Last week Rep. Culberson (R,TX) introduced HR 5952, the Commerce, Justice, Science, and Related Agencies (CJS) Appropriations Act, 2019. There is one cybersecurity provision in the bill that may be of interest to readers of this blog, and a couple of related comments in the Committee Report on the bill that bear review.
Cybersecurity
Section 513 of the bill provides binding guidance to all of the agencies funded by this bill on the supply chain security requirements for all “high-impact or moderate impact information system[s]” {§513(a)} as defined by NIST FIPS SP 199. The requirements include:

• Reviewing the supply chain risk for the information systems against criteria developed by NIST and the Federal Bureau of Investigation (FBI);

• Reviewing the supply chain risk from the presumptive awardee against available and relevant threat information provided by the FBI and other appropriate agencies; and

• Conducting an assessment of any risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured, or assembled by one or more entities identified by the United States Government as posing a cyber threat, specifically including those that may be owned, directed, or subsidized by the People’s Republic of China, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, or the Russian Federation.
SP 199 uses the IT-centric definition of ‘information system’ from 44 USC 3502(8).
Committee Comments
In its discussion of spending for the National Institute of Standards and Technology (NIST), the Committee addresses the internet of things (IOT) (pg 12):

“The Committee recognizes the importance of United States’ leadership in addressing security concerns for users and data within the Internet of Things and appreciates NIST’s ongoing work in this area. The Committee encourages NIST to continue strengthening its cybersecurity standard-setting efforts related to the Internet of Things.”

Later (on pg 80) the Committee briefly addresses cybersecurity research:

“The Committee encourages NSF to form partnerships with Hispanic Serving Institutions and Historically Black Colleges and Universities with respect to cybersecurity research.”
Moving Forward
Most of my comments about HR 5895 moving forward apply to this bill as well. There is one big difference, however: there is not bipartisan support for HR 5952 in the Appropriations Committee (and I apparently overstated the bipartisan support that could be expected on HR 5895 as well). Comments by Ranking Member Lowey (D,NY) and Subcommittee Ranking Member Serrano (D,NY) in the ‘Minority Views’ (pgs 136-42) portion of the report outline the problems that the Democrats have with the bill. They close those comments by noting (pg 142):

“Inviting partisanship back into the appropriations process by shortchanging critical domestic and international priorities will endanger the good work in this and other bills.”

The lack of bipartisan support will not stop these bills from passing in the House (unless there is significant conservative opposition as well). But, if the Senate has similar problems with the lack of bipartisan support for their version of this bill (yet to be published) or the EWR bill, these stand-alone spending bills will not move to the Senate floor, killing chances of getting 12 spending bills to the President before the November elections, much less before the end of the fiscal year.
Commentary
The §513 provisions on supply chain security could end up being the next big thing in cybersecurity protections, and the supply-chain issues would certainly apply to control systems as well. Interestingly, the SP 199 definitions of “high-impact or moderate impact information system” (Table 1, pg 6) could be directly applicable to control system evaluations if the ICS-friendly definition of ‘information systems’ used in 6 USC 1501 were applied in FIPS.

To make this section work to include control system supply-chain security issues, we would just have to add a new paragraph (c) to §513:

(c) In determining which information systems meet the requirements of high-impact and moderate impact for the purposes of (a), the definition of ‘information system’ used in 6 USC 1501 will be used.