Tuesday, June 26, 2018

House Passes STSAC Authorization and ICS Security Bills


Yesterday the House passed two bills that have been covered in this blog: HR 5081, the Surface Transportation Security and Technology Accountability Act of 2018, and HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018. Both bills were considered under the suspension of the rules process and were approved by voice votes.

I do not often mention the ‘floor debate’ about bills considered under the suspension of the rules process because that debate is normally congratulations about the bipartisan effort to develop the bill in committee. While we certainly saw a good measure of this in the debate on the ICS cybersecurity bill, we also saw a potentially important mention of the DHS ICS-CERT.

In his brief speech supporting the bill, Rep. Langevin (D,RI) talked at some length about the important work being done by ICS-CERT. He started by explaining his amendment adopted by the House Homeland Security Committee on vulnerability disclosures (pg H5631):

“During the committee consideration, I was also proud to offer an amendment to codify ICS-CERT’s coordinated vulnerability disclosure program [emphasis added] that ensures ICS vulnerabilities can be reported securely, promptly, and responsibly.”

He goes on to note (pg H5632):

“The coordinated vulnerability [disclosure] program does just that by helping critical infrastructure owners and operators who receive notices from ICS-CERT about discovered vulnerabilities and effective patches before malicious actors have a chance to exploit any flaws. Mr. Speaker, this bill would empower ICS-CERT to carry out this mission fully and effectively [emphasis added].”

While I have been critical of the bill’s failure to mention both ICS-CERT and US-CERT as the organizations that carry out the specified work of the National Cybersecurity and Communications Integration Center (NCCIC), the specific mention of the role of ICS-CERT in the congressional debate on this bill will go a long way in preserving the existence of, and defining the role of, that organization.
