S 307 Introduced – DOD Cyber Capability Database

Earlier this month Sen. Ernst (R,IA) introduced S 307, the Department of Defense Emergency Response Capabilities Database Enhancement Act of 2017. The bill would require DOD to specifically include cybersecurity capabilities in an existing DOD emergency response capabilities database.

Database Expansion

The bill would amend §1406 of the ‘John Warner National Defense Authorization Act for Fiscal Year 2007 {PL 109-364 §1406 (120 STAT. 2436)} which required DOD to establish a database that recorded the “emergency response capabilities that each State’s National Guard, as reported by the States, may be able to provide in response to a domestic natural or manmade disaster, both to their home States and under State-to-State mutual assistance agreements” {§1406(1)}.

The bill would add two specific cybersecurity related requirements to that database {§2(b)(2)}:

• Cyber capabilities of the National Guard that are identified by the Department as important to national security and for response to domestic natural or manmade disasters.

• Cyber capabilities of the other reserve components of the Armed Forces that are identified by the Department as important to national security.

Moving Forward

Ernst is a member of the Senate Armed Services Committee (the committee to which the bill was assigned for consideration) and two of her co-sponsors {Sen. Gillibrand (D,NY) and Sen. Fischer (R,NE)} are members of the Cybersecurity Subcommittee of that Committee. This means that there is a good chance that there will be sufficient political influence to have that Committee take up this bill.

There is nothing in this bill that would cause any substantial opposition to its consideration. If this bill were taken up on its own, it would likely be considered under the Senate’s unanimous consent procedure. This bill is also a good candidate for inclusion in the 2018 DOD authorization bill, either in the initial draft or as a floor amendment.

Commentary

There is nothing in the bill that would specifically require the inclusion of industrial control system security experience/expertise in the database listing. It is likely that DOD would take that step on their own initiative.

What is not clear with respect to either the original database requirement, or this modification, is to what use DOD is expected to put this database; whether it is only for internal DOD use or whether other government organizations (FEMA for example) would have access to the database. This bill would be a good place to clarify which agencies are expected to have access to the database.