Last month, Sen Peters (D,MI) introduced S 2439, the DHS Industrial Control Systems Capabilities Enhancement Act. The bill is nearly identical to the version of HR 1833 which passed in the House on July 20th, 2021. The bill is currently scheduled to be considered by the Senate Homeland Security and Governmental Affairs Committee on Wednesday.
I made the following point in my post on HR 1833 that is also applicable to this bill:
“First off, it should be obvious to those that follow the control system security activities of CISA that this bill does not actually cause the Agency to undertake any new actions. It merely codifies the authority of CISA to do what it has been doing for quite some time. That could, however, be important in any period of budget constraint; agencies would be more likely to cut back programs and processes that have not been specifically authorized by Congress.”
I also made comment about my favorite topic definition of terms:
“As I was with HR 5733 [version of this bill in the 116th Congress, link added], I am concerned that the bill did not modify the subsection (c), Functions, portion of §659 to specifically address the industrial control system support outlined in the new subsection (p). While there are numerous mentions of similar cybersecurity responsibilities, all of the mentions include using terms defined in §659(a) that rely on the IT restrictive definition of information systems. If Congress is not going to address those definitional issues (and that is probably considered by the crafters of this bill as being beyond the scope of the legislation) then they should have included adding a subsection to §659(c) like this:
“(12) supporting the cybersecurity
operations of industrial control systems as outlined in (p).”
No comments:
Post a Comment