Friday, June 11, 2021

Review - HR 2928 Introduced – Cyber Sense Program

Back in March Rep. Latta (R,OH) introduced HR 2928, the Cyber Sense Act of 2021. The bill would require DOE to establish “a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk-power system” {§2(a)}. Similar bills have passed the House in each of the last three sessions of Congress, most recently HR 360 in the 116th.

Moving Forward

On Thursday of this week the House Energy and Commerce Committee held a markup hearing at which this bill was considered. The Committee considered HR 2928 without amendments and ordered it favorably reported to the House by a voice vote. The bill will be taken up by the full House, likely before the Summer Recess, under the suspension of the rules process. This means limited debate, no floor amendments, and a two-thirds supermajority required for passage. The bill will almost certainly pass (yet again) with strong bipartisan support.

Commentary

I would like to propose a value-added feature that should be made part of the Cyber Sense Program: a software bill of materials {SBOM, as defined in §10(j) of EO 14028} requirement for all products. With SBOMs on file, DOE could notify other vendors when a vulnerability reported to the program in one product involves a component that their products also contain. This will be especially critical while a CEII restriction prevents publication of the vulnerability, since affected vendors would otherwise have no way to learn of it. To make this happen, we could revise §2(b)(2):

(2) for products and technologies tested under the Cyber Sense program, the Secretary would:

(i) establish a requirement to submit a software bill of materials (SBOM), as that term is defined in §10(j) of EO 14028, for each product or technology submitted for evaluation;

(ii) establish and maintain cybersecurity vulnerability reporting processes and a related database; and

(iii) provide notification to affected vendors when a vulnerability reported to the Cyber Sense program potentially affects their product, based upon the SBOM listing on file with the program.
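The matching step in (iii) is simple to state but has a few edges worth seeing in code: the reporting vendor should not be notified about its own report, a component is only affected within a version range, and a notice sent while CEII restrictions apply should carry only what the recipient needs. The following is an added illustration, not text from the bill or the post, and it assumes a reduced, CycloneDX-like SBOM shape (vendor, product, and a list of components with a package URL and version) chosen for this example. All vendor, product, and component names below are constructed.

```python
"""Match a reported vulnerability against SBOMs on file and build the
notices DOE would send. Added example; SBOM records and the vulnerability
report are constructed and name no real products or components."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    purl: str      # package URL without its version suffix (assumed layout)
    version: str   # dotted numeric version, e.g. "2.3.1"


@dataclass(frozen=True)
class ProductSBOM:
    vendor: str
    product: str
    components: Tuple[Component, ...]


@dataclass(frozen=True)
class VulnReport:
    reporting_vendor: str
    component_purl: str
    introduced: str            # first affected version, inclusive
    fixed: Optional[str]       # first fixed version, exclusive; None = no fix yet


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple of ints so ranges compare correctly
    ("2.10.0" > "2.9.0"). Non-numeric schemes are out of scope here."""
    return tuple(int(p) for p in v.split("."))


def is_affected(comp: Component, report: VulnReport) -> bool:
    """True when the component is the reported package and its version
    falls in [introduced, fixed)."""
    if comp.purl != report.component_purl:
        return False
    v = parse_version(comp.version)
    if v < parse_version(report.introduced):
        return False
    if report.fixed is not None and v >= parse_version(report.fixed):
        return False
    return True


def vendors_to_notify(sboms: Tuple[ProductSBOM, ...],
                      report: VulnReport) -> Dict[str, List[str]]:
    """Map vendor -> affected product names, skipping the reporting vendor,
    which already knows about its own report."""
    hits: Dict[str, List[str]] = {}
    for sbom in sboms:
        if sbom.vendor == report.reporting_vendor:
            continue
        if any(is_affected(c, report) for c in sbom.components):
            hits.setdefault(sbom.vendor, []).append(sbom.product)
    return hits


def build_notice(vendor: str, products: List[str], report: VulnReport) -> dict:
    """Notice to one vendor: its own products, the component, and the
    affected range. The reporting vendor's identity is deliberately not
    included, so the notice discloses only what the recipient needs."""
    return {
        "vendor": vendor,
        "products": sorted(products),
        "component": report.component_purl,
        "affected_from": report.introduced,
        "fixed_in": report.fixed,
    }


# Constructed SBOMs "on file" with the program.
SBOMS_ON_FILE = (
    ProductSBOM("VendorA", "Relay-100", (
        Component("pkg:generic/acme/modbus-stack", "2.3.1"),
        Component("pkg:generic/example/tls-lib", "1.1.1"))),
    ProductSBOM("VendorB", "RTU-9", (
        Component("pkg:generic/acme/modbus-stack", "2.4.0"),)),
    ProductSBOM("VendorC", "HMI-X", (
        Component("pkg:generic/acme/modbus-stack", "1.9.0"),)),
    ProductSBOM("VendorD", "Gateway-7", (
        Component("pkg:generic/acme/modbus-stack", "2.3.5"),)),
)

# Constructed report: VendorA reports a flaw in modbus-stack 2.0.0 through
# 2.3.x, fixed in 2.4.0.
REPORT = VulnReport("VendorA", "pkg:generic/acme/modbus-stack", "2.0.0", "2.4.0")

# Same component, reported by VendorD, with no fix available yet.
REPORT_NO_FIX = VulnReport("VendorD", "pkg:generic/acme/modbus-stack", "2.0.0", None)


if __name__ == "__main__":
    for rep in (REPORT, REPORT_NO_FIX):
        for vendor, products in vendors_to_notify(SBOMS_ON_FILE, rep).items():
            print(build_notice(vendor, products, rep))
```

For the first report only VendorD is notified: VendorA is the reporter, VendorB ships the fixed version, and VendorC's version predates the flaw. For the unfixed report, VendorA and VendorB are both notified because an open-ended range has no upper bound. Real SBOM ingestion would also need to handle non-numeric version schemes and the version-in-purl convention, which this example keeps separate for clarity.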

For a more detailed analysis of this legislation see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2928-introduced (subscription required).
