bush. The Report identifies two GAO reports (GAO-09-834 and GAO-13-375) that identified some of the problems that this bill attempts to resolve. The Committee Report does explain that improvements have been made at FEMA in response to those reports, but notes:

“This legislation will further this progress and help address many of the other problems stakeholders, Congress, and GAO previously identified, including helping to ensure sufficient training for emergency alerting officials, increasing collaboration at all levels of government, and ensuring Congress’s important role of oversight.”

CBO Information

The CBO is required to evaluate the costs of proposed legislation. For this bill they expect that the costs of the IPAWS upgrades would increase the funding needs over the next three years from the current spending level of $12 Million to $13 Million per year.

The CBO letter report explains that many of the requirement of this bill are currently being pursued by FEMA, but there are some new requirements for the system. Those new requirements include (pg 6):

Training state and local governments and other stakeholders to use the system;
Conducting nationwide testing of the system every three years: and
Ensuring that IPAWS can withstand terrorist attacks.

Moving Forward

This bill was introduced by Sen. Johnson (R,WI) the Chair of the HSGAC. He has moved it expeditiously through his committee and I expect that it will make it to the floor, perhaps before the summer recess. It will almost certainly be passed under the unanimous consent provisions.


Two similar bills in the House, HR 1472 and HR 1738, are still pending publication of their respective Committee Reports. There is still the jurisdictional controversy that will have to be resolved by the House leadership before one of these bills makes it to the floor in the House. S 1180 would tend to support the House Homeland Security Committee’s claim to jurisdiction over the IPAWS oversight.

Sunday, June 28, 2015

S 1611 Introduced – FY 2016 CG Authorization

Two weeks ago Sen. Thune (R,SD) introduced S 1611, the Coast Guard Authorization Act of 2015. This is the Senate version of the annual authorization bill. Unlike the House version (HR 1987 which passed in the House last month) there are two sections in this bill that will effect maritime transportation of hazardous chemicals. They deal with fishing vessels and with enforcement of hazardous material transportation law.

Fishing Vessels

Section 303 of the bill would amend 46 USC 3702, addressing the carriage of liquid bulk dangerous cargoes by fishing vessels. It would add a new paragraph (c) to that section that would generally exempt fishing or fish tender vessels from the provisions of 46 USC Chapter 37 when those vessels are “engaged only in the fishing industry” {new §3702(c)(1)}. That exemption would not apply if “the vessel is carrying flammable or combustible liquid cargoes in bulk” {new §3702(c)(2)}.

Enforcement

Section 304 would add a new section to 49 USC Chapter 51, Transportation of Hazardous Materials. The new §5129 would require the Secretary of Transportation and the DHS Secretary to “establish policies and practices to ensure that the authorities set forth in this chapter are enforced in the same manner and to the same extent, and the civil and criminal penalties are assessed or recommended in the same manner and to the same extent”.

Markup Hearing

The bill was marked up by the Senate Commerce, Science and Transportation Committee on June 25th. A number of amendments were offered and accepted by voice vote, but only one may be of specific interest to readers of this blog. The amendment was offered by Sen. Peters (D,MI) and Sen. Johnson (R,WI) and would require a report to Congress on the assessment of the effectiveness of the oil spill response activities specific to the Great Lakes.

The bill was adopted by the Committee by voice vote.

Moving Forward


This bill will move to the full Senate, probably after the summer recess. There is a good chance that the bill will be considered as expeditiously as the House version was. The two versions would then be reconciled in Conference.

Saturday, June 27, 2015

Air Products Attack Update – 6-27-15

We are still getting new, but sketchy information from the press about the attack on the Air Products plant in France yesterday. Most commentators are linking this attack with a suicide bombing attack on a mosque in Kuwait and an attack by two gunmen on tourists in Tunisia that also occurred yesterday. The Islamic State has apparently only taken credit for the suicide bombing.

News reports from the Washington Post and the Daily Mail both claim that yesterday’s attacker was a known delivery driver at the facility. The Post article is reporting that the French authorities are now saying that the attacker entered the facility normally and then accelerated into the building. Allowing a known delivery driver into a facility with minimal scrutiny is a fairly routine practice unless a facility is in a high-state of alert.

News reports continue to describe an explosion associated with this attack.  The Post article quotes a French official as saying:

“A security camera, he said, showed Salhi’s vehicle accelerating toward a covered shed, sparking an explosion. A part of the shed was destroyed in the explosion, the back of the vehicle was destroyed and the roof disintegrated.”

With the alleged explosion affecting the back of the vehicle rather than the front, it would seem that an explosive device of some kind was in the vehicle. If that was the case, it would have to have been small or only partially functioning since it appears that the driver was unharmed. Until someone describes the type of explosion or device, I am still reluctant to conclude that an actual explosive device was included in the attack. I still think that the ‘explosion’ was the sound of the truck hitting the metal sided building.


Both the Post and Fox News are commenting on the fact that the three attacks were taking place during the month of Ramadan (June 18th to July 17th this year) and noted that ISIS has called to make the month of Ramadan a time of "calamity for the infidels." 

S 1608 Introduced – Regulation of Consumer Drones

Last week Sen. Feinstein introduced S 1608, the Consumer Drone Safety Act. The bill would require the Administrator of the Federal Aviation Authority (FAA) to issue new regulations for the operation of consumer drones. Those regulations would address two major topics:

Safety requirements for operation of consumer drones; and
Safety requirements for manufacturers of consumer drones.

Consumer Drone Definition

Section 6(4) of the bill would define a ‘consumer drone’ as a civil unmanned aircraft or a civil unmanned aircraft system, weighing 55 lbs or less that is intended for commercial distribution and is {§6(4)(A)(i)}:

Equipped with an automatic stabilization system; or
Capable of providing a video signal allowing operation beyond the visual line of sight of the operator.

Operation of Consumer Drones

The FAA would be required to establish regulations concerning the safety requirements for the operation of consumer drones within 18 months of this bill being enacted. Those requirements would include {§2(c)}:

A maximum altitude above ground level for flight of consumer drones;
Circumstances or areas where flights are restricted because of the risk of unsafe interactions with manned aircraft, such as within an unsafe distance from an airport or in the flight path of a manned aircraft;
Circumstances or areas where flights are restricted because of the risk to persons or property on the ground, such as within an unsafe distance from urban areas, residential areas, electrical infrastructure, transportation infrastructure, amusement parks, or public areas where spectators are present;
Conditions that may require limitations on flight, such as weather or time of day; and
Any other requirement that the Administrator determines is necessary to minimize the risk that a consumer drone will collide with a manned aircraft or otherwise endanger the safety of the national airspace system or persons and property on the ground.

Manufacturers of Consumer Drones

Section 3 of the bill would require the FAA to establish regulations governing manufacturers, importers and sellers of drones. These regulations would establish requirements for consumer drones. These requirements would include {§3(b)}:

Limitations on altitude for consumer drones, whether through software or other technological means;
A means of preventing unauthorized operation within an unsafe distance from an airport or in protected airspace;
A system that, through sensors and software or other similar means, enables avoidance of collisions;
A technological means to maintain safety in the event that a communications link between a consumer drone and its operator is lost or compromised, such as by ensuring that the drone autonomously lands safely in a particular location;
A requirement that a consumer drone be detectable and identifiable to pilots and air traffic controllers, including through the use of an identification number and a transponder or similar technology to convey the drone’s location and altitude;
A means to prevent tampering with or modification of any system, limitation, or other safety mechanism required by the Administrator under this section or any other provision of law, including a means to identify any tampering or modification that has been made;
Educational materials to be provided to a consumer who purchases a consumer drone; and
Such other requirements as the Administrator considers necessary to ensure the safety of the national airspace system.

There are provisions for the Administrator to allow operation of consumer drones that cannot meet the above requirements because meeting the requirement for that specific type of drone “is technologically infeasible or cost-prohibitive” {§3(d)(1)}. The Administrator must still ensure that the operation of the exempted drone “does not create a hazard to users of the national airspace system or the public or pose a threat to national security” {§3(d)(2)}.

The bill also contains a requirement that manufacturers update consumer drones (at the manufacturers cost) to the above standards that were “commercially distributed before the publication of the rule so that, to the greatest extent practicable such consumer drones meet the requirements prescribed under the rule” {§3(c)(1)}. If the consumer drones cannot be modified the Administrator may apply the exemption described above.

Moving Forward

Feinstein and her cosponsor, Sen.Schumer (D,NY), are both influential Democrats, but neither are on the Senate Commerce, Science and Transportation Committee to which this bill was assigned. It is unlikely that they will be able to convince the Committee leadership to take up this bill.

Commentary

I am not sure (nor am I really qualified to judge, something that I am willing to admit) that the current crop of consumer drones could be modified to include all of the requirements outlined in this bill.

I am concerned about the ex post facto requirement for manufacturers to upgrade previously sold drones to meet these new requirements. I seem to recall that Article I, Section 9, Clause 2 of the Constitution prohibits the passage of ex post facto laws. Section 3(c)(1) certainly seems to violate that principal.


Ignoring both of those deficiencies in this bill, I am even more concerned about its lack of discussion about prohibiting the flying of consumer drones over critical infrastructure (beyond the basic undefined mention of “electrical infrastructure, [and] transportation infrastructure” in §3(c)(3). The use of these remotely controlled aerial devices in surveillance preparatory to an attack or use as a weapon delivery device (okay probably much less of a hazard) in the execution of an attack is something that there is a legitimate need to prevent. Especially since the armed forces of the Islamic State are gaining experience in using exactly these types of drones in combat operations in Syria and Iraq.

Friday, June 26, 2015

Air Products Attack Update – Morning 6-26-15

We are still a long way from knowing anything with certainty about this morning’s attack on an Air Product’s facility in France. There are some items being reported in the news that probably will not change and some items reported earlier are already being contradicted with some authority.

What We Appear to Know

Newer news reports (here, here, and here) all seem to agree that there was only one person in the car that drove through the gate of the Air Products plant. They all also continue to report that there was a decapitated body associated with this attack and it was located outside of the facility, so it would appear that the decapitation preceded the attack.

News reports continue to report the sounds of an explosion associated with the attack, but none of the news photos show any signs of fire or damage associated with an explosive device or explosion of chemicals at the site. The New York Times report states:

Thierry Gricourt, an insurance adviser who works down the street from the plant, said it was a small explosion. “We heard a noise a little before 10,” he said. “It was not very loud; we did not know it was an explosion.”

The French authorities have ‘the driver’ of the car in custody. They report that he is Yassin Salhi (though no official spelling is available) who had been under French intelligence surveillance a number of years ago. Apparently he had been determined not to be a threat.

Finally, and the best news, Air Products reports that all of their employees are present and accounted for. There are no reports of employee injuries in the news reports. Apparently the person who was attacked outside of the plant was not an Air Product employee, but no one has identified that body yet.

Commentary

I am beginning to suspect (based only on news reporting) that there may not have been an explosive device involved in the attack and it doesn’t look like there were any explosions of chemicals stored, used or produced at the facility. What people may have been reporting as an explosion may have been the sound of the vehicle hitting one of the buildings on site.

According to CNN the French are reporting that that building contained gas cylinders. If any of those cylinders had been knocked out of the building by the force of the vehicle impact, that may account for the reports of ‘gas bombs’ being thrown from the vehicle.

The front gate of most chemical facilities is going to look like the weak spot in the perimeter as long as the attacker is not interested in preventing damage to his vehicle. While most high-risk facilities will have processes to stop vehicles from driving through the gate, they are frequently not used on a day-to-day basis because they impede the normal flow of people and materials through that gate.

While there may be some places in a chemical facility where serious damage can be done by driving a car into equipment, they will be few and far between. Most facilities have already put up barricades to protect those areas from damage from forklift drivers. Where unprotected areas do exist they require detailed knowledge of the facility to find and identify.

This was an effective attack on the individual that had his head placed on the facility fence, but it was not an effective attack on the facility by any serious measure of efficacy. The plant has been shut down for the remainder of today, but it will probably be open and operational on Monday. It will only take that long due to the number of people and organizations that will be involved in the investigation of this incident.

The bigger question is what effect will this have on chemical facility security here in the US. I am sure that DHS and the CFATS folks will be taking a hard look at the results of the investigation. Depending on what type of security measures were in place and/or in use at the front gate of the facility, DHS may suggest changes to some security measures at CFATS covered facilities.

I mentioned the possibility of DHS requiring an immediate increase in security measures as a result of this attack. I have an email into DHS asking about this, but have heard nothing back yet; they may be kind of busy. I think such an upgrade is reasonable in the short term; we don’t know enough about the attack yet.


In the longer term a lot is going to depend on whether or not this attacker was directed to assault this facility by IS or al Qaeda, or whatever group or if this was a trained operative on a self-directed attack, or a self-radicalized individual striking out at a target of opportunity. The first will certainly justifying a requirement for long-term increases in security measures. The latter would probably not. The middle case will cause the most consternation in regulators and facility owners.

Bills Introduced – 06-25-15

Yesterday there were 104 bills introduced in the House and Senate. Four of those bills may be of specific interest to readers of this blog:

HR 2886 To direct the Secretary of Transportation to establish an Automated and Connected Vehicle Research Initiative, and for other purposes. Rep. Lipinski, Daniel [D-IL-3]

HR 2899 To amend the Homeland Security Act of 2002 to authorize the Office for Countering Violent Extremism. Rep. McCaul, Michael T. [R-TX-10]

HR 2933 To amend title 49, United States Code, to establish a local rail facilities and safety program to award grants for freight capacity projects, and for other purposes. Rep. Larsen, Rick [D-WA-2]

H Res 340 Returning to the Senate H.R. 1735, a bill to authorize appropriations for fiscal year 2016 for military activities of the Department of Defense, for military construction, and for defense activities... Rep. Boustany, Charles W., Jr. [R-LA-3]

Based on the testimony presented in yesterday’s hearing on vehicle-to-vehicle communication it seems that the initiative called for in HR 2886 may be a little late. It will be interesting to see the actual language of the bill.

McCaul’s bill will probably only be of tangential interest to readers of this blog, but I certainly want to read the language first.

Unless HR 2933 contains specific language that would affect chemical hazmat shipments, I probably will not mention this bill again.

H Res 340 is one of those inter-house disagreements that is of interest mainly to insiders. It seems that the Parliamentarian of the House concluded that §636 of HR 1735 that was added in the Senate was a violation of Article I, Section 7, Clause 1 of the Constitution:

“All Bills for raising Revenue shall originate in the House of Representatives; but the Senate may propose or concur with Amendments as on other Bills.”


Such usurpation of the prerogatives of the House could not be countenanced and H Res 340 was drafted, offered and passed in the House without comment. The response in the Senate was just as quick; Sen. McCain offered a unanimous consent request that the Clerk of the Senate be directed to remove §636 from the engrossed version of the bill and it was approved without objection or additional discussion. The bill will arrive back in the House today for their decision to accept, amend or request a Conference. Everyone expects a request for Conference.

NOTE: The House accepted the revised HR 1735 yesterday, disagreed with the Senate amendments and requested Conference. Added 6-26-15 9:35 CDT.

Terrorist Attack on Air Products Plant in France

News reports (here, here and here) are just now starting to come in about a possible terrorist attack on an Air Products facility in Saint-Quentin-Fallavier, France. These are early reports and there are conflicting detail, as we are used to seeing in early press reports.

What does seem to be common to the reports at this point; two men decapitated a man and then drove into the Air Products facility. Most of the reports say that the car drove into gas cylinders on the site, setting off explosions. One report says that ‘gas bombs’ were thrown from the car. One report says that the head of the man was placed on the facility fence.

An ‘Islamist flag’ has reportedly been seen on site, leading most reports to conjecture that this is a radical-jihadist terrorist attack. Reportedly one of the men is in custody and the other may be at large.

The French Government has reportedly stepped up security at all sensitive sites.

Commentary

The fact that this was an attack on an American company has not yet been determined to be of significance. I suspect that DHS will be notifying CFATS facilities to increase their security as a precaution. All covered facilities are supposed to have provisions in their security plan to put in place additional measures when there is an increased threat of potential attack.

I would bet that Air Products has increased the security at their facilities in the US without waiting for word from ISCD.


There has been no change, yet, to the National Terrorism Advisory System status.

Thursday, June 25, 2015

Homeland Security Committee Amends and Reports 10 Bills

This afternoon the House Homeland Security Committee held a markup hearing to address 10 pieces of proposed legislation. All ten bills were approved (many after being amended) on voice votes. Two of the bills, as I mentioned in an earlier post, may be of specific interest to readers of this blog:

HR 1073, the Critical Infrastructure Protection Act; and
HR 2786, the Cross-Border Rail Security Act of 2015

HR 1073

The Committee web site for this hearing had mentioned as early as Tuesday that an amendment in the form of a substitute would be offered by Rep. Perry (R,PA). I mentioned earlier that the amendment was mainly about some word changes that had no practical effect on the bill. There was an amendment offered to the Perry substitute by Rep. Thompson (D,MS). It was a another set of word changes that don’t really make a difference. They included:

∙ Substituting “national planning frameworks” for “national planning scenarios”; and
∙ Substituting “emergency response providers” for “emergency responders”.

Both amendments were adopted by voice votes.

HR 2786

There were no amendments offered on HR 2786 so it was adopted as introduced, again by a voice vote

Moving Forward


Both of these bills look like strong prospects to move forward to the House floor for consideration. If they do, they will almost certainly be considered under suspension of the rules (no amendments) and will receive broad bipartisan support.

ICS-CERT Publishes Two Advisories

This afternoon the DHS ICS-CERT published two new advisories for control system vulnerabilities in systems from Siemens and PACTware.

PACTware Advisory

This advisory describes a handling of exceptional conditions vulnerability in PACTware Consortium’s PACTware application. The vulnerability was reported by Ivan Sanchez from Nullcode Team. PACTware has produced a service pack for the application and ICS-CERT reports that Sanchez has verified the efficacy of the fix.

ICS-CERT reports that a social engineering attack would have to be used to convince an operator to load and run a specially crafted file.

ICS-CERT reports that the new version (Service Pack 3) can be downloaded from the PACTware Consortium site. There are actually seven different companies using that web site to distribute PACTware 4.1. But only one of the seven companies, KROHNE Messtechnik GmbH,  listed on the site clearly has 4.1 SP3 available for download. I could not find the PACTware download on two of the sites and the other four did not list either version numbers or SP numbers.

Siemens Advisory

This advisory describes a cross site scripting vulnerability in the Siemens Climatix BACnet/IP communication module. The vulnerability was reported by Juan Francisco Bolivar Hernandez. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that Hernandez was given an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability.


The Siemens advisory on this vulnerability notes that the new firmware version has an additional security improvement; web server authentication is enabled by default.

House Passes DHS Bills with Minimal Debate

This has been the week for the House to consider a number of low-controversy bills for DHS. Two of the bills in particular have been ones that I have been commenting on in this blog:

HR 1646 – The Homeland Security Drone Assessment and Analysis Act
HR 2200 – The CBRN Intelligence and Information Sharing Act of 2015

Both of these bills were debated on Tuesday, but neither attracted much discussion. The debate on HR 1646 lasted a little over six minutes. The debate on HR 2200 only took nine minutes. There were 40 minutes allotted for the debate of each bill.


HR 1646 was passed on a voice vote on Tuesday. When it came to vote on HR 2200 a recorded vote was requested which delayed the proceedings until this morning. The House voted 420 to 2 to approve HR 2200. Both bills now head to the Senate where they are likely to be considered under the unanimous consent process, but there is no telling when that might happen. They could even  die a quiet death by being ignored by the Senate leadership.

OMB Approves ICR Revision for PMSA Fireworks Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced the approval of a revision of a PHMSA information collection request supporting the Approvals program for hazardous materials. The revision was needed because of changes in reporting requirements for those seeking fireworks approvals included in the HM-257 final rule published in July, 2013.

According to the supporting data [.DOC download] submitted by PHMSA the new reporting requirements are expected to only affect 211 of the 11,074 Approvals applicants. The new requirements would result in an additional five minutes on each of the 24.5 (average) requests for approvals for each these applicants. This would increase the total hour burden estimate by 430 hours to 28,270 hours.

Commentary

This is a totally unremarkable revision of a long-standing ICR and as such I would typically ignore this, especially considering that OIRA approved the ICR revision without change for the standard three years. What caught my attention, however, was the fact that the ICR revision was requested on May 29th, 2014. This completely unremarkable ICR revision took over a year to approve, even after OIRA had signed off on the data during the rulemaking process just 5 months before this request was submitted.

Short of a congressional investigation or a GAO audit (often a precursor to such an investigation) we will never know why this ICR approval took so long. It is, however, part of a long history of slow movement in OIRA on conducting approvals of what are supposed to simple administrative reviews of whether or not an Agency has dotted all the “i’s” and crossed all the “t’s” in justifying collecting information from the public.

Many times we can clearly see that the delays are politically driven (see the still unapproved ICR for the CFATS personnel surety program), but that does not seem to be the situation here. While there were some objections in the fireworks community to some of the provisions of the HM-257 rulemaking, those controversies were effectively settled by the publication of the rule.


Perhaps it is time for somebody in Congress to start asking questions about the ICR approval process and the lengthy delays being experienced in the OIRA’s reviews.

OMB Approves Emergency ICR for FFIEC Cybersecurity Assessment Tool

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency information collection request for the use of a cybersecurity assessment tool “that will assist financial institutions of all sizes in assessing their inherent cybersecurity risk and their risk management capabilities”.

This cybersecurity assessment tool was developed as a cooperative project of the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve (Board), and the National Credit Union Administration (NCUA), under the auspices of the Federal Financial Institutions Examination Council (FFIEC). The table below lists the burden estimates, both for the individual agencies and the total burden and is based upon the supporting data [.DOC download] submitted to OIRA. The hours-burden is based upon an estimated 80 hours per assessment.

Agency
Respondents
Hour-Burden
OCC
1,511
120,880
Board
5,282
422,560
FDIC
4,084
326,720
NCUA
6,206
496,480
All Agencies
176
14,080
Total
17,259
1,380,720

NOTE: The ‘all agencies’ figures are not well described; being listed solely as “technology service providers”.

The supporting data document also notes that (pg 3):

“The Assessment incorporates the publicly available cybersecurity framework developed by the National Institute of Standards and Technology.  The Assessment tailors this framework to the financial industry.”

Finally, even though the Treasury reports that failure to use the tool could lead to “disruption, degradation, or unauthorized alteration of information and systems could affect a financial institution’s operations and core processes and undermine confidence in the nation's financial services sector” (pg 2) the collection is voluntary.

Commentary

I certainly do not intend to start covering cybersecurity issues in the banking sector as a normal topic in this blog. But I thought that this ICR approval is an illustration of the way that this Administration is addressing the cybersecurity situation that we are currently facing in this country (and let’s face it, the world).

First off, this is little more than an adaptation of the NIST Cybersecurity Framework (CSF) that was issued in February of 2014, well over a year ago. The implementation of the CSF, a risk-management tool not a cybersecurity tool, was to be a main focus for the various critical infrastructure regulatory agencies. And now, 15 months later, the financial services sector is getting ‘emergency’ approval to use this tool. This is hardly an expeditious response for protecting a sector that is arguably one of the most targeted for cyber attack.

Finally, the Administration continues to insist on making the use of the CSF related tools completely voluntary, even in one of the most highly regulated environments. This makes absolutely no sense what so ever.


This hands-off attitude in addressing serious cybersecurity problems is a hallmark of this Administration and may be a key reason that its own cybersecurity problem keep re-occurring with such regularity.

Bills Introduced – 06-24-15

A total of 51 bills were introduced in the House and Senate yesterday. Only one of those may be of specific interest to readers of this blog:

S 1669 A bill to reform the Federal Motor Carrier Safety Administration. Sen. Fischer, Deb [R-NE]


I will only be following this bill if there are specific provisions that apply to shippers of hazardous chemicals.

Wednesday, June 24, 2015

DHS Updates CFATS Knowledge Center – 06-24-15

This afternoon the folks at DHS Infrastructure Security Compliance Division (ISCD) added a news item to the CFATS Knowledge Center web site and a new link in the documents section. Both items dealt with the 2015 Chemical Sector Security Summit being held next month.

The new document is an invitation to attend either the live CSSS in Alexandria, VA on July 21st thru 23rd, or watch two of the presentations live on the Homeland Security Information Network (HSIN). This is all essentially the same information that I posted about earlier this month.


If you cannot attend the live event, I highly recommend that you sign up for both web casts. Both presentations should include information about the new EAP program and other upcoming changes to the CFATS processes. More importantly, this is the first year that DHS is web casting any of the presentations and we need to encourage them to do more by fully participating in this effort.

House Hearing on PTC Deployment

This morning the Railroads, Pipelines, and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee held a hearing on “The State of Positive Train Control Implementation in the United States”. I was not able to provide advance notice because the hearing was not listed on the Congress.gov website (the House site I normally monitor for hearing information) until after the hearing had started.

The witnesses were an interesting mix of government and industry representatives:

Ms. Sarah Feinberg, FRA;
Mr. Russell Kerwin, Metrolink/AECOM;
Mr. Frank Lonegro, CSX Transportation;
Mr. Charles Mathias, FCC; and
Mr. Donald Orseno, Metra Commuter Railroad

The PTC system is required by law to be installed and operable on all tracks where passenger rail operates and on Class I rail lines that are used to transport toxic inhalation (TIH) chemicals. The deadline for installation, again by law, is December 31, 2015. Some of the passenger railroads have mainly completed their PTC installations and most will apparently have their installations complete by the deadline, though the individual systems may not be approved by the FRA by that time. The freight railroads will not, however, be anywhere near meeting that deadline.

Two interesting comments about the problem can be found in the written testimony from the FRA and CSX:

FRA (pg 2) – “FRA reserves the right to use any and all enforcement tools from civil penalties to emergency orders, to require the railroads to make progress on PTC implementation to ensure public safety prior to January 1, 2016.”

CSX (pg 8) – “Operating certain trains on nonPTC-compliant tracks could be an unacceptable choice for some railroads, and the impact of railroads’ decisions on commuters and industries that rely on rail service could have significant effects that have not yet been fully examined.”
FRA is stuck. The December deadline was set by Congress and they are required to enforce the deadline. They have yet to come up with their detailed enforcement plan, but at some point in the process (CSX does not expect to have their PTC plan fully deployed until 2020) there will be imposition of some really significant fines (eg: up to $25,000/day for each line segment where PTC is not deployed).

The freight railroads may have to make a decision if they are willing to continue to allow passenger railroads to operate on their lines where PTC is not functioning. The potential liability for an accident on a line that is legally deficient in safety makes the lawyers and bankers for the railroads extremely nervous.

The issue for the transportation of TIH chemicals on lines where PTC is not yet functioning has the same issue. It is even made worse because the railroads have frequently made public their concern about their potential liability for transporting these chemicals without the PTC concerns. It is very likely that railroads will refuse to transport these chemicals on lines that do not have approved PTC deployments.


The ‘easy solution’ to the problem is for Congress to extend the deadline. There would certainly be a great deal of opposition to such an extension from the safety community. There is currently a bill on the Senate side of the hill, S 650, that is awaiting floor action in that body. There is currently no bill being considered in the House. I expect that that will change as a result of this hearing.

Tuesday, June 23, 2015

Vehicle-to-Vehicle Communications Hearing

This afternoon the House Energy and Commerce Committee updated their web site for Thursday’s hearing on vehicle-to-vehicle (V2V) communications. The site now has a witness list, copies of the witnesses’ written testimony (NHTSA testimony is not yet available) and a Committee Staff document discussing the issues to be covered at the hearing.

The witness list includes:

Nat Beuse, National Highway Transportation Safety Administration (NHTSA);
Barry Einsig, Cisco;
Harry Lightsey, General Motors;
David St. Amant, Econolite Group, Inc; and
Peter Sweatman, University of Michigan Transportation Research Institute

There are a number of issues that will be discussed during this hearing. According to the staff document those issues will include answering the following questions (pgs 6-7):

How will a rulemaking requiring V2V communications in new vehicles impact used cars on the road today?
What driver education is necessary to prepare drivers to operate vehicles equipped with V2V capability?
How does the implementation of V2V technology foster the development of vehicle automation technologies?
How is the auto industry preparing a rollout that will allow this technology to evolve? Will any technological evolution require ongoing government oversight?
What is a realistic timeframe by which drivers will see the benefits of this technology?

Readers of this blog will quickly note that there is no specific mention of cybersecurity issues in the list above. The staff background document does note that NHTSA has made attempts to address the cybersecurity and personal information protection issues potentially associated with the V2V program. Following the comment period on their advance notice of proposed rulemaking (ANPRM) last year NHTSA issued a request for information (RFI) about the development and governance of a “Security Credential Management System” (SCMS) for the system.

There is at least a mention of these SCMS issues in the written testimony:

Einsig – “This network needs interoperability, standards-based technology, as well as a tested architecture for delivering a highly secure, mobile, and high availability solution.” (pg 3)

Lightsey – “National and international standards must be adopted to insure interoperability of V2V systems deployed by all auto makers and those deploying related V2I systems. A scaleable and operational security credential management system must be developed.” (pg 3)

St. Amant – “Efforts underway to create a Security Credential Management System (SCMS) for connected vehicles are critically important.” (pg 5)

Sweatman – “Current gaps requiring federal support include: Cyber-security solutions that suit both the vehicle and the infrastructure.” (pg 8)


In point of fact, these are the only significant mentions of cybersecurity issues in the four written testimonies submitted to the Committee. Of more concern is the fact that according to Sweatman Michigan has already constructed its first V2V/V2I enabled stretch of public road and Mr. Lightsey is announcing that GM will begin to sell its first V2V equipped vehicle, the 2017 Cadillac CTS, next year. Both of these have taken place before there is an established and accepted SCMS.

HR 2795 Introduced – FRIENDS Act

Last week Rep. Jackson-Lee (D,TX)  and 14 Democrat co-sponsors introduced HR 2795, the First Responder Identification of Emergency Needs in Disaster Situations (FRIENDS) Act. The bill would require DHS to conduct a study on the circumstances which may impact the effectiveness and availability of first responders before, during, or after a terrorist threat or event.

This is a very short and simple bill with only two stipulations about the conduct of the study. First it would “include first responder input on how the presence of family in the impacted area, the adequacy of personal protective equipment, and training gaps may influence performance and availability” {§2(1)(A)}. Secondly it would “contain recommendations to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate” {§2(1)(A)}.

Moving Forward

Jackson-Lee and one of her co-sponsors Rep. Payne are an influential Democrats on the House Homeland Security Committee to which this bill was referred. Since this bill only calls for a study there is a good chance that it will be considered by the Committee. If it makes it to the floor of the House it will be considered under suspension of the rules and would almost certainly pass with a substantial bipartisan majority.

Commentary

At first glance this bill would seem to be at least slightly insulting to the first responder community. Every day these people put their lives on the line, often ignoring the needs of their families and loved ones during the conduct of their duties.

A more reasoned consideration of the topic however reveals that there may be cause for concern when a large portion of the population is directly put at risk by a terrorist attack. If the families of first responders were directly affected by that attack it is not unreasonable to suspect that some portion of the community would put their families first and their jobs a distant second.

Having said that, I am not sure that a study would be able to give an accurate picture of that possible response/failure rate. Secondly, unless there were some way to separate the families of the first responders from the communities in which they respond (and thus protecting them from the potential effects of a terrorist attack), I do not think that there is anything that could be done to mitigate the situation.


This is another reason for ensuring that planning for the emergency response to any major terrorist event includes National Guard and Federal military forces (much to the dismay of the black helicopter crowd). With these people being brought in from outside of the actual site of the terrorist attack, there would be the standard and usual separation of job and family that we have come to expect from these people. Unfortunately, we would still have to depend on the first responders to put their families second in the initial hours and days of any attack as it would take that long for a significant military response.

PHMSA Advisory – Preventing Pipeline Hurricane Damage

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published an advisory in the Federal Register (80 FR 36042-36044) concerning “Potential for Damage to Pipeline Facilities Caused by the Passage of Hurricanes”. The purpose of this advisory bulletin is to remind owners and operators of gas and hazardous liquid pipelines, particularly those with facilities located in offshore and inland areas, about the serious safety-related issues that can result from the passage of hurricanes. 


The actual advisory (ADB-2015-02) is only six paragraphs long so it does not provide any real detailed guidance to pipeline owners and operators; much less information than was provided in their April advisory on river flooding (ADB-2015-01) for example. It does, however, provide a brief listing of general principles that owners and operators should consider in developing their plan for protecting their pipelines from potential damage in the event of the passage of a hurricane.

With the second named storm of the Atlantic Hurricane Season already passed, this advisory is probably just a little late.

Carrier Safety Fitness Determination NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from DOT’s Federal Motor Carrier Safety Administration a draft of their notice of proposed rulemaking changing the safety fitness determination program.

The Unified Agenda describes the rule this way:

“FMCSA proposes to amend the Federal Motor Carrier Safety Regulations (FMCSRs) to adopt revised methodologies that would result in a safety fitness determination (SFD). The proposed methodologies would determine when a motor carrier is not fit to operate commercial motor vehicles (CMVs) in or affecting interstate commerce based on (1) the carrier’s performance in relation to five of the Agency’s Behavioral Analysis and Safety Improvement Categories (BASICs); (2) an investigation; or (3) a combination of on-road safety data and investigation information. The intended effect of this action is to reduce crashes caused by CMV drivers and motor carriers that result in death, injuries, and property damage on U.S. highways by more effectively using FMCSA data and resources to identify unfit motor carriers and remove them from the Nation’s roadways.”


This rulemaking was first published in the Unified Agenda in 2007.

Monday, June 22, 2015

Homeland Security Committee Adds Markup Hearing – 6-25-15

The House Homeland Security Committee announced this evening that they were adding a full-committee markup hearing on Thursday to address a number of pending bills. Two of the bills included, HR 1073 (the Critical Infrastructure Protection Act) and HR 2786 (Cross-Border Rail Security Act of 2015) have been reviewed in this blog.


According to the announcement there will be an amendment in the form of a substitute offered by Rep. McSally for HR 1073. A quick review of that amendment shows that it does not include any significant new requirements.

Committee Hearings – Week of 06-21-15

Both the House and Senate will be in Washington this week and having a fairly normal hearing schedule. Only five hearings of potential specific interest to readers of this blog; two on the OPM hack, one cybersecurity markup, a hearing on vehicle-to-vehicle communications and the Senate version of the THUD spending bill.

OPM Hack

The House Oversight and Government Reform Committee will be holding part 2 of their hearing on the OPM hack on Wednesday. No witness list has been made available yet.

The Senate Homeland Security and Governmental Affairs Committee will look at the OPM hack and the larger issue of Federal cybersecurity on Thursday.

Vehicle-to- Vehicle Communications

On Thursday the Commerce, Manufacturing, and Trade Subcommittee of the House Energy and Commerce Committee will be meeting on Thursday to look at “Vehicle to Vehicle Communications and Connected Roadways of the Future”.

Cybersecurity Markup

The Senate Homeland Security Committee will be holding a business meeting on Wednesday. One of the bills that they will be marking up in the Einstein Act (will probably be introduced today). Nothing certain yet, but it looks like it will probably deal with the Einstein cybersecurity programs being deployed across the Federal government.

FY 2016 THUD Spending Bill

The Transportation, Housing and Urban Development (THUD) Subcommittee of the Senate Appropriations Committee will be holding a markup hearing on the FY 2015 THUD spending bill tomorrow. We did not see any crude oil train or chemical transportation safety measures in the original House bill (HR 2577) but some did make it in during the floor amendment process. We will have to wait and see what the Senate Appropriations Committee does with this bill.

On the Floor


We have a number of homeland security related bills coming to the floor of the House this week including two that I have been following in this blog; HR 2200 (CBRN Intel) and HR 1646 (Drone Assessment). I did a post yesterday on the committee report on HR 2200 and I am waiting for the GPO to publish the report on HR 1646. The bills are expected to come to the floor on Tuesday under suspension of the rules; so no amendments will be made.

Senate Amends and Passes HR 1735

Last week the Senate finished their lengthy amendment process and passed HR 1735, the FY 2016 National Defense Authorization Act (NDA). The amendments started with substitute language offered by Sen. McCain (R,AZ) that was pretty much S 1118 (the Senate version of the bill which I did not review) and then the amendments went from there. The final vote was 71 to 25 with two of the Nays coming from Sen. Cruz (R-TX) and Sen. Paul (R-KY).

The House version of HR 1735 had essentially not cybersecurity language in the original bill and only two minor cyber related amendments were added in the committee markup process. The floor amendment process in the House resulted in a cybersecurity and a drone amendment being added. The new Senate version included a number of cyber related provisions and a couple more were added during the amendment process.

TWIC for Separating Servicemembers

I’ll start of the review of the passed version of HR 1735 with a non-cyber provision that may be of interest. Section 589 directs the Secretary of Defense to consult with the DHS Secretary “to afford a priority in the processing of applications for a Transportation Worker Identification Credential (TWIC) to applications submitted by members of the Armed Forces who are undergoing separation, discharge, or release from the Armed Forces under honorable conditions” {§589(a)}. The goal is to get separating service members their TWIC within 14 days of application.

Counterfeit Parts

Section 232 requires the Secretary of Defense to conduct a ‘hardware assurance study’ to “assess the presence, scope, and effect on Department of Defense operations of counterfeit electronic parts that have passed through the Department supply chain and into field systems” {§232(a)}. There has been some interest in previous NDA’s in trying to prevent counterfeit hardware from getting into the supply chain.

Cyber Command Acquisition Authority

Section 807 would give special procurement authority to the Commander of the United States Cyber Command essentially equal to the Service Secretaries, Secretary of DHS, and the NASA Administrator {§807(a)(2); see 10 USC 2302(a)(1) for definition of Agency Head}. That authority would apply to the following procurement activities:

Development and acquisition of cyber operations-peculiar equipment and capabilities; and
Acquisition of cyber capability-peculiar equipment, capabilities, and services.

Defense Positioning, Navigation and Timing Oversight

Section 1610 establishes the ‘Council on Oversight of the Department of Defense Positioning, Navigation, and Timing  (PNT) Enterprise’ co-chaired by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Vice Chairman of the Joint Chiefs of Staff. It will be “responsible for oversight of the Department of Defense positioning, navigation, and timing enterprise, including positioning, navigation, and timing services provided to civil, commercial, scientific, and international users” {§1610(d)(1)}. It will include {§1610(d)(2)}:

Oversight of performance assessments (including interoperability);
Vulnerability identification and mitigation;
Architecture development;
Resource prioritization; and
Such other responsibilities as the Secretary of Defense shall specify for purposes of this section.

Authorization of Military Cyber Operations

Section 1631 would amend 10 USC Chapter 3 by adding a new §130g directing the Secretary of Defense to “develop, prepare, coordinate, and, when authorized by the President to do so, conduct a military cyber operation in response to malicious cyber activity carried out against the United States or a United States person by a foreign power (as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 USC 1801)).”

This is an important legal formality, especially in regards to the ‘develop, prepare, and coordinate’ functions.

Integrated Policy to Deter Adversaries in Cyberspace

In the 2014 NDA (PL 113-66) Congress directed the President “to develop a deterrence policy for reducing cyber risks to the United States and our allies” {§941(b)} and to report to Congress on that policy. Apparently the report has not been forthcoming so §1633 of this bill would withhold $10 Million in DOD funding for providing “support services to the Executive Office of the President” until the report is submitted; the power of the purse.

Cyber Vulnerabilities of Major Weapon Systems

With news reports earlier this year that DOD weapon systems are vulnerable to cyber attack §1635 requires the Secretary to conduct “an evaluation of the cyber vulnerabilities of each major weapon system of the Department of Defense by not later than December 31, 2019” {§1635(a)(1)}. The evaluation will include “strategies for mitigating the risks of cyber vulnerabilities identified in the course of such evaluations” {§1635(d)}. The bill authorizes $200 Million to conduct the study.

Cyber Defense Activities

Three separate sections of the bill deal with defending the United States and its critical infrastructure from foreign cyber-attacks. Section 1636 requires an assessment of the capability of the Cyber Command to “reliably prevent or block large-scale attacks on the United States by foreign powers with capabilities comparable to the capabilities of China, Iran, North Korea, and Russia expected in the years 2020 and 2025” {§1636(a)(1)}. This assessment would include a series of war games “through the Warfighting Analysis Division of the Force Structure, Resources, and Assessment Directorate to assess the strategy, assumptions, and capabilities of the United States Cyber Command to prevent large-scale cyber attacks” {§1636(b)}.

Section 1637 would require biennial exercises on responding to cyber-attacks against critical infrastructure. DOD would coordinate these exercises with Secretary of Homeland Security, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, and the heads of the critical infrastructure sector-specific agencies. The purpose of these exercises is to {§1637(b)}.

Improve cooperation and coordination between various parts of the Government and industry so that the Government and industry can more effectively and efficiently respond to cyber-attacks;
Exercise command and control, coordination, communications, and information sharing capabilities under the stressing conditions of an ongoing cyber-attack; and
Identify gaps and problems that require new enhanced training, capabilities, procedures, or authorities

Section 1638 would require the Secretary of Defense to prepare a comprehensive plant to support civil authorities in response to cyber-attacks by foreign powers. This was added as an amendment and the wording is taken directly form S 1478 that was introduced by Sen Rounds (R,SD). I covered its provisions in some detail in an earlier post.

Guard and Reserve Cyber Capabilities

The final cyber provision is in §1639. It expresses the ‘sense of Congress’ that the Secretary of Defense “should review and consider any findings and recommendations of the Council of Governors [link added] pertaining to cyber mission force requirements and any proposed reductions in and synchronization of the cyber capabilities of active or reserve components of the Armed Forces”.
 
Moving Forward

The bill now heads back to the House to see if they will accept the changes made by the Senate. The House consideration is not currently scheduled for this week. If the House accepts the Senate version the bill goes to the President. The House could further amend the bill and send it back to the Senate. Or the House could ask for a Conference Committee to work out the differences. I suspect that the latter will be what we see.
 
/* Use this with templates/template-twocol.html */