Thursday, June 7, 2018

Committee Marks-Up Homeland Security Bills


Yesterday the House Homeland Security Committee met to mark up 10 pieces of legislation. Two of those bills deal with topics of specific interest to readers of this blog: industrial control system security (HR 5733) and Transportation Worker Identification Credentials (TWIC; HR 5729). Both bills were amended and then adopted by unanimous consent.

ICS Security


Rep. Langevin (D,RI) proposed the single amendment to HR 5733. It added a new subparagraph to the proposed amendment to 6 USC 148 that outlines the responsibilities of the National Cybersecurity and Communications Integration Center (NCCIC) to address industrial control system security issues. The new subparagraph reads:

“(4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, and other industrial control systems stakeholders; and”

TWIC Reader Rule Delay


Rep. Jackson-Lee (D,TX) proposed the single amendment to HR 5729. The amendment added an ‘every 90-day’ reporting requirement on the status of the continued delays in DHS meeting its requirement to conduct an evaluation of the efficacy of the TWIC program. That delay is the underlying reason for delaying the implementation of the TWIC Reader Rule.

Moving Forward


The ‘unanimous consent’ provided for the adoption of both of these bills (as amended) is a strong measure of the bipartisan support they have in Committee. This means that they will probably be taken up by the whole House under the suspension of rules provision with no further amendments and they will certainly receive the super-majority required to pass bills under those provisions. The only question now is when they will make it to the floor of the House.

Commentary


The new language added to HR 5733 certainly affirms the current activities of the ICS-CERT to coordinate and publish industrial control system security alerts and advisories. The lack of a formal definition of ‘industrial control system’ beyond the vague “including supervisory control and data acquisition systems” {new §148(f)(1)} does nothing to affirm the ICS-CERT responsibility for medical devices or transportation systems, which are arguably not ‘industrial’.

As I noted in my post about the introduction of this bill, HR 5733 would have been an ideal place to deal with the IT-centric definition of ‘information systems’ and to provide a proactive definition of ‘industrial control system’ that could be used throughout DHS. Unfortunately, the lack of such action yesterday almost ensures that this bill will not be the vehicle for establishing that definition.
