Thursday, March 31, 2022

Senate HSGA Committee Amends and Approves 2 Cybersecurity Bills

Yesterday, the Senate Homeland Security and Governmental Affairs Committee held a business meeting looking at eight nominations, eleven postal naming bills, and eleven other bills. Two of those ‘other bills’ dealt with cybersecurity issues:

S 3511, Satellite Cybersecurity Act, and

S 3904, Healthcare Cybersecurity Act of 2022.

Sen Peters (D,MI) offered substitute language for S 3511. That substitute language was subsequently modified, and Sen Ossoff offered another amendment that was also adopted.

Similar actions were taken with respect to S 3904. The substitute language, subsequent modification, and new amendment were all proposed by Sen Rosen (D,NV).

All of the above actions were approved by an en bloc voice vote. Unfortunately, the Committee does not provide copies of substitute language or amendments, so we have no way of knowing what changes were actually made. We will have to wait for the Committee Report.

Review – 7 Advisories and 2 Updates Published – 3-31-22

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Rockwell Automation (2), General Electric Renewables, Mitsubishi Electric, Fuji Electric, Hitachi Energy, and Schneider Electric. They also updated two advisories for products from Mitsubishi and PTC.

Rockwell Advisory #1 - This advisory describes a code injection vulnerability in the Rockwell Studio 5000 Logix Designer.

Rockwell Advisory #2 - This advisory describes an inclusion of functionality from an untrusted control sphere vulnerability in the Rockwell Logix Controllers.

Commentary: Claroty’s report on both of these vulnerabilities makes an important point about these (and previously-reported similar vulnerabilities in other vendor PLCs):

“Successful stealthy exploits of programmable logic controllers (PLCs) are among the rarest, most time-consuming, and investment-heavy attacks. Stuxnet’s authors established the playbook for hacking PLCs by figuring out how to conceal malicious bytecode running on a PLC while the engineer programming the controller sees only normalcy on their engineering workstation. Without advanced forensics utilities, the execution of such malicious code cannot be discovered. [emphasis added]”

General Electric Advisory - This advisory describes six vulnerabilities (one third-party vulnerability with known exploit) in the General Electric MDS iNET/iNETII/SD/TD220/TD220MAX Radios.

Mitsubishi Advisory - This advisory describes six vulnerabilities in the Mitsubishi FA CPU module products.

Fuji Advisory - This advisory describes five vulnerabilities in the Fuji Alpha5 servo drive system.

NOTE: I reported on four of the five ZDI advisories that form the basis for this advisory back in October, 2021. Those advisories were recently updated (March 23, 2022) to include the CVE numbers.

Hitachi Energy Advisory - This advisory describes four vulnerabilities in the Hitachi Energy e-mesh EMS optimizer software for energy resources.

NOTE: I briefly reported on the underlying Hitachi Energy advisory on January 15th, 2022. This advisory is based on the recent update that revised the CVSS Base Score and Vector.

Schneider Advisory - This advisory describes an improper restriction of XML external entity reference in the Schneider SCADAPack Workbench software.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on October 29th, 2020 and most recently updated on January 13th, 2022.

PTC Update - This update provides additional information on an advisory that was originally published on March 8th, 2022 and most recently updated on March 15th, 2022.


For more details on these advisories, including links to researcher reports, third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-2-updates-published - subscription required.

Review - HR 7174 Introduced – NCFI Reauthorization

Earlier this month, Rep Slotkin (D,MI) introduced HR 7174, the National Computer Forensics Institute Reauthorization Act of 2022. The bill would reauthorize the Secret Service’s NCFI through 2032 and expand the scope of responsibilities for the Institute. It would make several changes to 6 USC 383, including adding a list of definitions of key terms. The bill does not include authorization for expenditures to support these changes.

Moving Forward

Slotkin and a number of her 14 cosponsors {including Chairman Thompson (D,MS) and Rep McCaul (R,TX)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there is certainly sufficient influence to see this bill considered in Committee. This bill will certainly be approved in Committee by a substantial bipartisan majority. The bill will likely be considered in the full House under the suspension of the rules process.

Commentary

The addition of the three definitions to the bill ensures that control system security issues fall within the scope of the NCFI. But it does point out once again that there is a disconnect in cybersecurity definitions in the US Code. Here, for example, the bill uses the control system inclusive definition of the term ‘information system’ while also defining the term ‘incident’ by reference to a section of 6 USC that uses the IT restrictive definition of that term. Technically, that means that in this section wherever the term ‘information system’ is used it includes control systems, but where the term ‘incident’ is used control systems are excluded. I have discussed this problem many times before, but most explicitly here.

For more details on the provisions of this bill, including a look at the expanded responsibilities for NCFI, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7174-introduced - subscription required.

Bills Introduced – 3-30-22

Yesterday, with both the House and Senate in session, there were 52 bills introduced. One of those bills will receive additional attention in this blog:

HR 7302 To impose sanctions with respect to designated critical cyber threat actors, and for other purposes. Rep. Pfluger, August [R-TX-11]

Wednesday, March 30, 2022

House Disagrees with Senate Amendment to HR 4521 – Competes Act

The House considered the Senate’s Amendment to H.R. 4521, the America COMPETES Act, that was passed earlier this week. Under the unanimous consent process, the House disagreed with the Senate amendment and requested a conference with the Senate to work out the differences between the two versions of the bill.

HR 6865 Passed in House – FY 2022 CG Authorization

Yesterday, the House took up HR 6865, the Don Young Coast Guard Authorization Act of 2022, under the suspension of the rules process. The bill passed by a reasonably bipartisan vote of 378 to 46. The version of the bill published in the Congressional Record as part of the record (pgs H3901-19) of yesterday’s debate was not the same version as was reported yesterday by the House Transportation and Infrastructure Committee. The most obvious difference is the insertion of a new TITLE IV—Federal Maritime Commission. I will be able to tell better what other changes were made to the bill before the vote when Congress.gov publishes the engrossed version of the bill.

The debate was interesting as there was actually some opposition voiced to some of the provisions of the bill. Representatives Auchincloss (D,MA), Rouzer (D,MA) and Keating (D,MA) objected (pgs H3921-2) to provisions that would interfere with access to wind turbine installation vessels for current and future development of offshore wind projects. Specifically, they asked to have those provisions revised during conference with the Senate. Rep DeFazio (D,OR) assured them (pg H3922) that he would work with them to see their concerns addressed in Conference.

The one pipeline protection measure that I discussed earlier remains in the bill, but it is now found at §502, Providing requirements for vessels anchored in established anchorage grounds.

Review - S 3904 Introduced – Healthcare Cybersecurity

Last week, Sen Rosen (D,NV) introduced S 3904, the Healthcare Cybersecurity Act of 2022. The bill would task the Cybersecurity and Infrastructure Security Agency (CISA) with specific responsibilities for supporting the Department of Health and Human Services (HHS) efforts to improve cybersecurity practices within the Healthcare and Public Health Sector. No funding is authorized in this bill.

Moving Forward

Rosen and one of her two cosponsors {Sen Hassan (D,NH)} are members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that this bill would receive bipartisan support in Committee.

The bill is unlikely to make it to the floor of the Senate under regular order. There is a remote possibility that the bill could be taken up by the Senate under the unanimous consent process. The most likely way the bill would move forward would be for it to be included as part of a larger piece of legislation, perhaps as an amendment.

Commentary

In many ways this is just another feel good cybersecurity bill that would make it look like Congress was taking action on a very real problem. The study required in the bill would be the most helpful component of the legislation, but CISA is not required to present it to Congress, which would have to take legislative action to approve additional funding or program authorizations to allow HHS to take significant actions to improve healthcare cybersecurity. And the bill only ‘allows’ HHS to consider the provisions in the report when updating the Healthcare and Public Health Sector Specific Plan. It does not require an update or mandate that the recommendations made be considered when an update is completed. There is not even a requirement for a follow-up GAO report.

The biggest ‘feel good without doing anything of significance’ actions in the bill have to do with the two requirements dealing with Cyber Security Advisors: training and incident response. CSAs are a very limited resource within CISA, with only four or five available per region. At most they are only going to be able to provide corporate level cybersecurity-overview training or ‘report back to CISA’ incident response reviews. And even that will be limited as they are also required to support all of the other critical infrastructure sectors as well.

For more details about the requirements of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3904-introduced - subscription required.

Tuesday, March 29, 2022

S 2629 Passed in House – Cybercrime Metrics

This evening, the House completed their consideration of S 2629, the Better Cybercrime Metrics Act by a moderately bipartisan vote of 37 to 48. They held their debate on the bill yesterday under the House suspension of the rules process.

Normally, the debate on a bill being considered under the suspension of the rules process is mainly congratulating the Committee leadership on the bipartisan process that led to successful development and adoption of the legislation. While there was a certain amount of that in this debate, there was some actual opposition voiced in yesterday’s debate. Rep Bentz (R,OR) complained about the lack of hearings on either this bill or its companion legislation HR 4977 in the House. Both bills were considered in their respective committees and reported favorably without written report. This means that there is no record of investigational hearings on the record for either bill.

In response, Rep Jackson-Lee added four articles to the record:

Cybercrime Predictions for 2022: Deepfakes, Cryptocurrencies, and Misinformation - by Maya Horowitz,

HO, HO, HO, HOLIDAY SCAMS! - by Beth Anne Steele,

Without Major Changes, More Americans Could be Victims of Online Crime - by Rep. Abigail Spanberger (D–VA),

U.S. Military Has Acted Against Ransomware Groups, General Acknowledges - by Julian E. Barnes

The bill now goes to the President, who will almost certainly sign the bill.

Review – 5 Advisories and 1 Update Published – 3-29-22

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Modbus, Hitachi Energy, Omron and Rockwell Automation. They also published a medical device security advisory for products from Philips. Finally, they updated an advisory for products from Delta Electronics.

Modbus Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Modbus Tools Modbus Slave.

Hitachi Energy Advisory - This advisory describes four vulnerabilities in the Hitachi Energy LinkOne WebView enterprise graphical parts catalog.

NOTE: I briefly reported on these vulnerabilities in December 2021.

Omron Advisory - This advisory describes four vulnerabilities in the Omron CX-Position position control software.

Rockwell Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Rockwell ISaGRAF workbench products.

Philips Advisory - This advisory describes a missing authentication for critical function vulnerability in the Philips e-Alert MRI system monitoring platform.

Delta Update - This update provides additional information on an advisory that was originally published on March 22nd, 2022.


For more details on these advisories, including links to researcher advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-559 - subscription required.

Review - EPA’s Worst-Case Discharge NPRM – Affected Facilities

As I reported on Sunday, the EPA has published a notice of proposed rulemaking (NPRM) for “Clean Water Act Hazardous Substance Worst Case Discharge Planning Regulations”. This is the initial post in providing a detailed look at the provisions of that NPRM. These posts will provide the basis for comments that I will be submitting as part of the public comment process for this rulemaking.

Facility Coverage

As I reported on Sunday, a facility would be subject to the planning requirements of this proposed rule if it met three requirements:

Threshold quantity,

Proximity to navigable waters, and

Substantial harm criteria.

Hazardous Substance Threshold

In this rulemaking, the amount of a hazardous substance that triggers the possibility of the applicability of the planning requirements (threshold quantity) outlined in the rule is a ‘maximum capacity on site’ for each hazardous substance of 10,000 times its reportable quantity (RQ). Thus, if a chemical has an RQ of 1-lb (ethylene dibromide for example), the threshold quantity would be a maximum capacity on site of 10,000-lbs. If the RQ were 5,000-lbs (formic acid for instance) the threshold quantity would be 50,000,000-lbs of maximum capacity on site.

Proximity to Navigable Waters

For facilities that meet the threshold quantity standards, the next requirement that needs to be looked at is the proximity to navigable waters. Most facilities that are on the waterfront of navigable waters are going to be marine transportation-related facilities, and thus subject to the Coast Guard regulations, not EPA’s. In this rulemaking, the EPA is targeting facilities meeting threshold quantity requirements that are within ½ mile of a navigable waterway or a “conveyance to navigable water”.

Substantial Harm Criteria

A facility that meets both the threshold and proximity criteria would be required to perform the worst-case planning requirements of this rulemaking if it meets any one of the four ‘substantial harm’ criteria outlined in the new 33 CFR 118.3. Those criteria are:

• Ability to cause injury to fish, wildlife, and sensitive environments,

• Ability to adversely impact a public water system,

• Ability to cause injury to public receptors, or

• Reportable discharge history

A more detailed discussion of the ‘substantial harm’ criteria can be found in the next post in this series.

For more details on the above discussion, including background material, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epas-worst-case-discharge-nprm - subscription required.

HR 4521 Passed in Senate – COMPETES Act

Yesterday, the Senate completed their consideration of H.R. 4521, the America COMPETES Act. The Senate closed debate on the substitute language based on S 1260 and passed the bill by identical votes of 68 to 28. The bill goes back to the House for consideration of the Senate’s changes to the bill. The House is likely to insist on their language, which would send the bill to a conference committee to work out the differences.

Monday, March 28, 2022

S 3885 Introduced – Non-Public Information

Last week, Sen Hagerty (R,TN) introduced S 3885, the No Government Contracts for Known Leakers Act of 2022. The bill would prohibit the letting of government contracts with persons or entities that had previously released ‘non-public’ information to unauthorized personnel.

The bill only defines three terms (‘entity’, ‘person’, and ‘unauthorized person’). The most important term in the bill, ‘non-public information’, is left undefined. Presumably the term refers to classified and sensitive but unclassified information, but it could be interpreted to include any information that was not specifically made public.

While the bill is supposed to punish ‘leakers’ by disallowing their access to Federal contracts, the only actual punishment specifically mentioned in the bill is the $50,000 fine for the natural person who lets a federal contract to an entity that previously released ‘non-public’ information. The language in §2(b) even forgoes the typical legal waffle language of ‘knowingly violates’ or ‘willfully violates’. Nor is there any requirement for the leaker to have been convicted of releasing the ‘non-public’ information, or even to be aware that the information was ‘non-public’.

Hagerty is not a member (nor are his two Republican cosponsors) of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there is unlikely to be sufficient influence to see the bill considered in Committee. I do not expect that there would be sufficient support in Committee to adopt the bill because of the obvious problems discussed above. The bill will have no chance of making it to the floor of the Senate in anything approaching its current form.

I suspect that this is just another of those bills crafted by Staff to satisfy financial supporters of the sponsoring congresscritters.

Committee Hearings – Week of 3-27-22

This week with both the House and Senate in session, there is a nearly normal hearing schedule. The FY 2023 spending process starts with the presentation of the President’s budget. There will be one markup hearing that includes cybersecurity legislation. There will also be two hearings of interest here, one on critical infrastructure cybersecurity and one on DHS counter-drone operations.

FY 2023 Budget Hearings

• Tuesday – House Budget Committee

• Wednesday – Senate Budget Committee

Cybersecurity Markup

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting. In addition to eight nominations to consider, the Committee will take up eleven postal naming bills and eleven ‘normal’ pieces of legislation. One of the latter is S 3511, the Satellite Cybersecurity Act. Do not expect much discussion; whatever issues exist in this Committee are normally dealt with behind closed doors, but amendments are possible.

Cyber Threat Hearing

On Wednesday, The House Homeland Security Committee will hold a hearing on “Mobilizing Our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats”. The witness list includes:

• Adam Meyers, Crowdstrike,

• Mr. Steve Silberstein, CEO, Financial Services-ISAC,

• Kevin Morley, American Water Works Association

It will be interesting to hear the private sector point of view on this topic after all of the warnings from various Federal agencies over the last couple of weeks.

Counter-Drone Operations

On Thursday, there will be a joint hearing of two Subcommittees of the House Homeland Security Committee looking at “Assessing the Department of Homeland Security's Efforts to Counter Unmanned Aircraft Systems”. The witness list includes:

• Samantha Vinograd, Office of Strategy, Policy, and Plans,

• Rear Admiral Scott W. Clendenin, USCG,

• Austin Gould, TSA,

• Dennis J. Michelini, U.S. Customs and Border Protection

The last witness was added by the Republicans. They will be using Michelini’s testimony to attack the President’s ‘lack of action on the Southern Border’. Just a reminder, DHS has very limited authority to conduct counter-drone operations.

On the Floor

The major bill in the House this week will be HR 3617, the Marijuana Opportunity Reinvestment and Expungement (MORE) Act. It will come to the floor later in the week, so the House will have time to consider a total of 17 bills under their suspension of the rules process. Those bills include:

S 2629 – the Better Cybercrime Metrics Act, and

HR 6865 – the Don Young Coast Guard Authorization Act of 2022.

The Senate is scheduled to finish up action on HR 4521 this evening. While many things could happen to delay the final vote, I suspect that the Senate will adopt the substitute language this evening. Then the conference process will begin to iron out the major differences in the two bills. The final bill will be larger than either of the two alternatives and will almost certainly contain both sets of cybersecurity provisions.

Sunday, March 27, 2022

Review - S 3830 Introduced – Right-to-Repair

Earlier this month, Sen Lujan (D,NM) introduced S 3830, the Fair Repair Act. The bill would establish a requirement for original equipment manufacturers to make available “documentation, parts, and tools, inclusive of any updates to information or embedded software” for the purpose of diagnosis, maintenance or repair of equipment sold or used in the United States. It would also make the Federal Trade Commission the agency responsible for enforcement of the requirement. The bill is very similar to HR 4006 that was introduced in June. No action has been taken on that bill.

Moving Forward

Lujan is an influential member of the Senate Commerce, Science, and Transportation Committee, to which this bill was assigned for consideration, as is one of his two cosponsors {Sen Lummis (R,WY)}. This means that there should be sufficient influence to see this bill considered in Committee. There will be some opposition to this bill from many manufacturers, but I suspect that there will be sufficient bipartisan support for this bill to be adopted in Committee.

The bill is unlikely to make it to the floor of the Senate under regular order; it is just not important enough. The bill would draw sufficient opposition to ensure that it would not be considered under the unanimous consent process. The only way this bill would make it to the floor is as an amendment to some more important bill.

Commentary

The comments that I made about the ‘security-related function’ provisions of the House bill apply equally well to this version of the bill.

While this bill (and the House version) does make an effort to provide support for repairs of digital equipment by owners and independent repair providers, the lack of definition of the terms ‘diagnosis, maintenance, or repair’ means that making changes to software not approved by the OEM will still be able to be restricted as copyright infringement.

For more details about the provisions of this legislation, and its differences from HR 4006, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3830-introduced - subscription required.

Review - EPA Publishes Worst Case Discharge NPRM

The EPA published a notice of proposed rulemaking (NPRM) in Monday’s (available online yesterday) Federal Register (87 FR 17890-17935) for “Clean Water Act Hazardous Substance Worst Case Discharge Planning Regulations”. The proposed rule would implement the mandate in 33 USC 1321(j)(5)(A)(i) for regulations that would require “an owner or operator of a tank vessel or facility… to prepare and submit to the President a plan for responding, to the maximum extent practicable, to a worst case discharge, and to a substantial threat of such a discharge, of oil or a hazardous substance.” The EPA would be required to approve plans.

This NPRM is being published in accordance with a Consent Decree between the Trump Administration’s EPA and the Environmental Justice Health Alliance for Chemical Policy Reform. According to that agreement (pg 3), this NPRM was to be published by April 4th, 2022, and the final rule is to be published by October 18th, 2024. The draft of this NPRM was sent to the OMB for review on January 24th, 2022.

Soliciting Comments

The EPA is soliciting public comments on this rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # EPA-HQ-OLEM-2021-0585). Comments should be submitted by May 27th, 2022.

For more information on the outline of the proposed regulatory requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-worst-case-discharge - subscription required. There are a lot of details in this rulemaking. I will be addressing many of those in future posts.

Saturday, March 26, 2022

CRS Reports – Cyber Supply Chain Risk Management

This week the Congressional Research Service (CRS) published a report on “Cyber Supply Chain Risk Management: An Introduction”. This is an overview-type report without links or footnotes to the associated reference material.

The report does note that there are two different components to supply chain security for cyber related products. Traditional supply chain concerns relate to the uninterrupted access to products and services. That remains a concern when discussing supply chain for cyber products. An additional concern is that vendors (or actors making changes to products after manufacturing) could adulterate a cyber product with vulnerabilities that could pose a cyber threat to end users. This report does not discuss a third component to cyber supply chain risk, the existence of unrecognized vulnerabilities in third-party components of the products.

This report focuses on information technology and communications technology products, but the same supply chain risks exist in operational technology products.

The report closes with a discussion about potential items of interest to Congress:

• Clarity of Responsibility,

• Increased Awareness,

• Oversight,

• Prohibition on Specific Companies, and

• Single Evaluator

Review – Public ICS Disclosures – Week of 3-19-22

This week we have fourteen vendor disclosures from Baxter, Bosch, Endress+Hauser, HP (2), Moxa, Philips, Phoenix Contact (2), SonicWall, Splunk, VMware, and Western Digital (2). We also have five vendor updates from HP (2), Mitsubishi, Spacelabs, and Yokogawa. Finally, we have two researcher reports for vulnerabilities in products from Integrated Control Technology (2).

Baxter Advisory - Baxter published an advisory discussing the Access:7 vulnerabilities.

Bosch Advisory - Bosch published an advisory discussing an improper restriction of XML external entity reference vulnerability in their Fire Monitoring System products.

Endress+Hauser Advisory - CERT VDE published an advisory discussing an out-of-bounds write vulnerability in a number of Endress+Hauser products.

HP Advisory #1 - HP published an advisory discussing a denial-of-service/RCE vulnerability in a number of their corporate printer products.

HP Advisory #2 - HP published an advisory describing a buffer overflow vulnerability in a number of their corporate printer products.

Moxa Advisory - Moxa published an advisory discussing a default password vulnerability in unnamed products.

Philips Advisory - Philips published an advisory discussing a Windows® IKE Extension vulnerability.

Phoenix Contact Advisory #1 - Phoenix Contact published an advisory discussing two vulnerabilities with publicly available exploits in their PLCnext Technology Toolchain and FL Network Manager products.

Phoenix Contact Advisory #2 - Phoenix Contact published an advisory discussing fifteen vulnerabilities with publicly available exploits in their PROFINET software development kit (SDK).

SonicWall Advisory - SonicWall published an advisory describing a stack-based buffer overflow vulnerability in their SonicOS.

Splunk Advisory - Splunk published an advisory describing an out-of-bounds read vulnerability in their Enterprise products.

Commentary – It seems like Claroty is going to continue to look at vulnerabilities in the cybertools used by security researchers. Their first report in this area was on vulnerabilities in Wireshark products though they did not publicly report on those vulnerabilities. It seems that the folks developing security tools are subject to the same software development problems that researchers find in industrial control systems.

VMware Advisory - VMware published an advisory describing two vulnerabilities in their Carbon Black App Control.

Western Digital Advisory #1 - Western Digital published an advisory discussing an out-of-bounds read/write vulnerability with publicly available exploits in their My Cloud OS 5 devices.

Western Digital Advisory #2 - Western Digital published an advisory discussing seven vulnerabilities (including 1 publicly available exploit) in their My Cloud products.

HP Update #1 - HP published an update for their UEFI firmware advisory that was originally published on February 2nd, 2022.

HP Update #2 - HP published an update for the PC BIOS advisory that was originally published on March 8th, 2022.

Mitsubishi Update - Mitsubishi published an update for their FragAttacks advisory that was originally published on September 2nd, 2021.

Spacelabs Update - Spacelabs published an update for their Access:7 advisory that was originally published on March 15th, 2021.

Yokogawa Update - Yokogawa published an update for their license function advisory that was originally published on January 14th, 2022.

ICT Reports - Zero Science published two reports about vulnerabilities (with publicly available exploits) in the ICT Protege GX integrated access control, intrusion detection and building automation solution.


For more details about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-db0 - subscription required.

Friday, March 25, 2022

Review - HR 7138 Introduced – IoT Supply Chain Security

Last week, Rep Obernolte (R,CA) introduced HR 7138, the Protecting Against Compromised Internet of Things Technology Act. The bill would require the DOC’s Bureau of Industry and Security to submit (and periodically update) to the End-User Review Committee a list of foreign persons that “pose a threat to the security of supply chains of Internet of Things devices”.

Moving Forward

While Obernolte is not a member of either the House Foreign Affairs or Oversight and Reform Committee, the two committees to which this bill was assigned for consideration, his sole cosponsor {Rep Jacobs (D,CA)} is a member of the Foreign Affairs Committee. This means that there may be enough influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. If the bill were introduced in Committee, I would expect that there would be significant revisions made to make the bill more effective (see ‘Commentary’), that could change the potential for support.

Commentary

This bill does not actually appear to accomplish anything. The definition of the term ‘covered foreign person’ limits the people that could be affected by a suggested listing by BIS to overseas vendors of IoT devices. These are not typically the people that we are concerned with when it comes to endangering the security of IoT supply chains. If, for some reason, they do endanger that supply chain security, we prohibit people in this country from selling items to the affected vendors. That means that the federal government would be adversely impacting the supply chain of those IoT vendors, which further threatens the supply chain that started the whole thing into motion.

I do not see any simple fix for this problem without defining ‘security of supply chains’ and then describing what actions might endanger that security. I would like to suggest that the definition should specifically address software security requirements.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - - subscription required.

Senate Continues Debate on HR 4521 – 3-24-22

Yesterday, the Senate continued their consideration of HR 4521, the America Competes Act. No votes were taken. A unanimous consent agreement (pg S1767) was reached to allow the cloture vote on the substitute language amendment to proceed on Monday evening. If that vote succeeds, the Senate will immediately proceed to an actual vote on the amendment and then on the amended bill. No new amendments have been offered.

Thursday, March 24, 2022

Review – 2 Advisories Published – 3-24-22

Today, CISA’s NCCIC-ICS published two control system security advisories for products from mySCADA and Yokogawa.

mySCADA Advisory - This advisory describes a command injection vulnerability in the mySCADA myPRO HMI /SCADA products.

Yokogawa Advisory - This advisory describes ten vulnerabilities in the Yokogawa CENTUM and Exaopc products.

NOTE: This advisory is based upon an advisory that was originally published by Yokogawa on January 7th, 2022 and subsequently updated on February 9th, 2022.


For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-3-24-22 - subscription required.

Senate Continues Debate on HR 4521 – 3-24-22

Yesterday, the Senate continued their consideration of HR 4521, the America Competes Act. The Senate agreed to the motion to proceed to debate HR 4521 by a vote of 66 to 31. The Senate is considering the substitute language introduced earlier this week. A cloture motion to close debate on that amendment was filed yesterday with a vote scheduled for Friday. If agreed to, the Senate will immediately vote on a cloture motion for the full bill.

There were seven amendments (SA 5003 to SA 5009) to the substitute language filed yesterday. None of them are substantive; they were submitted by Sen Schumer (D,NY) to ‘fill the amendment tree’, limiting the amendments that could be offered on substitute language.

A final vote on the bill is not likely this week. It would need a unanimous consent agreement to avoid having to wait for the post-cloture time to run out before voting on the substitute language and the final bill. There is enough opposition to the bill to ensure that someone would object to such an agreement.

Bills Introduced – 3-23-22

Yesterday, with just the Senate in session, there were seven bills introduced. One of those bills may receive additional coverage in this blog:

S 3904 A bill to enhance the cybersecurity of the Healthcare and Public Health Sector. Sen. Rosen, Jacky [D-NV]

I will be watching this bill for language and definitions that would include the cybersecurity of medical devices within the scope of the bill.

Wednesday, March 23, 2022

Review - HR 2471, Division B, CJS Provisions – FY 2022 Spending

In this post, I am looking at Division B of HR 2471, the Consolidated Appropriations Act, 2022. Division B is the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2022. This equates with HR 4505 that was introduced in July of last year, but was never considered in the House.

As with most spending bills, the details of interest about the spending levels and program instructions from the House and Senate Appropriations Committees are found in the Joint Explanatory Statement (JES) for the Division. The JES acknowledges the program requirements of the Committee Report on HR 4505, and continues most of those requirements while adding some new instructions.

Spending

The table below shows the spending for FY 2022 for four agencies covered by Division B that are frequently mentioned in this blog. Each agency received more funding than they did in FY 2021, but less than the House proposed in HR 4505. There was no Senate bill introduced for this fiscal year to compare against.

Spending in 1,000s

| Agency | HR 2471 | Δ from 2021 | Δ from HR 4505 |
|---|---|---|---|
| BIS | $141,000 | +$8,000 | -$2,410 |
| NTIA | $50,000 | +$4,500 | -$29,000 |
| NIST | $1,230,063 | +$195,563 | -$139,007 |
| NSF | $8,838,000 | +$351,241 | -$796,036 |

For more details on Division B cybersecurity issues, including new program instructions from the House and Senate appropriators, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2471-division-b-cjs-provisions - subscription required.

Senate Continues Consideration of HR 4521 – COMPETES Act

Yesterday, the Senate continued their debate on HR 4521, the America COMPETES Act. A vote will be held this morning on proceeding to vote on amendments to the bill. To date, only one amendment has been offered, SA 5002. That amendment would provide substitute language for the bill that would essentially substitute the language from S 1260 that had previously been adopted by the Senate, but not taken up by the House.

The Senate is likely to finish work on the bill late this week. The House would then have to decide if it would accept the revised Senate language or go to conference to work out the differences in the bill. I expect that the House will demand a conference, otherwise they would just have taken up S 1260. This could delay the completion of action on this bill for weeks.

Bills Introduced – 3-22-22

Yesterday, with just the Senate in session, there were 18 bills introduced. One of those bills may receive additional coverage in this blog:

S 3894 A bill to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to establish a continuous diagnostics and mitigation program in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes. Sen. Cornyn, John [R-TX]

I will be watching for language and definition that would allow CISA to include non-governmental entities in the scope of the program. I suspect that this will only apply to Federal government agencies.

Tuesday, March 22, 2022

Review - PHMSA to Establish FAQs for HMR

Today, DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice in the Federal Register (87 FR 16308-16310) requesting comments on “Hazardous Materials: Frequently Asked Questions--Applicability of the Hazardous Material Regulations.” It announces the intention of PHMSA to establish “an initiative to convert historical letters of interpretation (LOI) applicable to the Hazardous Materials Regulations that have been issued to specific stakeholders into broadly applicable frequently asked questions on its website.”

Initial FAQs

In this Notice, PHMSA is proposing to publish the following FAQs related to 49 CFR 171.1, Applicability of Hazardous Materials Regulations to Persons and Functions (the responses follow the question in the Notice):

(1) Question: Is a Federal, state, or local government agency subject to the HMR?

(2) Question: Are state universities subject to the HMR when transporting hazardous materials?

(3) Question: Is a hazardous material transported on private roads subject to the HMR?

(4) Question: Is a hazardous material subject to the HMR that only crosses a public road?

(5) Question: Are hazardous materials installed or used in or on a motor vehicle (e.g., gasoline in the motor vehicle's fuel tank) subject to the HMR?

(6) Question: Is the filling of a package with a hazardous material subject to the HMR if it is not being offered for transportation in commerce?

(7) Question: Are stationary (storage) tanks containing a hazardous material such as propane subject to the HMR?

(8) Question: Are hazardous materials being transported for personal use subject to the HMR?

(9) Question: Are privately-owned SCUBA tanks that are used for diving and marked as DOT specification cylinders subject to the HMR?

(10) Question: Are government-owned hazardous materials transported for government purposes by contractor personnel subject to the HMR?

(11) Question: Are gasoline cans transported by a landscaping company by motor vehicle subject to the HMR?

(12) Question: Are household hazardous wastes that are transported by a private person to a county drop-off facility subject to the HMR?

Solicitation of Public Comments

PHMSA is soliciting public comments on this initiative. They are looking for comments on potential benefits that could be seen as a result of this program, and suggestions for future FAQ topics.

Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2021-0109). Comments should be submitted by May 23rd, 2022.

For more information on the LOI process and new FAQ initiative, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-to-establish-faqs-for-hmr - subscription required.

Review – 1 Advisory and 1 Update Published – 3-22-22

Today, CISA’s NCCIC-ICS published both a control system security advisory and an update for a previously published advisory for products from Delta Electronics.

Delta Advisory - This advisory describes 17 vulnerabilities in the Delta DIAEnergie.

NOTE: Heinzl’s advisories (see here for example) provide a description of an extremely long coordination exercise with NCCIC-ICS to get Delta to complete work on the fix for these vulnerabilities.

Delta Update - This update provides additional information on an advisory that was originally published on August 26th, 2021 and most recently updated on December 16th, 2021.

For more details on these advisories, including links to researcher reports and reports on 12 additional SQL injection vulnerabilities in the products covered by today’s new advisory, see my article at CFSN Detailed Analysis - - subscription required.

Senate Votes to Proceed to Consideration of HR 4521 – COMPETES Act

Yesterday, the Senate voted to close debate on the motion to begin consideration of HR 4521, the America COMPETES Act of 2022. The vote was a moderately bipartisan 66 to 35. There have not yet been any amendments submitted for the bill.

The House passed the bill last month with a nearly party-line vote of 222 to 210. This level of Republican opposition would normally mean that there would be little chance of a successful cloture vote in the Senate. Seventeen Republican votes in the Senate yesterday versus 1 Republican vote in the House would seem to show that there is a much larger appetite in the Senate than in the House to consider support for technology (this bill is touted as a biotechnology bill, but there is support for other technology as well, including cybersecurity). Of course, the Senate did pass a similar bill last year (S 1260), but that bill contained significant anti-China provisions that would be expected to draw support from Republicans.

It will be interesting to see if any amendments to this bill are considered. That would require the bill to go back to the House for further consideration or would require a conference committee to work out the differences. I had suspected that the Senate would substitute language from S 1260 for the House language in this bill, and that is still a possibility.

BIS Sends Marine Toxins List to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a request for information from the DOC’s Bureau of Industry and Security (BIS) on “Commerce Control List: Proposed Controls on Certain Marine Toxins; Request for Comments”. According to the Fall 2021 Unified Agenda listing for this rulemaking:

“The Bureau of Industry and Security (BIS) is publishing this final rule to amend certain Export Control Classification Numbers (ECCNs) on the Commerce Control List (CCL) to reflect recent updates to the Australia Group (AG) Common Control Lists.”

That direct final rule is ‘forecast’ (Unified Agenda action dates are aspirational at best) to be published in October of this year. So, I would presume that this ‘request for comments’ is an attempt to find potential problem areas before the final rule is published. BIS has run into problems with more than one of their control list rulemakings because of unexpected issues being raised at the last minute because of the direct to final rule process used for implementing international agreements.

Bills Introduced – 3-21-22

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 26 bills introduced. One of those bills will receive additional attention in this blog:

S 3885 A bill to prohibit contracts with persons who have disclosed non-public United States Government information to unauthorized persons.  Sen. Hagerty, Bill [R-TN] 

I will be watching this one for definitions and language that might include this blog within the scope of the legislation. Yep, this may be personal (okay, not directed specifically against me, I am not that paranoid).

I have shared disclosures of a variety of sensitive but unclassified documents (For Official Use Only, Law Enforcement Sensitive Information, etc.) over the years. Under current rules that is not illegal; only the persons charged with protecting that data are prohibited from sharing it. To date, I have not been the initial public source for any of that information, but that has mainly been because I prefer to be able to provide links to source documents that I quote/discuss.

Sunday, March 20, 2022

S 3845 Introduced – Fire Investigations

Last week, Sen Gillibrand (D,NY) introduced S 3845, the Empowering the U.S. Fire Administration Act. The bill would amend the Federal Fire Prevention and Control Act of 1974 to authorize the United States Fire Administration to conduct investigations of major fires. No funding is authorized for this program. This is a companion (identical wording) bill to HR 7077 which was also introduced last week.

Moving Forward

Neither Gillibrand nor her sole cosponsor {Sen Schumer (D,NY)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This typically means that there is not enough influence to see this bill considered in Committee (yes, Schumer is the Majority Leader, but he typically does not exert that influence to see bills considered in Committees of which he is not a member). If the bill were considered in Committee, I suspect that it would receive significant bipartisan support.

There is a possibility that this bill could move to the floor of the Senate (particularly because of Schumer’s interest) under the unanimous consent process, but that could be blocked by a single Senator objecting to the bill. That objection would not need to be directly tied to concerns about the content of the bill, it is frequently used to pressure the Leadership to take action (or stop action) on other bills.

Review - HR 7077 Introduced – Fire Investigations

Earlier this week, Rep Torres (D,NY) introduced HR 7077, the Empowering the U.S. Fire Administration Act. The bill would amend the Federal Fire Prevention and Control Act of 1974 to authorize the United States Fire Administration to conduct investigations of major fires. No funding is authorized for this program.

Moving Forward

While Torres is not a member of the House Science, Space, and Technology Committee to which this bill was assigned for consideration, three of his nine cosponsors {Rep Stevens (D,MI), Rep Meijer (R,MI), Rep Gonzalez (R,OH)} are members. This means that there could be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition to the bill. I suspect that the bill would receive significant bipartisan support in Committee and could move to the floor of the House under the suspension of the rules process.

Commentary

There is nothing in the language of the bill that would specifically require investigation of fires at chemical facilities, or in which stored chemicals at a facility were substantially involved in a fire. The way this bill is set up, that language would have to be included in the regulations established by the Fire Administration.

While one might think that the Chemical Safety Board (CSB) would be the primary investigative agency for fires at a chemical facility, their focus is on the process and chemical issues that lead to the incident, not necessarily the effects of fires caused by the incident or the process of fighting the fires subsequent to an incident. In fact, the crafters of this legislation seemed to specifically have the CSB and their safety agency relative, the National Transportation Safety Board (NTSB), in mind when they included in the coordination language of both §35(b)(1) and §35(d) the phrase: “including Federal agencies that are authorized to investigate a major fire or an incident of which the major fire is a part.”

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7077-introduced – subscription required.

Saturday, March 19, 2022

OMB Approves PHMSA Pipeline Safety Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) for “Pipeline Safety: Amendments to Parts 192 and 195 to require Valve installation and Minimum Rupture Detection Standards.” The final rule was sent to OIRA for review on December 17th, 2021.

This rulemaking first showed up in the Spring 2014 Unified Agenda. The notice of proposed rulemaking (NPRM) was published on February 6th, 2020. I expect that we will see the final rule published this coming week.

GAO Reports – Counter Drone Technology

This week the Government Accountability Office published a report on “Counter Drone Technologies”. This is a very broad, non-technical look at the potential risks to critical infrastructure posed by unmanned aircraft and the potential technologies that could be used to counteract those risks. There is no real discussion about the legal implications of counter-drone technologies.

CRS Reports – Cybersecurity – Week of 3-12-22

This week the Congressional Research Service published a report on “Critical Infrastructure Security and Resilience: Countering Russian and Other Nation-State Cyber Threats”. The report provides an overview of federal and private sector activities related to cybersecurity. One odd point about this report is that there are no links or footnotes to the references used to prepare the report. This reduces the utility of the report.

Review - Public ICS Disclosures – Week of 3-12-22

A relatively slow week. This week we have nine vendor disclosures from Belden, Bosch, Draeger, Eaton, GE Healthcare, Johnson Controls, QNAP, Spacelabs, and Xylem. There are also four vendor updates from Carestream, FANUC, VMware, and Yokogawa. We also have two researcher reports for products from Leadtools and Broadcom. Finally, we have an exploit published for products from Hikvision.

Belden Advisory - Belden published an advisory discussing the FragAttacks WiFi vulnerabilities.

Bosch Advisory - Bosch published an advisory discussing an improper restriction of XML external entity reference in their Bosch Video Management Software (BVMS) products.

Draeger Advisory - Draeger published an advisory discussing the DirtyPipe vulnerability.

Eaton Advisory - Eaton published an advisory discussing the TLStorm vulnerabilities.

GE Healthcare Advisory - GE Healthcare published an advisory discussing the Dirty Pipe vulnerability.

Johnson Controls Advisory - Johnson Controls published an advisory describing a code injection vulnerability in their Metasys ADS/ADX/OAS Servers.

QNAP Advisory - QNAP published an advisory discussing the Dirty Pipe vulnerability. QNAP lists affected and non-affected products.

Spacelabs Advisory - Spacelabs published an advisory discussing the Access:7 vulnerabilities.

Xylem Advisory - Xylem published an advisory discussing two vulnerabilities in their Aquaview product.

Carestream Update - Carestream published an update for their Access:7 advisory that was originally published on March 8th, 2022.

FANUC Update - FANUC published an update for their Robot Controllers advisory that was originally published on December 16th, 2021.

VMware Update - VMware published an update for their NSX Data Center advisory that was originally published on February 15th, 2022.

Yokogawa Update - Yokogawa published an update for their CENTUM advisory that was originally published on March 10th, 2022.

Leadtools Report - Talos published a report describing an integer overflow or wraparound vulnerability in Leadtools 22.

Broadcom Report - Black Lantern Security published a report about two vulnerabilities in the Broadcom Brocade Fabric OS.

Hikvision Exploit - Sobhan Mahmoodi published an exploit for an authentication bypass vulnerability in Hikvision IP Cameras.


For more details about these disclosures, including links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-d15 - subscription required.

Bills Introduced – 3-18-22

Yesterday, with just the House in session, there were 36 bills introduced. One of those bills may receive additional attention in this blog:

HR 7174 To amend the Homeland Security Act of 2002 to reauthorize the National Computer Forensics Institute of the United States Secret Service, and for other purposes. Rep. Slotkin, Elissa [D-MI-8]

I will be watching this bill for language and definitions that would include industrial control systems within the scope of the Institute.

Friday, March 18, 2022

Senate Begins Consideration of HR 4521 – COMPETES Act

Yesterday, the Senate began consideration of HR 4521, the America COMPETES Act of 2022. A cloture vote was ordered for Monday evening on the motion to proceed to debate on the bill. No amendments were offered, which on bills like this is typically a sign that no one expects the debate to begin. The bill passed in the House on a very nearly party-line vote, so there are unlikely to be 60 votes to begin debate.

This ‘biotechnology bill’ quickly morphed into a major technology spending/regulation package similar in scope to S 1260 that was passed in the Senate. It does contain some interesting cybersecurity provisions.

Bills Introduced – 3-17-22

Yesterday, with the House and Senate both in session (and the Senate preparing to leave for the weekend), there were 73 bills introduced. Four of those bills may receive additional coverage in this blog:

HR 7138 To establish procedures to include certain foreign persons that pose a threat to the security of supply chains of Internet of Things devices on the Department of Commerce's Entity List, and for other purposes. Rep. Obernolte, Jay [R-CA-8]

S 3859 A bill to control the export of electronic waste in order to ensure that such waste does not become the source of counterfeit goods that may reenter military and civilian electronics supply chains in the United States, and for other purposes. Sen. Whitehouse, Sheldon [D-RI]

S 3863 A bill to require the Secretary of Veterans Affairs to obtain an independent cybersecurity assessment of information systems of the Department of Veterans Affairs, and for other purposes. Sen. Rosen, Jacky [D-NV]

S 3875 A bill to require the President to develop and maintain products that show the risk of natural hazards across the United States, and for other purposes. Sen. Peters, Gary C. [D-MI] 

HR 7138 will be covered in this blog.

I probably will not be covering S 3859, but there just may be something here worth looking at.

I am not really interested in VA cybersecurity (other than personally, since they maintain information on me), so S 3863 will probably not be covered here, but it raises an interesting mode of cybersecurity regulation that could be used to get around the resistance of many folks to regulations.

I will be watching S 3875 for language and definitions that would include chemical manufacturing facilities and transportation systems in the items that could be at risk of natural hazards.

Thursday, March 17, 2022

Review – 1 Update and 1 3rd Party Advisory Published

Today CISA’s NCCIC-ICS published an update for an advisory for products from Treck. CISA (separately from NCCIC-ICS) published an advisory for products from OpenSSL that is very likely to show up as a third-party advisory for products from various vendors.

Treck Update - This update provides additional information on an advisory that was originally published on June 16th, 2020 and most recently updated on August 20th, 2020.

NOTE #1: I discussed the ‘new’ PEPPERL+FUCHS advisory on August 21st, 2021.

OpenSSL Advisory - CISA briefly reports the OpenSSL advisory which describes an infinite loop vulnerability in the BN_mod_sqrt() function when parsing certificates.

NOTE: With so many industrial control systems using OpenSSL for a variety of security functions, I expect that we will be seeing this vulnerability being reported by multiple vendors as a third-party vulnerability.


For more details on these two advisories, including discussion about Ripple20 exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-update-and-1-3rd-party-advisory - subscription required.

Wednesday, March 16, 2022

Bills Introduced – 3-15-22

Yesterday, with both the House and Senate in session, there were 42 bills introduced. Three of those bills may receive additional attention in this blog:

HR 7077 To require the United States Fire Administration to conduct on-site investigations of major fires, and for other purposes. Rep. Torres, Ritchie [D-NY-15]

HR 7084 To amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes. Rep. Burgess, Michael C. [R-TX-26]

S 3845 A bill to require the United States Fire Administration to conduct on-site investigations of major fires, and for other purposes. Sen. Gillibrand, Kirsten E. [D-NY] 

I will be watching HR 7077 and S 3845 (which are probably companion bills) for language and definitions that would specifically include chemical facilities in the definition of ‘major fires’.

Tuesday, March 15, 2022

Review – 1 Advisory and 1 Update Published – 3-15-22

Today CISA’s NCCIC-ICS published a control system security advisory for products from ABB. They also updated an advisory for products from PTC.

ABB Advisory - This advisory describes an execution with unnecessary privileges vulnerability in the ABB OPC Server for AC 800M.

NOTE: I briefly discussed this vulnerability back on February 5th, 2022.

PTC Update - This update provides additional information on an advisory (Access:7) that was originally published on March 8th, 2022 and most recently updated on March 10th, 2022.


For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-1-update-published-ded - subscription required.

Review - HR 2471, Division F – CISA Provisions – FY 2022 Spending

Division F of HR 2471, the Consolidated Appropriations Act, 2022, is the Department of Homeland Security Appropriations Act, 2022. As with most annual spending bills, the language is very formulaic and changes little (other than the actual financial numbers) from year to year. The meat of the spending bill is found in the Joint Explanatory Statement (JES) provided by the negotiators (essentially a conference committee) of the final language of the bill. The JES for Division F can be found here. The JES also reaffirms the provisions of the House Appropriations Committee report on HR 4431, the DHS spending bill introduced earlier this year.

The table below shows the spending for CISA in FY 2022. The ‘FY 2021’ numbers are the final approved numbers for last year. The ‘HR 4431’ numbers were those proposed in the standalone House spending bill. And the ‘Division F’ numbers are those included in the final HR 2471 spending bill.

| ($ in thousands) | FY 2021 | HR 4431 | Division F |
|---|---|---|---|
| CISA Total | $2,024,976 | $2,422,348 | $2,593,656 |
| Operations | $1,662,066 | $1,927,750 | $1,992,527 |
| Procurement, Construction | $353,479 | $467,167 | $590,698 |
| Research and Development | $9,431 | $7,431 | $10,431 |

In addition to providing more details about the spending allocations, the JES provides additional congressional reporting requirements over those found in the Committee Report on HR 4431 and one new program is outlined.

For more details about the spending increase allocations and the reporting requirements for Division F, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2471-division-f-cisa-provisions - subscription required.
