Saturday, July 10, 2021

S 2199 Introduced - Cyber Sense Act

Last month, Sen Rosen (D,NV) introduced S 2199, the Cyber Sense Act of 2020 (yep, it says 2020). The bill would require DOE to “establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system”. The bill is similar to HR 2928, which was adopted by the House Energy and Commerce Committee without amendment.

Definitions

Section 2(a) of the bill provides the definitions for four critical terms used in the bill (these definitions are not laid out in HR 2928; there the terms are defined in passing), two of them by reference to existing definitions. There are no cybersecurity-related definitions provided.

Program Established

Sections 2(b) and 2(c) in this bill are essentially identical to §2(a) and §2(b) respectively in the House bill. The only difference is that the House bill keeps referring to the ‘Cyber Sense Program’ where the Senate bill uses the term ‘Program’ after defining that in §2(a)(3) as meaning the ‘Cyber Sense Program’ established in §2(b).

Moving Forward

While Rosen is not a member of the Senate Energy and Natural Resources Committee, the committee to which this bill was assigned for consideration, three of her four cosponsors (Sen Hoeven (R,ND), Sen King (I,ME), and Sen Risch (R,ID)) are members, and Hoeven is the Ranking Member of the Energy Subcommittee. This means that there is probably sufficient influence to see this bill considered in Committee.

The House version of this bill received bipartisan support and I would expect to see the same in Committee in the Senate. The problem remains moving the bill to the floor of the Senate. The bill is not important enough to be considered under regular order (debate, amendments, and, of course, two separate cloture votes) and I suspect that there would be sufficient opposition to stop consideration under the unanimous consent process.

The only way this bill is moving forward in the Senate is attached to some other must-pass piece of legislation.

Commentary

In my Substack post on HR 2928, I addressed my concerns about the information sharing restrictions in what is §2(d) in this bill. Many pieces of control system equipment are used outside of the bulk power system, and restricting those outside that system from being notified of vulnerabilities is just not fair.

In my post on this blog, I talked about adding a software bill of materials requirement to the House version of this bill. My interest in seeing that done remains.
