Last week the Conference Committee charged with resolving
the differences between the House and Senate on HR 1735, the National Defense
Authorization (NDA) Act for Fiscal Year 2016, completed their work on the bill
and published their Conference
Report. Most of the cybersecurity-related provisions from both
the House and Senate versions remain in the bill.
Included Provisions of Interest
The list below includes all of the major cybersecurity
provisions. Most of these are strictly military-related and will have little or
no specific impact on control system security issues in the private sector. I
have briefly discussed most of these in earlier posts (here
and here).
Sec. 885. Amendments concerning
detection and avoidance of counterfeit electronic parts.
Sec. 888. Standards for procurement
of secure information technology and cyber security systems.
Sec. 1603. Council on Oversight of
the Department of Defense Positioning, Navigation, and Timing Enterprise.
Sec. 1641. Codification and
addition of liability protections relating to reporting on cyber incidents or
penetrations of networks and information systems of certain contractors.
Sec. 1642. Authorization of
military cyber operations.
Sec. 1643. Limitation on
availability of funds pending the submission of integrated policy to deter
adversaries in cyberspace.
Sec. 1645. Designation of military
department entity responsible for acquisition of critical cyber capabilities.
Sec. 1646. Assessment of
capabilities of United States Cyber Command to defend the United States from
cyber attacks.
Sec. 1647. Evaluation of cyber
vulnerabilities of major weapon systems of the Department of Defense.
Sec. 1648. Comprehensive plan and
biennial exercises on responding to cyber attacks.
Sec. 1649. Sense of Congress on
reviewing and considering findings and recommendations of Council of Governors
on cyber capabilities of the Armed Forces.
There are three other provisions that may be of specific
interest to readers of this blog:
Sec. 1065. Report on the status of
detection, identification, and disablement capabilities related to remotely
piloted aircraft.
Sec. 1089. Reestablishment of
Commission to Assess the Threat to the United States from Electromagnetic Pulse
Attack.
Sec. 1603. Council on Oversight of
the Department of Defense Positioning, Navigation, and Timing Enterprise.
Provisions Removed
There were a large number of provisions from either the
House or Senate versions of the bill that did not make it into the final
version of the bill approved by the Conference Committee. Those that may be of
specific interest to readers of this blog include:
• Availability of cyber security
and IT certifications for Department of Defense personnel critical to network
defense;
• Priority processing of
applications for Transportation Worker Identification Credentials for members
undergoing discharge or release from the Armed Forces;
• Sense of Congress regarding cyber
resiliency of National Guard networks and communications systems; and
• Comprehensive plan of Department of Defense to
support civil authorities in response to cyber attacks by foreign powers.
The first three of these provisions were originally found in
the House version of the bill; the final one was in the Senate version. For the
second and third provisions in the above list the Conferees generally agreed
with the purpose of the provision, but decided that it did not really belong in
the NDA. For the TWIC provision they urged DOD and DHS “to consult to eliminate
processing delays and waive fees for transitioning servicemembers and for
honorably discharged veterans” (pg 672). For the cyber resiliency provision the
report encourages “the National Guard to constantly explore ways to improve and
expand its communications and networking capabilities to provide for enhanced
performance and resilience in the face of cyber attacks or disruptions, as well
as other instances of degradation” (pg 764).
For the provision addressing cyber certifications for DOD
cyber personnel, the conferees suggested that there are probably few if any private
sector certifications that are directly applicable to missions performed by DOD
cyber personnel. Because of a lack of certainty about that assumption, however,
the report encourages “the Secretary of Defense to examine the needs of the
Department and determine the extent and role industry cyber security and IT
certifications should play in workforce management” (pg 670).
For the final provision listed above the conferees noted
that §1648, which was included in the reported version of the bill, already
covers this ground: “a comprehensive
plan on Department of Defense support to civil authorities is required as part
of a provision requiring the Secretary of Defense to conduct national-level
cyber exercises” (pg 838), so this provision was redundant.
Moving Forward
Last Thursday the House accepted the Conference report by a
nearly party-line vote of
270-156. The President has threatened
to veto the bill over a disagreement about how the bill gets around the
current funding caps. The Senate did, however, vote to close debate on the bill
yesterday by a vote
of 73-26. That would tend to indicate that there were sufficient votes in
both the House and Senate to override a presidential veto. The final vote in
the Senate is due today.