Monday, July 31, 2023

Short Takes – 7-31-23

Harvesting Mechanical Energy From Falling Rain. HackADay.com article. Pull quote: “The hope is for all of these improvements to be combined into a system which could do things like augment existing solar panels, allowing them to additionally gather energy from falling rain drops. We’d expect that the cost of this technology would need to come down considerably in order to be cost-competitive, and be able to scale from a manufacturing point-of-view before we’d see much of this in the real world, but for now at least the research seems fairly promising. But if you’re looking for something you can theoretically use right now, there are all kinds of other ways to generate energy from fairly mundane daily activities.”

CDC detects coronavirus, HIV, hepatitis and herpes at unlicensed California lab. NBCNews.com article. Pull quote: “The Centers for Disease Control and Prevention tested the substances and detected at least 20 potentially infectious agents, including coronavirus, HIV, hepatitis and herpes, according to a Health and Human Services letter dated June 6.”

Frustration emerges among GOP spending ‘cardinals’ as conservatives push for cuts. TheHill.com article. Pull quote: “Adding to the August workload, House Majority Leader Steve Scalise (R-La.) suggested earlier this week that bicameral negotiations could take place over the weeks-long recess as lawmakers stare down the shutdown deadline.” But any negotiations with Senate Democrats will have to result in spending levels higher than those demanded by Republican 11.

Leprosy cases surging in Central Florida: CDC. TheHill.com article. Pull quote: “In a news release Monday, the Centers for Disease Control and Prevention (CDC) said that Central Florida has accounted for 81 percent of reported cases in the state and almost one-fifth of reported cases nationwide.”

Trump attempt to derail Georgia election investigation rejected by judge. ABCNews.go.com article. Pull quote: “In a caustic footnote, seemingly nodding to Trump's status as the dominant frontrunner for the 2024 Republican nomination for president despite having been indicted twice already, the judge added, “And for some, being the subject of a criminal investigation can, à la Rumpelstiltskin, be turned into golden political capital, making it seem more providential than problematic.””

CFATS and Industry

One of the interesting aspects of much of the public reporting (see here, here, and here for instance) on the termination of the CFATS program is the number of comments from industry organizations supporting the Chemical Facility Anti-Terrorism Standards (CFATS) program. In fact, two major chemical organizations (the American Chemistry Council and the National Association of Chemical Distributors) published press releases calling for Congress to quickly reinstate the program.

Those of us who have been following the CFATS program for some time (since its inception here) are not surprised; chemical manufacturing associations have been long-time supporters of the program. Nobody has looked at the apparent contradiction of their support for a costly regulatory program. One of the reasons is that DHS/CISA have always attempted to work with industry to make sure that the regulatory scheme works in the field, even where industry opposed extensions of the program (most memorable is the implementation of the personnel surety vetting program).

Another reason is that the program works with covered facilities to develop security measures that make sense for that particular facility. Every chemical facility is a unique entity, and trying to force facilities into cookie-cutter security programs would either make them so costly as to be unsupportable or ineffective in many cases. While facility site security plans were required to fulfill the requirements set forth in the program’s Risk Based Performance Standards, facility management had a great deal of leeway in how they accomplished those requirements.

Both of these factors have been discussed here multiple times; nothing new there. There are two other factors that have not been discussed in public. The first of these is that while many companies came to recognize after 9/11 that there were potential security risks, many of these companies had concerns that their competitors did not recognize the same level of risk in their facilities. Failure to spend money on costly security measures (and CFATS-compliant security measures can be very costly) would give them a cost advantage over their security-conscious competitors. With a security regulatory scheme in place, companies were competing on a more level playing field.

Finally, security expenses to meet regulatory requirements are clearly legitimate business expenses, and with the CFATS program, the government was the determiner of security risk and of the level of security required to meet that threat. Lacking this program, facilities will be required to justify their internal risk assessment and the security requirements to meet that level of risk. Preparing for that justification would be an added cost of security, and the result could still be questioned by tax agencies.

Review - HR 3935 Received in Senate – FAA Reauthorization

Last week, HR 3935, the Securing Growth and Robust Leadership in American Aviation Act (informally the FAA reauthorization act) officially arrived in the Senate. The delay was due to incorporating amendments that were adopted during the debate on the bill the previous week. Several new provisions were added to the bill before it passed in the House by a strongly bipartisan vote of 351 to 69.

New Sections

There were a large number of new sections added, both during the debate and in the House Rules Committee, which added language from HR 3559, the FAA Research and Development Act of 2023, and HR 3796, To provide for the extension of taxes funding the Airport and Airway Trust Fund and to require the designation of certain airports as ports of entry. Newly added sections of potential interest here include:

§635. Protection of public gatherings.

§853. Sense of Congress encouraging the FAA to welcome the use of unmanned aerial vehicles.

§858. Assessment by Inspector General of the Department of Transportation of counter-UAS system operations.

§871. Prohibition on procurement of foreign-made unmanned aircraft systems.

§1146. Report on aviation cybersecurity directives.

Moving Forward

This is one of the perennial ‘must pass’ bills for Congress. The Senate’s Commerce, Science, and Transportation Committee will craft its own version of the legislation. The Senate will then typically take up the House bill, with one of the first amendments considered being substitute language taken from the Senate version of the bill. The House will then have a chance to take up the revised language, but generally, the House will demand its own version of the language. To resolve the differences, a conference committee will be formed to develop a consensus version of the bill, which will then go back to the two bodies for a final vote in each house of Congress.

The bipartisan vote for HR 3935 in the House bodes well for its eventual passage.


For more details about the changes made in the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3935-received-in-senate - subscription required.

Sunday, July 30, 2023

CFATS and I

The death of the Chemical Facility Anti-Terrorism Standards (CFATS) program this last week was the jarring end of a 15+ year program. Everyone expected Congress to come through at the last minute and continue the program as it had done so many times before. But Congress, as always, is a fickle and less than faithful organization, so tied up in its political machinations that it frequently loses sight of its job. The fact is that if it had come to an up-or-down vote in the Senate, HR 4470 would almost certainly have passed with substantial bipartisan support. But a looming vacation, and the ‘necessary’ political statements to be made in a piece of ‘must pass’ legislation, were more important than continuing a relatively small program in DHS.

The people most obviously affected by the program’s death are the folks in CISA that were responsible for managing the program and overseeing its implementation in the field. The Office of Chemical Security will almost certainly carry on, but probably at a reduced level. They still have the ChemLock program to oversee, and the Ammonium Nitrate Security Program still needs to be stood up. Even so, there are almost certainly positions within OCS that will not survive the end of the fiscal year. Hopefully, those employees, faithful civil servants all, will find continued employment in other portions of the federal government if they want it. The chemical security inspectors in CISA’s Integrated Operations Division face a more uncertain future. Not technically tied to the CFATS program, they could continue to support ChemLock and provide assistance to the Protective Security Advisor operation. But this year and next the budget-cutting knife is extremely sharp and is being wielded with little thought of consequences or personnel. My heart goes out to these folks.

Another, less easily recognized group affected by the programmatic death of CFATS is a small contingent of advisors, contractors, and consultants that have been supporting industry’s implementation of the CFATS program at the facility level. For smaller companies covered by CFATS, these hardworking folks provided the expertise and vision that allowed many companies to successfully stand up security programs and compliance efforts. For many, the end of federal security requirements will mean that facilities drastically cut back their security spending, and these outsiders will be the first to feel that pinch.

And, of course, the 3200+ facilities that saw their coverage under the CFATS program evaporate on Thursday are going to be impacted. Their security issues remain, but the spending justification has disappeared. Each facility is going to have to evaluate what they can continue to afford in the way of security measures. Security managers all know that cuts will be dangerous, but the bean counters will have their way and cost savings will prevail over security.

On a personal note, Thursday’s Senate inaction has had a major impact on me. This blog grew up with the start of the CFATS program 16 years ago, and the program has been a driving force in focusing my research and writing over the years. The scope of the coverage of Chemical Facility Security News has expanded over the years, but it has always been chemical facility security and the CFATS program that drove that expansion, as I came to realize that chemical facility security involves a lot more than just fences and guards.

The CFATS program is dead, but the reason the program was put in place still exists. Many chemical facilities, and the chemicals they manufacture and use, are still too tempting a target for a new generation of terrorists and extremists to leave unprotected. I will continue to be a voice advocating for chemical facility security in all of its complexity. I will watch and finagle Congress to live up to its responsibility to provide for the common defense. And, in the short term, I will be an active voice in trying to convince Congress to resurrect the CFATS program.

Saturday, July 29, 2023

Short Takes – 7-29-23

New FAA Fact Sheet Clears the Air on Local Drone Regulation. WileyConnect.com article. Pull quote: “The Scope of Federal Authority. The updated guidance goes several steps beyond the 2015 fact sheet, unequivocally recognizing that “authority to regulate aviation safety and the efficient use of the airspace by aircraft [including UAS]” belongs exclusively to the FAA and that “[a]ttempts by state and local governments to regulate in those fields are preempted.” The 2015 fact sheet, in contrast, focused more on the policy rationale for avoiding “fractionalized control of the navigable airspace,” and tended away from definitive statements, instead pointing to areas where prospective state and local laws “should be carefully considered” to ensure consistency with federal law or where “consultation with the FAA is recommended.””

ACC Statement Regarding Expiration of Essential Chemical Security Program Key to Combating Terrorism. AmericanChemistry.com press release. Pull quote: ““The loss of CFATS creates immediate risks and problems by limiting the ability to vet personnel, increasing exposure to cyber threats, and opening the door to a patchwork of federal and state regulations. Congress must get back to work immediately to reinstate CFATS to help keep our industry and America safe.””

The Case for Guerrilla Crosswalks. Bloomberg.com article. Pull quote: ““I'm reticent to say people should just go out and change the streets any way they see fit,” he said. “But our current way of doing things — where we first have to collect enough data points to decide if a street should be revised — isn’t working. Because those data points tend to be people dying or getting hurt. If we’re waiting for that, we’re clearly doing something wrong with our streets.””

Notice of President's National Infrastructure Advisory Council Meeting. Federal Register DHS meeting notice. Agenda: “Agenda: The National Infrastructure Advisory Council will meet virtually in an open session on Monday, August 28, 2023, from 2:30 p.m. to 3:00 p.m. ET with a focus on deliberation and vote on the Water Security Report. The meeting will include (1) remarks from the administration and CISA leadership related to water security (2) a period for public comment and (3) deliberation and vote on NIAC Report to the President on Preparing United States Critical Infrastructure for Today's Evolving Water Crises.”

Regulatory Guide: Cybersecurity Event Notifications. Federal Register NRC guidance issue. Summary: “The U.S. Nuclear Regulatory Commission (NRC) is issuing Revision 1 to Regulatory Guide (RG), 5.83, “Cybersecurity Event Notifications.” This revision describes methods that the staff of the NRC considers acceptable for licensees to meet requirements in NRC regulations to report and record cybersecurity events.”

Conservatives have already written a climate plan for Trump’s second term. Politico.com article. Pull quote: “Instead, the ideas laid out in Project 2025 show that conservative organizations want to achieve a more fundamental shift — moving federal agencies away from public health protections and environmental regulations in order to help the industries they have been tasked with overseeing, said Andrew Rosenberg, who was a senior official at the National Oceanic and Atmospheric Administration during the Clinton administration.”

Review - S 2071 Introduced – Common Carrier Rules

Last month, Sen Baldwin (D,WI) introduced S 2071, the Reliable Rail Service Act. The bill would amend 49 USC 11101, expanding the railroad common carrier requirement to provide transportation upon reasonable request to include a requirement for ‘timely, efficient, and reliable rail service’. There is no funding provided in the legislation.

Moving Forward

Baldwin is a member of the Senate Commerce, Science and Technology Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. Railroads are going to oppose this expansion of their common carrier responsibilities based upon their long-standing assertion that they are the only ones with enough service situational awareness to establish what delivery schedules are reasonable. How that opposition would break down into votes in Committee, and ultimately on the floor of the Senate, is difficult to quantify. I suspect that any votes would be somewhat bipartisan and very close.

Commentary

This bill is an outgrowth of the continuing issues that shippers and receivers have had with railroad services. This bill is not going to solve the problem, but it does provide the STB with some additional tools to work out a solution.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2071-introduced - subscription required.


Chemical Incident Reporting – Week of 7-22-23

NOTE: See here for series background.

Bakersfield, CA – 7-18-23

Local news reports – Here, here, here, and here.

Fire at hydrogen refueling station for fuel-cell powered buses. $1.1 million bus destroyed. No injuries, no deaths.

CSB reportable due to the damage costs.

Phoenix, AZ – 7-21-23

Local news reports – Here, here, here, and here.

Fire and explosions at retail propane facility. Facility destroyed, off-site damage. No injuries or deaths reported. Multiple explosions of smaller propane tanks.

May be a CSB reportable when damage costs are totaled.

Little Rock, AR – 7-22-23

Local news report - Here.

Toluene exposure in basement wall sealing incident; one dead, one hospitalized.

CSB reportable.

Cincinnati, OH – 7-22-23

Local news reports – Here, and here.

Refrigeration coolant leak, no injuries.

Not CSB reportable.

Chicago, IL – 7-27-23

Local news reports – Here, here, and here.

Refrigerant coolant leak, no injuries. Interesting comment about urban evacuations: “According to [Fire Commissioner] Nance-Holt, the decision was made to not evacuate the geographic area "based on the amount of people."”

Not CSB reportable.

Review – Public ICS Disclosure – Week of 7-22-23

This week we have 21 vendor disclosures from ABB (2), Aruba Networking, Belden (3), Bosch, Brocade (2), B&R, CODESYS, Fujitsu (3), Hitachi Energy (2), Honeywell, HPE, QNAP (2), and VMware. There is one researcher report for vulnerabilities in products from Advantech. Finally, we have two exploits for products from Western Digital and VMware.

Advisories

ABB Advisory #1 - ABB published an advisory that describes four vulnerabilities in their Ability™ zenon product.

ABB Advisory #2 - ABB published an advisory that describes an unquoted search path vulnerability in their AO-OPC product.

Aruba Advisory - Aruba published an advisory that describes four vulnerabilities in their Access Points products.

Belden Advisory #1 - Belden published an advisory that discusses a NULL pointer dereference vulnerability in their Hirschmann HiSecOS.

Belden Advisory #2 - Belden published an advisory that discusses a cross-site scripting vulnerability in their Eagle firewall products.

Belden Advisory #3 - Belden published an advisory that discusses four vulnerabilities in their Hirschmann HiSecOS.

Bosch Advisory - Bosch published an advisory that discusses 30 vulnerabilities in their PRA-ES8P2S Ethernet switches.

Broadcom Advisory #1 - Broadcom published an advisory that discusses a permission validation vulnerability in the BrocadeOS products.

Broadcom Advisory #2 - Broadcom published an advisory that discusses the MOVEit SQL injection vulnerability, which is on the CISA Known Exploited Vulnerabilities Catalog.

B&R Advisory - B&R published an advisory that describes an allocation of resources without limit or throttling vulnerability in the Portmapper service used in their Automation Runtime product.

CODESYS Advisory - CODESYS published an advisory that describes an exposure of resource to wrong sphere vulnerability in their Scripting addon.

Fujitsu Advisory #1 - Fujitsu published a notice about potential vulnerabilities being investigated based upon third-party advisories from Insyde.

Fujitsu Advisory #2 - JP CERT published an advisory that describes an authentication bypass vulnerability in the Fujitsu Si-R series and SR-M series network devices.

Fujitsu Advisory #3 - JP CERT published an advisory that describes a hard-coded credentials vulnerability in the Fujitsu IP Series Real-time Video Transmission Gear.

Hitachi Energy Advisory #1 - Hitachi published an advisory that discusses six vulnerabilities in their AFF66x Products. These are third-party vulnerabilities.

Hitachi Energy Advisory #2 - Hitachi published an advisory that describes two classic buffer overflow vulnerabilities in their RTU500 series product.

Honeywell Advisory - Honeywell published an end-of-life notice for their MAXPRO® VMS R600 and R630 / NVR6.0 & R6.3 products.

HPE Advisory - HPE published an advisory that describes a privilege escalation vulnerability in their Integrated Smart Update Tools (iSUT) for Windows.

QNAP Advisory #1 - QNAP published an advisory that discusses an OS command injection vulnerability in many of their products.

QNAP Advisory #2 - QNAP published an advisory that describes an insecure library loading vulnerability in their QVPN Device Client for Windows.

VMware Advisory - VMware published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Tanzu Application Service for VMs.

Reports

Advantech Report - Tenable published a report that describes an SQL injection vulnerability in the Advantech iView.

Exploits

Western Digital Exploit - Remco Vermeulen published a Metasploit module for two vulnerabilities in the Western Digital MyCloud product.

VMware Exploit - H00die published a Metasploit module for a command injection vulnerability in the VMware Aria Operations for Networks product.

Friday, July 28, 2023

CFATS Expiration Notice

At first glance there is nothing on the Chemical Facility Anti-Terrorism Standards (CFATS) program web site that would indicate that the authority for the program had been terminated by lack of action in the Senate. That is, until you click on the link for the CFATS Knowledge Center. Instead of the usual listing of news and updates, there is now just a simple block of text:

July 28, 2023: The statutory authority for the CFATS program has expired. The approximately 3,300 high-risk chemical facilities are no longer bound by the CFATS regulation (6 CFR Part 27). Facilities no longer have a requirement to report their chemicals of interest to CISA. Chemical terrorism continues to pose a threat against national security. CISA encourages chemical facilities to continue to maintain security measures for their dangerous chemicals. The voluntary ChemLock program provides services and tools that facilities with dangerous chemicals can use to enhance their security posture in a way that works for their business model.

There may still be a remote chance that the latest CFATS extension bill, S 2499, could resurrect the program, but no action can be taken on that bill until September because Congress has recessed for the month of August. We will need to see what the actual language of that bill says, but it could be a week or two until the GPO gets around to that bill; they are way behind an unusually prolific bill-crafting Congress.

The big problem is political inertia; the longer it takes to try to fix this problem, the more difficult it is going to be to reach a consensus on restarting the program. First off, spending bills, the NDAA, and other must-pass bills are going to be taking up the attention of Congress for most of the rest of the year. Added to that, there will be a tendency for members to realize that restarting the CFATS program would be an ideal time to implement their favorite changes to the program. The controversies that will attach to those changes will interfere with consideration, much less passage, of the bill.

I will continue to cover developments.

Bills Introduced – 7-27-23

Yesterday, with the House and Senate preparing to recess until September, there were 305 bills introduced. Eight of those bills may receive additional coverage in this blog:

HR 5017 To direct the Secretary of Homeland Security to issue guidance with respect to space systems, services, and technology as critical infrastructure, and for other purposes. Lieu, Ted [Rep.-D-CA-36] 

HR 5067 To require the Secretary of Energy to establish a task force to study and report on supply chains for local electric distribution grids in the United States, and for other purposes. Wittman, Robert J. [Rep.-R-VA-1]

S 2587 An original bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2024, and for other purposes. Tester, Jon [Sen.-D-MT] 

S 2605 An original bill making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2024, and for other purposes. Merkley, Jeff [Sen.-D-OR]

S 2618 A bill to rename the Office of Technology Assessment as the Congressional Office of Technology, to revise the functions and duties of the Office, and for other purposes. Lujan, Ben Ray [Sen.-D-NM]

S 2624 An original bill making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2024, and for other purposes. Baldwin, Tammy [Sen.-D-WI]

S 2625 An original bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2024, and for other purposes. Murphy, Christopher [Sen.-D-CT]

S 2715 A bill to authorize the Secretary of Defense to conduct detection, monitoring, and other operations in cyberspace to counter Mexican transnational criminal organizations that are engaged in certain activities that cross the southern border of the United States, and for other purposes. Rounds, Mike [Sen.-R-SD]

I will be covering S 2587, S 2605, S 2624, S 2625, and S 2715.

I will be watching HR 5017, HR 5067, and S 2618 for language and definitions that would include control system cybersecurity within the scope of the coverage of the bill.

Mention in Passing

I would like to mention one bill in passing:

S 2597 A bill to amend the Clayton Act to establish a new Federal commission to regulate digital platforms, including with respect to competition, transparency, privacy, and national security. Warren, Elizabeth [Sen.-D-MA]

The Clayton Act is an outcome-based anti-trust statute. Its use to regulate ‘digital platforms’ looks to be a novel way to control the internet, especially the inclusion of ‘national security’ as one of the areas for potential regulations. With Warren being the sponsor, it would be easy to pass this off as a liberal bill with little chance of proceeding, but her sole cosponsor is Sen Graham (R,SC), who is anything but liberal.

Thursday, July 27, 2023

Short Takes – 7-27-23

A nearly 20-year ban on human spaceflight regulations is set to expire. ArsTechnica.com article. Pull quote: ““The challenge is if we start developing that [passenger safety] regulatory environment too soon before we have enough data, before we have enough knowledge of those individual vehicles, there is a long-term safety risk that something could go wrong,” Drees told the House Science Committee. “The purpose of continuing to innovate while we develop these standards side by side with the regulator will allow us to have the most safe vehicles on the market in the future.””

TSA directives for oil and natural gas pipeline cybersecurity address evolving, intensified threat of cyberattacks. IndustrialCyber.co article. Pull quote: “Commenting on the latest TSA Security Directive for pipeline operators, Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos, wrote in an emailed statement that like the last version TSA’s update to its Security Directive for oil and natural gas pipeline cybersecurity focuses on performance-based, rather than prescriptive, measures.”

Renewal with revisions to Security Directive (SD) Pipeline-2021-02 series: Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing. TSA.gov directive update D.

Exclusive: America Is Struggling to Safeguard Water Supply From Hackers, New EPA Data Shows. TheMessenger.com article. Pull quote: “An even more worrying factor: the data obtained by The Messenger may mask the true extent of vulnerabilities in the water sector. According to the EPA official, “the systems that we're most concerned about are not the proactive systems that are signing up for programs like this.” In other words, the very fact that these systems volunteered for assessments may hint that they’re more engaged with cybersecurity than the average water utility.”

The Russians Packed Hundreds Of Vehicles Into A Crimean Repair Depot. The Ukrainians Just Hit It With A Cruise Missile. Forbes.com article. Pull quote: “The Kremlin could disperse its repair bases instead of merely moving them—reducing the overall risk by presenting the Ukrainians with more, and smaller, targets. But inasmuch as logistics benefits from scale, this dispersal would come at the cost of efficiency. Fewer vehicles repaired slower.”

Ukraine sends fresh troops into the battlefield in new push against the Russians. Politico.com article. Pull quote: ““The real test will be when they identify weak spots or create weak spots and generate a breach, how rapidly they’re able to exploit that with the combat power that they have in reserve, and how rapidly the Russians will be able to respond,” Kahl said during a July 7 briefing with reporters.”

SpaceX Dragon spacecraft had a thruster glitch at the International Space Station in June. Space.com article. Pull quote: “A SpaceX Dragon docked with the International Space Station for 23 days in June had a thruster valve stuck open due to a corrosion problem, a SpaceX official said Tuesday (July 25) during a NASA press conference.” Other Dragon craft checked.

Review - S 2226 Considered in Senate – FY 2024 NDAA – 7-26-23

Yesterday, the Senate continued their consideration of S 2226, the FY 2024 National Defense Authorization Act. Four amendments were considered (one passed and three failed), none of which were of particular interest here. An agreement was reached to continue consideration today with a vote scheduled for Warnock Amendment No. 199, again not of particular interest here. Thirteen new amendments were proposed yesterday, SA 1059 thru 1072.


For more details about yesterday’s coverage, including links to the amendments of interest, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2226-considered-in-senate-1c7 - subscription required.

HR 4470 Not Considered in Senate 7-26-23 – CFATS Extension Dead?

The Congressional Record for July 26th, 2023, was just published. HR 4470, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2023, was not passed in the Senate yesterday. There is no indication that it was offered (and objected to) under the unanimous consent process. This leaves just one day (today) before the Chemical Facility Anti-Terrorism Standards (CFATS) program terminates. According to the posts of @SenateCloakroom (which tweets updates on actions taken on the Senate floor) on TWITTER, HR 4470 has not yet been considered on the floor (and the Senate just finished acting on S 2226, the Senate version of the NDAA), and there is little time left for action until the Senate returns to Washington in September.

The actual termination language for CFATS, found in the Notes (Effective and Termination Dates) portion of 6 USC 621 (as added by PL 116–150, §1(a), July 22, 2020, 134 Stat. 679), reads:

“The authority provided under title XXI of the Homeland Security Act of 2002 [6 U.S.C. 621 et seq.], as added by section 2(a), shall terminate on July 27, 2023.”

It does not say at what time on that day the authority terminates (I will leave it to lawyers to argue that), but certainly by midnight tonight (at the latest) CISA will no longer have authority to conduct operations under the CFATS program. That means that CISA can no longer conduct inspections, require facilities to report, or evaluate data under the provisions of 6 USC 621 et seq. The currently agreed-upon site security plans cease to exist as an enforceable requirement and might have to be renegotiated if/when Congress reauthorizes the program.

The authority to pay salaries and expenses is a separate matter. That should continue through September 30th. Interestingly, the salaries and expenses of the chemical security inspectors (CSI) do not come directly through the CFATS program office (Office of Chemical Safety). That funding comes from CISA’s Integrated Operations Division (see a post I did about that split and another on the potential problems of that dichotomy). With some careful management, CISA could keep the CSI on the job without the CFATS program in the new fiscal year, expanding the ChemLock program or helping out overworked Protective Security Advisors.

If the Senate does not act tonight (increasingly likely), then the language of the newly introduced S 2499 becomes very important. The bill could set the clock back to today and re-establish the program as it existed as of one minute after midnight on July 27th, 2023. The deadline for action on that bill is probably September 30th, unless appropriators keep funding for the CFATS program in the DHS spending bill, which would probably require specific language in the bill or spending tables. But there is a good (I know, bad choice of words) chance that that spending bill will never get passed. That, however, is a bigger problem than the continuation of the CFATS program.

Chemical Sector Security Summit Update – 7-27-23

Today, I received an interesting email from chemicalsummitreg@hq.dhs.gov about my recent registration for the 2023 Chemical Sector Security Summit. Apparently, some of the automated response emails for registration confirmations have not reached registrants. Lots of good information in the email. If you registered and have not received either this email or the original confirmation email, you should contact them at the above email address.

Bad News for Remote Attendees

The email (and the CSSS website) contains a link to the Preliminary Agenda for the CSSS. The following items on the agenda will not be available to remote attendees:

Day 1 – 8-29-23

Speed Meet the Experts

Day 2 – 8-30-23

Multilayered Approach to Combating the Acquisition of Bomb-Making Materials,

CFATS Tiering Methodology,

CFATS Cyber and Physical Security Best Practices,

ChemLock: On-Site Assessment Case Study,

Cyber Threats Facing the Chemical Sector, and

Federal Expo,

Day 3 – 8-31-23

Cyber Regulations at Chemical Facilities, and

CISA’s Regional Footprint

Most of these are part of ‘breakout sessions’ where two sessions are held at the same time. In-person attendees get to choose which sessions they will attend. Those of us who will be attending remotely are having that choice made by the DHS organizers. I would have made different choices (maybe; it would depend on who is presenting, and that information is not yet available), but someone at DHS has to make this decision, so I will not argue with them. If you really want to see one of the above presentations, attend in person.

NOTE: As I write this the Congressional Record for yesterday has not yet been printed, so I still do not know if the Senate passed HR 4470, the CFATS extension bill. If the program is not extended, much of the above agenda will obviously change.

Review – 3 Advisories and 2 Updates Published – 7-27-23

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Mitsubishi Electric, PTC and ETIC Telecom. They also updated two advisories for products from Mitsubishi and ETIC.

Advisories

Mitsubishi Advisory - This advisory describes a classic buffer overflow vulnerability in the Mitsubishi CNC Series devices.

PTC Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the PTC KEPServerEX.

ETIC Advisory - This advisory describes an insecure default initialization of resource vulnerability in the ETIC Remote Access Server (RAS).

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on August 9th, 2022 and most recently updated on August 18th, 2022 (not 8-16-23).

ETIC Update - This update provides additional information on an advisory that was originally published on November 11th, 2022.


For more details about these advisories, including links to vendor advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-2-updates-published-9a3 - subscription required.

FDA Sends Medical Tests as Medical Devices NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the Federal Drug Administration for “Medical Devices; Laboratory Developed Tests”. According to the Spring 2023 Unified Agenda entry for this rulemaking:

“This proposed rule would propose to amend the Food and Drug Administration’s regulations to make explicit that laboratory developed tests (LDTs) are devices under the Federal Food, Drug, and Cosmetic Act.”

It will be interesting to see what portions of the FDA medical device rules will apply to these medical tests. Cybersecurity for testing equipment is one that I would be watching for in these proposed regulations.

Bills Introduced – 7-26-23

Yesterday, with both the House and Senate in session and preparing to depart for their month-long summer recess, there were 134 bills introduced. Two of those bills will receive additional attention in this blog:

HR 4915 To amend title 10, United States Code, to codify the program of the Office of Small Business Programs of the Department of Defense known as Project Spectrum, and for other purposes. Joyce, David P. [Rep.-R-OH-14] 

S 2499 A bill to extend the authorization of the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security. Peters, Gary C. [Sen.-D-MI] 

I am still waiting to see the Congressional Record for yesterday’s meeting to see if HR 4470 was taken up by the Senate. It could be a while as the Senate did not adjourn until after midnight. If HR 4470 did pass, then the introduction of S 2499 does not make much sense. If it did not pass then S 2499 would be a rewrite of S 2178 that would include language to resurrect the CFATS program which will die today if not reauthorized by Congress.

Funding exists for CFATS through September 30th to keep the staff paid while the program winds down, but authority to take any actions (inspections, approvals, even requiring/accepting Top Screen information) disappeared (will disappear at midnight? I am not sure) if HR 4470 was not passed yesterday. So, a new bill would be required to re-instate the previous authority and provide an extension of the authority through a future date. The chance of S 2178 passing in the Senate and House today or tomorrow is slim (but not impossible), and the current plan is for both bodies to adjourn tomorrow and not return until September 5th for the Senate and September 12th for the House. While those plans are always subject to change, it does not look likely at this time.

Wednesday, July 26, 2023

Short Takes – 7-26-23

Lithium Batteries - Heat Advisory NOTICE. LinkedIn.com post. Pull quote: “This [lithium runaway] chain reaction creates extremely high temperatures. The associated hazards then are fire and explosion. In addition to the super high temperatures generated by a Thermal Runaway incident, the “smoke” emanating from a lithium-ion battery fire is actually a vapor cloud containing a cocktail of highly toxic acids, including hydrogen cyanide, hydrogen fluoride, and hydrogen chloride as well as gases such as methane and ethane and other toxic organic compounds such as benzene, styrene and acrolein.”

McCarthy walks balancing act one more time before long summer. TheHill.com article. Pull quote: “McCarthy risks angering Trump and his allies if he does not schedule a vote on the [Trump impeachment expungement] resolutions; but if he does, they would almost certainly fail amid opposition from moderates.”

Advanced aircraft tracking will come live from space. ESA.int article. Pull quote: “The system, called “Eurialo”, will determine the exact position of a plane by geolocating its radio frequency signals. This will provide an independent assessment of the plane’s location to complement today’s surveillance systems, which often rely on self-reported positions of aircraft derived from the Global Navigation Satellite System.”

World’s heaviest commercial communications satellite will launch tonight. ArsTechnica.com article. Pull quote: “‘It is large,’ said Mark Wymer, a senior vice president at Hughes Network Systems. ‘The satellite from tip to tip is about 10 stories, so it’s a monster. It’s weighing in right around 9 tons, which is why we need the SpaceX Falcon Heavy to get it up into space. What drives a lot of the size and scale of that is we know that there’s this huge hunger for data, and we knew that we had to put a good bit of bandwidth up in the sky.’”

The US government is taking a serious step toward space-based nuclear propulsion. ArsTechnica.com article. Pull quote: “NASA will take the lead on developing the nuclear engine, and DARPA will oversee a host of other issues, from the nuclear regulatory requirements to the mission's operations and all analyses of the vehicle's safety. The nuclear reactor will launch in "cold" mode for safety reasons and will not be turned on until it reaches a sufficiently high orbit.”

Agriculture appropriations bill in jeopardy amid GOP divisions. TheHill.com article. Pull quote: “Moderate Republicans have been vocal in their opposition to the [anti-abortion pill] provision, warning that they will not support the bill unless it is stripped. That posture spells trouble for Speaker Kevin McCarthy (R-Calif.): with all Democrats expected to vote against the legislation, he can only afford to lose a handful of Republicans and still clear the measure.” Will not be considered until September.

Review - S 2226 Considered in Senate – FY 2024 NDAA – 7-25-23

Yesterday, the Senate continued their consideration of S 2226, the FY 2024 National Defense Authorization Act. Two amendments were considered, neither of particular interest here. An agreement was reached to continue consideration today with a vote scheduled for Warnock Amendment No. 199, again not of particular interest here. Thirty-five new amendments were also proposed.


For more details about the activities included in yesterday's consideration, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2226-considered-in-senate-f74 - subscription required.

DOD Sends NISPOM Amendment to OMB

Monday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from DOD on “National Industrial Security Program Operating Manual (NISPOM); Second Amendment”. According to the Spring 2023 Unified Agenda entry for this rulemaking:

“Based on public comments, DoD is proposing additional amendments to a rule last published on December 21, 2020. This amendment addresses comments received on requests for guidance and the cost to implement Security Executive Agent Directive (SEAD) 3, as well as to provide clarification on safeguarding procedures for the protection and reproduction of classified information. It also includes DoD’s response to public comments received regarding controlled unclassified information, National Interest Determination requirements for cleared contractors operating under a Special Security Agreement for Foreign Ownership, Control or Influence, and eligibility determinations for personnel security clearance processes and requirements, among others.”

House Passes HR 1345 – NTIA Cybersecurity

Yesterday, the House took up HR 1345, the NTIA Policy and Cybersecurity Coordination Act, under the suspension of the rules process. After just nine minutes of debate, the bill was passed by voice vote. This vote demonstrates the broad bipartisan support for the bill and indicates an increased probability of the Senate being able to take up the bill under their unanimous consent process.


The bill would amend the NTIA Organization Act, adding a new §106, Office of Policy Development and Cybersecurity. The current Associate Administrator for Policy Analysis and Development at the NTIA would be redesignated as the position of Associate Administrator for Policy Development and Cybersecurity. The new organization would be responsible for overseeing and conducting “national communications and information policy analysis and development for the internet and communications technologies.”

Tuesday, July 25, 2023

Short Takes – 7-25-23

How Ukraine’s New DPICM Cluster Munitions Actually Work. KyivPost.com article. Semi-technical discussion. Pull quote: “As the submunitions fall air resistance on the ribbon attached to them helps stabilize their position as they fall allowing the shaped charge liner cone to face downward so that when it strikes the target it does so at the optimum angle to ensure maximum penetration. The submunitions fall at a very steep, almost vertical, angle which makes them more likely to enter trenches where the fragmentation of their steel bodies acts as an effective anti-personnel weapon.”

Here’s what scientists say about whistleblower claims that Pentagon has evidence of alien crashes. TheHill.com article. Pull quote: “But as an old scientific saying goes, the plural of anecdote isn’t data — and scientists told The Hill that the trouble with all these claims by Grusch and others isn’t that they’re impossible.”

House Freedom Caucus members sounded their concerns about Kevin McCarthy's plans to pass a slew of spending bills starting this week. Politico.com article. Pull quote: “Rep. Ralph Norman (R-S.C.) later told reporters he wants to see all 12 final spending bills, with additional Freedom Caucus demands incorporated, before voting on anything. That appears to jeopardize any votes this week.”

Warming Could Push the Atlantic Past a ‘Tipping Point’ This Century. NYTimes.com article. Pull quote: “In interviews, several researchers who study the overturning applauded the new analysis for using a novel approach to predict when we might cross a tipping point, particularly given how hard it has been to do so using computer models of the global climate. But they voiced reservations about some of its methods, and said more work was still needed to nail down the timing with greater certainty.”

Railworthiness Directive for Tank Cars Owned by Sumitomo Mitsui Banking Corporation Rail Services, LLC and Equipped With Rubber Linings Owned by Sumitomo Mitsui Banking Corporation Rail Services, LLC; RWD No. 2023-01. Federal Register FRA notice. Summary: “FRA issued this Directive, RWD No. 2023–01 [link added], under 49 CFR 180.509(b)(4) to SMBC based on its finding that as a result of non-conforming qualification practices, SMBC-owned DOT–111 tank cars, equipped with SMBC-owned rubber linings, may be in an unsafe operating condition that could result in the release of hazardous materials into the environment. As a result of the identified non-conforming qualification practices, these cars may have substantial rubber lining defects, potentially affecting each tank car's ability to retain its contents during transportation.”

Regulatory Guide: Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants. Federal Register NRC final guide. Summary: “The U.S. Nuclear Regulatory Commission (NRC) is issuing Revision 4 to Regulatory Guide (RG), 1.152, “Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants.” This RG describes an approach that is acceptable to the staff of the NRC to meet regulatory requirements for promoting high functional reliability, design quality, and a secure development and operational environment (SDOE) for the use of programmable digital devices (PDDs) in the safety-related systems of nuclear power generating stations.”

House Approves HR 4470 – CFATS Extension

This evening the House took up HR 4470, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2023, under the suspension of the rules process. There were about 16 minutes of debate, and a recorded vote was demanded. The House voted 409 to 1 to pass the bill. The sole no vote came from Rep Massie (R,KY).

To get this bill to President Biden in time to save the Chemical Facility Anti-Terrorism Standards (CFATS) from expiring, the Senate will have to take up the bill tomorrow under their unanimous consent process. A single objection would kill that process.


Review – 4 Advisories Published – 7-25-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Johnson Controls, Emerson, Rockwell Automation, and AXIS.

Advisories

Johnson Controls Advisory - The advisory describes an improper restriction of excessive authentication attempts vulnerability in the Johnson Controls IQ Wifi 6 mesh router.

Emerson Advisory - The advisory describes an authentication bypass by primary weakness vulnerability in the Emerson ROC800-Series RTU and DL8000 Preset Controllers.

Rockwell Advisory - The advisory describes a relative path traversal vulnerability in the Rockwell ThinManager ThinServer.

AXIS Advisory - The advisory describes a heap-based buffer overflow vulnerability in the AXIS A1001 network door controller.


For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-7-25-23 - subscription required.

Committee Hearings – Week of 7-23-23

This week, the last week before the summer recess, is a busy week in Congress with spending bills being the high-profile topic. There are also two markup hearings in the Senate, as well as DHS oversight and self-driving car hearings in the House. A CFATS extension bill is due for action on the floor in the House (and hopefully in the Senate).

Spending Bills

Today, the House Rules Committee will hold a rule hearing that will include consideration of HR 4666, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2024. There was nothing in the bill or its accompanying report of specific interest here, but it is the first spending bill of the season and does contain a significant number of social issues of interest to Republicans (and opposed by Democrats). There have been 101 amendments proposed, again none of specific interest here.

On Wednesday, the House Rules Committee will hold a rule hearing that will consider HR 4368, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2024. For a look at the items of interest here in this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4368-introduced - subscription required. There have been 178 amendments proposed for this bill, none of specific interest here.

See my post “Coming FY 2024 Spending Bill Logjams” about potential problems in dealing with these spending bills. These two bills are the first of twelve that the House has to (well, should have to) consider before the end of September, and August is a vacation month.

Markup Hearings

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting that will address an FCC nomination and 21 pieces of legislation. One of those bills is S 2256, the Federal Cybersecurity Workforce Expansion Act. This is a federal cybersecurity workforce development bill, which I have not yet reviewed. I will publish a post on this later this week.

On Thursday, the Senate Appropriations Committee will hold a business meeting to mark up the following spending bills: Defense, IER, LHE, and DHS.

DHS Oversight

On Wednesday the House Judiciary Committee will hold an oversight hearing which will “examine the agency's operational failures, the unprecedented border crisis, and the abandonment of immigration enforcement under Secretary Mayorkas.” This may end up being a preliminary to an impeachment process against Sec Mayorkas.

Self-Driving Cars

On Wednesday, the Innovation, Data, and Commerce Subcommittee of the House Energy and Commerce Committee will hold a hearing on: “Self-Driving Vehicle Legislative Framework: Enhancing Safety, Improving Lives and Mobility, and Beating China”. The hearing will be in support of a new (not yet introduced) bill, the SELF DRIVE Act. The witness list includes:

Mark Riccobono, National Federation of the Blind,

John Bozzella, Alliance For Automotive Innovation,

Gary Shapiro, Consumer Technology Association, and

Philip Koopman, Carnegie Mellon University

Congress is still trying to deal with the complexities of self-driving vehicles. It has not been able to reach a consensus on how these vehicles should be regulated.

On the Floor

Today, the House is scheduled to take up 13 pieces of legislation under the suspension of the rules process. This number would not have been unusual last session, but this session’s leadership appears to be less interested in bipartisan legislation. There are two bills of interest here:

HR 1345 – the NTIA Policy and Cybersecurity Coordination Act, and

HR 4470 – Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2023

HR 4470 needs to be signed by the President before (well, on would probably work) Thursday, or the Chemical Facility Anti-Terrorism Standards (CFATS) program will cease to exist. If the bill passes today, the Senate could take up the bill under the unanimous consent process tomorrow, so we may be okay. That is presuming that someone does not want to make a political point at the expense of a successful chemical security program. Those of us who have followed this program over the years are somewhat used to these last-minute legislative shenanigans, but the uncertainty is not good for the program.

OMB Approves NSF CyberCorps Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved, ‘consistent with change’, a final rule from the National Science Foundation on “NSF CyberCorps Scholarship for Service Program”. The notice of proposed rulemaking for this action was published on July 15th, 2022. This final rule was sent to OMB on April 27th, 2023.

According to the Spring 2023 Unified Agenda entry for this rulemaking:

“NSF is finalizing amendments to the CyberCorps Scholarship for Service (SFS) Program, which provides scholarships for cybersecurity undergraduate and graduate (MS or PhD) education. In return for the financial support, recipients must agree to work after graduation in the cybersecurity mission of an agency of the U.S. Government or a State, local, or Tribal government or another qualifying entity, for a period equal to the length of the scholarship. These regulations govern the process of converting scholarships to student loans when the scholarship recipients fail to meet their required service obligations.”

DOD Sends CMMC NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the DOD on “Cybersecurity Maturity Model Certification (CMMC) Program”. According to the Spring 2023 Unified Agenda entry for the rulemaking:

“DOD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework, to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.”

Bills Introduced – 7-24-23

Yesterday, with the House meeting in pro forma session, there were 22 bills introduced. Two of those bills will receive additional attention in this blog:

HR 4820 Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2024 Cole, Tom [Rep.-R-OK-4]

HR 4821 Department of the Interior, Environment, and Related Agencies Appropriations Act, 2024 Simpson, Michael K. [Rep.-R-ID-2]

Monday, July 24, 2023

Short Takes – 7-24-23

Tim Scott Awaits His Moment. But Will It Come? NYTimes.com article. Pull quote: “With just over a month until the first debate and six months until the Iowa caucuses, Mr. Scott’s campaign still sees an opening to refine his message and consolidate more voters. Still, while he tries to surpass Mr. DeSantis, the bigger challenge will be wresting the support of more than half of Republican primary voters from Mr. Trump.”

It’s time to rethink grid reliability. UtilityDive.com opinion. Pull quote: “While the shift to this new paradigm presents challenges, we are gaining confidence in the reliability of a clean grid. Previously there was “trepidation about even adding small amounts of weather-dependent power sources like wind and solar to the grid,” said O’Connell. “Now, large, sophisticated grids in the Midwest, Texas, and California regularly run on a 70% or higher share of wind and solar for hours at a time.” We have proven examples of smaller grids running at even higher percentages of weather dependent resources — the island of Kauai has been able to run on 100% renewable energy for at least nine hours at a time. Multiple studies show that the U.S. grid can run on up to 80% clean electricity with the technology that is available today.”

Code Kept Secret for Years Reveals Its Flaw—a Backdoor. Wired.com article (Kim Zetter). Pull quote: “Critical infrastructure in the US and other countries use TETRA for machine-to-machine communication in SCADA and other industrial control system settings—especially in widely distributed pipelines, railways, and electric grids, where wired and cellular communications may not be available.”

The liquid metals giving catalysis a new phase. ChemistryWorld.com article. Pull quote: “Concrete production cannot be decarbonised because converting limestone into cement forms carbon dioxide as a reaction by-product. ‘We take that carbon dioxide, turn it into graphene oxide flakes, and add these back into the cement and make stronger cement,’ Daeneke says. Other researchers have explored liquid metals for methane pyrolysis, a process that produces hydrogen from natural gas but produces solid carbon, rather than the usual carbon dioxide, as a by-product.”

Categorizing the CISA KEV by Technology Type. NucleusSec.com article. Pull quote: “To offer a comprehensive understanding of CISA KEV, I categorized all entries by technology type and created an interactive data visualization that makes it easy to explore. Data visualization is a powerful tool for quickly interpreting complex information. For this purpose, I designed a zoomable circle packing chart, which effectively represents large datasets visually. This chart allows users to gain insights into the distribution of KEV entries across different technology categories effortlessly.”

House, Senate divides over funding grow as time left for spending bills shrinks. TheHill.com article. Pull quote: “Most spending bills have advanced in the House and Senate appropriations committees. But House conservatives are pushing for even lower spending levels than what were approved in some of those bills in committee, numbers that were already lower than those agreed to in a debt ceiling deal between McCarthy and President Biden.”

FRA wants Class Is to regularly report train-length information. ProgressiveRailroading.com article. Pull quote: “As a next step in that process, the FRA is initiating the ICR [Information Collection Request, comments due September 19th, 2023] to gather more train length data from Class Is. Specifically, the FRA wants Class Is to report the total number of trains operated, the total number of cars in those trains and the total trailing tonnage in specified train length categories, such as less than or equal to 7,500 feet and greater than 7,500 feet.”

Honoré: Chemical plants in hurricane zone a security risk. AmericanPress.com article. Click-bait headline; no security issues discussed. Pull quote: “‘Can they withstand another Laura and Delta,’ Honoré asked. ‘Can those LNG plants on the coast withstand the 12-foot tidal wave predicted with Laura that didn’t happen? Most of our plants weren’t built to withstand 144-mile-per-hour winds.’”

Review - HR 4502 Introduced – Cybersecurity Hiring

Earlier this month, Rep Mace (R,SC) introduced HR 4502, the Modernizing the Acquisition of Cybersecurity Experts Act. The bill would limit the ability of federal agencies to require minimum educational requirements in the hiring of personnel to fill cybersecurity positions in the competitive service. No funding is authorized in this legislation.

The House Oversight Committee held a business meeting on July 12th, 2023, which included consideration of HR 4502. The Committee adopted substitute language and ordered the bill reported favorably by a vote of 40 to 0.

Moving Forward

Once the Committee report (along with the revised language) is printed, the House will be cleared to take up the bill. The Committee’s unanimous vote to adopt the amended bill points to strong bipartisan support for the bill. This means that it would likely be considered under the House suspension of the rules process. This would limit debate, prohibit floor amendments, and require a super majority for passage.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4502-introduced - subscription required.


Review - HR 3855 Introduced – Digital Reserve Corps

Last month, Rep Gonzales (R,TX) introduced HR 3855, the National Digital Reserve Corps Act. The bill would establish within the General Services Administration (GSA) a ‘National Digital Reserve Corps’ to help address the digital and cybersecurity needs of Executive agencies. The bill would add a new Chapter 104 to 5 USC. HR 3555 would authorize $30 million for this new program. This bill is very similar to HR 162 (that post has been removed from the paywall), which Gonzales introduced in January; no action has been taken on that bill.

Moving Forward

Neither Gonzales nor his six cosponsors are members of the House Oversight and Accountability Committee, to which this bill was assigned for primary consideration. This means that it is unlikely that there is sufficient influence to see the bill considered in Committee. Two of the cosponsors {Rep Carbajal (D,CA) and Rep Davis (D,NC)} are members of the House Armed Services Committee, to which this bill was assigned for secondary consideration. Thus, there is a better possibility that the bill could be considered there. Unfortunately, to move to the House floor, a bill generally needs to be reported favorably by the committee of primary assignment.

I suspect that there would be bipartisan support for this bill, but this is not a good year for proposing a new federal spending program in the House. The House leadership is focused on cutting spending, so new programs have a number of additional hurdles to overcome. Without strong support in the Oversight Committee, this bill is not going to go anywhere.


For more details about the provisions of this bill, including an analysis of differences between it and HR 162, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3855-introduced - subscription required.

Saturday, July 22, 2023

Short Takes – 7-22-23

From Apollo to Artemis: How Axiom Space’s new suits will handle the harsh moon dust. MyNews13.com article. Pull quote: “One of the challenges the designers will be working on for the lunar spacesuit is dust mitigation. Citing the proprietary nature of creating the suits, Greeley can only reveal the new suits will have dust mitigation and the suits will somehow “prevent this issue.””

NASA starts building ice-hunting Moon rover. ArsTechnica.com article. Pull quote: “One of those companies is Astrobotic, which NASA selected in 2020 to deliver VIPER to a landing site near Nobile Crater, a 45-mile-wide (73-kilometer) impact basin at the Moon’s south pole. The roughly $200 million commercial delivery arrangement allows Astrobotic to design and build the lander to carry VIPER to the Moon, a system that NASA would have developed—at greater cost—for the original Resource Prospector mission.”

The Fargo Shooter Used a Binary Trigger. Here's What to Know About the Device That's Worrying Police. USNews.com article. Pull quote: “A binary trigger is a modification that allows a weapon to fire one round when the trigger is pulled and another when it is released — in essence doubling the firing capacity, firearms experts and weapons manufacturers say.”

World’s declared stockpiles of chemical weapons destroyed as US finishes the job. ChemistryWorld.com article. Pull quote: “In May, the OPCW opened its new ChemTech Centre, which features state-of-the-art laboratories for investigating alleged uses of chemical weapons. Arias said that the facility will enhance the organisation’s ability to address the threats posed by modern developments, including ‘new dangerous toxic chemicals, more sophisticated equipment and production methods, better means of delivery, and the interaction between chemistry, biology and artificial intelligence’.”

Incorporation by Reference; North American Standard Out-of-Service Criteria; Hazardous Materials Safety Permits. Federal Register FMCSA NPRM. Summary: “FMCSA proposes amendments to its Hazardous Materials Safety Permits (HMSPs) regulations to incorporate by reference the updated Commercial Vehicle Safety Alliance (CVSA) handbook containing inspection procedures and Out-of-Service Criteria (OOSC) for inspections of shipments of transuranic waste and highway route-controlled quantities (HRCQs) of radioactive material (RAM). The OOSC provide enforcement personnel nationwide, including FMCSA's State partners, with uniform enforcement tolerances for inspections. Currently, the regulations reference the April 1, 2022, edition of the handbook. Through this notice, FMCSA proposes to incorporate by reference the April 1, 2023, edition.” Comments due August 23rd, 2023.

Judge Cannon schedules Trump’s classified documents trial for May 2024. WashingtonPost.com article. Pull quote: “Trump is the early front-runner for the 2024 Republican nomination. By late May, the bulk of the Republican primary contests will be completed — meaning there is a significant possibility that Trump could go to trial in the classified documents case as his party’s presumptive nominee. Postponing the proceedings until after the election, on the other hand, would have raised the possibility that if Trump or another Republican won, they could try to push the Justice Department to drop the case once in office.”

EPA Sends PBT Update NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had received a notice of proposed rulemaking from the EPA on “Revisions to Regulations on Persistent, Bioaccumulative, and Toxic Chemicals Subject to the Toxic Substances Control Act (TSCA)”. According to the Spring 2023 Unified Agenda listing for this rulemaking:

“The Toxic Substances Control Act (TSCA) directs EPA to take expedited action on certain persistent, bioaccumulative, and toxic (PBT) chemicals to address the risks of injury to health or the environment presented by the chemical substance and reduce exposure to the substance to the extent practicable. Consistent with that mandate, final risk management rules restricting the use of five PBT chemicals were issued in January 2021 and went into effect in February 2021. EPA is considering revisions to all five of the final rules to further reduce exposures, promote environmental justice, and better protect human health and the environment.”

The current PBTs (and the sections of 40 CFR that regulate them) are:

DecaBDE (§751.405),

PIP (3:1) (§751.407),

2,4,6-TTBP (§751.409),

PCTP (§751.411), and

HCBD (§751.413).

CRS Reports – Week of 7-15-23 – TSDB Legal Challenges

This week the Congressional Research Service (CRS) published a report on “Legal Challenges to the Terrorist Screening Database”. The report gives an annotated background for the establishment of the TSDB and many of the legal challenges that have been made against the database. While the report mentions the notorious ‘No Fly’ list, the TSDB is used for vetting by several other programs, including the Transportation Worker Identification Credential (TWIC), the Hazardous Materials Endorsement (HME) for State commercial drivers’ licenses, and the Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety program.
