Monday, March 30, 2026

Review – HR 7390 Introduced - SELF DRIVE Act

Last month Rep Latta (R,OH) introduced HR 7390, the Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution (SELF DRIVE) Act of 2026. The bill would require the establishment of motor vehicle safety standards for automated driving systems. No new funding is authorized.

I could find no legislation in the 118th Congress that would appear to be similar to HR 7390. There was a similarly titled bill (HR 3711) introduced in the 117th Congress by Latta, but it was substantially different from this bill. No action was taken in the House on the earlier bill.

The bill would add two new sections to 49 USC Chapter 301:

§30130. Motor vehicle safety standards for automated driving systems, and

§30131. National Automated Vehicle Safety Data Repository

The proposed §30130 includes cybersecurity requirements.

Moving Forward

On February 10th, 2026 the Subcommittee on Commerce, Manufacturing, and Trade of the House Energy and Commerce Committee held a business meeting where HR 7390 was considered. Three amendments were offered and withdrawn. The Subcommittee voted 12 to 11 to refer the bill favorably to the full Committee.

 

For more information about the cybersecurity provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7390-introduced-self-drive-act - subscription required.

Sunday, March 29, 2026

Review – Public ICS Disclosures – Week of 3-21-26 – Part 2

For Part 2 we have nine additional vendor disclosures from Siemens, Supermicro, TP-Link (4), WatchGuard (2), and Yokogawa. Finally, we have a vendor update from FortiGuard.

Advisories

Siemens Advisory - Siemens published an advisory that describes two vulnerabilities in their SICAM 8 products.

Supermicro Advisory - Supermicro published an advisory that discusses nine vulnerabilities in multiple Supermicro product lines.

TP-Link Advisory #1 - TP-Link published an advisory that describes a clear-text storage of sensitive information vulnerability in their TL-WR850N wireless router.

TP-Link Advisory #2 - TP-Link published an advisory that describes an out-of-bounds read vulnerability in their TL-WR841N wireless router.

TP-Link Advisory #3 - TP-Link published an advisory that describes an improper input validation vulnerability in their TD-W8961N wireless modem-router.

TP-Link Advisory #4 - TP-Link published an advisory that describes four vulnerabilities in their Archer NX series gigabit wireless routers.

WatchGuard Advisory #1 - WatchGuard published an advisory that describes a deserialization of untrusted data vulnerability in their Fireware OS products.

WatchGuard Advisory #2 - WatchGuard published an advisory that describes a cross-site request forgery vulnerability in their Fireware OS WebUI.

Yokogawa Advisory - Yokogawa published an advisory that describes a use of hard-coded password vulnerability in their CENTUM VP products.

Updates

FortiGuard Update - FortiGuard published an update for their vmimages update feature advisory that was originally published on March 10th, 2026.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-a57 - subscription required.

Saturday, March 28, 2026

House Reamended and Repassed HR 7147 – FY 2026 DHS Spending

Friday, after receiving the amended version of HR 7147, the FY 2026 DHS spending bill, from the Senate, the House took up H Res 1142 - Providing for disposition of the Senate amendment to the bill (H.R. 7147) making further consolidated appropriations for the fiscal year ending September 30, 2026, and for other purposes. That resolution was very short:

“Resolved, That upon adoption of this resolution, the House shall be considered to have taken from the Speaker's table the bill (H.R. 7147) making further consolidated appropriations for the fiscal year ending September 30, 2026, and for other purposes, with the Senate amendment thereto, and to have concurred in the Senate amendment with an amendment consisting of the text of Rules Committee Print 119–21.”

The resulting House amended version of HR 7147 would extend the lapsed continuing resolution (PL 119-37) through May 22nd, 2026.

After almost two hours of debate the House approved H Res 1142 by a near party-line vote of 213 to 203. Three Democrats and one Independent voted with the Republicans on the resolution. The further amended version of HR 7147 now goes back to the Senate.

The Senate is not scheduled to return to Washington until April 13th, 2026. In my opinion, there is not much chance that the Senate will agree to the House amendment. It will be interesting to see if they ask the House to go to conference on the bill.

Chemical Incident Reporting – Week of 3-21-26

NOTE: See here for series background.

Beachwood, OH – 3-19-26

Local News Report: Here and here.

There was a medical clinic that was evacuated due to an unidentified odor. Oxygen levels tested as low. While some workers felt ill, there were no hospitalizations reported.

Not CSB reportable.

Port Arthur, TX – 3-23-26

Local News Report: Here, here, and here.

There was an explosion and fire at an oil refinery. A shelter-in-place order was issued for nearby residents. No injuries or fatalities were reported.

Possible CSB reportable.

Berlin, NJ – 3-26-26

Local News Report: Here, here, and here.

There was a gas pipeline leak that caused a highway closure. No fires, injuries, or deaths were reported.

Not CSB reportable, transportation incident.

Spartanburg, SC – 3-26-26

Local News Report: Here and here.

There was a rail car pressurization event at a chemical manufacturing facility. Flaring was used to relieve the excessive pressure in the railcar. No injuries were reported.

Not CSB reportable.

HR 7147 Amended and Passed in Senate – FY 2026 DHS Spending

Late Thursday night (actually 2:17 am Friday) the Senate bypassed all of the previous attempts to close debate on proceeding to consideration of HR 7147, the FY 2026 DHS spending bill, and began consideration of the bill (pg S1660) under unanimous consent. The Senate took up Thune amendment SA 4790, which was substitute language that removed the section dealing with Immigration and Customs Enforcement (ICE), thus removing funding for that agency from the bill. The amended language and then the amended bill were then adopted by voice vote. Of course, ICE has continued functioning and paying their personnel during the DHS shutdown from monies authorized by the “Big Beautiful Bill”.

Passed by ‘voice vote’ is normally an indication of broad, bipartisan support, as would the consideration of the measure under unanimous consent. But, this bill was ‘considered’ late at night and reporting by Andrew Desiderio of Punchbowl.news noted that there were only five Senators present on the Senate floor when the vote was cast; Sen Thune (R,SD), Sen Schmidt (R,MO), Sen Moreno (R,OH; presiding), Sen Schatz (D,HI), and Sen Kim (D,NJ). So, while there was technically bipartisan support for the measure, there are legitimate questions about how widespread that support extended in both parties.

More on subsequent action in the House in a separate post.

Review – Public ICS Disclosures – Week of 3-21-26 – Part 1

This week was a relatively light disclosure week. We have eleven vendor disclosures from ABB, CODESYS (2), Helmholz, Hitachi (2), HP, HPE, MB Connect, Mitsubishi, and Philips.

Advisories

ABB Advisory - ABB published an advisory that discusses 25 vulnerabilities in their Ability Camera Connect product.

CODESYS Advisory #1 - CODESYS published an advisory that describes the use of an externally-controlled format string vulnerability in their Control and Runtime Toolkit products.

CODESYS Advisory #2 - CODESYS published an advisory that describes an incorrect resource transfer between spheres vulnerability in their Control runtime system.

Helmholz Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the Helmholz myREX24V2 products.

Hitachi Advisory #1 - Hitachi published an advisory that describes a cross-site scripting vulnerability in their Infrastructure Analytics Advisor and Ops Center Analyzer products.

Hitachi Advisory #2 - Hitachi published an advisory that describes an open redirect vulnerability in their Ops Center Administrator product.

HP Advisory - HP published an advisory that discusses an out-of-bounds write vulnerability in their consumer notebook PCs.

HPE Advisory - HPE published an advisory that discusses three vulnerabilities (two with publicly available exploits) in their Telco Service Orchestrator product.

MB Connect Advisory - MB Connect published an advisory that describes two vulnerabilities in their mbCONNECT24 products.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses a heap-based buffer overflow vulnerability in multiple Mitsubishi HVAC products.

Philips Advisory - Philips published an advisory that discusses a known Oracle missing authentication for critical function vulnerability.

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-4d6 - subscription required.

Friday, March 27, 2026

Short Takes – 3-27-26 – Federal Register Edition

Perchloroethylene (PCE) and Carbon Tetrachloride (CTC); Regulation Under the Toxic Substances Control Act (TSCA); Compliance Date Extensions. Federal Register EPA notice of proposed rulemaking. Summary: “The Environmental Protection Agency (EPA or Agency) is proposing to extend certain compliance dates applicable to certain entities subject to the regulation of perchloroethylene (PCE) and carbon tetrachloride (CTC) under the Toxic Substances Control Act (TSCA). EPA is proposing to extend certain Workplace Chemical Protection Program (WCPP) compliance dates for non-federal owners and operators to match the compliance dates for federal agencies and their contractors. For both PCE and CTC, this proposal would extend the compliance date for initial monitoring for inhalation exposure to June 21, 2027, and extend the compliance date to meet the existing chemical exposure limit (ECEL), establish a regulated area, provide any required respiratory personal protective equipment (PPE), and establish a respiratory PPE program to September 20, 2027. For PCE, EPA is also proposing to extend the compliance date for non-federal entities to establish and implement an exposure control plan to December 20, 2027.”

Continuation of the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities. Federal Register Office of the President continuation of national emergency notice. Summary: “These significant malicious cyber-enabled activities continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. For this reason, the national emergency declared in Executive Order 13694, and with respect to which additional steps were taken in Executive Order 13757, Executive Order 13984, Executive Order 14110 (revoked by Executive Order 14148), Executive Order 14144, and Executive Order 14306, must continue in effect beyond April 1, 2026. Therefore, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), I am continuing for 1 year the national emergency declared in Executive Order 13694.”

DOT Technical Assistance PRA. Federal Register DOT/OS 60-day ICR renewal notice.

EO 14397 - Further Continuance of the Federal Emergency Management Agency Review Council. Federal Register.

Review – Bills Introduced – 3-26-26

Yesterday, with both the House and Senate in session and the Senate preparing to leave for their two-week Easter holiday, there were 121 bills introduced. One of those bills may receive additional coverage in this blog:

HR 8110 To establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. Lee, Susie [Rep.-D-NV-3]

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

S 4264 A bill to provide NASA the authority to detect, identify, monitor, and track unmanned aircraft systems, and for other purposes. Peters, Gary C. [Sen.-D-MI]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-26-26 - subscription required.

Chemical Transportation Incidents – Week of 2-21-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 447 (408 highway, 31 air, 7 rail, 1 water)

• Serious incidents – 4 (3 Bulk release, 1 evacuation, 1 injury, 0 death, 0 major artery closed, 6 fire/explosion, 36 no release)

• Largest container involved – 203,900-gal (?) DOT 117R100W Railcar {Diesel Fuel} Bottom outlet valve leaking.

• Largest amount spilled – 500-gal Tank truck {Gasoline Includes Gasoline Mixed With Ethyl Alcohol, With Not More Than 10% Alcohol} Vent pipe malfunction.

• Total amount reported spilled in all incidents – 2117.9-gal

NOTE: Links above are to Form 5800.1 for the described incidents. Link not available for tank truck incident.

Most Interesting Chemical: Tributylamine: A pale yellow liquid with an ammonia-like odor. Less dense than water. Very irritating to skin, mucous membranes, and eyes. May be toxic by skin absorption. Low toxicity. Used as an inhibitor in hydraulic fluids. (Source: CameoChemicals.NOAA.gov).



OMB Approves NTIA Space Launch Portal ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the initial information collection request from DOC’s National Telecommunications and Information Administration (NTIA) for “NTIA Space Launch Frequency Coordination Portal” and assigned the OMB Control Number 0660-0057 to that collection. The 60-day ICR notice was published on October 1st, 2025 and the 30-day ICR notice was published on January 27th, 2026.

The table below provides the approved initial burden estimate.

The supporting document provided to OIRA explains that:

“The proposed portal will collect the information [currently] submitted via e-mail through an online portal.  This information will be routed through the portal and reviewed by NTIA and other federal agencies.  A dashboard will provide transparency on where the request is in the portal.  This system will replace an outdated e-mail process and expedite processing time.”

OMB Approves EPA Chemical Manufacturing NESHAP Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the EPA on “National Emission Standards for Hazardous Air Pollutants: Chemical Manufacturing Area Source Technology Review”. The final rule was sent to OIRA on February 23rd, 2026. The notice of proposed rulemaking was published on January 22nd, 2025. There was a judicial deadline for the publication of this final rule of January 15th, 2026.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“This action will address the agency's technology review of the National Emission Standards for Hazardous Air Pollutants (NESHAP) for Chemical Manufacturing Area Sources (CMAS). The CMAS NESHAP, subpart VVVVVV, was promulgated on October 29, 2009, pursuant to section 112(d) of the Clean Air Act (CAA) and established emission limitations and work practice requirements for controlling emissions of hazardous air pollutants (HAP). The NESHAP controls HAP emissions from process vents, storage tanks, equipment leaks, wastewater streams, transfer operations and heat exchange systems. This action addresses the technology review requirements of CAA section 112(d)(6) which require the EPA to review and revise the standards as necessary (taking into account developments in practices, processes and control technologies) no less often than every 8 years.”


This appears to be outside of the normal scope of this blog, but I would expect to announce the publication of the final rule in the appropriate Short Takes post. I would expect publication within the next week or two.

Thursday, March 26, 2026

HR 8029 Passed in House – FY 2026 DHS Spending

This afternoon the House considered HR 8029, the Pay Our Homeland Defenders Act, under a closed rule. After an hour and 20 minutes of debate, the House passed the bill by a near party line vote of 218 to 206. Four Democrats and one Independent voted Aye. The bill now goes to the Senate where it will suffer the same problems as HR 7147, the nearly identical bill that was passed in the House on January 22nd, 2026, but has not been able to gain the 60 votes needed for passage in the Senate.

Review – 3 Advisories and 1 Update Published – 3-26-26

Today CISA’s NCCIC-ICS published three control system security advisories for products from PTC, OpenCode Systems, and WAGO. They also updated an advisory for products from Honeywell.

Advisories

PTC Advisory - This advisory describes a code injection vulnerability (with available indicators of compromise) in the PTC Windchill and FlexPLM product lifecycle management products.

OpenCode Advisory - This advisory describes an improper access control vulnerability in the OpenCode Systems OC Messaging and USSD Gateway.

WAGO Advisory - This advisory describes a hidden functionality vulnerability in the WAGO Industrial Managed Switches.

Updates

Honeywell Update - This update provides additional information on the IQ4x BMS Controller advisory that was originally published on March 10th, 2026.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-4be - subscription required.

Short Takes – 3-26-26 – Federal Register Edition

2026 Report on the Effectiveness of the Terrorism Risk Insurance Program. Federal Register Treasury Department. Request for comments. Summary: “The Terrorism Risk Insurance Act of 2002, as amended (TRIA), established the Terrorism Risk Insurance Program (TRIP or Program). TRIA requires the Secretary of the Treasury (Secretary) to submit a report to Congress by June 30, 2026 concerning, in general, the overall effectiveness of TRIP. To assist the Secretary in formulating the report, the Federal Insurance Office (FIO) within the Department of the Treasury (Treasury) is seeking comments from the insurance sector and other stakeholders on the statutory factors to be analyzed in the report, as well as any other feedback on other issues relating to the effectiveness of TRIP.”

EO 14396 - Preserving America's Game – Federal Register.

ICR Notices

• Access to TSCA Confidential Business Information (Renewal). EPA 30-day notice,

• Miscellaneous Licensing and Reporting Responsibilities and Enforcement (Renewal). BIS 30-day notice,

• NOAA Space-Based Data Collection System (DCS) Agreement (Revision). NASA 30-day notice,

• User Needs Survey by the Space Weather Advisory Group (Renewal). NOAA 30-day notice.

Review – Bills Introduced – 3-25-26

Yesterday, with both the House and Senate in Washington, there were 64 bills introduced. None of those bills will receive additional coverage in this blog.

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

S 4201 A bill to require the Chief of Space Operations to submit a feasibility report on expanding the Multinational Force Operation Olympic Defender. Bennet, Michael F. [Sen.-D-CO]

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing about a bill to require energy and water use reporting from data centers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-25-26 - subscription required.

NHC Publishes 2026 New Products and Services Document

Earlier this week the National Hurricane Center (NHC) published their “National Hurricane Center Products and Services Update for 2026 Hurricane Season”. This document includes more information on the forecast-cone graphics developments that I discussed yesterday. It also includes information on:

• Storm Surge Watches and Warnings, Peak Storm Surge Graphic, and Potential Storm Surge Flooding Map for Hawaii,

• Mobile-friendly front page of the NHC website,

• Updated symbology of disturbances in the Graphical Tropical Weather Outlook for which development is not expected,

• Annual update to the track forecast error cone,

• Experimental Graphical Marine Wind Warning.

Wednesday, March 25, 2026

OMB Approves DOT Rulemaking Procedure Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rulemaking from the DOT’s Office of the Secretary on “Administrative Rulemaking, Guidance, and Enforcement Procedures”. The final rule was sent to OMB on February 24th, 2026. The notice of proposed rulemaking (NPRM) was published on May 16th, 2025.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“This rulemaking would reinstate and expound upon procedural reforms for the Department’s rulemakings, guidance documents, and enforcement actions rescinded by a final rule published by the Department on April 2, 2021, Administrative Rulemaking, Guidance, and Enforcement Procedures (86 FR 17292). Accordingly, this proposed rule would revise and update the Department’s internal policies and procedures relating to the issuance of rulemaking documents. In addition, this rulemaking would update the Department’s procedural requirements governing the review and clearance of guidance documents, and the initiation and conduct of enforcement actions, including administrative enforcement proceedings and judicial enforcement actions brought in Federal court.”


As this final rule outlines essentially internal rules for DOT, I do not expect to cover this in any detail when it is published in the next week or two. At a minimum, I will note its publication in the appropriate Short Takes post.

NHC Updates Forecast-Cone Graphics for 2026 Hurricane Season

Yesterday the National Hurricane Center (NHC) published an update for the expected use of their forecast-cone graphics. The NHC has been updating these graphics over the last couple of seasons to visually provide more information. Most of this newly added information was trialed last season as an optional experimental graphic.

The new information includes:

• Incorporates all land-based (coastal and inland) tropical storm and hurricane watches and warnings in effect for the continental United States, Hawaii, Puerto Rico, and the U.S. Virgin Islands;

• Uses single shading for the entire 5-day outlook cone;

• Legend depicts symbols for areas where a hurricane watch and tropical storm warning are both in effect (represented by diagonal pink and blue lines); and

• Full and intermediate Tropical Cyclone Advisories are/will be publicly available on hurricanes.gov.

This season’s experimental graphics will change how the NHC determines the dimensions of the cone graphics. On the experimental version, instead of using a set of circles set at a 67% experimental error to determine the width of the cone, yesterday’s update notes that:

“Beginning in 2026, the experimental cone will use ellipses anchored at each NHC forecast point, allowing for the experimental cone to capture a range of possibilities for both the speed and direction of the tropical cyclone’s forecast path. NHC will experiment changing two aspects of the cone using ellipses (instead of circles) to account for errors in speed and direction, and the cone will include 90% of forecast track possibilities, instead of the traditional 67% forecast error.”


This should mean that the experimental cones will be larger. The increase in width of the cone will probably be the most noticeable difference, but the overall length of the cone should also increase.

Review – Bills Introduced – 3-24-26

Yesterday, with both the House and Senate in Washington, there were 61 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 8050 To direct owners and operators of gas distribution pipeline facilities to assess systems for the presence of Aldyl-A polyethylene, and for other purposes. Houlahan, Chrissy [Rep.-D-PA-6]

S 4166 A bill to amend the Energy Policy and Conservation Act to require States to include supporting the physical security, cybersecurity, and resilience of local distribution systems in State energy security plans, and for other purposes. Cortez Masto, Catherine [Sen.-D-NV] 

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing about yet another bill that would provide some measure of pay equity for DHS employees during the shutdown, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-24-26 - subscription required.

Response to ITI Problem

Last week I posted a brief piece looking at a ‘new’ chemical safety problem, instant tank ignition (ITI), described by Valerii Ivanov in a LinkedIn.com article. He posited that there is currently no effective safety response to this type of conflagration, in part because of the lack of a fast enough fire detection system. Today, I read an article at ChemistryWorld.com that may describe the sensor for developing that critical fire suppression system.

The article notes that:

“Now, an international team of researchers has combined cellulose/MXene with gallium–indium alloy nanoparticles in a low-cost, scalable process to create a durable film that enables ultrafast, reversible thermoresistive switching. The new material can activate alarms in roughly 4 seconds upon exposure to flame, and recover its resistance in about half that time.”

Tuesday, March 24, 2026

Review – 4 Advisories and 1 Update Published – 3-24-26

Today CISA’s NCCIC-ICS published three control system security advisories for products from Schneider (2) and Pharos Controls. They published a medical device security advisory for products from Grassroots.

Advisories

Schneider Advisory #1 - This advisory discusses four vulnerabilities (with publicly available exploit) in the Schneider Plant iT/Brewmaxx product.

Schneider Advisory #2 - This advisory describes a deserialization of untrusted data vulnerability in the Schneider EcoStruxure Foxboro DCS.

Pharos Advisory - This advisory describes a missing authentication for critical function vulnerability in the Pharos Mosaic Show Controller.

Grassroots Advisory - This advisory describes a missing release of memory after effective lifetime vulnerability in the Grassroots DICOM library.

Updates

WHILL Update - This update provides additional information on the Model C2 Electric Wheelchairs advisory that was originally reported on December 30th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-1-update-published-2f7 - subscription required.

CSB Publishes Safety Spotlight Acknowledging AFPM Actions

Yesterday the Chemical Safety Board announced the publication of a Safety Spotlight document acknowledging the American Fuel and Petrochemical Manufacturers (AFPM) for the organization’s leadership in chemical safety. Specifically, CSB noted that the AFPM took responsibility for addressing the CSB’s safety recommendation for the American Petroleum Institute (API) that resulted from the Board’s investigation of the 2018 Husky refinery explosion and fire.

The CSB notes that:

“This type of positive collaboration to implement CSB recommendations illustrates that addressing chemical safety is a shared responsibility and should be emulated by others. Such commendable action helps drive chemical safety excellence.”

NASA Sends NEPA Implementation IFR to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule from NASA on “Procedures for Implementing the National Environmental Policy Act”. This is part of the ongoing federal agency response to CEQ’s implementation of EO 14154 requirements to rescind National Environmental Policy Act regulations and update NEPA guidance.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“The National Aeronautics and Space Administration (NASA) is amending its existing regulations related to environmental quality at 14 CFR 1216 as directed by the Council on Environmental Quality (CEQ) per Memorandum from Executive Office of the President for Heads of Federal Departments and Agencies to meet Executive Orders requirements.”

Coverage of this IFR will fall under my limited Space Geek coverage.

Monday, March 23, 2026

HR 8029 Introduced – FY 2026 DHS Spending

Last week Rep Ciscomani (R,AZ) introduced HR 8029, the Pay Our Homeland Defenders Act. This bill would provide for spending for the Department of Homeland Security through September 30th, 2026. For the most part this bill is the same as HR 7147, the Department of Homeland Security Appropriations Act, 2026, that is still being ‘considered’ in the Senate.

One provision from HR 7147 is not found in this new bill, §554, Repeal of Senate Notification Requirements Relating to Legal Process on Disclosures of Senate Data. The same provision was included in HR 7148 {§105, Division H}, the last FY 2026 minibus spending bill that was passed in February.

HR 8029 includes the actual text of the spending bill as Division A of the bill. Division B, Further Additional Continuing Appropriations Act, 2026, addresses the period of no funding since February 13th, 2026. It provides the legal language authorizing back pay for DHS employees, and other obligations made by the Department during that period.

The House Rules Committee is scheduled to meet tomorrow to formulate the rule for the consideration of this bill.

Sunday, March 22, 2026

Review – CSB Updates Accidental Release Reporting Data – 3-1-26

Last week the CSB updated their published list of reported chemical release incidents. They added 19 new incidents that occurred since the previous version was published in January 2026. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604) through March 1st, 2026.

The table below shows the top five states based upon the number of reported incidents since the December update was published. In this case, with the short time frame since the last update, these were the only states that had reported incidents.


For more information on the updated incident reporting data, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-b39 - subscription required.

Saturday, March 21, 2026

Forced Instant Tank Ignition

There is an interesting post over on LinkedIn where the author, Valerii Ivanov, introduces a new industrial safety term ‘forced instant tank ignition’. He uses this term to describe the type of conflagration that is increasingly being seen in the Persian Gulf region; the catastrophic failure and near instantaneous ignition of large petroleum product storage tanks caused by drone and missile strikes.

Ivanov makes the point that chemical safety programs are not equipped to protect facilities from these types of incidents. Tank failure sensors and fire suppression systems have not been designed to respond to the scope and speed of these military conflict-initiated incidents.

To be fair, safety programs have enough problems dealing with neglect, equipment failures, and human mistakes. Asking safety managers to deal with military strikes is certainly going beyond the scope of their training and fiscal support. Having said that, the current Iranian contretemps show that attacking critical industrial chemical facilities is a cheap route to effective asymmetric warfare with an impact well beyond the cost of the attack.

Ivanov points to investigating and implementing fire suppression systems that are capable of dealing with this type of instantaneous conflagration. While that would limit the effects of such attacks, safety engineering teaches that preventing incidents is more cost effective than mitigating their effects. Protecting chemical facilities from military scale drone and missile attacks is beyond the capabilities of facility security forces and requires a high-level look at the political and military calculus of point defense operations.

Smaller scale drone attacks (both air and sea) by paramilitary and terrorist forces are certain to increase in number and effectiveness against chemical facilities now that their effectiveness has been clearly demonstrated. Facility security forces are almost certainly going to be called upon to conduct defense against these smaller scale attacks, even if government regulations continue to ignore the need for local counter drone operations.

Short Takes – 3-21-26 – Federal Register Edition

Clearance of Renewed Approval of Information Collection: Human Space Flight Requirements for Crew/Space Flight Participants. Federal Register FAA 60-day ICR renewal notice. Summary: “The collection involves information demonstrating that a launch or reentry operation involving human participants will meet the risk criteria and requirement to ensure public safety. The FAA has established requirements for human space flight crew and space flight participants as required by the Commercial Space Launch Amendments Act of 2004. On December 15, 2006, the FAA published a final rule (71 FR 75616) which established requirements for crew qualifications, training and notification, and training and informed consent requirements for space flight participants. The requirements were designed to achieve public safety and to notify participants of the risks they face from launch or reentry.”

NASA Front Door. Federal Register NASA 60-day ICR renewal notice. Summary: “The NASA Front Door (NFD) is an online/web-based tool that will serve as a centralized digital hub to help facilitate engagement between individuals, organizations, and the workforce of NASA, providing personalized support, guidance, and efficient access to NASA's extensive programs, opportunities, resources, and expertise. The information collection will consist of general contact information, interest/intake information and when appropriate, demographic information as part of registration profile. The information will be reviewed by NASA representatives to route individuals, organizations and the workforce of NASA to relevant NASA services, opportunities, resources, and/or expertise.”

Unmanned Aircraft System (UAS) Integration at Airports and Necessary Planning, Design, and Physical Infrastructure Needs. Federal Register – FAA 30-day new ICR notice. Summary: “The collection involves conducting research in the form of written responses or interviews with aviation stakeholders (e.g., airport/droneport operators, private entities, original equipment manufacturers, unmanned aircraft system (UAS) industry vendors, academia, representatives of the military, aviation stakeholders, etc.) to catalog current and planned droneport planning, design, and infrastructure needs, as well as find out which airports are integrating UAS into the airport environment. During each interview, the FAA will ask the stakeholders a specific set of questions, and if necessary, fact-specific follow-up questions will be posed to clarify and enhance the respondent's answers to the specified set of questions. If preferred, stakeholders will be able to provide written responses in lieu of an interview.”

Pipeline Safety: Request for Special Permit; Sable Offshore Corp. Federal Register PHMSA special permit comment extension. Summary: “On February 24, 2026, PHMSA published a notice to solicit public comment on a request for a special permit submitted by Sable Offshore Corp. (Sable). The comment period is currently set to expire on March 26, 2026. PHMSA is issuing this notice to extend the comment period until 14 days from the date of this notice to give the public time to review the proposed special permit in light of recent developments. At the conclusion of the extended comment period, PHMSA will review the comments received from this notice as part of its evaluation to grant or deny the special permit request.”

New Cosponsor Added for S 2938 – AI Risk Evaluation

Earlier this week, Sen Blackburn (R,TN) was added as a cosponsor to S 2938, the Artificial Intelligence Risk Evaluation Act of 2025. She is a member of the Senate Commerce, Science, and Transportation Committee, to which this bill was assigned for consideration. Since Blackburn is a subcommittee chair, there may now be sufficient influence to see the bill considered in Committee. Still, the AI industry’s opposition to the provisions of the bill may stop the bill from moving forward.

The bill would require DOE to establish an Advanced Artificial Intelligence Evaluation Program, and each year submit to Congress a detailed recommendation for Federal oversight of advanced artificial intelligence systems. No new funding is provided in the bill.

Chemical Incident Reporting – Week of 3-14-26


NOTE: See here for series background.

Dorris, CA – 3-17-26

Local News Report: Here, here, and here.

There was a paraquat dichloride spill on a roadway when a drum fell off of a truck. Twelve people sought medical attention.

Not CSB reportable. Transportation related incident.

Pueblo, CO – 3-17-26

Local News Report: Here, here, and here.

There was a tanker rollover accident that resulted in a diesel fuel spill. The driver suffered minor injuries. The freeway was shut down in both directions while cleanup was completed.

Not CSB reportable. Transportation related incident.

Augusta, GA – 3-18-26

Local News Report: Here, here, and here.

There was an unidentified chemical (ammonia odor) spill on a roadway. The road was closed during the cleanup. No injuries were reported.

Not CSB reportable. Transportation related incident.

Richmond, TX – 3-18-26

Local News Report: Here, here, and here.

There was a train derailment with two leaking ethanol railcars. A total of 23 cars derailed. No injuries reported. Multiple crossings were blocked.

Not CSB reportable. Transportation related incident.

Janesville, WI – 3-19-26

Local News Report: Here, here, and here.

There was an equipment overpressure explosion at a food processing facility. Two employees with ‘life threatening’ injuries were airlifted to hospital.

CSB reportable.

Denver, CO – 3-19-26

Local News Report: Here, here, and here.

There was an explosion and fire at a gas station, possibly caused by a natural gas leak. Two people were transported to the hospital with blast and burn injuries. The building was severely damaged.

Probable CSB reportable.

Review – Bills Introduced – 3-20-26

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 12 bills introduced. One of those bills will receive additional coverage in this blog:

HR 8029 Pay Our Homeland Defenders Act Ciscomani, Juan [Rep.-R-AZ-6]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-20-26  - subscription required.

Review – Public ICS Disclosures – Week of 3-14-26

This is a relatively light disclosure week. We have bulk vendor disclosures from QNAP (5). We have 10 additional vendor disclosures from Dassault Systèmes, Dell, HPE (3), Philips, Phoenix Contact, Rockwell Automation, Splunk, and TP-Link. We have bulk vendor updates from HP (6). There are two additional vendor updates from Dell and Siemens. Finally, we have 11 researcher reports for products from Hikvision and TP-Link (10).

Bulk Vendor Disclosures – QNAP

Vulnerability in QVR Pro,

Multiple Vulnerabilities in QuNetSwitch (ADRA NDR),

Vulnerability in Media Streaming Add-on,  

Multiple Vulnerabilities in QuRouter (PWN2OWN 2025), and

Vulnerability in QuFTP Service.

Advisories

Dassault Advisory - Dassault published an advisory that describes a code injection vulnerability in their SOLIDWORKS Desktop.

Dell Advisory - Dell published an advisory that describes three vulnerabilities in their ThinOS 10 product.

HPE Advisory #1 - HPE published an advisory that discusses four vulnerabilities in their B-Series SANnav Management Portal product.

HPE Advisory #2 - HPE published an advisory that discusses seven vulnerabilities in their SAN Switches.

HPE Advisory #3 - HPE published an advisory that discusses a stack-based buffer overflow vulnerability in their Telco Service Orchestrator.

Philips Advisory - Philips published an advisory that discusses a Java security library vulnerability.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses eight vulnerabilities in their FL SWITCH product lines.

Rockwell Advisory - Rockwell published an advisory that discusses a potential threat actor that is actively targeting Rockwell Automation controllers.

Splunk Advisory - Splunk published an advisory that discusses an improper check for unusual or exceptional conditions vulnerability in their Universal Forwarder product.

TP-Link Advisory - TP-Link published an advisory that describes two vulnerabilities in their TP-Link Archer AX53 product.

Bulk Vendor Updates – HP

Intel NPU Driver February 2026 Security Update,

Intel Chipset Firmware August 2025 Security Update,

Intel NPU Driver November 2025 Security Update,

Intel Processor Stream Cache August 2025 Security Update,

Intel Chipset Firmware February 2026 Security Update,

Intel Graphics Software August 2025 Security Update

Updates

Dell Update - Dell published an update for their Wyse Management Suite advisory that was originally published on February 24th, 2026.

Siemens Update - Siemens published an update for their SIMATIC S7-1500 advisory that was originally published on March 10th, 2026, and most recently updated on March 13th, 2026.

Researcher Reports

Hikvision Report - Cisco Talos published a report that describes a stack-based buffer overflow vulnerability (with proof-of-concept code) in the Hikvision Ultra Face Recognition Terminal.

TP-Link Reports - Cisco Talos published ten reports describing vulnerabilities in the TP-Link Archer AX53 AX3000 Dual Band Gigabit Wi-Fi 6 Router.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-632 - subscription required. 

Friday, March 20, 2026

Review – Bills Introduced – 3-19-26

Yesterday, with both the House and Senate in session, there were 69 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7996 To amend the Homeland Security Act of 2002 to clarify that utility line technicians qualify as emergency response providers. Higgins, Clay [Rep.-R-LA-3] 

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention-in-passing of a bill requiring the reporting of railroad caused brush fires, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-19-26 - subscription required.

Chemical Transportation Incidents – Week of 2-14-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 420 (388 highway, 28 air, 4 rail, 0 water)

• Serious incidents – 1 (1 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 1 fire/explosion, 39 no release)

• Largest container involved – 30,220-gal DOT 117R100W Railcar {Gasoline Includes Gasoline Mixed with Ethyl Alcohol, With Not More Than 10% Alcohol} The liquid and vapor valves were left open and caps were not adequately taped.

• Largest amount spilled – 147-gal Tank Truck {Diesel Fuel} Operator error during unloading at fuel station.

• Total amount reported spilled in all incidents – 1214.5-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: 1,1-Difluoroethane: 1,1-Difluoroethane is a colorless, odorless gas shipped as a liquefied gas under its vapor pressure. Contact with the liquid can cause frostbite. It is easily ignited. Its vapors are heavier than air and a flame can travel back to the source of leak very easily. This leak can be either a liquid or vapor leak. It can asphyxiate by the displacement of air. Under prolonged exposure to fire or heat the containers may rupture violently and rocket. (Source: CameoChemicals.NOAA.gov).

 


[Image: UN 2468 placard]

BIS Sends EAR Revision Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Revisions to the EAR” [Export Administration Regulations]. This would be (as is frequently the case with BIS regulatory actions) a direct final rule.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“In this rule, the Bureau of Industry and Security (BIS) amends the Export Administration Regulations (EAR).”

That is the entire abstract for this rulemaking. Needless to say, this is a less than helpful description of the purpose and scope of the rulemaking. It is hard to tell if there will be any detailed coverage here if/when this is published in the Federal Register.

Thursday, March 19, 2026

Review – 8 Advisories Published – 3-19-26

Today CISA’s NCCIC-ICS published control system security advisories for products from Automated Logic, IGL-Technologies, CTEK, Mitsubishi, and Schneider (4).

Advisories

Automated Logic Advisory - This advisory describes three vulnerabilities in the Automated Logic WebCTRL Premium Server.

IGL-Technologies Advisory - This advisory describes four vulnerabilities in the IGL-Technologies eParking.fi.

CTEK Advisory - This advisory describes four vulnerabilities in the CTEK Chargeportal.

NOTE: I briefly discussed Sarieddine/Sayed’s research into vehicle charging systems back on February 26th, 2026. It is interesting that continuing reports into new systems all show the same four vulnerabilities. Does this mean that all of these systems are using the same core technology?

Mitsubishi Advisory - This advisory describes an improper validation of specified index, position, or offset vulnerability in the Mitsubishi CNC Series products.

Schneider Advisory #1 - This advisory describes a deserialization of untrusted data vulnerability in the Schneider EcoStruxure PME and EPO products.

NOTE: I briefly mentioned this vulnerability on March 16th, 2026.

Schneider Advisory #2 - This advisory describes a code injection vulnerability in the Schneider EcoStruxure Automation Expert.

NOTE: I briefly mentioned this vulnerability on March 16th, 2026.

Schneider Advisory #3 - This advisory describes a cross-site scripting vulnerability in the Schneider Modicon Controllers.

NOTE: I briefly mentioned this vulnerability on March 16th, 2026.

 

For more information on these advisories, including another ‘missing advisories’ discussion, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-3-19-26-552  - subscription required.

Short Takes – 3-19-26 – Federal Register Edition

Nominations for Substances To Be Evaluated for Toxicological Profile Development. Federal Register ATSDR notice with comment period. Summary: “The Agency for Toxic Substances and Disease Registry (ATSDR), within the Department of Health and Human Services (HHS), announces that it is soliciting nominations of substances to be evaluated for an upcoming set of toxicological profiles. ATSDR is opening a docket for the public to submit nominations and provide comments on which toxicological profiles are developed next. Members of the public, government agencies, or private organizations may comment on which substances they are concerned about so that ATSDR may take this information into consideration when developing future toxicological profiles.”

National Emission Standards for Hazardous Air Pollutants: Ethylene Oxide Emissions Standards for Sterilization Facilities Residual Risk and Technology Review Reconsideration. Federal Register EPA reconsideration of final rule NPRM. Summary: “Based on its reconsideration of the RTR in the 2024 Final Rule, the EPA is proposing to amend the Commercial Sterilization Facilities NESHAP. The amendments would rescind the risk based standards, revise the standard for new aeration room vents that resulted from the technology review, revise the compliance demonstration requirements, and rescind a requirement related to permanent total enclosure (PTE). This proposal also includes technical corrections and clarifications to the Commercial Sterilization Facilities NESHAP and Performance Specification 19 to address erroneous cross-references, omissions of text, and typographical errors in the regulatory text that the EPA has identified after publication of the 2024 Final Rule.”

Internet-Based Telecommunications Relay Service Modernization. Federal Register FCC notice of proposed rulemaking. Summary: “The Federal Communications Commission (Commission) proposes to modernize its telecommunications relay services (TRS) rules and seeks comment on the use of automatic speech recognition (ASR) for speech-to-text conversion and advanced text-to-speech technologies for Internet Protocol (IP) Relay Service; the need for metrics for IP Relay quality; the compatibility of IP Relay with Real-Time Text (RTT) technology; adding captioning functionality to Video Relay Service (VRS) platforms; amending VRS calling rules for calls to U.S. embassies and consulates by U.S. residents while traveling abroad; adjusting VRS call center requirements; streamlining TRS provider certification and user registration processes; updating or eliminating obsolete rules; and closing outdated dockets. With these proposals, the Commission presents targeted reforms that align internet-based TRS with twenty-first century technological advancements in relay services that can better serve the needs of persons with disabilities while securing the viability and enhancing the effectiveness and functional equivalency of internet-based TRS.”

EO 14395 - Establishing the Task Force to Eliminate Fraud. Federal Register.

Wednesday, March 18, 2026

Short Takes – 3-18-26 – Federal Register Edition

Accepted Means of Compliance for Small Unmanned Aircraft (sUA) Category 2 and Category 3 Operations Over Human Beings; ParaZero Technologies Ltd. Federal Register FAA notice of availability. Summary: “This document announces the acceptance of a means of compliance with FAA regulations for sUA Category 2 and Category 3 operations over human beings. The Administrator finds that ParaZero's “ParaZero Part 107 Operations Over People Means of Compliance,” version 1.5, dated February 4, 2026, provides an acceptable means, but not the only means, of showing compliance with FAA regulations.”

National Emission Standards for Hazardous Air Pollutants: Polyether Polyols Production Industry Review. Federal Register EPA final rule. Summary: “The U.S. Environmental Protection Agency (EPA) is finalizing amendments to the National Emission Standards for Hazardous Air Pollutants (NESHAP) for the Polyether Polyols (PEPO) Production source category (“PEPO NESHAP”) under Clean Air Act (CAA) section 112. Specifically, the EPA is finalizing certain ethylene oxide (EtO)-specific standards pursuant to CAA section 112(d)(6) rather than finalizing the proposed second residual risk review and corresponding amendments pursuant to CAA section 112(f)(2). In addition, the EPA is taking final action addressing certain issues raised in an administrative petition for reconsideration. Lastly, the EPA is finalizing maximum achievable control technology (MACT) standards for certain emission points, work practice standards for certain activities where alternatives are appropriate, performance testing requirements once every five years for certain process vents, and electronic reporting requirements for performance test reports, flare management plans, and periodic reports.” Effective date: March 18th, 2026.

EO 14391 - Adjusting Certain Delegations Under the Defense Production Act. Federal Register.

EO 14392 - Ensuring Truthful Advertising of Products Claiming To Be Made in America. Federal Register.

EO 14393 - Promoting Access to Mortgage Credit. Federal Register.

EO 14394 - Removing Regulatory Barriers to Affordable Home Construction. Federal Register.

Review – Bills Introduced – 3-17-26

Yesterday, with both the House and Senate in session, there were 53 bills introduced. One of those bills will receive additional coverage in this blog:

S 4127 A bill making continuing appropriations for essential Transportation Security Administration pay and operations during the lapse in appropriations beginning on February 14, 2026, and for other purposes. Rosen, Jacky [Sen.-D-NV]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a brief mention-in-passing of a bill to remove citizenship from individuals supporting terrorism, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-17-26-e95 - subscription required.

Review – CSB Updated the Status of 8 Investigation Recommendations – 3-16-26

Yesterday the Chemical Safety Board (CSB) updated their Recent Recommendation Status Updates page, closing two recommendations with acceptable action and one with acceptable alternative actions. These actions left 119 of 1035 recommendations open. Additionally, the CSB updated the open status of four recommendations, noting that the responsible parties had agreed to take the recommended actions. The CSB took all of these actions on March 16th, 2026. The previous update was published on January 20th, 2026.

The three recently closed recommendations are:

 

• Chevron Richmond Refinery Fire, 2012-03-I-CA-R23, Governor and Legislature of the State of California,

• Chevron Richmond Refinery Fire, 2012-03-I-CA-R29, American Petroleum Institute (API), and

• Didion Milling Company Explosion and Fire, 2017-07-I-WI-R4, Didion Milling, Inc.

 

For more information on the investigation responses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updated-the-status-of-8-investigation - subscription required.


 