Wednesday, October 7, 2015

HR 1735 Conference Report

Last week the Conference Committee charged with resolving the differences between the House and Senate on HR 1735, the National Defense Authorization (NDA) Act for Fiscal Year 2016, completed their work on the bill and published their Conference Report. Most of the cybersecurity-related provisions from both the House and Senate versions remain in the bill.

Included Provisions of Interest

The list below includes all of the major cybersecurity provisions. Most of these are strictly military related and will have little or no specific impact on control system security issues in the private sector. I have briefly discussed most of these in earlier posts (here and here).

Sec. 885. Amendments concerning detection and avoidance of counterfeit electronic parts.
Sec. 888. Standards for procurement of secure information technology and cyber security systems.
Sec. 1603. Council on Oversight of the Department of Defense Positioning, Navigation, and Timing Enterprise.
Sec. 1641. Codification and addition of liability protections relating to reporting on cyber incidents or penetrations of networks and information systems of certain contractors.
Sec. 1642. Authorization of military cyber operations.
Sec. 1643. Limitation on availability of funds pending the submission of integrated policy to deter adversaries in cyberspace.
Sec. 1645. Designation of military department entity responsible for acquisition of critical cyber capabilities.
Sec. 1646. Assessment of capabilities of United States Cyber Command to defend the United States from cyber attacks.
Sec. 1647. Evaluation of cyber vulnerabilities of major weapon systems of the Department of Defense.
Sec. 1648. Comprehensive plan and biennial exercises on responding to cyber attacks.
Sec. 1649. Sense of Congress on reviewing and considering findings and recommendations of Council of Governors on cyber capabilities of the Armed Forces.

There are three other provisions that may be of specific interest to readers of this blog:

Sec. 1065. Report on the status of detection, identification, and disablement capabilities related to remotely piloted aircraft.
Sec. 1089. Reestablishment of Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack.
Sec. 1603. Council on Oversight of the Department of Defense Positioning, Navigation, and Timing Enterprise.

Provisions Removed

There were a large number of provisions from either the House or Senate versions of the bill that did not make it into the final version of the bill approved by the Conference Committee. Those that may be of specific interest to readers of this blog include:

• Availability of cyber security and IT certifications for Department of Defense personnel critical to network defense;
• Priority processing of applications for Transportation Worker Identification Credentials for members undergoing discharge or release from the Armed Forces;
• Sense of Congress regarding cyber resiliency of National Guard networks and communications systems; and
• Comprehensive plan of Department of Defense to support civil authorities in response to cyber attacks by foreign powers.

The first three of these provisions were originally found in the House version of the bill; the final one was in the Senate version. For the second and third provisions in the above list the Conferees generally agreed with the purpose of the provision, but decided that it did not really belong in the NDA. For the TWIC provision they urged DOD and DHS “to consult to eliminate processing delays and waive fees for transitioning servicemembers and for honorably discharged veterans” (pg 672). For the cyber resiliency provision the report encourages “the National Guard to constantly explore ways to improve and expand its communications and networking capabilities to provide for enhanced performance and resilience in the face of cyber attacks or disruptions, as well as other instances of degradation” (pg 764).

For the provision addressing cyber certifications for DOD cyber personnel, the conferees suggested that there are probably few if any private sector certifications that are directly applicable to missions performed by DOD cyber personnel. Because of a lack of certainty about that assumption, however, the report encourages “the Secretary of Defense to examine the needs of the Department and determine the extent and role industry cyber security and IT certifications should play in workforce management” (pg 670).

For the final provision listed above, the conferees noted that §1648, which was included in the reported version of the bill, already covers this requirement: “a comprehensive plan on Department of Defense support to civil authorities is required as part of a provision requiring the Secretary of Defense to conduct national-level cyber exercises” (pg 838). This provision was therefore redundant.

Moving Forward

Last Thursday the House accepted the Conference report by a nearly party-line vote of 270-156. The President has threatened to veto the bill over a disagreement in how the bill gets around the current funding caps. The Senate did, however, vote to close debate on the bill yesterday by a vote of 73-26. That would tend to indicate that there were sufficient votes in both the House and Senate to override a presidential veto. The final vote in the Senate is due today.
