Showing posts with label Cybersecurity Training. Show all posts

Tuesday, December 16, 2025

Review - HR 3435 Introduced – Federal Cyber Workforce Training

Back in May Rep Fallon (R,TX) introduced HR 3435, the Federal Cyber Workforce Training Act of 2025. The bill would require the National Cyber Director to formulate a plan for the establishment of a federal cyber training institute. It does not authorize the actual establishment of the institute; that would require subsequent legislation. The bill specifically does not authorize new spending.

This bill is essentially the same as HR 9520, which was introduced by Fallon in September 2024. No other action was taken on HR 9520 in the 118th Congress.

Moving Forward

Fallon is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. With new spending being prohibited, I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support, perhaps enough that it could be considered under the suspension of the rules process.

Commentary

While the proposed institute is not a cybersecurity institute, all cyber work roles should include some level of cybersecurity responsibilities. I think it would be helpful to delineate a responsibility for the institute to establish a minimum level of cybersecurity training for all cyber personnel. To that end, I would like to suggest the insertion of a new §2(b)(2)(C):

“(C) establish a common skill level cybersecurity curriculum for all entry level positions and a more advanced cybersecurity training program for personnel transitioning to mid-career level positions;”


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3435-introduced-federal-cyber - subscription required.

Monday, September 16, 2024

Review - S 4813 Introduced – Cyber Ready Workforce

Back in July, Sen Rosen introduced S 4813, the Cyber Ready Workforce Act. The bill would establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. The bill would authorize ‘such funds as necessary’ to be appropriated for this program. This bill is very similar to S 3570 [removed from paywall], which Rosen introduced in the 117th Congress. No action was taken on the earlier bill.

Moving Forward

Rosen is a member of the Senate Health, Education, Labor and Pensions Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that the bill would pass in Committee with significant bipartisan support.

This bill is not important enough to be considered under regular order in the Senate. It is possible that it could be considered under the unanimous consent process. A more likely route to the President’s desk would be including this language from this bill in some large piece of legislation, either added in the drafting or as an amendment in the floor process for that bill. Unfortunately, it is almost too late in the Session for the Committee to move the bill forward.


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4813-introduced - subscription required.

Friday, December 15, 2023

Review - HR 6524 Introduced – CISA Cybersecurity Apprenticeship Programs

Last month, Rep Houlahan (D,PA) introduced HR 6524, the Federal Cybersecurity Workforce Expansion Act. The bill would require CISA to establish an apprenticeship program that would lead to cybersecurity related employment with CISA or another Federal entity. The bill would also require the Veterans Administration to establish a pilot program providing cyber-specific training for eligible individuals. There is no funding authorized in the legislation.

This bill is very similar to S 2256 [removed from paywall], introduced in the Senate on July 12th, 2023, and recently reported in the Senate. While there are many editorial differences between the two bills, the major difference is that the Senate bill is a standalone act, whereas this legislation would add a new section to the Homeland Security Act of 2002 (§2220F). Where the Senate bill would have to be codified as a note to an existing USC section, this bill would become a new section in 6 USC. This makes finding the resulting codified language much easier.

Moving Forward

Neither Houlahan, nor any of her four cosponsors, are members of the House Homeland Security Committee to which this bill was assigned for primary consideration. This means that there would probably not be sufficient influence to see this bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that there may be sufficient bipartisan support that the legislation could move to the floor under the suspension of the rules process.

Commentary

The lack of funding authorization in HR 6524 removes a possible source of opposition to the bill from the fiscal conservatives in the House. Unfortunately, it would also mean that any spending on these apprenticeship programs would have to come out of existing CISA budget authorizations. This effectively limits the size and number of apprenticeship programs that CISA could operate. It would also make it easy for CISA to decide to opt out of any new apprenticeship program.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6524-introduced - subscription required.

Thursday, August 17, 2023

HR 3208 Reported in House – CISA Cyber OJT

Last month, the House Homeland Security Committee published their Report on HR 3208 [removed from paywall], the DHS Cybersecurity On-the-Job Training Program. The Committee met on May 17th, 2023, and recommended that the bill be reported favorably without amendment by a voice vote. The legislation is now cleared for possible consideration by the full House.

The bill would establish in CISA “the ‘DHS Cybersecurity On-the-Job Training Program’ to voluntarily train Department employees who are not currently in a cybersecurity position for work in matters relating to cybersecurity at the Department.”

The Report

The report notes (pg 2) that as the DHS Cyber Talent Management System (CTMS) continues to ramp up its efforts to increase the number of skilled cybersecurity professionals within the Department, CISA will need to reskill existing DHS employees to support the Department’s vital cybersecurity mission. It further explains that:

“The bill formally authorizes CISA’s training activities in this space, in consultation with the Under Secretary for Management, while also giving them the flexibility needed to expand and adapt the program to address the growing cyber workforce gap.”

The Committee had not received a Congressional Budget Office report on the cost of the provisions of this legislation.

Moving Forward

With a voice vote approval in Committee and no ‘Alternate View’ section outlining Democratic concerns about the bill, it is clear that this bill has broad, bipartisan support. As such it could reasonably be expected to be considered under the House suspension of the rules process. I expect that, if the bill were considered, it would receive similar support on the floor.

Thursday, August 3, 2023

Review - S 2256 Introduced – CISA Cyber Training

Last month Sen Hassan (D,NH) introduced S 2256, the Federal Cybersecurity Workforce Expansion Act. It would require CISA to establish an apprenticeship program that would lead to cybersecurity related employment with CISA or another Federal entity. The bill would also require the Veterans Administration to establish a pilot program providing cyber-specific training for eligible individuals. There is no funding authorized in the legislation.

This bill is nearly identical to the reported version of S 2274 from the 117th Congress. That bill was reported favorably by the Senate Homeland Security Committee, but no further action was taken.

Moving Forward

Hassan is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. She probably has enough influence to see this bill considered in Committee. I see nothing in the bill that would engender any specific opposition. I suspect that it would receive significant bipartisan support in committee. This bill would not be considered on the floor of the Senate under regular order, but it might make it into the DHS spending bill as an amendment.

Commentary

While this bill does not directly address control system security issues, increasing the cybersecurity qualified staffing of CISA is certainly of interest to the ICS security community. While the training programs established under this bill would be targeted at future CISA employment, they should result in a net increase to the nation’s cybersecurity workforce.


For more information about the two programs outlined in this legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2256-introduced - subscription required.


Tuesday, March 1, 2022

HR 6868 Introduced – School Cybersecurity Grants

Earlier this week, Rep Garbarino (R,NY) introduced HR 6868, the Cybersecurity Grants for Schools Act of 2022. The bill would amend 6 USC 665f (which established the Cybersecurity Education and Training Assistance Program), expanding the scope of entities that could receive grants under the CETAP grant program.

The bill would add a new subsection (e) to §665f that would allow CETAP grants to go to States, local governments, institutions of higher education, nonprofit organizations, and other non-Federal entities for the purposes of funding cybersecurity education or training programs.

As I noted on Monday, this bill will be marked up tomorrow by the House Homeland Security Committee. No amendments to this bill are currently listed on the Hearing web site. I expect that this bill will be adopted by the Committee, probably by a voice vote. The bill will move to the full House later this year.

Tuesday, February 22, 2022

HR 6588 Introduced – Cybersecurity Apprenticeships

Earlier this month, Rep Lee (D,NV) introduced HR 6588, the Cyber Ready Workforce Act. The bill would establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. The bill would authorize ‘such funds as necessary’ to be appropriated for this program. This bill is a companion bill (identical language) to S 3570, upon which I reported earlier today.

Neither Lee, nor her sole cosponsor {Rep Fitzpatrick (R,PA)} are members of the House Education and Labor Committee to which this bill was assigned for consideration. This makes it unlikely that the Committee will take up the bill. I see nothing in this bill that would engender organized opposition. If the bill were to be considered in Committee, I suspect that it would receive significant bipartisan support.

Review - S 3570 Introduced – Cybersecurity Apprenticeships

Earlier this month, Sen Rosen (D,NV) introduced S 3570, the Cyber Ready Workforce Act. The bill would establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. The bill would authorize ‘such funds as necessary’ to be appropriated for this program.

Moving Forward

Rosen is a member of the Senate Health, Education, Labor and Pensions Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that the bill would pass in Committee with significant bipartisan support.

This bill is not important enough to be considered under regular order in the Senate. It is possible that it could be considered under the unanimous consent process. A more likely route to the President’s desk would be including this language from this bill in some large piece of legislation, either added in the drafting or as an amendment in the floor process for that bill.

Commentary

There is nothing in the language of this bill that would prohibit the funding from going to some cybersecurity training program that concentrated on industrial control systems. I would be more comfortable, however, if some sort of control system certification program were listed in §4(b)(1).


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3570-introduced - subscription required.

Thursday, August 5, 2021

Review - HR 4389 Introduced - New Collar Jobs Act

Last month, Rep Lieu (D,CA) introduced HR 4389, the New Collar Jobs Act of 2021. The bill would provide employer incentives to provide cybersecurity training to employees and would provide federal forgiveness of certain individuals’ student loans. No monies are authorized by this bill.

Neither Lieu, nor his three cosponsors, are members of any of the four committees to which this bill was assigned for consideration. This means that the bill is unlikely to be considered in any of the committees. I see nothing in this bill that would engender any organized opposition, and I suspect that if it were considered it would receive at least some level of bipartisan support.

For a more detailed look at the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4389-introduced - subscription required.

Saturday, July 31, 2021

S 2305 Introduced - Cybersecurity Opportunity

Last month, Sen Ossoff (D,GA) introduced S 2305, the Cybersecurity Opportunity Act. The bill would require DHS to award grants to Historically Black Colleges and Universities (HBCU) and other minority serving institutions to “expand cybersecurity education opportunities, cybersecurity technology and programs, cybersecurity research, and cybersecurity partnerships with public and private entities.” No monies are authorized in the bill to support these grants.

Ossoff is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there may be enough influence available to see this bill considered in Committee. I see nothing in this bill that would engender any specific opposition, especially since no new funds are being authorized.

This bill will not make it to the floor of the Senate as a stand-alone measure. The only way that Ossoff can see this bill make it to the President’s desk is to see it included in a larger spending or authorization bill. We will be able to see how important this bill is to Ossoff by watching for it as an amendment for one or more bills where open amendments are encouraged.

Friday, July 23, 2021

Review - S 2274 Introduced - Federal Cybersecurity Workforce Expansion

Last month Sen Hassan (D,NH) introduced S 2274, the Federal Cybersecurity Workforce Expansion Act. It would allow CISA to establish an apprenticeship program that would lead to cybersecurity related employment with CISA or a CISA supporting entity. The bill would also require the Veterans Administration to establish a pilot program providing cyber-specific training for eligible individuals. The CISA program is authorized ‘such funds as necessary’, but no funding is specified for the VA program.

Hassan is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. She probably has enough influence to see this bill considered in Committee. I see nothing in the bill that would engender any specific opposition. I suspect that it would receive significant bipartisan support in committee. This bill would not be considered on the floor of the Senate under regular order, but it might make it into the DHS spending bill as an amendment.

While this bill does not directly address control system security issues, increasing the cybersecurity qualified staffing of CISA is certainly of interest to the ICS security community. While the training programs established under this bill would be targeted at future CISA employment, they should result in a net increase to the nation’s cybersecurity workforce.

For a closer look at the details of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2274-introduced - subscription required.

Wednesday, February 26, 2020

HR 5942 Introduced – DHS Cybersecurity Training


Last week Rep Jackson-Lee introduced HR 5942, the DHS Cybersecurity On-the-Job Training and Employment Apprentice Program Act. The bill would require DHS to establish a cybersecurity on-the-job training and apprenticeship program with the Cybersecurity and Infrastructure Security Agency (CISA) to fill cybersecurity vacancies within the Agency.

The Program


The bill would amend the Homeland Security Act of 2002 to include a new §2215, DHS Cybersecurity on-the-Job Training and Employment Apprentice Program. CISA would be required to {new §2215(b)}:

• Submit to the Secretary a monthly report on the status of vacancies in cybersecurity positions throughout the Department;
• Identify diagnostic tools that can accurately and reliably measure an individual’s capacity to perform cybersecurity related jobs or serve in positions associated with network or computing security;
• In consultation with relevant Department component heads, identify a roster of positions that may be a good fit for the Program and make recommendations to the Secretary relating to such identified positions;
• Develop a curriculum for the Program, which may include distance learning instruction, in classroom instruction within a work location, on-the-job instruction under the supervision of experienced cybersecurity staff, or other means of training and education as determined appropriate by the Secretary;
• Recruit individuals employed by the Department to participate in the Program;
• Determine the best means for training and retention of Department employees enrolled in the Program;
• Maintain an accurate numeration and description of all filled and unfilled cybersecurity positions within the Department by office and component;
• Keep up-to-date a roster of open positions relating to cybersecurity, as determined and approved by the Secretary, and the skills applicants must attain to qualify to fill such positions;
• Maintain information on individuals enrolled in the Program; and
• Annually submit to Congress a report containing information relating to the duties specified in this subsection.”

Moving Forward


Jackson-Lee is an influential member of the House Homeland Security Committee to which this bill was assigned for consideration. It is very likely that this bill will be considered in Committee. I do not see anything in this bill that would engender any significant opposition, and I suspect that the bill will receive significant bipartisan support both in the Committee and on the floor of the House. If it makes it to the floor, it will be considered under the suspension of the rules process: limited debate, no floor amendments, and a supermajority required for passage.

Commentary


On-the-job training and apprenticeship programs are certainly well-established mechanisms to build a technically trained workforce. Who could possibly be against such a program where there is a well-known skill shortage as there is in the cybersecurity field? Okay, I am not against the idea, but this implementation is flawed.

First, I have to acknowledge that this bill is almost certainly deliberately light on details for the Program. This provides maximum leeway for experts on the ground to craft a program that will provide an effective training development process; too much political control from Congress will certainly impede innovation. This is a good thing.

Having said that, there are some flaws in the approach taken in this bill. My first concern is the assignment of this program to CISA. CISA is not a training management organization nor does it have human resources authority over other agencies within DHS. If this is going to be a Department wide training effort then it needs to be run out of the Office of the Secretary, probably under the Assistant Secretary for Cyber Policy.

Any federal cybersecurity training effort that does not utilize the expertise and programs established by the National Institute of Standards and Technology (NIST) is going to spend a great deal of time and effort reinventing programs, technologies and techniques already perfected by NIST. Any training program authorization should include, somewhere, “in consultation with the Director of the National Institute of Standards and Technology”.

Another problem with this proposal is that it takes people out of existing positions within the Department and moves them into cybersecurity positions. This is good for the shortages in cybersecurity, but with the ongoing problems that agencies in DHS have in hiring and retaining people, this is only going to exacerbate the problems in other job categories within the agency. Provisions need to be made in a bill like this to hire new people, probably specifically including recently released veterans, to move into these training slots.

A bill like this would also be a good place to require the development of a cybersecurity training program for personnel not working in a cybersecurity position. That may be asking a bit much, but it is becoming increasingly obvious that too many attack vectors utilize actions by inadequately trained personnel to gain a network foothold.

Finally, and you knew it was coming, I am concerned about the lack of definitions, particularly of the term ‘cybersecurity’, in this bill. Lacking definitions in this new proposed §2215, we would have to rely on definitions from 6 USC 651. There are two ‘cybersecurity’ related definitions in that section; one relies on the IT-restrictive definition of ‘information system’ in §659 and the other on the control-system-inclusive definition in §1501. That poses some potential problems down the road.

While I would prefer to see a total revamping of the cybersecurity definitions (see my rant), that would not really be appropriate here; so I would propose using the following definitions, to be included in a newly inserted §2215(b):

(b) Definitions – In this section:

(1) Cybersecurity - the term ‘cybersecurity’ means actions, skills, policies or procedures that fulfill a cybersecurity purpose as that term is defined in 6 USC 1501; and

(2) Cybersecurity Position – the term ‘cybersecurity position’ means any position within the Department of Homeland Security where the principal duties include:

(A) Developing, implementing or inspecting defensive measures as that term is defined in §1501; or

(B) Directly supervising one or more personnel performing duties described in (A).

Wednesday, November 20, 2019

Senate ENR Amends and Approves Cybersecurity Bills – 11-19-19


Yesterday the Senate Energy and Natural Resources Committee held a business meeting to consider three nominations and markup 19 bills. Those bills included three cybersecurity bills that have been covered in this blog. All three of those bills were amended and then passed on voice votes.

S 876, DOE Vet Training


The Committee considered S 875, the Energy Jobs for Our Heroes Act of 2019. A staff amendment adopted by the Committee rewrote the proposed §1107(f) by removing the grant funding provisions and removed (g), the spending authorization provisions of the bill. A second amendment was proposed by Sen Lee (R,UT) and it was also adopted by the Committee. The Lee amendment provided more detailed information about what was to be included in the Report to Congress required by (h) {changed to (g) by the previous amendment}.

S 2556, Cybersecurity Investment


The Committee considered S 2556, the PROTECT Act. The Committee adopted an amendment in the nature of a substitute. The substitute language:

• Adds §219A(c)(2), which adds a prohibition of duplicate recovery to the rate recovery provision; and
• Adds §3(a)(2)(E), which adds “an investor-owned electric utility that sells less than 4,000,000 megawatt hours of electricity per year” to the list of entities eligible for the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program.

S 2714, ARPA-E Reauthorization


The Committee considered S 2714, the ARPA–E Reauthorization Act of 2019. The Committee adopted an amendment. That amendment inserted a new §2(c) and renumbered the subsequent sub-sections. The new subsection amends 42 USC 16538(f). The new language would allow DOE to consider past grant performance during the award of new grants.

Moving Forward


These three bills had significant bipartisan support in Committee, but Lee insisted on being recorded as a Nay vote on each of the bills. This means that he would be likely to raise an objection if the bills were offered for consideration under the Senate’s unanimous consent process. If that were to happen the bills would not be adopted under those provisions and would have to be considered under regular order. None of these bills is important enough to take up the Senate’s time under regular order.

The only other way that these bills could be considered would be as part of a DOE authorization bill.

Wednesday, July 10, 2019

Committee Adopts Rule for Consideration of HR 2500 – FY 2020 NDAA


Last night the House Rules Committee formulated the Rule for the consideration of HR 2500, the FY 2020 National Defense Authorization Act (NDAA). It is a structured rule with 439 amendments that may be offered (with provisions for en bloc consideration of amendments). I will be watching five of those amendments. Consideration of the bill begins this afternoon.

The Five Amendments


These are the five amendments that I will be watching. These are the five that I briefly listed last week in my post about the report on HR 2500.

53. Aguilar (D,CA) #244 Expands the Department of Defense Cyber Scholarship Program (formerly known as the Information Assurance Scholarship Program) to include students attending certificate programs that span 1 to 2 years.

158. Gallego (D,AZ) #415 Requires a report on the National Guard's capacity to meet Homeland Defense missions.

200. Jackson-Lee (D,TX) #160 (REVISED) Requires that a report from the Secretary of Defense 240 days after the date of the enactment to the congressional defense committees that accounts for all of the efforts, programs, initiatives, and investments of the Department of Defense to train elementary, secondary, and postsecondary students in fields related to cybersecurity, cyber defense, and cyber operations.

363. Speier (D,CA) #395 (REVISED) Increases funding for the Defense Security Service by $5,206,997 for the purposes of procurement of advanced cyber threat detection sensors, hunt and response mechanisms, and commercial cyber threat intelligence to ensure Defense Industrial Base networks remain protected from nation state adversaries.

381. Torres, Norma (D,CA), Panetta (CA), Cisneros (CA), Stevens (MI) #457 (REVISED) Requires the Department of Defense, in consultation with the Manufacturing Extension Partnership program, to develop policies to assist small- and mid-sized manufacturers to meet cybersecurity requirements.

The Gallego amendment is interesting. It would require a DOD report to Congress setting out “the roles and missions, structure, capabilities, and training of the National Guard and the United States Northern Command, and an identification of emerging gaps and shortfalls in light of current homeland security threats to our country” {new §520(1)}. Critical infrastructure cybersecurity is never explicitly mentioned in the amendment (an odd oversight) but would almost certainly be covered in any DOD report submitted in response to this amendment.

The one specific threat that is mentioned is a “multi-State electromagnetic pulse event” {new §520(2)}. Presumably DOD would also include a geomagnetic storm event in any report on the topic as the response to the two would be similar.

Moving Forward


None of the amendments listed above is very controversial, and only one provides a specific spending authorization. Speier would offset that spending increase by decreasing the spending on “in section 101 for other procurement, Air Force” {new §16XX(b)}. I suspect that all five of these amendments will be adopted; most will be included in en bloc amendments.

HR 2500 will pass, probably along a nearly party-line vote. The Senate already passed their version of the NDAA, S 1790, so differences between the two bills will have to be worked out (probably over the summer recess) in a conference committee. Normally, that reported version of the NDAA would be expected to pass, but with the whimsical nature of the current occupant of the White House, that is not a guarantee that anyone would be willing to make.

Wednesday, February 6, 2019

Bills Introduced – 02-05-19


Yesterday with both the House and Senate in abbreviated session there were 49 bills introduced. One of those bills will probably see consideration in future blog posts here:

S 333 A bill to authorize the Secretary of Homeland Security to work with cybersecurity consortia for training, and for other purposes. Sen. Cornyn, John [R-TX]


Wednesday, January 23, 2019

HR 334 Introduced – Cybersecurity Education


Earlier this month Rep. Lieu (D,CA) introduced HR 334, the New Collar Jobs Act of 2019. The bill would amend the Internal Revenue Code to add a new section establishing an “employee cybersecurity education credit” {new §45S(a)}.

The Tax Credit


The general business tax credit to be included under 26 USC §38 would be for 50% of cybersecurity education expenses (up to $5,000 per year per employee) “paid or incurred by the employer during such taxable year”. The qualified expenses would be the “amounts paid or incurred for each employee who earns a certificate or degree at the undergraduate or graduate level or industry-recognized certification relating to those specialty areas and work roles that are listed in NCWF Work Roles in the document entitled, ‘NICE Cybersecurity Workforce Framework (NCWF)’ [NIST Special Publication 800-181; NOTE: the link does not work during the current Federal Funding Fiasco]” {new §45S(c)}.

Moving Forward


Because of the politics of the Federal Funding Fiasco the committee membership listing for the House has not yet been completed so it is hard to tell what sort of influence Lieu and his three cosponsors will have to see that HR 334 is considered in committee.

I do not see anything in the bill that would raise any great objection to the bill. I suspect that if it were considered in committee or on the Floor it would generally receive bipartisan support.

Commentary


While there are no definitions in the bill nor can we see the current listing of the ‘specialty areas and work roles’ to which this tax credit would apply, it would be reasonable to assume that it would include cybersecurity training for industrial control systems (ICS). I say this because the Congressional Findings portion of the bill specifically notes {§2(2)}:

“As manufacturers leverage new technologies from robotics to distributed control systems to create modern factories and industrial plants, different employment requirements have emerged including the need for cybersecurity talent.”

The next subparagraph goes on to explain:

“Leading cybersecurity experts have reported spike of 250 percent in industrial automation and control system cyber-incidents occurring during the period between 2011 and 2015 and as a result are seeking personnel with knowledge of their industry coupled with knowledge of security technology to prevent their organization from becoming victims of cyber-attacks.”

I do not believe that the bill would limit the tax credit to just ICS cybersecurity programs, but this clearly explicates the crafters’ intent that such programs would be covered under this proposed tax credit.

Saturday, June 23, 2018

Senate Consideration of HR 5895 – FY 2019 EWR Spending


The Senate took up debate on HR 5895, the Energy and Water Development and Related Agencies (EWR) Appropriations Act earlier this week. The bill, as passed in the House, also included language from the Legislative Branch, and Military Construction and Veterans Affairs spending bills.

Senate Amendments


Senators proposed about 240 amendments to the bill over a period of four days. Only two of those amendments will be of specific interest to readers of this blog: SA 2910 (pg S3985) from Sen. Shelby (R,AL) and SA 2983 (pg S4053) from Sen. Bennet (D,CO).

Shelby’s amendment is the substitute language for the Senate version of the bill. The EWR language in the amendment comes from S 2975. Senate language from the Legislative Branch, and Military Construction and Veterans Affairs spending bills was also included.

Bennet’s amendment would require the DOE and DOD to conduct an evaluation of military facilities to determine those “at which it would be cost-effective to establish a partnership with community colleges, institutions of higher education, and the private sector to train veterans and members of the Armed Forces transitioning to civilian life to enter the cybersecurity, energy, and artificial intelligence workforces”. A report to Congress would be required and no funding is provided.

Moving Forward


After considering (and mostly adopting) a large number of amendments, the Senate finally adopted the Shelby substitute language on Thursday. The Bennet amendment was not considered.

The Senate is scheduled to conduct their final vote on the bill Monday evening.

Friday, April 28, 2017

Bills Introduced – 04-27-17

Yesterday with both the House and Senate in session there were 88 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 2184 To support meeting our Nation's growing cybersecurity workforce needs by expanding the cybersecurity education pipeline. Rep. McCaul, Michael T. [R-TX-10]

S 965 A bill to improve passenger vessel security and safety, and for other purposes. Sen. Blumenthal, Richard [D-CT]

HR 2184 looks like it will be one of a number of cybersecurity related bills being introduced by McCaul in the next month or so. As usual I will be watching for control system security related provisions, specifically ICS inclusive definitions.


S 965 is probably a companion bill to HR 2173 that was introduced earlier this week. I will be watching both bills for cybersecurity provisions.

Wednesday, October 12, 2016

WaterISAC ICS Cybersecurity Guide

Thanks to Bridget O’Grady over at the ASDWA’s SecurityNotes blog for pointing to the updated WaterISAC cybersecurity guide, “10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks”. While the overview of the 10 measures is written at a fairly high level of generality (a good overview for upper management), each of the 10 sections is accompanied by links to a number of supporting documents from organizations such as ICS-CERT, NIST and SANS. That alone makes this a very valuable reference document.

While all 10 of the cybersecurity measures are important, I would like to add my 2 cents’ worth on measure number 8 in this document, “Implement an Employee Cybersecurity Training Program”. Time and again we have seen that one of the easiest ways for an attacker to get past security measures is through social engineering attacks (phishing and similar approaches, by email or social media) against system users, administrators and management. Organizations that implement an annual ‘read and understand’ training program are doing little to protect their employees against such attacks.

A cybersecurity training program must include detailed classroom presentations about corporate security policies, security programs and individual responsibilities in those programs, as well as training in recognizing and reporting suspicious emails. While on-line training courses may have some value, face-to-face classroom presentations are typically more effective in communicating the importance of cybersecurity to the organization. This is particularly true when the organization takes the time and expense to ensure that its training presenters have the tools (effective training materials, expertise, and presentation training) necessary to present effective classes.

But effective training cannot be limited to periodic classes. There needs to be ongoing communication from a designated management representative about the importance of cybersecurity, the current state of cybersecurity in the industry and the organization, and news about vulnerabilities and attacks.

Finally, consider a social engineering attack incentive program. Conduct periodic in-house phishing attacks. Give small rewards and recognition to employees who report such attacks (and special, high-level recognition to employees who report real, outside phishing attacks), and consider suspending system access for employees who fall for the training attacks. Those suspensions would need to include a one-on-one review of why the attack succeeded before system access is restored, and they should be presented as remedial rather than punitive, so that an employee who has clicked is not discouraged from reporting it.


For training to be effective, it must be repetitive, targeted and ongoing. And the only way to know whether it is actually effective is to evaluate it through end-of-training testing and periodic real-world follow-up assessments, the in-house phishing attacks described above being one such assessment.
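One way to turn the in-house phishing exercise into a measurable assessment, as an added example that is not part of the original post or the WaterISAC guide: score the event log of each simulated campaign, classify every employee as having reported, clicked, or ignored the message, track the click and report rates from round to round, and produce the reward, remedial-review and special-recognition lists. The log line format, the campaign names (`sim-1`, `sim-2`, `real`) and the user names are constructed for illustration; a real phishing-simulation tool will export something different that the parser would need to be adapted to.

```python
"""Score simulated-phishing campaigns from a simple event log.

Added example; the log format and names below are constructed for illustration.
"""
import re
from collections import defaultdict

# One event per line: timestamp, campaign id, user id, and what the user did.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) campaign=(?P<campaign>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>click|report|none)$"
)

# Constructed sample log: two simulated campaigns and one report of a real
# (non-simulated) phishing email. Not real data.
SAMPLE_LOG = """\
2016-10-03T09:12:04Z campaign=sim-1 user=alice action=report
2016-10-03T09:15:40Z campaign=sim-1 user=bob action=click
2016-10-03T09:17:02Z campaign=sim-1 user=bob action=report
2016-10-03T09:20:11Z campaign=sim-1 user=carol action=click
2016-10-03T09:21:55Z campaign=sim-1 user=dave action=report
2016-10-03T09:30:00Z campaign=sim-1 user=erin action=none
2016-10-17T10:02:33Z campaign=sim-2 user=alice action=report
2016-10-17T10:05:19Z campaign=sim-2 user=bob action=report
2016-10-17T10:08:48Z campaign=sim-2 user=carol action=click
2016-10-17T10:10:01Z campaign=sim-2 user=dave action=report
2016-10-17T10:11:27Z campaign=sim-2 user=erin action=report
2016-10-19T14:40:12Z campaign=real user=dave action=report
"""


def parse_log(text):
    """Parse log text into a list of event dicts; reject malformed lines loudly."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(m.groupdict())
    return events


def classify(events):
    """Return {campaign: {user: outcome}}, outcome in {'clicked', 'reported', 'ignored'}.

    A click is decisive: reporting after clicking still counts as 'clicked',
    because the credential or payload has already been exposed.
    """
    outcomes = defaultdict(dict)
    for ev in events:
        users = outcomes[ev["campaign"]]
        users.setdefault(ev["user"], "ignored")
        if ev["action"] == "click":
            users[ev["user"]] = "clicked"
        elif ev["action"] == "report" and users[ev["user"]] != "clicked":
            users[ev["user"]] = "reported"
    return outcomes


def campaign_metrics(outcomes, campaign):
    """Click and report rates for one campaign, for round-over-round comparison."""
    users = outcomes[campaign]
    n = len(users)
    clicked = sum(1 for o in users.values() if o == "clicked")
    reported = sum(1 for o in users.values() if o == "reported")
    return {"users": n, "click_rate": clicked / n, "report_rate": reported / n}


def actions(outcomes):
    """Reward reporters, schedule one-on-one reviews for clickers, and give
    special recognition to anyone who reported a real (non-simulated) attack."""
    out = {"reward": set(), "review": set(), "recognize": set()}
    for campaign, users in outcomes.items():
        for user, outcome in users.items():
            if campaign == "real":
                if outcome == "reported":
                    out["recognize"].add(user)
            elif outcome == "reported":
                out["reward"].add(user)
            elif outcome == "clicked":
                out["review"].add(user)
    return out


def repeat_clickers(outcomes, campaigns=("sim-1", "sim-2")):
    """Users who clicked in every listed simulated campaign: the targeted-training list."""
    sets = [{u for u, o in outcomes[c].items() if o == "clicked"} for c in campaigns]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    outcomes = classify(parse_log(SAMPLE_LOG))
    for c in ("sim-1", "sim-2"):
        print(c, campaign_metrics(outcomes, c))
    print(actions(outcomes))
    print("repeat clickers:", repeat_clickers(outcomes))
```

On the constructed log the click rate falls from 40% in `sim-1` to 20% in `sim-2` while the report rate rises from 40% to 80%, which is the kind of trend the follow-up assessments are meant to surface; `carol` clicked in both rounds and is the one person the targeted follow-up should concentrate on.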

Tuesday, June 7, 2016

More Amendments to S 2943 – FY 2017 NDAA – 06-06-16

Yesterday there were a total of 75 additional amendments proposed for S 2943, the FY 2017 National Defense Authorization Act (NDAA). Of those, five may be of specific interest to readers of this blog:

• SA 4392. Ms. CANTWELL (D,WA) - SEC. 1641. Training for member of the armed forces on cyber skills for the protection of industrial control systems. Pgs S3440-1
• SA 4399. Mr. DAINES (R,MT) - SEC. 1655. Upgrades to the nuclear command, control, and communications system. Pg S3442
• SA 4413. Mr. CARPER (D,DE) - Subtitle J—Preventing Dirty Bomb Terrorism. Pgs S3449-50
• SA 4423. Mr. PORTMAN (R,OH) - SEC. 526. Plan to meet demand for cyberspace career fields in the reserve components of the armed forces. Pgs S3445-6
• SA 4430. Mr. CARPER - SEC. 1097. Renaming the national protection and programs directorate. Pgs S3458-9

The Cantwell and Portman amendments are pretty generic requirements to develop plans for training cybersecurity personnel. The Daines amendment includes specific (if brief) mention of including cybersecurity in the required upgrades for nuclear weapon command and control systems.

The Carper dirty bomb prevention amendment is mentioned here solely because it adds yet another security program to the list of those that require employee vetting against the Terrorist Screening Database (TSDB). This new requirement would apply to holders of Nuclear Regulatory Commission industrial and commercial licenses under 42 USC 2133. It does not specifically address similar medical licenses under §2134(a).


The Carper NPPD amendment would authorize the planned reorganization of the DHS National Protection and Programs Directorate as the new ‘United States Agency for Cyber and Infrastructure Security’. This is very similar to the as yet unintroduced bill that the House Homeland Security Committee will be marking up tomorrow.