Saturday, June 29, 2019

Public ICS Disclosures – Week of 06-22-19


CERT-VDE published an advisory describing an authentication issues vulnerability in the Phoenix Contact Classic Line industrial controllers. The vulnerability was reported by Sergiu Sechel. Phoenix Contact has provided generic workarounds to mitigate the vulnerability.

Friday, June 28, 2019

Bills Introduced – 06-27-19


Yesterday with the House and Senate preparing to leave for a long 4th of July weekend there were 132 bills introduced. One of those bills may receive additional coverage in this blog:

S 2034 A bill to authorize small business development centers to provide cybersecurity assistance to small business concerns, and for other purposes. Sen. Peters, Gary C. [D-MI]

I will be watching this bill for language supporting control system security issues.

Senate Passes S 1790 – FY 2020 NDAA


Yesterday the Senate amended and passed S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020, by a strongly bipartisan vote of 86 to 8. Only two amendments were adopted, the most important being SA 764 [pgs S 3856- 4093]; substitute language for the bill. That amendment did not make any changes to the cybersecurity portions of the bill that I previously discussed.

The House has not yet taken up HR 2500, the House version of the NDAA. That will probably happen after the extended 4th of July weekend. I will have more on that bill next week.

Ultimately, the House will take up the language of HR 2500 (either directly as that bill or as substitute language for S 1790). A conference committee will then iron out the differences before the bill is again voted upon in the House and Senate. As has become the new normal, we will have to watch out for last minute presidential tweets to see if the final bill will be able to be passed.

6 Advisories Published – 06-27-19


Yesterday the DHS NCCIC-ICS published five control system security advisories for products from Advantech, SICK AG, and ABB (3). They also published a medical device security advisory for products from Medtronic.

Advantech Advisory


This advisory describes six vulnerabilities in the Advantech WebAccess/SCADA software platform. The vulnerabilities were reported by Mat Powell, Natnael Samson (@NattiSamson) and EljahLG via the Zero Day Initiative. Advantech has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

Path traversal - CVE-2019-10985;
Stack-based buffer overflow - CVE-2019-10991;
Heap-based buffer overflow - CVE-2019-10989;
Out-of-bounds read - CVE-2019-10983;
Out-of-bounds write - CVE-2019-10987; and
Untrusted pointer dereference - CVE-2019-10993

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow information disclosure, deletion of files, and remote code execution.

SICK Advisory


This advisory describes a use of hard-coded credentials vulnerability in the SICK MSC800 PLC. The vulnerability was reported by Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) group. SICK has new firmware that mitigates the vulnerability. There is no indication that Quach has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow a low-skilled remote attacker to reconfigure settings and/or disrupt the functionality of the device.

CP 635 Advisory


This advisory describes a use of hard-coded credentials vulnerability in the ABB CP620 and CP635 HMI products. The vulnerability is self-reported. ABB has an update available that mitigates the vulnerability.

The ABB advisory describes two other vulnerabilities with these products and reports that the vulnerabilities were reported by Xen1thLabs. The individual vulnerability reports from Xen1thLabs (see links below) include proof of concept exploits.

The three reported vulnerabilities are:

Out-dated software components – multiple OpenSSL CVE;
Hard-coded credentials - CVE-2019-7225; and
Absence of signature verification - CVE-2019-7229

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the (single reported?) vulnerability to allow an attacker to prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node, or insert and run arbitrary code in an affected system node.

CP 651 Advisory


This advisory describes a use of hard-coded credentials vulnerability in the ABB CP651, CP665 and CP676 HMI products. The vulnerability is self-reported. ABB has an update available that mitigates the vulnerability.

The ABB advisory describes the same two other vulnerabilities with these products and reports that the vulnerabilities were discovered based upon the work of Xen1thLabs on the CP 635 vulnerabilities reported above.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the (single reported?) vulnerability to allow an attacker to prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node, or insert and run arbitrary code in an affected system node.

Panel Builder Advisory


This advisory describes seven vulnerabilities in the ABB PB610 Panel Builder 600 engineering tool. The vulnerability was reported by Xen1thLabs. ABB has new versions available that mitigate the vulnerabilities. There is no indication that Xen1thLabs has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities (with links to the Xen1thLabs reports; reports which contain proof of concept exploit code) are:

Use of hard-coded credentials - CVE-2019-7225;
Improper authentication - CVE-2019-7226;
Relative path traversal - CVE-2019-7227;
Improper input validation (2) - CVE-2019-7228 and CVE-2019-7230; and
Stack-based buffer overflow - CVE-2019-7231

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node, or insert and run arbitrary code in an affected system node.

Medtronic Advisory


This advisory describes an improper access control vulnerability in the Medtronic MiniMed 508 and Paradigm Series Insulin Pumps. The vulnerability is self-reported, but NCCIC-ICS notes that the internal investigation by Medtronic was guided by previous work from outside researchers on other Medtronic products. Medtronic suggests upgrading to a newer product. The FDA advisory on this product notes that Medtronic is recalling the affected insulin pumps.

NCCIC-ICS reports that an uncharacterized attacker with adjacent access (radio frequency access according to the Medtronic advisory) could exploit this vulnerability to intercept, modify, or interfere with the wireless RF (radio frequency) communications to or from the product. This may allow attackers to read sensitive data, change pump settings, or control insulin delivery.

Thursday, June 27, 2019

Bills Introduced – 06-26-19


Yesterday with both the House and Senate ins session there were 63 bills introduced. Of these, one will probably see additional coverage in this blog:

HR 3494 To authorize appropriations for fiscal year 2020 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Schiff, Adam B. [D-CA-28]

I will be watching this bill for cybersecurity language. The House Permanent Select Committee on Intelligence will be meeting today to markup this bill.

Wednesday, June 26, 2019

House Amends and Passes HR 3055 – 2nd FY 2020 Minibus


Yesterday, after dealing with well over 200 amendments, the House passed HR 3055, the second FY2020 spending minibus, by a near perfect (1 Democrat votes Nay) party line vote of 227 to 194. Both of the proposed amendments that I discussed earlier were adopted earlier this week.

Amendment Actions


The Maloney amendment (#264) was passed on Monday afternoon as part of amendment en bloc #7 by a voice vote. The amendment would encourage DOT to conduct research implementing connected vehicle and autonomous vehicle technologies at Highway-Rail Grade Crossings. There was no debate on this amendment.

The DeFazio amendment (#233) was passed later Monday afternoon after almost 10 minutes of debate. A recorded vote was requested and the amendment subsequently passed by a near party line vote (ten Democrats voted Nay and four Republicans voted Aye) of 221 to 195.

The debate was contentious, and more than a little hyperbole was used in attempts to sway the vote. At one point, Rep. DeFazio (D,OR) describes the potential results of a terrorist attack on a unit train of 100 LNG railcars, saying “It is likely it will cause a chain reaction and explosion. It is going to be about as powerful as Hiroshima if it goes off.” (pg H5053).

Rep. Price (D,NC) noted (pg H5054) that: “I want to note that the underlying bill provides $1 million for the  natural gas in rail tank cars, and it requires the Department to incorporate findings and recommendations from this study into any rulemaking on the transportation of LNG in rail tank cars before issuing a final rule authorizing such shipments.”

This requirement is outlined on page 75 of the Appropriations Committee Report (H Rept 116-106) on HR 3163, the original DOT spending bill that was incorporated into HR 3055 as Division E. That section in the Report on “LNG by Rail” concludes by stating:

“The Committee provides up to $1,000,000 for PHMSA to initiate this study within 30 days of enactment of this Act, and to complete this study no later than 18 months after enactment of this Act. Further, the Committee directs PHMSA to incorporate the findings and recommendations from this study into any potential rulemaking on the transportation of LNG in rail tank cars and prior to issuing a final rule authorizing such shipments [emphasis added].”

The DeFazio amendment would have no affect on the LNG by rail rulemaking, it specifically addresses the issuance of a Special Permit by PHMSA. That ‘special permit’ would be an interim authorization to ship liquified natural gas by rail pending the completion of the rulemaking. The inclusion of the DeFazio amenement in the bill could be a moot point; there is a chance that the special permit could be approved in this fiscal year.

Moving Forward


It still is not clear if the Senate will be taking up spending bills under regular order this year. If they take up HR 3055, they will certainly substitute language from the Senate versions of the underlying spending bills. It is very unlikely that a Senate version of this bill would include the DeFazio LNG by rail language. If/when the Senate passes their version of HR 3055, a conference committee will have to work out the differences between the two versions of the bill. There is a remote possibility that the DeFazio language could make it into an agreed upon conference version of this bill because it would only affect the approval of a Special Permit, and would not have a direct effect on the rulemaking on the mater.

PHMSA Pipeline Safety Rule to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) on “Amendments to Parts 192 and 195 to Require Valve Installation and Minimum Rupture Detection Standards” (RIN 2137-AF06). This rulemaking first appeared on the Unified Agenda in Spring 2014.

According to the current entry in the Unified Agenda:

“PHMSA is proposing to revise the Pipeline Safety Regulations applicable to newly constructed or entirely replaced natural gas transmission and hazardous liquid pipelines to improve rupture mitigation and shorten pipeline segment isolation times in high consequence and select non-high consequence areas. The proposed rule defines certain pipeline events as "ruptures" and outlines certain performance standards related to rupture identification and pipeline segment isolation. PHMSA also proposes specific valve maintenance and inspection requirements, and 9-1-1 notification requirements to help operators achieve better rupture response and mitigation. The rule addresses congressional mandates, incorporate recommendations from the National Transportation Safety Board, and are necessary to reduce the serious consequences of large-volume, uncontrolled releases of natural gas and hazardous liquids.”

Bills Introduced – 06-25-19



Yesterday with both the House and Senate in session there were 66 bills introduce. Two of these may receive further attention in this blog:

HR 3462 To amend the Internal Revenue Code of 1986 to provide a credit against tax for disaster mitigation expenditures. Rep. Bilirakis, Gus M. [R-FL-12] 

HR 3484 To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to establish a rotational cybersecurity research program, and for other purposes. Rep. Richmond, Cedric L. [D-LA-2]

I will watch HR 3462 for language that includes emergency response planning and/or exercises in the costs that could be covered by the tax credit.

Hopefully, HR 3484 will include language that includes control system security issues in the research program.

NCCIC Revamps ICS Web Site


Yesterday the DHS NCCIC redid their US-CERT and ICS-CERT web sites. According to a blurb on the site: “On June 25, us-cert.gov and ics-cert.us-cert.gov were consolidated into a single us-cert.gov site—a comprehensive, easy-to-navigate website with an updated look and feel.”

Actually, there are still two separate pages for IT and ICS activities. The main page for cybersecurity activity is https://www.us-cert.gov/. This page includes current US-CERT alerts, advisories and reports. It also contains links to a set of ICS pages on the site header, including the new ICS landing page: https://www.us-cert.gov/ics. That landing page looks to contain all of the information and services found on the old ICS-CERT site.

I liked the old format better, but then again, I have been using it for the last ten+ years. Nothing is constant except change.


Maybe more to come as I dig into this over the weekend.

Tuesday, June 25, 2019

Subcommittee Markup of HR 3432 – Pipeline Safety


The Energy Subcommittee of the House Energy and Commerce Committee will hold a markup hearing on HR 3432, the Safer Pipelines Act of 2019, tomorrow. The bill was introduced earlier this week and an official copy of the bill has not yet been published. A Committee print of the bill is available.

A quick review of that print indicates that this is an authorization bill for the pipeline safety activities of DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA). I have not yet had a chance to do an in depth review of the bill but it does include provisions making modification to current requirements for:

Integrity management programs;
Pipeline hazard communication requirements;
Emergency preparedness planning; and
The adjustment of civil and criminal penalties for violations of pipeline safety rules and regulations.

Additionally, §6 of the bill includes the same mandamus provisions found in HR 3290.

The markup notice indicates that at least one amendment will be considered to HR 3432. That amendment proposed by Rep. Kennedy (D,MA) would add six new sections to the bill. Again, I have not yet had a chance to do an in depth review of the amendment, but it looks very similar to HR 2139 that was cosponsored by Kennedy. HR 2139 has not yet been referred to the Energy Subcommittee and no action has been taken on that bill.

President Nominates Lemos to CSB


Yesterday the Senate received the nomination of Katherine Andrea Lemos of California, to be a Member of the Chemical Safety and Hazard Investigation Board for a five-year term. Lemos would serve to replace Mark Griffon who resigned from the CSB

According to the White House:

“Katherine A. Lemos, Ph.D., has previously served in the Federal Aviation Administration and on the National Transportation Safety Board.  Dr. Lemos is currently the Director of Programs for Northrop Grumman Corporation’s Aerospace Sector.  Dr. Lemos has a distinguished background in system safety, accident investigation, human factors, and advanced technology research and integration.  Dr. Lemos has broad experience across the product lifecycle in analyzing and promoting product, process, and operational performance.”

President Trump has twice proposed defunding the CSB in EPA budget documents. This appointment may signal an end to his attempt to kill the Board.

If Lemos is confirmed by the Senate, there will still be one vacancy remaining on the Board. The 5-year term of two of the three existing Board Members (Manny Ehrlich and Richard Engler) will expire in December.

HR 3261 Introduced – Smart Signals Grants


Earlier this month Rep. Cardenas (D,CA) introduced HR 3261, the Less Traffic with Smart Stop Lights Act of 2019. The bill would require DOT to establish the Smart Technology Traffic Signals Grant Program. Funding would come from existing DOT grant programs.

Grant Program


The new grant program would provide monies to State, local and Tribal governments to improve the functioning of traffic signal in a way that would {§2(a)}:

Reduce traffic congestion;
Improve the safety and effectiveness of roadways;
Reduce fuel costs for drivers; and
Reduce air pollution.

The monies would be used to improve traffic signals through the implementation of innovative technology, including {§2(c)}:

Adaptive signal control technology; and
Real-time data measurement technology

Funding would come from two existing DOT grant programs; the surface transportation block grant program (23 USC 133) and the congestion mitigation and air quality improvement program (23 USC 149).

Moving Forward


Cardenas is a member of the House Energy and Commerce Committee, one of the two committees to which this bill was assigned for consideration. Rep. Espaillat (D,CA), a cosponsor of the bill is a member of the House Transportation and Infrastructure Committee, the other committee to which the bill was assigned. This means that the bill could be considered by both relevant committees.

There is nothing in the bill that would drive any ideological opposition to its passage. The funding provisions help to overcome the added spending issue, but it will effectively reduce the funding available for grants in the other programs by some undetermined amount.

Commentary


The biggest shortfall in the language in the bill is that it contains no provisions for requiring grantees to address cybersecurity issues with these innovative technology solutions. With that lack of cybersecurity language in mind, I would like to suggest the following two modifications to the language in the bill.

First, I would add a new clause to §2(c) that would specifically allow grants to be used for improving cybersecurity of existing traffic control systems:

(3) defensive measures (as defined in 6 USC 1501) to protect new or existing traffic control systems from cybersecurity threats (as defined in 6 USC 1501).

Second, I would rewrite §2(f) to read:

(f) APPLICATIONS.—To be eligible for a grant under the Program, a State, local, or Tribal government entity shall submit to the Secretary an application at such time, in such form, and containing:
(1) An analysis of the cybersecurity threats (as defined in 6 USC 1501) that would affect the traffic control systems to be funded by the grant being requested;
(2) A description of the defensive measures that would be used to address the potential threats described in (1); and
(3) Any other information as the Secretary determines appropriate.

NOTE: The definitions in §1501 use the control system inclusive definition of ‘information system’.

Bills Introduced – 06-24-19


Yesterday with both the House and Senate back in Washington from the weekend there were 43 bills introduced. One of those bills will probably receive additional coverage in this blog:

HR 3432 To amend title 49, United States Code, to improve the safety of the Nation's natural gas and hazardous liquid pipeline systems, and for other purposes. Rep. Rush, Bobby L. [D-IL-1]

Monday, June 24, 2019

HR 3290 Introduced – Pipeline Mandamus


Earlier this month Rep. Speier (D,CA) introduced HR 3290, the PHMSA Accountability Act. The bill would allow civil suits against DOT to compel performance of a non-discretionary duty under pipeline safety laws. The bill is identical to HR 5443 that Speier introduced in the 114th Congress; no congressional action was taken on that bill.

Application


In my blog post I generically addressed how this change could affect the rulemaking process at DOT’s Pipeline and Hazardous Material Safety Administration. Today, I will look at one of the 12 rulemakings currently listed in the DOT’s Spring 2019 Unified Agenda that are listed as being pipeline safety related. This rulemaking could be considered for mandamus law suits if this bill was current law.

RIN: 2137-AF31 – Pipeline Safety: Coastal Ecological Unusually Sensitive Areas.

Section 19(b) of the PIPES Act of 2016 (PL 114-183) required DOT to “revise section
195.6(b) of title 49, Code of Federal Regulations, to explicitly state that the Great Lakes, coastal beaches, and marine coastal waters are USA ecological resources for purposes of determining whether a pipeline is in a high consequence area (as defined in section 195.450 of such title).”

Instead of reading this requirement as a directed rulemaking to add a sub-paragraph (6) to §195.6(b) that reads “An area on or adjacent to the Great Lakes, coastal beaches, and marine coastal waters.” The current Unified Agenda indicates that the Administration intends to offer an Advanced Notice of Proposed Rulemaking (ANPRM) later this year. In that rulemaking abstract it mentions that “PHMSA must change the definition of USA and further define what is included in "coastal beaches" and "marine coastal waters." In this rulemaking, PHMSA will solicit broad input from the pipeline industry and other stakeholders, propose definitions and geographic extents for the new terms to be included in the revised USA definition, and understand industry implications and concerns with the proposed revisions.”

A mandamus suit by an environmental activist organization might be expected to try to compel DOT to issue a directed final rule on the more limited reading of the intent of §19(b).

Moving Forward


While Speier is not a member of any of the three committees to which this bill was assigned for consideration, one of her cosponsors {Rep. Eshoo (D,CA)} is a member of the House Energy and Commerce Committee. Her influence on that Committee would be enough for Committee consideration of the bill, but the bill would not move to the floor without the active support of the Chair of the House Transportation and Infrastructure Committee.

This bill would draw significant opposition from the Republicans in the House, preventing the bill from being passed under the House suspension of the rules process which requires a super-majority for bill passage. Consideration of the bill under a rule is unlikely. The only other hope for passage of this bill would be to include it as language in an authorization bill.

S 1867 Introduced – UAS Coordinator


Earlier this month Sen. Johnson (R,WI) introduced S 1867, the DHS Countering Unmanned Aircraft Systems Coordinator Act. The bill would require DHS to establish within the Office of Strategy, Policy, and Plans the position of Countering Unmanned Aircraft Systems (UAS) Coordinator. The provisions of the bill are similar to HR 6438 that was introduced, and subsequently passed in the House in the 115th Congress.

Coordinator


The bill would add a new section 321 to the Homeland Security Act of 2002. It would establish the position of Coordinator who would be responsible for overseeing and coordinating with relevant Department offices and components, including the Office of Civil Rights and Civil Liberties and the Privacy Office, on the development of guidance and regulations to counter threats associated with unmanned aircraft systems as described in 6 USC 124n.

In addition to the promoting research and development in coordination with the Office of Science and Technology, the coordinator would be required to work with “with the relevant components and offices of the Department, including the Office of Intelligence and Analysis, to ensure the sharing of information, guidance, and intelligence relating to countering UAS threats, counter UAS threat assessments, and counter UAS technology” {new §321(a)(2)(C)}.

The Coordinator would also “serve as the principal Department official responsible for sharing to the private sector information regarding counter UAS technology, particularly information regarding instances in which counter UAS technology may impact lawful private sector services or systems” {new §321(c)}.

The position of Coordinator would terminate at the same time as the provisions of §124(n).

Moving Forward


Johnson is the Chair of the Senate Homeland Security and Governmental Affairs Committee so it is very likely that this bill would move forward in Committee. If the bill were to make it to the floor of the Senate, it would likely be considered under the Senate’s unanimous consent process.

If this bill passes in the Senate, it is close enough to the HR 6438 language that it would likely pass in the House with bipartisan support.

Commentary


This bill, like the provisions of §124(n), still fail to resolve the problems that critical infrastructure facilities have with protecting themselves from attack by UAS. The most important of those problems are the legal prohibitions against attacking aircraft in US airspace. Until that problem is adequately resolved, facilities are going to be extremely limited in actions that they can take.

Sunday, June 23, 2019

LNG By Rail Special Permit Comments – 6-23-19


Over the last week there have been eight new comments posted to the docket for the liquified natural gas by rail special permit being proposed by DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA). This week’s comments were all provided by private citizens and all opposed the issuance of the special permit based upon their expressed concerns about the safety of shipping LNG by rail.

When we see early multiple comments from private citizens on a rulemaking docket, it is easy to suggest that there is an organized letter writing campaign involved. Many environmental or chemical safety advocacy groups have employed these types of campaigns in the past. It does not appear that this is a typical organized campaign; there is no commonality of language or phrases and there is no reference to a prepared statement or counter proposal.

Saturday, June 22, 2019

OMB Approval of CFATS PSM to Tier III and IV


Earlier this week I ran into a blog post at Aradc.org (Agriculture Retailers Organization) by Andrea Mowers about the OMB’s approval of the information collection request to add Tier III and IV facilities in the Chemical Facilities Anti-Terrorism Standards (CFATS) program to the Personnel Surety Program (PSP) vetting of employees against the Terrorist Screening Data Base (TSDB). I missed the May 23rd announcement by OMB’s Office of Information and Regulatory Affairs (OIRA), but the ICR certainly was approved.

We can expect to see the DHS Infrastructure Security Compliance Division (ISCD) publish a notice in the Federal Register about the implementation of the expansion of the PSP submission requirements. I will review the details of that process when the document is issued, but we can look at the Tier I and Tier II implementation and the documentation ISCD submitted to OIRA to get a general idea of what those requirements will be.

First off, ISCD will establish some sort of internal process to spread out the requirement to first modify approved site security plans (SSP) to explain how the facility will implement the process. That implementation plan would include which of the four options (or combination of options) that the facility plans to use to screen employees, contractors and visitors (the last two with unaccompanied access to critical areas of the facility) for potential terrorist ties. Finally, once that SSP revision is approved, ISCD will provide a deadline for the implementation of the plan. Facilities can probably expect that assistance will be available from Chemical Security Inspectors (CSI) during the process.

The general plan for the phased implementation of the Tier III and IV implementation of the PSP requirements was outlined in a response (.DOCX download) to industry comments submitted to OIRA. Response 4.1.1 notes:

“The Department agrees that a flexible approach is appropriate for the rollout of the Personnel Surety Program to Tier 3 and Tier 4 covered chemical facilities. If approved, the Department plans to implement the CFATS Personnel Surety Program in a phased manner to Tier 3 and Tier 4 covered chemical facilities over a three year period.  Similar to the successful and recent retiering effort, the Department plans to consider the number of facilities assigned to a single Authorizer when notifying facilities to implement the Personnel Surety Program, as not to overwhelm a single Authorizer. The Department will also allow the flexibility for Authorizers, if desired, to complete the process for their facilities before notification by the Department.”

While ISCD will certainly be providing individual facilities with notification of the deadline by which they will have to revise their SSP, I expect that ISCD will allow facilities to begin the process before that notification is given. I do suspect, however, that they would prefer that facilities not try to begin the process before the Federal Register Notice is published. Facilities could contact their CSI or the regional office to confirm this.

One final point, questions have been raised throughout the PSP development and implementation process about DHS’s reluctance to guarantee that facilities would receive timely notification if a person is identified in the TSDB vetting process as having potential terrorist ties. If this were totally up to ISCD, I am sure that timely notifications would be made. Unfortunately, intelligence and law enforcement entities outside of the Cybersecurity and Infrastructure Security Agency (CISA), the controlling agency under which ISCD resides, will be involved in making that decision. The comment response document again addresses this issue in response 5.62:

“The Department’s design of the CFATS Program is intended to promote and enhance the security of high-risk chemical facilities; the Personnel Surety Program is one element of the larger CFATS Program. To prevent a significant threat to a facility or loss of life, a high-risk chemical facility will be contacted where appropriate and in accordance with federal law and policy, and per law enforcement and intelligence requirements.”

Friday, June 21, 2019

HR 2740 Passes in House – First FY 2020 Minibus


On Wednesday the House passed HR 2740, the first FY 2020 minibus spending bill by a vote of 226 to 203; a near party-line vote with seven Democrats voting Nay. A large number of amendments were adopted in two en bloc votes, including the Walberg amendment that I discussed earlier. That amendment would add $7 million to the Cybersecurity, Energy Security, And Emergency Response (CESER) spending account in the Department of Energy.

When (if?) the Senate takes up HR 2740, it will substitute language from the appropriate Senate spending bills for the language in the House bill. To move the bill to the President a conference committee would have to work out compromise language that would subsequently be passed by both the House and Senate. The ‘(if?)’ is because the Republicans in the Senate are still trying to work out a budget deal with the House and President that would set the spending caps for FY 2020. The Senate might not take up spending bills until that deal is reached.

Thursday, June 20, 2019

1 Advisory Published – 06-20-19


Today the DHS NCCIC-ICS published a control system security advisory for products from Phoenix Contact.

Phoenix Contact Advisory

This advisory describes three vulnerabilities in the Phoenix Contact Automation Worx Software Suite. The vulnerabilities were reported by 9sg Security Team via the Zero Day Initiative. Phoenix Contact is working on an update to mitigate the vulnerabilities.

The three reported vulnerabilities are:

Access of an uninitialized pointer - CVE-2019-12870;
Out-of-bounds read - CVE-2019-12869; and
Use after free - CVE-2019-12871

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker, with access to an original PC Worx or Config+ project file, to perform remote code execution.

HR 3256 Amended and Adopted in Homeland Security Committee

Yesterday the House Homeland Security Committee amended and subsequently adopted HR 3256, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. The alternate language was adopted by a voice vote (pretty much along party lines by the sound of it) and the final action was taken by a recorded vote of 14 to 12; strictly along party lines.

The Republican opposition to the bill was voiced by Ranking Member Rogers (R,AL) and addressed predictable issues. One notable portion of that opposition narrative was voiced at 17:25 into the video when Rogers stated: “The bill enlarges the whistleblower protection program in an agency that does not have the capacity or skills to administer such a program.” Comment: This is perhaps why the Democrats felt that changes in the current whistleblower provisions were needed.

All three statements on the bill {Chairman Thompson (D,MS), Rogers, and Subcommittee Chair (and author of the bill) Richmond (D,LA)} all emphasized how important reauthorization of the CFATS program was and how hard everyone was working together to get this done. They all agreed that additional work needs to be done to bill to get it to the point where there can be strong bipartisan support for the bill when it gets to the floor of the House.

The next venue for consideration of the bill will be the House Energy and Commerce Committee. Further amendments of the bill are sure to be seen there.

Watching this hearing it was clear that it was a closely scripted proceeding with every remark read from the script to ensure that nothing was said that was out of line. Even so, there was some minor drama when it came to the final vote on the adoption of the bill due to the number of Democrats that were not able to make it to the hearing. This made the vote much closer than it would have been.

Wednesday, June 19, 2019

Bills Introduced – 06-18-19


Yesterday with both the House and Senate in session, there were 54 bills introduced. Three of the bills will likely see future coverage in this blog:

HR 3310 To direct the Secretary of Homeland Security to conduct a study on how to improve training and support for local emergency response providers in areas with high concentrations of covered chemical facilities in how to respond to a terrorist attack on a chemical facility. Rep. Jackson Lee, Sheila [D-TX-18]

HR 3318 To require the Transportation Security Administration to establish a task force to conduct an analysis of emerging and potential future threats to transportation security, and for other purposes. Rep. Joyce, John [R-PA-13]

HR 3320 To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes. Rep. King, Peter T. [R-NY-2]

HR 3310 looks like an interesting approach to figuring out how to deal with outside response to a terrorist attack on a chemical facility. Limiting the area of coverage to ‘areas with high concentrations of covered [CFATS?] chemical facilities’ could be a way out of federal funding (local funding would be more likely to be available). This bill will definitely require some study.

HR 3318 will only be of interest here if it specifically addresses surface transportation security issues.

‘Supply chain risk’ covers a wide variety of problems; if it cyber issues are addressed, HR 3320 should get coverage here.

Rules Committee Approves Rule for Consideration of HR 3055 – 2nd FY2020 Minibus

Yesterday the House Rules Committee approved the rule for the consideration of HR 3055, the 2nd FY2020 minibus. The rule provides for the initial debate and offering of 290 amendments. The House is scheduled to start consideration of the bill today after completion of its work on HR 2740, the 1st FY2020 minibus.

Amendments


Of the four amendments that I mentioned in my earlier post, only two were included in the list of amendments allowed to be offered on the floor during the consideration of this bill. Those were:

233 DeFazio (D,OR) Prohibits authorizing the transportation of liquefied natural gas by rail tank car and prohibits the Secretary of Transportation from using funds to authorize transportation of liquefied natural gas by rail tank car by issuance of a special permit or approval.

264 Maloney (D,NY) Decreases and then increases funding for Transportation Planning, Research, and Development by $1 million for the purposes of encouraging the Department of Transportation to research implementing connected vehicle and autonomous vehicle technologies at Highway-Rail Grade Crossings.

Comment: Both amendments will probably be adopted. The DeFazio amendment vote will most likely be a party-line vote; the Maloney amendment may receive some Republican support.

Other Provisions


There is a provision in this rule that addresses the remaining consideration of HR 2740. Section 7(b) of H. Res. 445 provides that during the further consideration of HR 2740 [starting this morning] “the question of the adoption of further sundry amendments reported from the Committee of the Whole shall be put to the House en gros and without division of the question.” At this point, I am not sure exactly what amendments that includes. It would probably not include amendments that were debated yesterday, but scheduled for votes today, but that is not certain.

Comment: I suspect that this is the Democrats retaliating for the Republicans forcing votes on each amendment proposed for HR 2740. More importantly, it is a warning that the same measure may be applied to this bill’s consideration if the Republicans continue the tactic to slow down consideration of HR 3055. The Democrats apparently intend to complete consideration of the bill this week.

The rule also provides for the administrative measures necessary for the long 4th of July weekend that would start when Congress adjourns on Friday; Friday could be a long day.

OMB Approves NIST SP 800-171 Update


On Monday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced the approval of the National Institute of Standards and Technology’s (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This update was sent to OMB for approval back in February. Guidance documents are not typically listed in the Unified Agenda and there is nothing on the SP800-171 web site that indicates what types of changes are being made.

This document could be published this week, but the Trump Administration is notoriously slow to publish regulatory documents so there is no telling when this will be published.

This document establishes cybersecurity requirements for electronic systems that store, receive or send Controlled Unclassified Information (CUI). It mainly covers contractors, but facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program would be required to comply with these standards on systems containing Chemical-Terrorism Vulnerability Information (CVI).

Tuesday, June 18, 2019

HR 3256 Introduced – CFATS Reauthorization – Part 2


This is the second installment of a look at HR 3256 (note: an official copy of the bill is now available), the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. The initial post was made on Sunday. The House Homeland Security Committee will markup this bill tomorrow and substitute language for the bill will be considered. Things are moving fast here.

New Sections Added


The substitute language is adding the following new sections:

§11. Review of tiering methodology.
§15. Voluntary program.
§16. Study on local emergency response capacity to respond to chemical security incidents.
§17. Previously approved facilities.

Changes to Previously Reported Provisions


The substitute language does change some of the provisions that I reported upon in my last post.

Section 4 of the bill is substantially changed. The new version removes the rewrite of paragraph (a) that I previously described. It also rewrites paragraph (b), but the new version (along with a small format change) revises the language on State and local government officials by clarifying that the information sharing will take place only “with respect to information on any chemical facility of interest within the jurisdiction of the official, but only if such information may not be disclosed pursuant to any State or local law” {new §623(b)(1)}. It also clarifies the information sharing with the new Chemical Security Advisory Committee will only be for the purposes of “conducting official duties and responsibilities as described in such section” {§623(b)(3)}.

Comment: These changes clearly protect the current Chemical-Terrorism Vulnerability Information (CVI) program.

No significant changes were made to the other two sections which I discussed. The remainder of this post will only deal with the provisions found in the substitute language that the Committee will markup tomorrow.

Chemical Security Advisory Committee


Section 7 of the bill would add a new section (§2110) to the Homeland Security Act of 2002 which would become (probably) 6 USC 630. The new section would require DHS to form the Chemical Security Advisory Committee. The new CSAC would consist of 12 members representing {new §630(b)(1)}:

Industry;
Academia;
Labor;
Emergency response providers;
Local emergency planners;
Environmental, community, or public health advocates, particularly for communities with high concentrations of covered chemical facilities; and
Cybersecurity and information policy.

The purpose of the CSAC is broadly written; to “advise the Secretary on the implementation of this title” {§630(a)}. The only other operational guidance provided is the recommendation that the Committee “may establish subcommittees to assesses and recommend improvements to the risk tiering methodology for chemical facilities, the risk-based performance standards for chemical facilities, risk reduction strategies, and other aspects of the program under this title as the Secretary determines appropriate” {§630(c)}.

Comment: Other advisory committees have been very helpful to their Federal Agency in providing insight and technical support for policy development. One provision that is sometimes seen (particularly for DOT advisory committees) is a requirement for the Secretary to seek advice from the committee on all proposed rulemakings under the committee’s charter. That might be a useful addendum to this section.

Review of Tiering Methodology


I generally do not worry too much about mandated studies and reports to Congress in authorization bills, but I do want to briefly mention the provisions of §11 of this bill because of one of the requirement. This section would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to conduct a review of the current tiering methodology used by the Infrastructure Security Compliance Division (ISCD) to assess the relative risk of terrorist attack at a facility covered by the CFATS program. One of the items that the review is supposed to take into account is {§11(a)(1)(c)}:

The vulnerabilities of chemical facilities to cybersecurity threats, including the vulnerabilities of facilities’ information technology and operational technology and the implications on the potential for penetration of both the physical security and cybersecurity of facilities.

Comment: I generally applaud this idea, but it would pose some significant challenges to expand the Top Screen submission to provide adequate information for ISCD to properly asses this risk. What might be need to implement this would be to go back to the requirement to submit a security vulnerability assessment report to DHS prior to ISCD making a tiering decision. That is not, however, something that the lawmakers would necessarily want to consider in requiring this review and report.

COI Mixture Appeals


Section 14 of the revised bill would require DHS to establish “a process through which the Secretary can be petitioned to exclude a product or mixture” from consideration in the risk assessment process used to establish that a facility is a covered facility or to tier the facility. The only guidance provided on this process is that the information collected will not be subject to the requirements of 44 USC Chapter 35 (presumably the information collection requirements of §3507) or the Freedom of Information Act requirements.

This requirement supports a change made to §622 {a new paragraph (f)} by §3 of the bill. That new paragraph would authorize DHS to exclude a product or mixture from the Top Screen reporting requirements if DHS determines “determines that the product or mixture does not present a terrorism risk for which the chemical of interest contained within the product or mixture was included on Appendix A [COI list for 6 CFR 27]”.

Comment: The current mixture rules used by ISCD are very broadly written and almost certainly cause reporting of mixtures that do not pose the hazards associated with the underlying DHS Chemical of Interest. I am thinking primarily of flammable liquids; a mixture containing 2% of a flammable COI may not itself be flammable. The problem is that the way (f) is written this would affect Top Screen submissions. This would require additional access to the Chemical Security Assessment Tool prior to CVI training.

Moving Forward


This bill will probably amended further tomorrow, but it will certainly be adopted by the Committee. The only question is how much support it will receive from the Republicans. It looks to me that the Democrats have moderated their changes enough that there could be some support, or at least acquiescence by the part of the business community. This would allow some of the Republicans to vote in favor of the bill.

The main problem will be in the Senate. This bill will almost certainly not be considered in the Senate Homeland Security and Governmental Affairs Committee. Sen. Johnson (R,WI) will almost certainly introduce his own legislation and the Committee will consider that instead of this bill. The question will then be how the Senate leadership decides (if it decides) to proceed; it could bring Johnson’s bill to the floor and send it to the House for consideration, consider the House bill as passed, or (more likely) consider the House bill by substituting Johnson’s language.

I do not expect the Senate to take any action of CFATS authorization until just before the current expiration next year. And that may just take the form of another extension.

Monday, June 17, 2019

Rules Committee to Meet on HR 3055 – The Second FY 2020 Minibus


Tomorrow the House Rules Committee will meet to formulate the rule for the consideration of HR 3055, the Second FY 2020 Minibus. The new version of HR 3055 will include language from HR 3055 (CSJ), HR 3164 (ARD), HR 3052 (IER), HR 2745 (MCVA), and HR 3163 (THUD). The meeting Tuesday and a second meeting on Wednesday will set the list of amendments that will be allowed to be considered on the floor. The HR 3055 web page currently lists 553 separate (and often duplicative) amendments that have been proposed.

The following amendments have caught my interest:

Division A (CSJ), #108, Rep. Langevin (D,RI), Increases funding for CyberCorps: Scholarship for Service, the nation’s premiere cybersecurity workforce recruitment and curriculum development initiative by $7.35 million; the money coming from the NSF account for reimbursing DHS for security guard services.

Division B (ARD), #55, Rep. Langevin, Increases funding for the FDA's Transform Medical Device Safety, Cybersecurity, Review, and Innovation initiative by $5 million in order to increase the FDA's capacity to protect consumers from cyber threats both pre- and post-market; the money coming from the account of the Office of the Chief Information Security Officer, US Department of Agriculture.

Division E (THUD), #9, Rep. DeFazio (D,OR), Prohibits authorizing the transportation of liquefied natural gas by rail tank car and prohibits the Secretary of Transportation from using funds to authorize transportation of liquefied natural gas by rail tank car by issuance of a special permit or approval.

Division E (THUD), #107, Rep. Maloney (D,NY), Decreases and then increases funding for Transportation Planning, Research, and Development by $1 million for the purposes of encouraging the Department of Transportation to research implementing connected vehicle and autonomous vehicle technologies at Highway-Rail Grade Crossings.

ISCD Publishes New FAQ and Updates a FAQ Response


Today the folks at the DHS Infrastructure Security Compliance Division (ISCD) updated a response to a frequently asked question (FAQ) and published a new FAQ on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. Both FAQ’s deal with the submission of Top Screen reports.

Actually, what ISCD did was to separate the response to the original FAQ #641 into two cases. The first case deals with initial Top Screen submissions; that remained in #641. The requirements for facilities already in the CFATS program to resubmit a Top Screen were put into the new FAQ #1793.

Interestingly, there is one Top Screen submission situation that has not been addressed in any of the FAQ’s to date. If a facility submits a Top Screen and is notified by DHS that it is not a covered facility, does the facility have to submit another Top Screen when it acquires a new DHS chemical of interest (COI) in quantities above the Screening Threshold Quantity, or the originally reported COI at a higher inventory level?

S 1589 Report Printed in Senate – Intel Authorization Act


Last week the Senate Select Committee on Intelligence printed their Report to accompany S 1589, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. As I reported earlier, the Committee favorably reported the bill last month without a report.

There was one interesting bit on control system security in the report on page 31:

National Security Threats to Critical Infrastructure
The Committees are aware of significant threats to our critical infrastructure and industrial control systems posed by foreign adversaries. The sensitive nature of the information related to these threats make the role of the IC of vital importance to United States defensive efforts. The Committees have grave concerns that current IC resources dedicated to analyzing and countering these threats are neither sufficient nor closely coordinated. The Committees include provisions within this legislation to address these concerns.

Unfortunately, I could find nothing in the bill that covered this topic. If it is in there, and congresscritters would never fib, it is buried in a section titled with something that does not deal with cybersecurity.

S 1790 Introduced – FY 2020 NDAA


Last week Sen. Inhofe (R,OK) introduced S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The bill was reported favorably by the Senate Armed Services Committee which Inhofe chairs. The Senate is scheduled to take up the bill this week. The bill includes an entire sub-title that addresses cyber operations; including one section that addresses the development of a set of cybersecurity standards for the defense industrial base.

Defense Industrial Base Cybersecurity


Section 1634 requires DOD to “develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base” {§1634(a)}. The framework would be developed by February 1st, 2020. The framework would include {§1634(b)}:

Identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.
The roles and responsibilities of various activities within the Department of Defense, across the entire acquisition process, beginning with market research, including responsibility determination, solicitation, and award, and continuing with contractor management and oversight on matters relating to cybersecurity.
The responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified under paragraph (1).
A plan to provide implementation guidance, education, manuals, and, as necessary, direct technical support or assistance to such contractors on matters relating to cybersecurity.
Methods and programs for defining and managing controlled unclassified information, and for limiting the presence of unnecessary sensitive information on contractor networks.
Quantitative metrics for assessing the effectiveness of the overall framework over time, with respect to the exfiltration of controlled unclassified information from the defense industrial base.

While the language in the bill does not specify whether the cybersecurity concerns cover both the information technology and control system technology used in the industrial base, the Committee Report does address the matter. It notes (pg 306):

“The committee is concerned that contractors within the defense industrial base are an inviting target for our adversaries, who have been conducting cyberattacks to steal critical military technologies.”

Control System Cybersecurity


The Report does address control system cybersecurity research being conducted by DOD. On pages 325-6 the Committee “commends the Department of Defense for its efforts to address the cybersecurity of installation industrial control systems (ICSs).” It goes on to discuss a National Security Agency research program, Integrated Adaptive Cyber Defense (IACD).  It notes that “IACD technologies include sensing and automated orchestration and interoperability among cybersecurity tools and systems to defend both operational technology (such as ICSs) and information technology”. There is additional discussion of this technology under the “Software defined networking and network and cybersecurity orchestration” heading on pages 333-4.

Cybersecurity Research


The Report notes (pgs 97-8) that the Committee is recommending funding Defense-wide cybersecurity research (line item # PE 62668D8Z) at $25.1 million, an increase of $10.0 million above the Administration’s request.

Moving Forward


This bill will start to be considered on the floor of the Senate sometime this week (a number of nominations have to be completed first). Amendments have already started to be proposed to this bill, over 200 were submitted on Thursday alone. How many of those (and yet to be submitted) amendments will make it to the floor of the Senate remains to be seen.

Sunday, June 16, 2019

HR 3256 Introduced – CFATS Reauthorization - Part I


Earlier this week Rep. Richmond (D,LA) introduced HR 3256, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. Normally, I wait for the official print of the bill before I review it, but the House Homeland Security Committee has a committee print available and have scheduled a mark-up hearing of the bill on Wednesday, so I will be reviewing the committee print today.

HR 3256 would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for an additional five plus years (until May 1st, 2025; §16). The bill also provide a number of amendments to the current authorization language (6 USC Subchapter XVI).

Major Additions


The following sections of the bill show the areas where significant changes would be made to the existing program:

§4. Protection and sharing of information.
§5. Civil enforcement.
§6. Whistleblower protection.
§7. Chemical Security Advisory Committee.
§12. Voluntary mechanism for reporting drones and other emerging threats.
§13. Regulations regarding specific products and mixtures containing chemicals of interest.

The following sections provide information on the studies and reports required by the bill:

§8. Implementation plan and report to Congress.
§9. Study on risks posed by excluded facilities.
§10. Study on feasibility of waiver program.
§11. Comptroller General reports.

Information Protection and Sharing


Section 4 of the bill would make a number of changes to 6 USC 623, Protection and Sharing of Information. The first change would be to rewrite paragraph (a) to read:

(a) In general - Notwithstanding any other provision of law, with respect to information in the possession of the Department, the Secretary shall protect information developed under this subchapter, including vulnerability assessments, site security plans, and other security related information, records, and documents shall be given protections from public disclosure consistent with the protection of similar information under section 70103(d) of title 46 [link added].

Additionally, a complete rewrite of paragraph (b) includes:

(2) NONDEPARTMENTAL INFORMATION. — Information is not protected pursuant to subsection (a) if it is—
(A) not in the possession of the Department;
(B) developed under this title but has been previously produced or developed for other purposes; and
(C) is already publicly available, readily discoverable, or otherwise lawfully disclosed.

Comment: It looks like this is intended to change the Chemical-Terrorism Vulnerability Information (CVI) program to make it more like other sensitive but unclassified (SBU) information protection programs. Currently the CVI program has strict information protection rules for information held at each covered facility. Other SBU only protect information in the hands of the Federal government, its contractors, and such information shared with State, Tribal, and local governments. If that was the intent, it looks to me like the terminal ‘and’ in (2)(B) nullifies that attempt as it does not remove protections already provided in the program. DHS would not be required to change the CVI rules under these changes. If the terminal ‘and’ were changed to ‘or’ then (2)(A) would be the controlling factor for removing CVI protections for information held at facilities.

As noted above §4 also rewrites (b), changing the information sharing requirements of §623(b) to require DHS to provide information (upon request) to {new §623(b)(1)}:

State, local, and regional fusion centers (as that term is defined in section 210A(j)(i) of this Act) and State and local government officials, including law enforcement and emergency response providers;
Members of Congress;
Members of the Chemical Security Advisory Committee under [new] section 2010 of this Act; and
The Comptroller General of the United States.

The addition of fusion centers and members of Congress in this paragraph allows the bill to delete the current paragraphs (c) and (f) from §623.

Comment: This is a proforma change to appease supporters who want ‘better’ information sharing about the hazards associated with covered facilities. This really provides no new requirements for the CFATS program beyond the addition of the new Advisory Committee which will be covered in more detail later in the bill.

Civil Enforcement


Section 5 of the bill would amend §624, Civil Enforcement. The first set of amendments deals with changes to paragraph (a), Notice of noncompliance. The first change the time limits for DHS to provide a written notice of non-compliance from 14-days to 3-days. And the second changes the time limit a facility would have to comply with a DHS order to comply, from 180 days to 30 days.

The next set of changes address paragraph (b)(2) civil penalties for non-reporting chemical facilities of interest. The change clarifies that the subparagraph applies to Top Screen submission requirements or supplemental information thereto.

The third set of changes paragraph (c)(1), expanding the DHS authority for issuing emergency orders due to violations of CFATS program requirements or the risk of terrorist incidents. It now adds a vague “or other malicious act” that may affect a chemical facility of interest to the list of potential causes of “an imminent threat of death, serious illness or severe personal injury that the Secretary could attempt to prevent by requiring facility action.

Comment: This is ‘other malicious act’ is vague enough to provide authority to order cybersecurity measures or even the development of active shooter programs. The current management would be unlikely to use this authority; their emphasis is on cooperative enforcement. Who knows what could happen in the future?

Whistleblower Protections


Section 6 of the bill modifies the existing whistleblower protections found in §625. The bill expands on the existing requirements for:

• Confidentiality;
• Response to reports; and
• Opportunity for review

The bill also adds a new paragraph (c) to the section; Procedure and Remedy. It provides requirements for DHS to “establish a procedure for the review and investigation of complaints of reprisals” {new §625(c)(i)} as well as establishing remedies for violations of the same.

NOTE: I am about half-way through the major CFATS changes proposed by this new bill and we are already at about 1000 words. It is getting a bit long for a blog post; even by me. I will try to finish up by tomorrow.

 
/* Use this with templates/template-twocol.html */