Tuesday, December 31, 2024

Short Takes – 12-31-24

Payment of Indemnity and Compensation for Highly Pathogenic Avian Influenza. Federal Register APHIS Interim Final Rule. Summary: “We are amending the regulations pertaining to conditions for payment of indemnity for highly pathogenic avian influenza (HPAI). Specifically, we are requiring commercial poultry premises to successfully pass a biosecurity audit prior to restocking if they were previously HPAI-infected and wish to be eligible for indemnity for the restocked poultry. We are also requiring a biosecurity audit for commercial poultry premises in the buffer zone prior to movement of poultry onto the premises, if the premises wishes to be eligible for indemnity for the poultry moved onto the premises. We are also revising the regulations to preclude indemnity payments for poultry moved onto premises in infected zones if the poultry become infected with HPAI within 14 days following the dissolution of the control area in which the infected zone is located. This action is necessary on an immediate basis in order to ensure that commercial poultry producers who receive indemnity payments for HPAI are taking measures to preclude the introduction and spread of HPAI, and avoiding actions that contribute to its spread. This action amends the regulations to condition indemnity for HPAI accordingly.” Nothing to do with compensation for affected cattle/dairy producers.

Preliminary Lists Identifying Manufacturers Subject to Fee Obligations for Five Chemical Substances Undergoing EPA-Initiated Risk Evaluations Under the Toxic Substances Control Act (TSCA); Notice of Availability and Request for Comment. Federal Register EPA notice of proposed rulemaking. Summary: “The Environmental Protection Agency (EPA or Agency) is announcing the availability of and soliciting comment on the preliminary lists of manufacturers (including importers) of five chemical substances that have been designated as High-Priority Substances for risk evaluation under the Toxic Substances Control Act (TSCA) and for which fees will be charged. As required by TSCA, EPA established fees to defray a portion of the costs associated with administering certain provisions of TSCA. The comment period provides an opportunity for the public to provide comments, self-identify, or correct errors on the preliminary lists. In addition, manufacturers (including importers) are required to self-identify as a manufacturer (or importer) of one or more the five identified High-Priority Substances irrespective of whether they are included on the preliminary lists, and may use this period to do so. Where appropriate, entities may also avoid or reduce fee obligations by making certain certifications consistent with the TSCA Fees Rule. EPA expects to publish final lists of manufacturers (including importers) subject to fees no later than concurrently with the publication of the final scope documents for risk evaluations of these five High-Priority Substances. Manufacturers (including importers) identified on the final lists will be subject to the applicable fees.” Comments due: March 3rd, 2025.

India aims for space milestone with first docking mission. EuropeSays.com article. Pull quote: “Docking technology is critical for space operations that require coordination between multiple launches, enabling components to meet and connect in orbit. Mastery of this capability is essential for complex future endeavors, such as assembling and maintaining space infrastructure.”

2025 CONGRESSIONAL CALENDAR. RollCall.com calendar. Combines both the House and Senate schedule for Washington into one document.

Office for Bombing Prevention Bulletin #13. Content.GovDelivery.com bulletin. Contents:

• Over 400 People Gather for EOD Technology and Bombing Prevention Summit

• CISA OBP, Partners Execute Full-Scale Awareness Exercise

• Air Force Leaders Gain Insights on Bomb Threats, Resources

• Law Enforcement Officers (LEO) Honored During National Police Week

• CISA OBP and Churchill Downs Team Up on Security Before 150th Kentucky Derby

• CISA OBP Shares Overview of Bomb Making Materials Awareness Program (BMAP) at National Association of State Fire Marshals (NASM) Forum

• Diogenes Ayala Receives Outstanding Partnership Award

• CISA Kicks Off Critical Infrastructure Security and Resilience (CISR) Month 2024

Will 2025 be the year of Starship? SpaceX's megarocket is growing up. Space.com article. Pull quote: “Because Starship is fully reusable, the vehicle could eventually deliver such power numbers for just $2 million to $3 million per flight, Musk has said. That would be incredibly cheap; SpaceX currently sells Falcon 9 missions for about $67 million.”

The Speakership Election in the 119th Congress. MattGlassman.Substack.com article. Very detailed look at the possible issues that could arise with the January 3rd, 2025 House Speaker election. Pull quote: “We may not even have a contested election on the floor Friday. One thing largely overlooked during the runup to the 118th fight is that virtually all would-be Speakers bargain with their caucus/conference over rules, committee slots, agendas, and specific policies. In some sense, that’s what the Speakership election is—a party collectively deciding power and agenda dynamics among its factions. Most of the time, the Speaker-nominee successfully accomplishes this in November/December, People forget, but Pelosi had to explicitly do this in the leadup to the 116th Congress, when a faction of Democrats holding the balance of power wrote a letter threatening not to vote for her. She had to buy them up, but did so long before the voting began. McCarthy wasn’t able to do that in 2023.” 

Review - CISA Publishes 60-day ICR Notice for ChemLock

Today CISA published a 60-day information collection request (ICR) supporting the Infrastructure Protection Division’s ChemLock program. According to the ChemLock home page:

“CISA's ChemLock program is a completely voluntary program that provides facilities that possess dangerous chemicals with no-cost services and tools to help you better understand the risks you face and improve your chemical security posture in a way that works for your business model.”

The ICR would address three separate information collection processes. The table below shows the burden estimate for each of those processes:


Note: The table includes slightly different ‘Burden’ numbers than those found in the text of the notice; I calculated the burden from the response and time information provided in the text. If the time figures are rounded, that could account for the differences.

Request for Comments

CISA is soliciting comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov, Docket # CISA-2024-0034). Comments should be submitted by March 3rd, 2025.

Commentary

CISA has been using a version of the request for services form (and probably the other two forms as well) for a little over three years, so technically they have been in violation of 44 USC 3507(a). Having said that, since the program is voluntary, they have not been requiring anyone to provide the requested information. With the death of the CFATS program, I would bet that the ChemLock program is receiving more attention within the Agency and that has probably led to the identification of this technical violation within the agency. It would also explain why the information provided in the notice is not up to the standard set by the CFATS program that was run by the same division of CISA.

For more information on the forms covered in this ICR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/publish/post/153860717 - subscription required.

CISA Adds One Vulnerability to KEV Catalog – 12-30-24

Yesterday CISA added [link added 12-31-24 9:38 pm EST] an improper check for unusual or exceptional conditions vulnerability in the Palo Alto Networks PAN-OS software to their Known Exploited Vulnerabilities catalog. This vulnerability was previously disclosed by Palo Alto Networks. The vulnerability was initially reported by CERT-EE (Estonia). Palo Alto Networks has new versions that mitigate the vulnerability. CISA has directed federal agencies utilizing the affected software to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” The deadline to complete such actions is January 20th, 2025.

NOTE: I briefly discussed this vulnerability on Saturday, and suggested on my Substack blog (subscription required) that the vulnerability could show up on the KEV this week.

Monday, December 30, 2024

Short Takes – 12-30-24

After 60 years of spaceflight patches, here are some of our favorites. ArsTechnica.com article. Pull quote: “However, the spy satellite agency cleverly uses its mission patches as an effective communications tool. The patches for the launch of its satellites never give away key details, but they are often humorous, ominous, and suggestive all at the same time. The immediate response I often have to these patches is one of appreciation for the design, followed by a nervous chuckle. I suspect that's intended by the spy agency.”

Fight over spending stopgap foreshadows funding challenges in new Congress. TheHill.com article. Pull quote: ““Pre-15th of March, you still got to finish. You’ve got to finish ‘25 so reconciliation is going to be a piece of that on how you finish ‘25,” Amodei told The Hill, while also saying reconciliation work could have an impact on Congress’s annual funding work.”

Trump on collision course with conservatives over debt limit. TheHill.com article. Pull quote: “Only one or two GOP lawmakers may be able to derail any budget reconciliation package that includes language to raise the debt ceiling if conservatives think the spending cuts don’t go far enough — or if moderates think cuts go too far.”

These Are The Most Exciting Space Missions Coming In 2025. Inverse.com article. Pull quote: “As an aerospace engineer, I’m excited for 2025, when space agencies worldwide are gearing up for even more ambitious goals. Here’s a look at the most exciting missions planned for the coming year, which will expand humanity’s horizons even further, from the Moon and Mars to asteroids and beyond:”

China wants to restore the sea with high-tech marine ranches. TechnologyReview.com article. Pull quote: “So far China’s marine ranching program remains far from any of this, despite the isolated signs of success. But ultimately what matters most is to find a “balance point” between commerce and sustainability, says Cao. Take Genghai No. 1: “It’s very pretty!” she says with a laugh. “And it costs a lot for the initial investment.” If such ranches are going to contribute to China’s coming “ecological civilization,” they’ll have to prove they are delivering real gains and not just sinking more resources into a dying ocean.”

Review - CFATS is Dead – Whither Chemical Security

With the 118th Congress effectively dead (the House and Senate meet today in pro forma session, and then again on Friday to adjourn sine die), the time has come to officially declare the Chemical Facility Anti-Terrorism Standards (CFATS) program dead. While the program authority expired on July 27th, 2023 (see note 6 USC 621) the program has been kept on life support by CISA and Congress, hoping that it could be resurrected over the objections of Sen Paul (R,KY). On January 3rd, 2025, Paul becomes the Chair of the Senate Homeland Security and Governmental Affairs Committee, further increasing his power to block the program. CFATS will not be reauthorized.

Instead of trying to resurrect the CFATS program, chemical security supporters should instead try to expand the ChemLock program. First and foremost, the ChemLock program needs to be specifically authorized by Congress. One of the first things that the Trump Administration will attempt to do to reduce government spending will be to eliminate non-authorized programs. To avoid the death of this chemical security program, legislation needs to be introduced that establishes ChemLock as an official program under CISA’s Infrastructure Security Division.

Since ChemLock will need to continue to be a voluntary program (rather than a regulatory program) to obtain the support (or at least avoid the opposition) of members like Sen Paul, some method will have to be included that provides an incentive for companies to actively participate in the program. While financial incentives would work best, they would run afoul of the ‘reduce spending’ ethos of the 119th Congress. A ‘no cost to the government’ incentive would be to apply Safety Act (6 USC 441 et seq) protections to participating organizations.

CISA and the chemical industry need to start discussing the authorization of the ChemLock program with their members of Congress. The quicker this legislation is introduced (and ultimately signed into law), the less likely it will be that this program will fall under the scrutiny of elements of the Trump Administration looking at cutting spending and reducing government.

For more details about how the Safety Act may be used in the ChemLock program, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cfats-is-dead - subscription required.

Sunday, December 29, 2024

End of Session Housekeeping – 118th Congress – 12-29-24

With the end of the 118th Congress fast approaching, nothing but one pro forma session for each house until they adjourn sine die on January 3rd, it is time to catch up on legislation files that are dying with the session’s end. Committees are busy publishing reports that no one will read and the GPO is catching up on publishing bills that will have no effect. Instead of trying to complete writeups on each of these housekeeping items, I am simply going to provide a list of each of the bills that I would normally expect to cover in this blog with the appropriate links. If anyone wants me to cover one of these bills in detail in my blog, just drop me a comment on this post; I will see if I can work them into the schedule.

Committee Reports

The following bills were reported by Committees; the reported versions of the bills are available, but the committee reports are not (links are to the published bill):

S 559 Reported in Senate – Fire Grants and Safety Act,

S 4630 Reported in Senate – Streamlining Cybersecurity Regs,

S 4697 Reported in Senate – Healthcare Cybersecurity,

S 5028 Reported in Senate – Contractor Cybersecurity,

S 5321 Reported in Senate – DHS Cybersecurity Interns

Text of Introduced Bills

There were no bills published this week that I am currently following. There are nine House bills that I am still waiting to see published and five Senate bills.


Chemical Incident Reporting – Week of 12-21-24

NOTE: See here for series background.

Hanford, WA – 12-20-24

Local News Report: Here, here, and here.

There was an anhydrous ammonia leak at the Hanford nuclear site. No injuries were reported. There is no report of site damage.

Not CSB reportable.

Port Moody, BC – 12-24-24

Local News Report: Here, here, and here.

There was a traffic accident where a flatbed truck carrying chemical containers overturned. One gas cylinder (originally reported as containing ammonia, but actually holding CO2) leaked. Area residents urged to shelter in place. No injuries were reported (no word on the driver’s condition in any of the reports).

Not CSB reportable, accident was in Canada.

Mentioned this here because of confusion about the chemical released. It is easy to tell the difference between ammonia and CO2; ammonia stinks bad, and CO2 is odorless. I suspect that the initial reports of an ammonia release were due to the placarding on the truck and no visible hazmat labels on the CO2 container involved. The confusion may have delayed the initial response somewhat, but it is generally better to be safe than dead.

Camilla, GA – 12-27-24

Local News Report: Here, here, here, and here.

There was an apparent boiler explosion and fire at a chicken processing plant. One person was killed. An undisclosed number of people were injured; two or three were transported to the hospital for treatment.

Probable CSB reportable.

Saturday, December 28, 2024

Short Takes – 12-28-24

Blue Origin completes its last major test to get ready for first New Glenn rocket launch. GeekWire.com article. Pull quote: “Blue Origin says it has several New Glenn vehicles in production at its Florida factory, and has filled out a “full customer manifest” for launches in the months ahead. High-profile missions include satellite launches to low Earth orbit for Amazon’s Project Kuiper broadband constellation and the launch of twin orbiters for NASA’s ESCAPADE mission to Mars.”

Revisions to [DOT] Civil Penalty Amounts, 2025. Federal Register DOT final rule. Summary: “This final rule provides the statutorily prescribed 2025 adjustment to civil penalty amounts that may be imposed for violations of certain DOT regulations.” Links to new penalty rates below:

Office of Secretary,

Federal Aviation Administration,

National Highway Traffic Safety Administration,

Federal Motor Carrier Safety Administration,

Federal Railroad Administration,

Pipeline and Hazardous Materials Safety Administration,

Maritime Administration,

Great Lakes St. Lawrence Seaway Development Corporation

Pipeline Safety: Meeting of the Liquid and Gas Pipeline Advisory Committees. Federal Register PHMSA meeting announcement. Summary: “This notice announces a public meeting of the Technical Hazardous Liquid Pipeline Safety Standards Committee, also known as the Liquid Pipeline Advisory Committee (LPAC), and the Technical Pipeline Safety Standards Committee, also known as the Gas Pipeline Advisory Committee (GPAC), to discuss the notices of proposed rulemaking (NPRMs) titled “Periodic Standards Update II” and “Cost Recovery for Siting Reviews for LNG Facilities.”” Meeting date: January 16th, 2025. 

Short Takes – 12-28-24 – Cyber Geek Edition

PMKID Attacks: Debunking the 802.11r Myth. NCCGroup.com blog post. Pull quote: “The PMKID-based attack exploits a weakness in the WPA2 authentication process, specifically in the handling of the Robust Security Network (RSN) handshake. During authentication, the Pairwise Master Key (PMK) is used as the foundation for secure communication. Instead of intercepting a complete 4-way handshake, it is possible to retrieve the PMKID directly from the access point by initiating an RSN request. The PMKID is subsequently used in offline brute-force attacks to recover the Pre-Shared Key (PSK) of the network.”

Heels on fire. Hacking smart ski socks. PenTestPartners.com blog post. Pull quote: “We’ll cover this [hardware crypto mining] in detail in a follow up post in the new year, but initial poking at the hardware and mobile app suggests that arbitrary code execution may be possible on the battery pack controllers. There’s a chance we could get the batteries to mine crypto. More on that when we get time.”

Cybersecurity firm's Chrome extension hijacked to steal users' data. BleepingComputer.com article. Pull quote: “A clean version of the extension, v24.10.5 was published on December 26. Apart from upgrading to the latest version, users of the Cyberhaven Chrome extension are recommended to revoke passwords that aren’t FIDOv2, rotate all API tokens, and review browser logs to evaluate malicious activity.” Cybersecurity is hard; even people whose job is cybersecurity do not get it right all of the time.

Review – Public ICS Disclosures – Week of 12-21-24

This week we have three vendor disclosures from Hitachi, Palo Alto Networks, and Philips. We also have six researcher reports for vulnerabilities in products from ABB (5) and HMS.

Advisories

Hitachi Advisory - Hitachi published an advisory that discusses 29 vulnerabilities in their Disk Array Systems.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in multiple Palo Alto Networks products.

Philips Advisory - Philips published an advisory that discusses the Apache Struts unrestricted upload of file with dangerous type vulnerability.

Researcher Reports

ABB Reports - Zero Science published five reports about vulnerabilities (all with publicly available exploits) in the ABB Cylon Aspect building energy management product.

HMS Report - CyberDanube published a report that describes a code injection vulnerability (with publicly available exploit) in the HMS Ewon Flexy 205.

 

For more information on these vulnerabilities, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-136 - subscription required.

Friday, December 27, 2024

Short Takes – 12-27-24

GOP rep on backing Johnson as Speaker: ‘I’m going to keep my options open’. TheHill.com article. Pull quote: “Johnson cannot afford more than one Republican defection on the House floor in the Jan. 3 Speakership election, assuming all members are present and voting. Republicans are set to have 219 Republicans taking the oath of office on Jan. 3, and all 215 Democrats are expected to vote for House Minority Leader Hakeem Jeffries (D-N.Y.).”

Bird flu virus in Louisiana patient likely mutated to be more transmissible, CDC says. TheHill.com article. Pull quote: “Former Food and Drug Administration Commissioner Scott Gottlieb said on X that in the “low probability scenario” bird flu develops into a widespread outbreak, the “U.S. will have only itself to blame. Agricultural officials did just about everything wrong over last year, hoping [the] virus would burn out and it didn’t.””

Lindsey Vonn Thinks Her New Titanium Knee Could Start a Trend in Skiing. MedPageToday.com article. Pull quote: “"There was not a lot of research out there with high-level athletes and partial knee replacements," Knight said. "It is a new frontier. But so far everything's working really well... And I would not be surprised if other people do it because the results that Lindsey's had, with no pain and no swelling, have been unbelievable."”

NASA's Parker Solar Probe phones home after surviving historic close sun flyby. It's alive! Space.com article. Pull quote: “The spacecraft is programmed to send home a more detailed status update on New Year's Day, Jan. 1. It's only then that scientists will know whether the spacecraft indeed collected the expected observations of the sun from the flyby, Michael Buckley, a spokesperson at JHUAPL, which oversees the Parker Solar Probe mission, told Space.com in an email. "This gives the team a better picture of overall spacecraft and subsystem/instrument health, including whether Parker's data recorders are full."”

Transportation Chemical Incidents – Week of 11-23-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 301 (288 highway, 12 air, 1 rail, 0 water)

• Serious incidents – 3 (3 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 0 fire/explosion, 25 no release)

• Largest container involved – 13,819-gal DOT 11A100W1 Railcar {Sulfur, Molten} All 8 manway swing bolts less than tool tight.

• Largest amount spilled – 350-gal Metal totebin {Flammable Liquids, N.O.S.} Loose camlock fitting.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Benzyldimethylamine – A colorless to light yellow liquid with an aromatic odor. Slightly less dense than water and slightly soluble in water. Corrosive to skin, eyes and mucous membranes. Slightly toxic by ingestion, skin absorption and inhalation. Used in the manufacture of adhesives and other chemicals. (Source: CameoChemicals.NOAA.gov).

 



Thursday, December 26, 2024

Short Takes – 12-26-24

Editorial: Raw milk for thought. CEN.ACS.org article. Pull quote: “Even though there is no scientific evidence supporting the health benefits of raw milk, some who advocate consuming it believe that it has nutritional benefits. They staunchly believe this erroneous claim perhaps because they generally mistrust big businesses and what they perceive as the submission of doctors, researchers, and governments to the agenda of those businesses.”

Drone detection systems: Addressing a threat to CBRN facilities. ORFOnline.org article. Pull quote: “As mentioned, traditional radar systems struggle to detect drones due to their size and speed, and many CBRN facilities lack advanced surveillance technologies. Therefore, it is imperative to include drone detection systems in the individual security guidelines of these facilities to protect them from attacks by malicious and non-state actors. Including such systems at a granular level will help address the need for regular updates and remove the bureaucracy that may slow the process down.”

House approves security screening legislation. BulkTransporter.com article. Pull quote: ““For far too long, the truck drivers who keep our country running have been subjected to an outdated, inefficient credentialing system that does not respect their time and money,” said Chris Spear, ATA president and CEO. “That begins to change [now]. By taking the final step needed to eliminate unnecessary bureaucratic hurdles, Congress will provide essential supply chain workers with overdue relief from redundant background checks and fees.””

‘Need to do some norm changing’: Granger’s case spurs renewed debate over ailing lawmakers. Politico.com article. Pull quote: “Reporting by a conservative activist on Friday about the 81-year-old Texas Republican — who until last April chaired the powerful Appropriations Committee — prompted her family to reveal that she has been struggling with dementia and residing in an assisted-living facility, despite continuing to hold office. Granger hasn’t cast a vote in Congress since July.”

Unpacking Claims Texas US Rep. Kay Granger Is in Memory Care. Snopes.com article. Pull quote: “The rumor originated with The Dallas Express, a conservative website that was launched in 2021 using the name of an historically Black-run newspaper and that publishes "pink slime" news — news of poor quality. In 2020, the newspaper's CEO, Chris Putnam, unsuccessfully tried to unseat Granger in the Republican primary election.”

Double moon mission! SpaceX to launch 2 private lunar landers in January. Space.com article. Pull quote: “The Japanese company ispace announced on Tuesday night (Dec. 17) that its second-ever moon mission will launch on the same Falcon 9 rocket that will loft Blue Ghost, a lunar lander built by Texas-based Firefly Aerospace.”

GOP facing 'doomsday scenario' of inability to certify Trump win on Jan 6: report. NewsBreak.com article. Not a great news source, but an interesting take. Pull quote: “After sharing a clip of Johnson claiming he has been in constant contact with the president-elect, Pergram pointed out, "But Mr. Trump is said to be frustrated with Johnson. Here is the doomsday scenario: Say the House takes as long as it did two years ago to elect the speaker. That means it cannot certify the Electoral College on Jan 6. That House can't do anything including swearing in the members until it picks a new speaker."” The irony of it all….

A Russian Assault Group Riding In Pickup Trucks And Flying The Soviet Flag Got ‘Special Attention’ From Ukrainian Forces. Forbes.com article. Pull quote: “That the pickup-and-sedan assault failed doesn’t mean the overall Russian offensive will fail. The Russians are racing against the coming depletion of their vehicle reserves to capture as much of Ukraine as they can. Time and attrition may save most of Ukraine, but possibly not Pokrovsk.”

Tuesday, December 24, 2024

OMB Approves APHIS IFR on HPAI Compensation

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had approved an interim final rule from the USDA’s Animal and Plant Health Inspection Service (APHIS) on “Revise Conditions for Payment of Indemnity and Compensation for HPAI [Highly Pathogenic Avian Influenza]”. The IFR was sent to OIRA on October 23rd, 2024.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“The current HPAI indemnity regulations require producers above de minimis thresholds to have a biosecurity plan as a condition for indemnification. The Animal and Plant Health Inspection Service (APHIS) intends this interim rule to require a successful biosecurity audit for HPAI-infected premises intending to restock and for buffer zone (uninfected) premises that wish to request that poultry be moved onto the premises. Other changes are also being considered.”

OMB Approves CISA Restricted Transactions Notice

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had approved a notice from CISA on “Security Requirements for Restricted Transactions Under Executive Order 14117”. The notice was sent to OIRA on December 18th, 2024.

This action was not listed in the Fall 2024 Unified Agenda. Looking at EO 14117, however, this notice is almost certainly that required by §2(d):

“(d) The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency, shall, in coordination with the Attorney General and in consultation with the heads of relevant agencies, propose, seek public comment on, and publish security requirements that address the unacceptable risk posed by restricted transactions, as identified by the Attorney General pursuant to this section. These requirements shall be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology.”


CISA published a request for comments on this rulemaking on security requirements for restricted transactions on October 29th, 2024.

Monday, December 23, 2024

Short Takes – 12-23-24 - Federal Register Edition

Wireless Telecommunications Bureau Seeks Comment on Licensing and Coordination Procedures for the Space Launch Service. Federal Register notice. Summary: “In this Public Notice, the Wireless Telecommunications Bureau (Bureau) makes proposals and seeks comment on issues related to the Federal Communications Commission's (Commission) Space Launch Service. In particular, it proposes licensing and frequency coordination procedures and data requirements for Space Launch Service licensees seeking Commission authorization to perform non-Federal space launch operations in the 2025-2110 MHz, 2200-2290 MHz, and 2360-2395 MHz bands. Filers responding to this Public Notice should submit comments in ET Docket No. 13-115.” Public comments due: January 22nd, 2025.

Private Sector Participation in Domestic and International Events on Spaceflight Safety, Sustainability, and Emerging Markets in Outer Space. Federal Register State Department notice. Summary: “The U.S. Department of State seeks private sector participation in a series of domestic and international events promoting the safe and responsible exploration and use of outer space…. Solicitations for private sector participation in specific events, including event dates and locations, will be posted at least 30 days prior to the event on https://www.state.gov/remarks-and-releases-bureau-of-oceans-and-international-environmental-and-scientific-affairs/.”

Positive Train Control Systems. Federal Register FRA comment period extension. Summary: “On October 28, 2024, FRA published an NPRM proposing to amend certain regulations governing positive train control (PTC) systems. Through oversight and continued engagement with the industry, FRA has found that its existing PTC regulations do not adequately address temporary situations during which PTC technology is not enabled, including after certain initialization failures or in cases where a PTC system needs to be temporarily disabled to facilitate repair, maintenance, infrastructure upgrades, or capital projects. FRA expects PTC systems to be reliable and robust, further reducing the occurrence of initialization failures and outages. The NPRM proposes to establish strict parameters and operating restrictions under which railroads may continue to operate safely in certain necessary scenarios when PTC technology is temporarily not governing rail operations. By this notice, FRA is extending the NPRM's comment period, which will close on December 27, 2024, by 15 days.” New comment due date: January 11th, 2025.

Implementation of Certain Australia Group Decisions. BIS final rule. Summary: “The Bureau of Industry and Security (BIS) is amending the Export Administration Regulations (EAR) to implement changes agreed to by Australia Group (AG) member countries at recent meetings. These include controlling: instruments for the automated chemical synthesis of peptides (automated peptide synthesizers), dipropylamine, and neosaxitoxin; and revising the controls for botulinum toxins, toxic gas monitors, and centrifugal separators. This rule also makes minor conforming changes for the new controls and revisions to existing controls.”

Sunday, December 22, 2024

End of Session Housekeeping – 118th Congress – 12-22-24

With the end of the 118th Congress fast approaching, nothing but pro forma sessions until they adjourn sine die on January 3rd, it is time to catch up on legislation files that are dying with the session's end. Committees are busy publishing reports that no one will read and the GPO is catching up on publishing bills that will have no effect. Instead of trying to complete writeups on each of these housekeeping items, I am simply going to provide a list of each of the bills that I would normally expect to cover in this blog with the appropriate links. If anyone wants me to cover one of these bills in detail in my blog, just drop me a comment on this post; I will see if I can work them into the schedule.

Reports Filed:

HR 3208 Reported in Senate – DHS Cybersecurity OJT

S Rept 118-161 .pdf – not yet published

HR 3208 RFS .pdf - https://www.congress.gov/118/bills/hr3208/BILLS-118hr3208rfs.pdf

HR 5840 Reported in House – TSA Screening Modernization

H Rept 118-888 .pdf – not yet published

HR 5840 IH .pdf - https://www.congress.gov/118/bills/hr5840/BILLS-118hr5840rh.pdf

HR 6494 Reported in House – PIPES Act of 2023

H Rept 118-884 .pdf – not yet published

HR 6494 RH .pdf - https://www.congress.gov/118/bills/hr6494/BILLS-118hr6494rh.pdf

HR 9689 Reported in House – DHS Cybersecurity Internships

H Rept 118-858 .pdf – not yet published

HR 9689 RH .pdf - https://www.congress.gov/118/bills/hr9689/BILLS-118hr9689rh.pdf

HR 9769 Reported in House – Cyber Resilience

H Rept 118-859 .pdf – not yet published

HR 9769 RH .pdf - https://www.congress.gov/118/bills/hr9769/BILLS-118hr9769rfs.pdf

Text of Bills Published:

S 5639 Introduced – cUAS Authority

S 5639 ES .pdf - https://www.congress.gov/118/bills/s5639/BILLS-118s5639es.pdf

NOTE: S 5639 was passed in the Senate by unanimous consent.

Saturday, December 21, 2024

Short Takes – 12-21-24

ICS Threat Analysis: New, Experimental Malware Can Kill Engineering Processes. Forescout.com blog post. Pull quote: “The artifact clusters we identified may primarily act as nuisances in real OT environments. Yet, the fact that this type of malware can infiltrate critical networks is alarming.including a 14-year old sample observed thousands of times. Even more concerning is the ability of hacking groups to create malware targeting engineering processes with assistance from generative AI while using legitimate services for C2. This reliance on legitimate services makes detecting these threats more challenging. The gap between a relatively simple example like Chaya_003 and more sophisticated OT-specific malware is narrowing, especially as generative AI empowers less skilled attackers to craft OT-specific code.”

Current State of SonicWall Exposure: Firmware Decryption Unlocks New Insights. BishopFox.com blog post. Pull quote: “Our scan identified a total of 430,363 unique targets (IP address and port combinations) with SonicOS/X login pages exposed on the public internet. Of these, the majority had both the management and SSL VPN interfaces accessible, while the rest only exposed one interface.”

The Top Cybersecurity Agency in the US Is Bracing for Donald Trump. Wired.com article. Pull quote: “Under Biden, CISA gained broader authority and new funding to monitor other agencies’ networks for suspicious activity, turning it into the centralized defender of federal networks that many experts always hoped it would become. That could change under Trump, especially if senior officials close to Trump bristle at CISA’s oversight.” Too much guessing in the article, not much information from the Trump transition team yet.

White House charges Pentagon to develop cislunar monitoring tech, including for ‘planetary defense’. BreakingDefense.com article. Pull quote: “This includes taking the lead in the development of new, and/or improvement of current, ground- and space-based sensors for monitoring the cislunar region. In particular, the plan notes that the Pentagon should assess the value of putting new satellites in “novel orbits” to monitor satellites and space debris near the Moon.” Priorities will probably be different in Trump DOD.

New supersonic ramjet detonation engine takes to the sky. NewAtlas.com article. Pull quote: “The JinDou400, however, uses detonation combustion instead of a regular, steady burning flame. It creates controlled explosions (detonations) in the combustion chamber which are far more powerful and efficient than regular combustion (at high speeds), allowing the engine to produce more thrust with less fuel and work effectively, but only at much higher speeds.”

Bills Introduced – 12-20-24

Yesterday, with both the House and Senate in session, there were 31 bills introduced. Three of those bills would have been expected to receive additional attention in this blog were there any time left in the session:

HR 10545 American Relief Act, 2025 Cole, Tom [Rep.-R-OK-4]

HR 10555 To create mechanisms by which state law enforcement can coordinate with the federal government to detect and stop drones involved in unlawful activities, and for other purposes. Smith, Christopher H. [Rep.-R-NJ-4]

S 5639 Counter-UAS Authority Extension Act Peters, Gary C. [Sen.-D-MI]

HR 10545 passed in both the House (366 to 34 to 1) and Senate (85 to 11) and was signed by President Biden (PL number has not yet been assigned).

S 5639 was passed in the Senate by unanimous consent.

Chemical Incident Reporting – Week of 12-14-24

NOTE: See here for series background.

Mukilteo, WA – 12-13-24

Local News Report: Here, here, and here.

There was an anhydrous ammonia leak at a seafood processing facility. A shelter-in-place warning was issued for neighboring businesses. One minor fire-fighter exposure-injury was treated on the scene. No damages reported.

Not CSB reportable.

Orlando, FL – 12-19-24

Local News Report: Here, here, and here.

There was a lithium powder fire at an aerospace manufacturing facility. Three people were transported to a local hospital; two are reportedly in critical condition. There are no reports about the extent of the damages.

Probable CSB reportable. 

Review – Public ICS Disclosures – Week of 12-14-24

This week we have 13 vendor disclosures from Dassault Systèmes (4), FortiGuard Labs, GE Vernova (3), Hitachi (3), HPE (2), Meinberg, and Western Digital. We have 11 vendor updates from FortiGuard, Hitachi Energy (8), and Palo Alto Networks. There are also five researcher reports describing vulnerabilities in products from ABB, Delta Electronics (3), and Rockwell Automation. Finally, we have an exploit report for products from FLIR.

Advisories

Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Dassault Advisory #2 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Dassault Advisory #3 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Dassault Advisory #4 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

FortiGuard Advisory - FortiGuard published an advisory that describes an OS command injection vulnerability in their FortiManager product.

GE Vernova Advisory #1 - GE published an advisory that discusses two vulnerabilities (both listed in CISA’s Known Exploited Vulnerability catalog) in their Control Server installations utilizing VMware vCenter Server.

GE Vernova Advisory #2 - GE published an advisory that discusses two vulnerabilities (both listed in CISA’s KEV catalog) in their engineering workstations with Veeam Backup & Replication 9.5, 10, or 11 installed.

GE Vernova Advisory #3 - GE published an advisory that discusses six vulnerabilities (one with publicly available exploit) in their UCSE, UCSC, and UCSB controllers utilized in the Mark* VIe Platform.

Hitachi Advisory #1 - Hitachi published an advisory that discusses 19 vulnerabilities in their Ops Center Common Services.

Hitachi Advisory #2 - Hitachi published an advisory that describes a missing authentication for critical function vulnerability in their Infrastructure Analytics Advisor and Ops Center Analyzer products.

Hitachi Advisory #3 - Hitachi published an advisory that discusses 56 vulnerabilities in multiple Hitachi products.

HPE Advisory #1 - HPE published an advisory that discusses an improper authentication vulnerability in their SANnav Management Portal.

HPE Advisory #2 - HPE published an advisory that describes an exposure of sensitive information to unauthorized actor vulnerability in their Alletra MP OS.

Meinberg Advisory - Meinberg published an advisory that discusses four vulnerabilities (one with publicly available exploit) in their Lantime product.

Western Digital Advisory - Western Digital published an advisory that discusses three vulnerabilities in their My Cloud Home & Duo products.

Updates

FortiGuard Update - FortiGuard published an update for their regreSSHion advisory that was originally published on July 9th, 2024, and most recently updated on December 4th, 2024.

Hitachi Energy Update #1 - Hitachi Energy published an update for their Modbus TCP Packet advisory that was originally published on April 19th, 2022, and most recently updated on September 24th, 2024.

Hitachi Energy Update #2 - Hitachi Energy published an update for their RTU500 Series Product advisory that was originally published on March 25th, 2023, and most recently updated on October 1st, 2024.

Hitachi Energy Update #3 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on December 19th, 2023, and most recently updated on September 24th, 2024.

Hitachi Energy Update #4 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on March 26th, 2024, and most recently updated on October 1st, 2024.

Hitachi Energy Update #5 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on April 25th, 2024, and most recently updated on October 1st, 2024.

Hitachi Energy Update #6 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on June 28th, 2022, and most recently updated on September 24th, 2024.

Hitachi Energy Update #7 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on November 28th, 2023, and most recently updated on October 1st, 2024.

Hitachi Energy Update #8 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on February 14th, 2023, and most recently updated on October 1st, 2024.

Palo Alto Networks Update - Palo Alto Networks published an update for their GlobalProtect App advisory that was originally published on November 25th, 2024, and most recently updated on December 13th, 2024.

Researcher Reports

ABB Report - Zero Science published a report that describes an authentication bypass vulnerability (with a publicly available exploit) in the ABB Cylon Aspect building energy management product.

Delta Reports - The Zero Day Initiative published three reports for vulnerabilities in the Delta Electronics DRASimuCAD.

Rockwell Report - ZDI published a report that describes an out-of-bounds write vulnerability in the Rockwell Arena Simulation product.

Exploit

FLIR Exploit - YZS17 published an exploit for a command injection vulnerability in the FLIR AX8 thermal imaging camera.

For more information about these notifications, to include links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-3dd - subscription required.

Friday, December 20, 2024

Short Takes – 12-20-24

We need to address APT threats. Oh, by the way what is an APT? SCADAMAG.Infracritical.com article. Pull quote: “After this non-exhaustive search for a comprehensive definition of APT is it acceptable to conclude  that in terms of addressing the malicious activities of states we still have a dangerously limited definition of APT? That the kinds of non cybercrime related threats to the critical infrastructure of states that can disrupt the economy, affect national security, and degrade the well-being of society are off some of our radar screens?”

‘Bird flu symptoms’: Online searches spike after first severe case in US. TheHill.com article. Pull quote: “Flu experts said the trajectory of the virus in people remains unclear, but they urged people who have contact with sick or dead birds to take precautions, including wearing respiratory and eye protection and gloves when handling poultry.”

Johnson says plan C reached to avert shutdown, vote expected. TheHill.com article. Pull quote: “Members on Thursday night were unsure how they would solve the funding impasse after the plan B failed. They will have to not only get a bill that can appease Trump and pass in the narrow House GOP majority, but get approval from the Democratic-controlled Senate and White House.” NOTE: Passed in House, pending in Senate as of midnight.

HR 10545 Passed in House – American Relief Act, 2025

With less than six hours remaining before the current government funding authorization ended, the House took up yet another version of a continuing resolution, HR 10545, the American Relief Act, 2025. Similar to yesterday’s HR 10515, the bill continues the current spending (FY 2024 levels) authorization through March 14th, 2025, provides a relatively-clean 1-year extension of the Ag bill, and provides additional funding for disaster relief (specifically including agricultural relief for weather related AG losses). Missing is any mention of the debt limit that President-Elect Trump demanded be included in yesterday’s bill. After a little more than one hour of debate, the House passed the bill by a bipartisan vote of 366 to 34 to 1 {Rep Crockett (D,TX) voted ‘Present’}. Not unsurprisingly, all 34 nay votes came from Republicans.

TheHill.com is reporting that the Senate intends to take up HR 10545 before midnight so that there will be no need to ‘shut down’ the federal government. If they are late by even a couple of hours, it will make no practical difference.

Program Extensions

Beyond the healthcare program extensions in Division C, and the agricultural program extensions in Division D, there are five other stand alone program extensions found in Division E (links are provided for programs of interest here):

• Commodity futures trading commission whistleblower program,

• Protection of certain facilities and assets from unmanned aircraft {6 USC 124n(i)},

• Additional special assessment,

• National cybersecurity protection system authorization {6 USC 1525(a)}, and

• Extension of temporary order for fentanyl-related substances.

Notice that the Chemical Facility Anti-Terrorism Standards (CFATS) program was not included. I think that we can finally declare the program to be dead. Any attempt to revive the program in the 119th Congress will have to deal with Sen Paul (R,KY) as Chair of the Senate Homeland Security and Governmental Affairs Committee. Paul can be expected to block any such legislation. Perhaps the focus should be on getting the voluntary ChemLock program authorized and expanded.

Bills Introduced – 12-19-24

Yesterday, with both the House and Senate in session, there were 77 bills introduced. Two of those bills would receive additional coverage in this blog:

HR 10515 Making further continuing appropriations for the fiscal year ending September 30, 2025, and for other purposes. Cole, Tom [Rep.-R-OK-4].

S 5610 A bill to provide grants to support continuing education in election administration or cybersecurity for election officials and employees. Klobuchar, Amy [Sen.-D-MN] 

NOTE: HR 10515 was voted down by the House last night. See my post here. Interestingly the bill still has not been officially printed by the GPO. Probably a waste of time and money at this point.

Transportation Chemical Incidents – Week of 11-16-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 410 (374 highway, 31 air, 5 rail, 0 water)

• Serious incidents – 3 (3 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 0 fire/explosion, 24 no release)

• Largest container involved – 33,600-gal DOT112A340W Railcar {Petroleum Gases, Liquefied Or Liquefied Petroleum Gas} Leaking pressure relief device on ‘empty’ railcar.

• Largest amount spilled – 504-gal A1A steel drum {Resin Solution, Flammable} One 5-gallon metal pail leaked due to improper loading. NOTE: There is a definite mismatch between the reported amount of spill and the description of the event.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Disodium Trioxosilicate – A white, odorless solid. Corrosive to skin, eyes, mouth, throat, esophagus and digestive tract. Water-Reactive. (Source: CameoChemicals.NOAA.gov).

OMB Approves NHTSA Automated Driving System NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the DOT’s National Highway Transportation Safety Administration (NHTSA) on “Exemption and Demonstration Framework for Automated Driving Systems”. The NPRM was submitted to OIRA on October 21st, 2024. NHTSA published an advanced notice of proposed rulemaking (ANPRM) on this topic on December 3rd, 2020.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“This notice would propose a framework for the review and assessment of Automated Driving System (ADS)-equipped vehicles, in order to evaluate operations or requests for exemptions involving such technologies while also informing the agency's approach to future rulemaking and oversight.”

Thursday, December 19, 2024

Short Takes – 12-19-24

Johnson spending deal throws Speakership into question as floor vote approaches. TheHill.com article. Pull quote: “Even if Johnson survives this roadblock, the mutiny he faced over the spending deal is foreshadowing what the next Congress could bring — when Republicans will have an even slimmer majority and, after a number of members depart for the Trump administration, will not be able to afford to lose any lawmakers on party-line votes.”

Johnson has 3 main options to avert a shutdown. None of them are looking good. Politico.com article. Pull quote: “Stopgap with a debt limit hike: This is the preferred option of Trump and others — but it requires rank-and-file to walk what has been the third rail of modern GOP politics: Lifting the nation’s borrowing limits. Republicans have twisted themselves into all sorts of pretzels to avoid precisely these sorts of votes over the last decade, preferring to leave it to Democrats.”

Shutdown chances rise as Johnson defers to Trump on a spending plan. Politico.com article. Pull quote: “There’s no final plan yet, as the Louisiana Republican continues to huddle in his office on Thursday with a rotating cross-section of his conference, including members of his leadership team, House Freedom Caucus lawmakers and others. The speaker is assessing various options and running them by Trump world to ensure he has the incoming president’s buy-in before moving forward on another plan, after Trump publicly trashed the spending bill Wednesday and suddenly demanded that lawmakers raise the debt ceiling as well.”

GOP strikes a new spending deal that includes disaster aid and raising the debt limit. Politico.com article. Pull quote: “The plan Johnson is expected to put on the House floor would fund the government through March 14, just like the spending patch he agreed to with Democrats, and also includes the $110 billion disaster aid package mirroring that bipartisan negotiation. But the measure contains a straightforward extension of current "farm bill" policy for food and agriculture programs, along with a simple renewal of expiring health care policy, rather than making changes to those programs and adding new policy like overhauling rules for pharmacy benefit managers.”

Vast Announces Deal with SpaceX to Launch Two Human Spaceflight Missions to the International Space Station. VastSpace.com update. Pull quote: “"Enabling payload and crewed missions to the ISS is a key part of Vast’s strategy, allowing us to further our collaboration with NASA and global space agencies. These missions not only strengthen our expertise in human spaceflight operations and collaboration with NASA, but also position Vast as a leading contender to deliver the next-generation successor to the ISS, advancing the future of human space exploration," said Max Haot, Chief Executive Officer of Vast.”

Freight Car Safety Standards Implementing the Infrastructure Investment and Jobs Act. Federal Register FRA final rule. Summary: “FRA is amending the Freight Car Safety Standards (FCSS) to implement section 22425 of the Infrastructure Investment and Jobs Act (Act). The Act places certain restrictions on newly built freight cars placed into service in the United States (U.S.) including limiting content that originates from a country of concern (COC) or is sourced from a state-owned enterprise (SOE) and prohibiting sensitive technology that originates from a COC or is sourced from a SOE. The Act mandates that FRA issue a regulation to monitor and enforce industry's compliance with the Act's standards.”

US temporarily bans drones in parts of NJ, may use “deadly force” against aircraft. ArsTechnica.com article. Pull quote: “The New Jersey Office of Homeland Security and Preparedness recently released a "drone incidents FAQ" to answer residents' concerns. One question in the FAQ was, "Why can't authorities or the military shoot down or capture a drone midflight?" It answered that "state and local authorities do not have the legal ability to mitigate threatening drone activity at this time" and that "federal agencies and the US military have different legal abilities and technical capabilities."”

Intel Officials Warned Police That US Cities Aren’t Ready for Hostile Drones. Wired.com article. Pull quote: “In the memo obtained by WIRED, DHS displays less confidence in its ability to detect menacing drones. The document, which authorities were instructed not to make public, states that “tactics and technology to evade counter-UAS capabilities are circulated and sold online with little to no regulation.” In reality, the ability of police to track errant drones is hindered by a range of evolving technologies, the memo says, including “autonomous flight, 5G command and control, jamming protection technology, swarming technology, and software that disables geofencing restrictions.””

NASA, Axiom Space Change Assembly Order of Commercial Space Station. NASA.gov article. Pull quote: “Under the company’s new assembly sequence, the Payload, Power, and Thermal Module will launch to the orbiting laboratory first, allowing it to depart as early as 2028 and become a free-flying destination known as Axiom Station. In free-flight, Axiom Space will continue assembly of the commercial destination, adding the Habitat 1 module, an airlock, Habitat 2 module, and the Research and Manufacturing Facility.”

Perchloroethylene (PCE); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA final rule. Summary: “The Environmental Protection Agency (EPA or Agency) is finalizing a rule to address the unreasonable risk of injury to health presented by perchloroethylene (PCE) under its conditions of use. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so that the chemical no longer presents unreasonable risk. EPA's final rule will, among other things, prevent serious illness associated with uncontrolled exposures to the chemical by preventing consumer access to the chemical, restricting the industrial and commercial use of the chemical while also allowing for a reasonable transition period where the industrial and commercial use of the chemical is being prohibited, providing a time-limited exemption for a critical or essential use of PCE for which no technically and economically feasible safer alternative is available, and protecting workers from the unreasonable risk of PCE while on the job.” Effective date: January 17th, 2025.

Updates to New Chemicals Regulations Under the Toxic Substances Control Act (TSCA). Federal Register EPA final rule. Summary: “The Environmental Protection Agency (EPA or the Agency) is amending the new chemicals procedural regulations under the Toxic Substances Control Act (TSCA). These amendments align the regulatory text with the amendments to TSCA's new chemicals review provisions contained in the Frank R. Lautenberg Chemical Safety for the 21st Century Act, enacted on June 22, 2016, will improve the efficiency of EPA's review processes, and update the regulations based on existing policies and experience implementing the New Chemicals Program. This final rule includes amendments that will increase the quality of information initially submitted in new chemicals notices and improve the Agency's processes for timely, effective completion of individual risk assessments and the new chemicals review process overall. EPA is also finalizing several amendments to the regulations for low volume exemptions (LVEs) and low release and exposure exemptions (LoREXs), which will require EPA approval of an exemption notice prior to commencement of manufacture, make per- and polyfluoroalkyl substances (PFAS) categorically ineligible for these exemptions, and provide that certain persistent, bioaccumulative, toxic (PBT) chemical substances are ineligible for these exemptions.”  Effective date: January 17th, 2025.

Boeing Starliner astronauts will return to Earth in March 2025 after new NASA, SpaceX delay. Space.com article. Pull quote: “Adding a fifth Crew Dragon to its fleet will allow SpaceX more versatility in its commercial offerings and NASA some extra flexibility in its mission manifests as well. For instance, had a fifth Dragon been available to launch without disruption to the Crew-9 and Crew-10 missions, it's possible NASA could have utilized such a vehicle to bring Starliner's Wilmore and Williams home at an earlier date.”

HR 10515 Failed in House – Trump Revised CR

After President-Elect Trump objected to the language of HR 10445, Speaker Johnson came up with a new version of the CR that met Trump's requirement, HR 10515 (draft version), the American Relief Act, 2025. The House took up that bill this evening and rejected the revised CR by a vote of 174 to 235. Thirty-five Republicans rejected the leadership's bill along with all but two Democrats. Politico.com is reporting that Democrats rejected the bill because they were left out of the negotiations today.

There were two reasons for the Republican opposition to the bill. First, it was another continuing resolution and there is a hard-core faction that will never support anything but the 12 standard spending bills. The second item was the addition demanded by Trump, the temporary extension of the debt limit (§5106). There are many in the Republican party that would not support such an extension without the inclusion of spending limits.

There is an outside chance that Johnson will bite the bullet and bring HR 10445 to the floor for a vote. There will be fewer Republican votes, but there will be a large number of Democrats that would support that bill, perhaps enough to make the supermajority limit required for passage under the suspension of the rules. The number of Republican votes will depend on individuals weighing the Trump/Musk threats versus being held responsible for a holiday government shutdown.

Regardless of what happens with the spending deadline, the Republicans have a real problem facing them on January 3rd when the House convenes for the 119th Congress. It is now obvious to even the most hopeful observer that Johnson will not be able to get 217 votes for Speaker in the opening vote. Too many people are upset with the way this CR issue was dealt with. And it does not look like Johnson is a good enough horse trader to get the requisite votes even further down the line. A bigger problem is the Party has no realistic backup candidate that can do any better. There are just too many bitter feelings and divergent views of where the Party should be going. January 2025 is going to be interesting, even before the 20th.

 