HR 3699 Reported in House – Pipeline Security Act

Earlier this week the House Homeland Security Committee published their report on HR 3699, the Pipeline Security Act. The report reflects the changes made by the Committee to the language of the bill during a markup hearing held on July 17^th, 2019. The changes and adoption were done under unanimous consent process. A revised version of the bill has also been published.

Changes to Bill

Most of the changes to the bill were to the wording of the new 6 USC 1209(d) proposed in the bill. Paragraph (1) was amended to specifically include the NIST Framework for Improvement of Critical Infrastructure Cybersecurity (CSF) as one of the consultative works to be used in developing the “guidelines for improving the security of pipeline transportation and [protecting?] pipeline facilities against cybersecurity threats”.

The paragraph (4) opening phrase was changed to read “Conducting voluntary security assessments”.

Paragraph (5) was completely rewritten to read:

“(5) Carrying out a program to inspect pipeline transportation and pipeline facilities, including inspections of pipeline facilities determined critical by the Administrator based on a risk assessment conducted in consultation with relevant Federal, State, local, Tribal, and territorial entities and public and private sector stakeholders. through which the Administrator identifies and ranks the relative risk of pipelines and inspects pipeline facilities designated by owners and operators of such facilities as critical based on the guidelines developed pursuant to paragraph (1).”

A new §6 was added to the bill that would require TSA to “convene not less than two industry days to engage with relevant pipeline transportation and pipeline facilities stakeholders on matters related to the security of pipeline transportation and pipeline facilities”.

The Report

The report notes that (pg 2):

“This bill cements that both the physical and cyber security of pipelines fall within TSA’s jurisdiction at the Federal level. The bill also requires TSA to bolster its pipeline security activities and develop a strategy for staffing such efforts appropriately.”

With regards to the cost of the legislation, the report notes:

“Because TSA is already pursuing activities similar to those called for in the bill, CBO estimates that implementing H.R. 3699 would have no significant effect on spending subject to appropriation.”

Moving Forward

The strong bipartisan support seen in the Committee for this bill means that the bill will probably move forward to the full House under the suspension of the rules process. This means that there will be limited debate, no floor amendments and the bill will require a supermajority to pass.

Commentary

I was not really happy with the level of authority provided to the TSA in the original bill for pipeline security. Unfortunately, what little authority was in the original language has been significantly reduced by the changes made by the Committee. First the revised bill makes it even clearer that the security program developed under the new §1209 is voluntary. Next facility owners are now the ones that determine what facilities would be subject to the ‘voluntary’ inspections.

These changes were almost certainly made in response to concerns my industry that they might be required to incur additional costs to comply with a new security program. That the revised language was adopted by unanimous consent means that those concerns have been adequately addressed. This now begs the question of the adequacy of the security program. It would seem that the Committee’s Report is correct, this bill will not really change anything.

What will be interesting to see is that if this is passed, will Congress next year provide enough funds to support the new ‘Pipeline Security Section’ established by this bill. Probably not as we are almost certainly going to see another spending fiasco where we will have essentially a full year continuing resolution. This bill would have been more impressive (even with the new ‘voluntary’ compliance language) if it had established a minimum manning level for the Section and had authorized monies for the program. Of course, that would have killed any prospects for passing the bill.

One other sad commentary in this bill is that the Cybersecurity and Infrastructure Security Agency (CISA) has been tasked to provide the personnel to support the cybersecurity aspects of the proposed program. This probably reflects the unfortunate reality that there are too few control system security experts in the federal government to stand up a new cybersecurity program in DHS. This will mean, of course, that the ability of CISA to respond to its own mission requirements will be diminished by the reduction in its manpower resources.