Monday, October 28, 2019

Senate Committee Reports for HR 3055 – First Senate Minibus

The version of HR 3055 that the Senate will resume considering today is based upon four spending bills proposed by the Senate Appropriations Committee. While there may be some slight differences in the language included in Senate Amendment 948 that amendment specifically adopts the four committee reports “for purposes of determining the allocation of funds provided by, and the implementation of,’ each of the four divisions in the proposed bill.

Those reports are:

S Rept 116-127 (Div A - CJS)

S Rept 116-110 (Div B – ARD)

S Rept 116-123 (Div C – IER)

S Rept 116-109 (Div D – THUD)

As is typical for spending bills, the important details are found in these reports, not in the bill language. Below I will discuss some of the more interesting details.


Every division (and most titles) of the proposed amendment contain some sort of cybersecurity language. Mostly though those references and spending allocations pertain to protecting the IT systems of the US government.

Not unexpectedly the NIST section of the Division A report deals with supporting cybersecurity workforce training. While no specific funding is outlined the Committee “directs that no less than the fiscal year 2019 level is provided for cybersecurity research, outreach, industry partnerships, and other activities at NIST, including the National Cybersecurity Center of Excellence” (pg 23). Interestingly the Committee desires to see “a priority being placed on areas with a high concentration of Department of Defense, automotive, and health care related industries”.

NIST is also called upon to address industrial cybersecurity via Industrial Internet of Things (IIoT) cybersecurity research. The report calls for spending ‘no less than’ $2 million “to improve the sustainable security of IIoT devices in industrial settings” (pg 23). The Committee calls for comprehensive strategies that would “couple computer science and engineering, psychology, economics, cryptography, and network research to deliver significant mitigations and options for industrial adoption, as well as guidance to consumers and industry on how to manage and utilize these devices consistent with best security practices” (pg 24).

The National Science Foundation ‘Education and Human Resources’ section of the Division A report also significantly addresses cybersecurity training issues. The Committee provides $55 million (pg 169) for the CyberCorps scholarship program with $7.5 million of that going to support the two year programs at NSA sponsored Center of Academic Excellence in Information Assurance 2–Year Education [CAE2Y] program community colleges.

The DOJ portion of the Division A report addresses another aspect of cybersecurity education; computer forensics and digital investigation. The State and Local Law Enforcement and Cybercrime Prevention section includes a requirement for DOJ to allocate $2 million “for a separate competitive grant program to expand a partnership with an institution for higher learning for the purposes of furthering educational opportunities for students training in computer forensics and digital investigation” (pg 130).

There is an interesting control system cybersecurity provision in the Division D Report. The Federal Railroad Administration (FRA) portion of the DOT Title “urges FRA to prioritize funding to establish enhanced cybersecurity methods, standards, and best practices, especially as it relates to the implementation of PTC [Positive Train Control] technology and future versions of this technology” (pg 73). Specifically, the Committee directs the FRA to “work with industry to identify current vulnerabilities and prepare for threats that could arise from future updates and the migration to future designs.”

Chemical Safety

There is only one mention of chemical safety issues that I can find in the four reports. That deals with the continued funding of the Chemical Safety Board. While the initial Trump Administration budget proposed eliminating the CSB, this year’s budget proposed $10.2 million and the Committee recommends continuing the current funding level of $12 million. The report notes that “The Board has the important responsibility of independently investigating industrial chemical accidents and collaborating with industry and professional organizations to share safety lessons that can prevent catastrophic incidents and the Committee expects this work to continue.”

Moving Forward

It is looking more likely that the Senate will pass HR 3055 later this week. The bill would then have to go back to the House. The House is unlikely to accept the Senate version so the bill would have to go to conference. The conference report would also address the differences in allocations and implementation directions, essentially rewriting the two versions of the Committee Reports.

No comments:

/* Use this with templates/template-twocol.html */