Wednesday, November 16, 2022

Review - HR 9262 Introduced – DOD Cybersecurity Acquisition

Earlier this month, Rep Bice (R,OK) introduced HR 9262, a bill to make improvements to cybersecurity acquisition policies of the Department of Defense, and for other purposes. The bill would require the Defense Acquisition University to develop “training curricula related to software acquisitions and cybersecurity software or hardware acquisitions and offer such curricula to covered individuals to increase digital literacy related to such acquisitions”. DOD would also be required to prepare a plan to streamline the software acquisition process. No funds are authorized by the legislation.

Moving Forward

Bice and her sole cosponsor {Rep Larson (D,WA)} are both members of the House Armed Services Committee, to which this bill was assigned for consideration. This means that there should be sufficient influence to see the bill considered in Committee, if there is time available. The Armed Services Committee staff is concentrating on their negotiations with their Senate counterparts, which makes it unlikely that this bill will be considered.

I do not see anything in the bill that would engender organized opposition to the legislation. I suspect that it would receive bipartisan support, both in Committee and on the floor of the House, if it were considered.

Commentary

Since this bill does not specifically amend any existing statute, it cannot depend on existing definitions of terms. This makes the absence of any mention of operational technology, SCADA or industrial control systems in the bill a problem. As written, there is no requirement to provide acquisition personnel with any information about the inherent differences between OT and IT cybersecurity needs. This could adversely impact cybersecurity of weapons systems, building control systems and security systems. This could be rectified by modifying §1(b)(1):

“(1) cybersecurity, information technology systems, operations technology systems (including SCADA systems, distributed control systems and other industrial control systems), computer networks, cloud computing, artificial intelligence, machine learning, and quantum technologies;”

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9262-introduced - subscription required.
