S 1619 Introduced, FY 2016 DHS Spending Bill

As I mentioned yesterday Sen. Hoeven (R,SD) introduced S 1619, the Senate version of the FY 2016 DHS spending bill; the House version has not yet been completed. There are no specific mentions of either cybersecurity or chemical security in the bill. Actually, this is the first DHS spending bill since 2009 that has not included language extending the CFATS; that program was finally authorized in a stand-alone bill last December.

As has become quite common in DHS spending bills there are some very interesting discussions of topics of specific interest to readers of this blog in the Senate Appropriations Committee report accompanying the bill.

MTSA Security

There is a brief mention in the discussion about Coast Guard spending mentioning the Coast Guards impending regulation on facility security officer training. This is one of many DHS bills that is behind on meeting congressionally mandated deadlines. In this report the Committee makes their displeasure known and directs the Coast Guard “to move expeditiously on this effort and the Committee expects the NPRM will be published during calendar year 2015” (Pg 77).

Cybersecurity Spending

Cybersecurity programs in DHS are not a large enough to show up as line items in the actual bill. The Committee Report does provide a breakout of cybersecurity programs in the National Protection and Programs Directorate.

	FY 2015	Budget Request	S 1619
Cybersecurity Coordination	4,311	4,318	4,275
US-CERT	98,573	98,642	97,515
Federal Network Security	171,000	131,202	130,594
Network Security Deployment	377,00	479,760	478,035
Global Cybersecurity Management	25,873	20,321	27,276
CI Cyber Protection and Awareness	70,919	77,584	75,621
Business Operations	5,524	6,516	6,439
Total Cybersecurity	753,200	818,343	819,755

NPPD Cybersecurity Spending in Thousands of Dollars

With the exception of the first two programs in the table the Committee has provided more funds for cybersecurity programs than found in this year’s spending, but not as much as the President requested. There is one program where the Committee exceeded the President’s request the Global Cybersecurity Management program. This includes the DHS Software Assurance Program that the Administration proposed to eliminate (and the Committee continues funding) and the cybersecurity education program for the government. The report makes the following comment about the training program (pg 99):

“For the second consecutive year, the administration’s proposal to reduce funding for cybersecurity education is denied. The cybersecurity education programs are critical to establishing a robust workforce for the future. Should NPPD wish to discontinue or relocate these programs within the Department, such changes should be addressed in a comprehensive manner through the budget process and the Committee should be briefed accordingly so the proposal can be adequately assessed.”

S&T Cybersecurity

There is additional information about cybersecurity issues in the S&T section of the Committee Report. Of special interest to the industrial control system community are the opening comments of that discussion (pg 130):

“The Committee continues to recognize the cyber threats to the Nation’s electric grid and the other control systems vital to our security and economy. In order to address this challenge, the Committee expects that S&T will continue to invest in control systems test beds and associated cyber education.”

The discussion also includes Committee encouragement to DHS S&T to:

∙ Expand the simulation based cyber-war gaming tool for the financial sector into additional critical infrastructure sectors;

∙ Continued development of cybersecurity tools and platforms that facilitate information sharing, threat monitoring, and response initiation at the State and local level;

∙ Consider competitively establishing one or more academic centers of excellence that focus on cybersecurity research and education; and

∙ Consider the use of cyber accelerators to help transition innovative cybersecurity technologies into commercial use.

Finally the S&T discussion closes with mention of the Safety Act application to cybersecurity operations. It states (pg 132):

“The Committee supports efforts to more thoroughly define certain aspects of the SAFETY Act, including those that relate to qualifying cyber-attacks and cyber-incidents and extending SAFETY Act protections to cybersecurity technologies. This support should not be construed to expand the scope of the SAFETY Act protections, but rather clarify the authority of the Secretary in designating events which trigger SAFETY Act protections. The Department shall report to the Committee regarding whether legislative changes are required to achieve such a change.”

Chemical Security

The Committee Report notes (pg 95) that the spending for DHS Infrastructure Security Compliance Division (ISCD, agency responsible for the CFATS program) is higher than the FY 2015 spending but less than what the administration requested. The $89.982 Million provided in the bill for ISCD includes $13 Million for the Ammonium Nitrate Security Program. The requested money for that program was reduced because ISCD has still not completed the final rule establishing that program.

The negative comments about the CFATS program that have been common in the last couple of years in Committee Reports from both Houses have been significantly reduced. This is mainly due to the passage of HR 4007 last year and the changes that that bill required in the program. Those changes are just now starting to take effect. Thus most of the Committee comments on CFATS have been continuing requirements to report to Congress on the status of the program.

Chemical Defense Program

There is a brief discussion about the Chemical Defense Program being run out of the DHS Office of Health Affairs. I briefly mentioned this program in 2013. The Committee Reports describes it this way:

“OHA has selected four cities across the United States for demonstration projects aimed at developing a comprehensive chemical defense framework and best practices to share how the Public Health community engages in large-scale events.”

The Senate bill would continue funding for that program at current levels. It also requires OHA to provide the Appropriations Committee a report on the completion of the projects in 2016.

Crude Oil Trains

There is an interesting heading in the Committee Report discussion of FEMA projects; “Ensuring Rail Security”. It has nothing to do with TSA or security, it actually refers to spending in support of emergency response to crude oil train derailments. While most of the government’s attention have been on actions taken by DOT’s Federal Railroad Administration and the Pipeline and Hazardous Material Safety Administration, the Committee also acknowledges that DHS has an important role to play in increasing crude oil train safety.

The Committee directs DHS to “to provide a briefing to the Committee within 60 days of the date of enactment of this act to outline how NPPD and FEMA programs are addressing the issue of crude oil movement, those actions being taken to address gaps in capabilities at the State and local levels, and any unfulfilled needs in coordinating with other departments and agencies” (pg 108). It also notes:

“When awarding grants and providing training, the Committee expects FEMA to consider the unique needs of first responders in meeting the issues related to crude oil shipping by rail.”

Moving Forward

The discussions, mandates and suggestions found in the Committee Reports form an interesting grey area in the legislation. In as much as they describe the intention of lawmakers in crafting these bills, they have been used by Courts in trying to interpret legislation. In the spending bills, while the numbers may be changed by amendments in subsequent legislative processes, there is very seldom any attempt to amend the Committee instructions. To the extent that executive agencies have to come back to Congress every year for funding, these mandates and suggestions do carry at least some weight with the affected agencies.

Since the House must originate any spending or taxing bills according to the Constitution, S 1619 will never be passed into law. What typically happens is that the Senate will take up this bill and pass it. Then when the House bill arrives the wording from the passed version of the Senate bill is substituted for the House language and the bill is returned to the House. The House then either accepts or rejects the Senate version. If it is rejected the two versions are sent to a Conference Committee to work out the differences.

We are, however, continuing to see the politicization of the spending bill process that has become so common. Unless something changes, neither this bill nor the probable House version will actually make it to the floor of the Senate for consideration. Even though the process in the House will certainly be completed for all twelve spending bills before the summer recess, it is unlikely than any of them will make it to the floor of the Senate because of objections from the Democrats in that body. We will probably see the continuing resolution process again be employed this year, though there is always the possibility that there will be another short term government shutdown until one of the two parties blink.