Last month the House Armed Services Committee published their report on
HR 2500, the FY 2020 National Defense Authorization Act (NDAA), along with a
copy of the marked up version of the bill. There is one interesting TWIC bit
in the actual bill and an entire subtitle of cyber-operations provisions
(§1621 thru §1632 starting on page 884), but nothing specific to control
system security. There is, however, an interesting discussion about ICS
security in the Committee Report in a section dealing with facility
electrical utility security.
TWIC Use
Section 2832 clarifies the use of the Transportation Workers
Identification Credential (TWIC) for access to military facilities. This
section amends §1050 of the National Defense Authorization Act for Fiscal
Year 2017 (PL 114–328, 130 STAT. 2396). That earlier legislation directed
DOD to consider allowing the use of TWICs for unescorted access to military
facilities. The actual language allowed some wiggle room: “the Secretary
shall, to the maximum extent practicable, ensure that the Transportation
Worker Identification Credential (TWIC) shall be accepted as a valid
credential for unescorted access to Department of Defense installations by
transportation workers” {§1050(a)}.
In this bill the entire first paragraph was replaced with
stricter language providing that the TWIC “is accepted as a valid credential
for unescorted access to a work site at a maritime terminal of the Department
of Defense” {new §1050(a)(1)} and allowing DOD to consider authorizing the
use of TWIC for access to other DOD facilities.
ICS Security
The Committee Report (pgs 284-5) notes that in 2015 (2016?)
the “Department subsequently directed the services and other Defense agencies
to develop plans for identifying the goals, milestones, and resources needed to
identify, register, and implement cybersecurity controls on facility-related
ICS.” Apparently DOD has not provided adequate feedback to the Committee on how
that work has progressed, so the Committee is directing the Government
Accountability Office (GAO) to evaluate:
• The extent to which the military departments have
developed and implemented plans and associated guidance to enhance the
cybersecurity of ICS and what, if anything, remains incomplete;
• The challenges the military departments have encountered
in implementing relevant guidance to enhance the cybersecurity of ICS and how
effectively the challenges have been overcome;
• How effectively the military departments implemented
industry leading practices to enhance cybersecurity for ICS; and
• How effectively the military departments conduct
tests of the cybersecurity of ICS and implement improvements to security to
counter any weaknesses identified.
Moving Forward
The House Rules Committee has closed the period for submitting possible
amendments to HR 2500. As of today, 652 amendments have been submitted. I am
currently keeping an eye on five of those amendments for possible coverage in
future blog posts: #160, #244, #395, #415, and #457.
The Committee has not yet established a date for a hearing on
the rule for consideration of HR 2500. There has been some talk of adding a DHS
spending bill (not yet published by the Appropriations Committee) to HR 2500,
but that would be an unusual combination of bills. I do expect that some form
of this bill will be considered before the House takes their summer recess.