Monday, July 20, 2020

HR 7609 Reported in House – FY 2021 VA Spending

Last week Rep Wasserman-Schultz introduced HR 7609, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2021. There is nothing in this bill that addresses control system, or even medical device security. There were, however, two comments in the House Appropriations Committee Report on this bill that provide some interesting insight into how Congress still misperceives cybersecurity.

On their discussion about the VA’s implementation of electronic health records, the Committee expresses concern about the VA’s implementation of cybersecurity best practices. They then state (pg 95):

“The Committee directs the Department to identify for the Committee steps it has taken to protect data and patient records across physical, virtual, and mobile networks and the devices and systems attached to these networks. If such review warrants [emphasis added], the Department should consider a layered defensive strategy that includes perimeter security, segmentation within the data center to increase lateral security, and data and application protections.”

It seems to me that these recommended ‘layered defensive strategy’ measures are the minimum-security requirements for any information system and should not depend on whether or not a security review warrants their implementation.

On the next page, the discussion continues, and the Committee recommends that “the Department consider emerging technologies, such as blockchain technology [emphasis added], if future requirements drive a need to modify VA’s security architecture and technical solutions”.

I am surprised that there was not also a reference to the other solve-all-problems cyber-solution, artificial intelligence.

Moving Forward

This bill will be lumped into the first FY 2021 minibus that the House will take up later this week.

No comments:

/* Use this with templates/template-twocol.html */