Last week Rep Underwood (D,IL) introduced HR 5667,
the Safe Communities Act. The bill would amend 6
USC 652(c), adding requirements for the DHS Cybersecurity and
Infrastructure Security Agency (CISA) to “maintain a clearinghouse for owners
and operators of critical infrastructure and other relevant stakeholders to
access security guidance, best practices, and other voluntary content developed
by the Agency” {new §652(c)(6)}.
Outreach Strategy
Section 3 of the bill would require CISA to develop and
publish a “strategy to improve stakeholder outreach and operational engagement
that includes the Agency’s strategic and operational goals and priorities for
carrying out the stakeholder engagement activities” {§3(a)} as well as a plan
to implement that strategy. The strategy would include {§3(b)}:
• A catalogue of the stakeholder
engagement activities and services delivered by protective security advisors
and cybersecurity advisors of CISA;
• An assessment of the capacity of
programs of the Agency to deploy protective security advisors and cybersecurity
advisors, including the adequacy of such advisors to meet service requests and
the ability of such advisors to engage with and deliver services to stakeholders
in urban, suburban, and rural areas;
• Long-term objectives of the
protective security advisor and cybersecurity advisor programs, including
cross-training of the protective security advisor and cybersecurity advisor
workforce to optimize the capabilities of such programs and capacity goals;
• A description of programs,
policies, and activities used to carry out such stakeholder engagement
activities and services;
• Resources and personnel necessary
to effectively support critical infrastructure owners and operators and other
entities, as appropriate, based on current and projected demand for Agency
services;
• Guidance on how outreach to
critical infrastructure owners and operators in a region should be prioritized;
• Plans to ensure that stakeholder
engagement field personnel of the Agency have a clear understanding of
expectations for engagement within each critical infrastructure sector and
subsector, whether during steady state or surge capacity;
• Metrics for measuring the
effectiveness of stakeholder engagement activities and services;
• Plans for awareness campaigns to
familiarize owners and operators of critical infrastructure with security
resources and support offered by CISA.
Section 5 of the bill provides for establishing a one-year pilot
program for protective security advisors to provide training for State and
local enforcement agencies in “carrying out security vulnerability or terrorism
risk assessments of facilities” {§5(a)}.
Moving Forward
Both Underwood and her cosponsor {Rep Katko (R,NY)} are
members of the House Homeland Security Committee, one of the two committees to
which this bill was assigned for consideration. This means that there is a good
chance that this bill will be considered in Committee. It is odd, however, that
the Committee did not take up this bill in their markup hearing yesterday.
There is nothing in this bill that should engender any significant
opposition and I suspect that it will garner significant bipartisan support
when considered by the Committee. The lack of a sponsor on the House Energy and
Commerce Committee could easily mean that this bill would fail to move beyond
the Homeland Security Committee because of inter-committee politics. If this
bill does make it to the floor of the House it will be considered under the
suspension of the rules process and should pass with bipartisan support.
Commentary
The main import of this bill is that it would require CISA
to undertake a review of its use of both the Protective Security
Advisor (PSA) and Cyber
Security Advisor (CSA) programs. The PSA program is fairly well established
and quite active. The same cannot be said for the CSA program. The latest
information that I can find (from a now defunct Coast Guard web page from October
2018) would seem to show that there were only nine CSAs deployed across eight
regional offices with a similar number of open vacancies. I think that part of
the strategy to be developed by CISA should include an evaluation of both
programs to determine what resources should be made available to the two
programs to assure an effective implementation of the strategy. To that end I
would suggest adding the following to the end of §3(b):
(10) Determine the resources
necessary for full implementation of the strategy, including the manpower needs
for both protective security advisors and cyber security advisors.
There is another resource within CISA that could be utilized
for this outreach strategy, the chemical security inspectors of the Chemical
Facility Anti-Terrorism Standards (CFATS) program under the Infrastructure
Security Compliance Division of CISA. Their unique perspective and training on
assessing chemical facility risk and evaluating chemical facility security
programs could be used to address the much larger chemical community beyond the
3,000+ facilities currently covered under the CFATS program. I would suggest a
further addition to §3(b):
(11) Determine how the chemical
security inspectors from the Chemical Facility Anti-Terrorism Standards (CFATS)
program could be integrated into the outreach program.