Last week the House Homeland Security Committee held a markup
hearing on HR 2825, the DHS Authorization Act of 2018 [corrected date 6-19-17 0710 EDT]. The Committee
adopted a large number of amendments, including substitute language.
Substitute Language
The original bill was extremely light in its coverage and
was obviously missing some titles. The substitute
language offered by Rep. McCaul (R,TX) substantially enlarged and expanded
the coverage of the bill. New sections in the substitute language that may be
of specific interest to readers of this blog include:
§403. Cyber at ports.
§409. Repeal of interagency operational centers for port security and secure systems of transportation.
§572. Surface transportation security assessment and implementation of risk-based strategy.
§577. Surface transportation security advisory committee.
§583. Study on surface transportation inspectors.
§584. Security awareness program.
§585. Voluntary use of credentialing.
§586. Background records checks for issuance of hazmat licenses.
§587. Recurrent vetting for surface transportation credential-holders.
§588. Pipeline security study.
§589. Repeal of limitation relating to motor carrier security-sensitive material tracking technology.
§620. Cyber preparedness.
§642. Medical Countermeasures Program.
The provisions I
discussed in my post about the original bill remain essentially unchanged.
Maritime Security
Title IV of the substitute language addresses maritime
security issues. Most of the provisions found in this title were included in HR
2831, the Maritime Security Coordination Improvement Act that I
reviewed yesterday. That bill includes provisions not seen in this bill, so
it is likely to continue forward. I suspect that the duplicate provisions in
this bill are those that McCaul considers the most important.
The cybersecurity provisions that I discussed in HR 2831 are
included in this bill (§403)
essentially unchanged.
Surface Transportation Security Studies
The substitute language contains a new Title V, Subtitle G
(sections 571 thru 589) that addresses a number of surface transportation
security issues. Many of them deal with various study and report requirements.
There are two studies outlined in this
subtitle that may be of specific interest to owners and operators of
surface transportation organizations and activities.
Section 583 would require the Government Accountability
Office (GAO) to conduct a study looking at potential duplications or
redundancies between TSA and DOT “relating to surface transportation security
inspections or oversight” {§583(1)}.
While TSA has been given the responsibility for overseeing all transportation
security issues, its main (some would say almost exclusive) focus has been on
passenger air transportation security. As a result, the DOT modal agencies have
continued to oversee the pre-TSA security requirements that were initiated by
the modal agencies. There exists a very real potential that this study could
lead to the disbanding of the TSA surface transportation security program as
duplicative and ineffective.
Section 588 requires a separate GAO study of the TSA/DOT
oversight conflict in the pipeline security arena. Of particular interest to
readers of this blog is the specific inclusion of cybersecurity issues in the
study parameters. The GAO is tasked with looking at how the current memorandum
of understanding between DHS and DOT adequately delineates the responsibility for
{§588(a)(1)}:
• Protecting against intentional pipeline breaches and cyber-attacks;
• Responding to intentional pipeline breaches and cyber-attacks; and
• Planning to recover from the impact of intentional pipeline breaches and cyber-attacks.
The big problem here is that most of the activities that are
used to respond to a pipeline breach are the same for both intentional and
accidental breaches. Given the fact that accidental breaches are much more
common than intentional breaches, the DOT pipeline safety folks will have much
more practical experience in this field.
The one area that is not specifically identified in the §588 requirements is
having the GAO study identify if either PHMSA or TSA have enough people with
the requisite skill and background in control system security to deal with
cyber-attacks.
Other Amendments
An amendment
offered by Rep. Thompson (D,MS) amended the new requirement for surface
security awareness training outlined in §584.
The Thompson amendment would reiterate that this new requirement would not “replace
or affect in any way the security training program requirements” specified in 6
USC sections 1137, 1167, and 1184.
Readers of this blog will remember that TSA finally published
a notice of proposed rulemaking (NPRM) on those requirements last December. This
amendment was adopted by voice vote.
An amendment
offered by Rep. Langevin (D,RI) would add a new section to the bill that would
require the FEMA Administrator to conduct a study on the use of grant funds
awarded pursuant to 6 USC §604 (Urban Area Security Initiative) and §605
(State Homeland Security Grant Program) to support efforts to prepare
for and respond to cybersecurity risks and incidents (as such terms are defined
in 6 USC 148). Readers should see my
discussion on HR 2831 on why the reference to 6 USC 148 ignores control system
security issues. This amendment was adopted by voice vote.
Moving Forward
The amended substitute language on this bill passed by a
voice vote. Even with the Democrats losing party line votes on six amendments,
there is still substantial bipartisan support within the Committee for the
amended bill. If McCaul can get buy-in from the House leadership (including the
chairs of a number of other potentially interested committees) to bring this
bill to the floor, it is almost certain to pass. Convincing the Senate
leadership to bring the bill to the floor in that body will be another
intra-party, political issue.