HR 2922 Introduced – PREPARE Act

Earlier this month Rep. Donovan (R,NY) introduced HR 2922, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (Prepare) Act. The bill authorizes and modifies a number of DHS emergency planning, preparation and training programs.

Readers of this blog will probably be most interested in the following sections of the bill:

• §106. Allowable uses.

• §114. Port security grant program.

• §120. Cyber preparedness.

• §302. Medical Countermeasures Program.

Allowable Uses

Section 106 amends 6 USC 609 adding two new uses of funds to a number grant programs for States and high-risk urban areas. The two new uses are {new §609(a)(6) and (7)}:

Enhancing medical preparedness, medical surge capacity, and mass prophylaxis capabilities, including the development and maintenance of an initial pharmaceutical stockpile, including medical kits and diagnostics sufficient to protect first responders, their families, immediate victims, and vulnerable populations from a chemical or biological event;

Enhancing cybersecurity, including preparing for and responding to cybersecurity risks and incidents (as such terms are defined in section 227 [6 USC 148(1) and (3]) and developing statewide cyber threat information analysis and dissemination activities;

Port Security Program

Section 114 authorizes the port security grant program under 46 USC 70107. The section would authorize $200 Million dollars per year for the grants through 2022.

Cyber preparedness

Section 120 amends 6 USC 124h making cybersecurity additions to the support requirements set upon DHS for State, local and regional fusion centers. It requires DHS to provide fusion centers {new §124h(b)(10)}:

“…with expertise on Department resources and operations, including, in coordination with the national cybersecurity and communications integration center [(NCCIC)] under section 227 [6 USC 148], access to timely technical assistance, risk management support, and incident response capabilities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents (as such terms are defined in such section), which may include attribution, mitigation, and remediation, and the provision of information and recommendations on security and resilience, including implications of cybersecurity risks to equipment and technology related to the electoral process;”

It would also require the DHS NCCIC to review cybersecurity information developed by fusion centers, incorporate that information (where appropriate) into NCCIC information shared with fusion centers and other government agencies. It also adds the NCCIC as a potential personnel resource for fusion centers.

Medical Countermeasures Program

Section 302 adds a new §528 to the Homeland Security Act of 2002 that would add a requirement for DHS to {new §528(a)}:

“… establish a medical countermeasures program to facilitate personnel readiness, and protection for the Department’s employees and working animals and individuals in the Department’s care and custody, in the event of a chemical, biological, radiological, nuclear, or explosives attack, naturally occurring disease outbreak, or pandemic, and to support Department mission continuity.”

Moving Forward

Donovan is the Chair of the Emergency Preparedness, Response, and Communications Subcommittee of the House Homeland Security Committee; one of the three committees to which this bill was referred for consideration. Neither Donovan nor this three cosponsors are members of the other two committees (Transportation and Infrastructure Committee and Energy and Commerce Committee). This bill will certainly be considered in the Homeland Security Committee in the near future.

The bill does not currently have any Democratic cosponsors. This would seem to indicate that there is some opposition to at least some of current provisions (or missing provisions) of the bill. We will have to watch the markup of this bill to see how much bipartisan support there is for the bill. Bipartisan support is not really necessary in the House, but for the bill to make it to the floor of the Senate there cannot be serious Democratic opposition to the bill.

Commentary

The cybersecurity provisions of this bill all refer to 6 USC 148 with its IT-centric definitions of cybersecurity. Again, this would restrict the grant programs and fusion center support provisions limited to information system security, ignoring potential risks to critical infrastructure from attacks on industrial control systems (ICS) or the energy systems in this country.

Fortunately, the bill does include some modifications to definitions in §148, so it could be possible to clear up the multiple areas where we see similar problems with ignoring the ICS cybersecurity threat. The definition of ‘information system’ could be changed from its current reference to 44 USC 3502(8) to 6 USC 1501(9).

The medical countermeasures program is certainly important to providing support to DHS. I am glad to see that it specifically includes language about chemical incidents instead of just biological and radiological incidents; just see my post about the use of Cyanokits in response to an acrylonitrile spill. It would be nice to see some language in this authorization bill requiring the managers of the program to coordinate with local agencies when such countermeasures are not required by the Department, but could provide support to communities.