Showing posts with label DOC. Show all posts

Monday, January 12, 2026

Review – S 3404 Introduced – Satellite Cybersecurity

Last month Sen Peters (D,MI) introduced S 3404, the Satellite Cybersecurity Act of 2025. The bill would require the GAO to publish a report on government actions to support cybersecurity of commercial satellite systems. It also outlines new responsibilities for the Department of Commerce (DOC) on satellite cybersecurity. No new funding is authorized by this legislation.

This bill is very similar to S 1425, the Satellite Cybersecurity Act, that was introduced by Peters in May 2023. The Senate Homeland Security Committee held a business meeting on May 17th, 2023, where this bill was considered. The bill was ordered favorably reported and the Committee Report was published on September 5th, 2023. No further action was taken in the Senate.

There are two significant differences between the two bills. First, S 3404 changes the definitions in Section 3. S 3404 removes two definitions: ‘Director’ and ‘Sector Risk Management Agency’. It also adds the definition of the term ‘appropriate congressional committee’. The latter change obviates the need for naming these committees in various places in the bill. The deleted definitions relate to the other, more significant change: a change in the agency, from CISA to DOC, responsible for the cybersecurity responsibilities outlined in this bill.

Moving Forward

Peters is a member of the Senate Commerce, Science, and Transportation Committee. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this bill that would engender organized opposition, and I would suspect the bill would receive the same level of bipartisan support that S 1425 received in the 118th Congress. Unfortunately, I do not think that the bill is politically important enough to take up the Senate’s time if it were to be considered under regular order.

 

For more information on the provisions of the bill, including a commentary on why the responsible agency was changed, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3404-introduced-satellite-cybersecurity - subscription required.

Sunday, April 27, 2025

HR 866 Reported in the House – ROUTER Act

Earlier this month the House Energy and Commerce Committee took up HR 866, the Removing Our Unsecure Technologies to Ensure Reliability and Security (ROUTERS) Act, in a business meeting along with 25 other pieces of legislation. Substitute language for the bill was considered and adopted by the Committee by a voice vote. On Thursday the Committee published their report (H Rept 119-75) and the reported version of the bill. The bill is scheduled to be considered by the Full House tomorrow under the suspension of the rules.

The amendment expanded the scope of the required study to specifically include ‘cybersecurity vulnerabilities’: “study of the national security risks and cybersecurity vulnerabilities posed by consumer routers, modems, and devices”. The other significant change was the insertion of a new §2(c) that requires consulting “with appropriate bureaus and offices within the Department of Commerce” during the conduct of the study.

The bill would still require the Department of Commerce to conduct a study on the national security risks of consumer routers and modems manufactured in China. No new funding is authorized by the legislation.

Wednesday, November 27, 2024

OMB Approved DOC ICTS Supply Chain Security Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the Department of Commerce on “Securing the Information and Communications Technology and Services Supply Chain”. The notice of proposed rulemaking was published on November 27th, 2019. An interim final rule (IFR) was published on January 19th, 2021.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“Pursuant to Executive Order 13873 [link added] of May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain” and Executive Order 14034 [link added] of June 9, 2021, “Protecting Americans' Sensitive Data From Foreign Adversaries,” the Department of Commerce is finalizing the rule that sets forth the process and procedures that the Secretary of Commerce will use to identify, assess, and address transactions that pose an undue risk to the security, integrity, and reliability of information and communications technology and services provided and used in the United States.”

With a probable effective date well after Trump’s inauguration in January, the new administration will be able to effectively kill this final rule with an executive order (the underlying IFR would take a new rulemaking to undo). While the rulemaking was initiated under Trump 45, the Biden Administration put their stamp on the rulemaking, so it is unclear whether the new administration would let this rule stand.

I will probably not be covering the publication of this final rule in any detail. I will, however, note its publication in the appropriate Short Takes post.

Wednesday, November 23, 2022

DOC Submits Final Rule on ICT Supply Chain Security to OMB

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the Department of Commerce on “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. 

The Spring 2022 Unified Agenda listing for this rulemaking describes its purpose as:

“To implement Executive Order 14034, Protecting Americans’ Sensitive Data from Foreign Adversaries (EO 14034), the Department of Commerce is proposing to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (Supply Chain IFR), that was published on January 19, 2021.  Specifically, this proposed rule would update the Supply Chain IFR to clarify that the term information and communications technology and services (ICTS) includes connected software applications. This update also would add the term connected software applications to the definition section of the Supply Chain IFR, as well as to the definition of ICTS and ICTS Transaction.  Additionally, this proposed rule would make other conforming changes to the Supply Chain IFR to explicitly state that ICTS Transactions include transactions that involve connected software applications.”

Tuesday, November 16, 2021

OMB Approves Software Supply Chain NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved a Department of Commerce (DOC) notice of proposed rulemaking (NPRM) on “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. This rulemaking is not listed in the Spring 2021 Unified Agenda.

As I noted when this rulemaking was sent to OMB for review, I suspect that this is related to §4 of EO 14028. This will probably appear in the Federal Register within the next week so we will know for sure what it covers then.

Friday, October 8, 2021

DOC Sends Software Supply Chain NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOC concerning “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. This rulemaking was not included in the Spring 2021 Unified Agenda.

While EO 14028, Improving the Nation's Cybersecurity, does not specifically task DOC with a requirement to publish a rule concerning supply chain security, §4 of the EO does provide DOC with a laundry list of software supply chain responsibilities. I suspect that this NPRM is a natural outgrowth of those taskings.

Friday, September 24, 2021

Review - DOC Publishes IaaS Cybersecurity ANPRM – 9-24-21

Today the Department of Commerce published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (86 FR 53018-53021) on “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”. This action is being taken in response to requirements in EO 13984, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities. This ANPRM was sent to OMB’s Office of Information and Regulatory Affairs on August 6th, and approved by OIRA on September 13th.

DOC is soliciting responses from the public and industry on the issues raised in today’s ANPRM notice. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # DOC-2021-0007). Comments should be received by October 25th, 2021.

For further details about the EO 13984 requirements and the questions for which DOC is seeking answers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/doc-publishes-iaas-cybersecurity - subscription required.

Tuesday, September 14, 2021

OMB Approves DOC Cybersecurity ANPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advance notice of proposed rulemaking (ANPRM) for a Department of Commerce rulemaking on “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities”. This rulemaking was not reported in the Spring 2021 Unified Agenda.

As I noted when this rulemaking was submitted to OIRA last month, I suspect that this is an action required under EO 13984 of the same name. We could see this being published in the Federal Register within the coming week.

Friday, August 6, 2021

DOC Sends Cybersecurity ANPRM to OMB – 8-6-21

Yesterday, OMB’s Office of Information and Regulatory Affairs announced that it had received an advance notice of proposed rulemaking (ANPRM) from the Department of Commerce on “Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities”.

This rulemaking was not listed in the Spring 2021 Unified Agenda, which makes it difficult to tell for sure what the ANPRM may cover. There are, however, two regulation making requirements in EO 13984, Taking Additional Steps To Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities, for DOC.

NOTE: EO 13984 was not one of the Trump executive orders repudiated by the incoming Biden Administration in EO 13992.

The first is for DOC to “propose for notice and comment regulations that require United States IaaS [Infrastructure as a Service] providers to verify the identity of a foreign person that obtains an Account”. This requirement called for DOC to propose those regulations within 180 days of January 19th, 2021, or July 18th.

The same deadline was set for the second regulation proposing requirement for “Special Measures for Certain Foreign Jurisdictions or Foreign Persons.”

In any case, without the listing in the Unified Agenda, it is not possible to say for sure if the rulemaking sent to OIRA yesterday was either, both, or something completely different.


Tuesday, March 16, 2021

DOC Supply Chain Regulations to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received an advance notice of proposed rulemaking (ANPRM) from the Department of Commerce on “Securing the Information and Communications Technology and Services Supply Chain: Licensing Procedures”. This rulemaking was not listed in the Fall 2020 Unified Agenda.

It is not unusual for rulemakings to appear without being mentioned in the most recent Unified Agenda, but at the start of a new administration it typically means (especially when it is an ANPRM) that this is a new initiative of the new administration. An ANPRM is an indication of early interest in establishing a regulatory framework of some sort, but the agency is looking to industry and the public for guidance in how it could go about it.

Tuesday, August 25, 2020

OMB Approves ‘Foundational Technology’ ANPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advance notice of proposed rulemaking (ANPRM) for a Department of Commerce rule on “Identification and Review of Controls for Certain Foundational Technologies”. The ANPRM could be expected to be published in the coming weeks.

According to the abstract for this rulemaking in the Spring 2020 Unified Agenda:

“In this advanced notice of proposed rulemaking, BIS [Bureau of Industry and Security] seeks comment on the scope of potential foundational technologies as well as on the criteria for determining which of those technologies, and therefore the related items, are essential to national security, pursuant to applicable sections of the Export Control Reform Act of 2018.”

This rulemaking would implement the requirements of 50 USC 4817 to identify emerging and foundational technologies that are essential to the national security of the United States, but not already controlled by current export control regulations.

I will be watching for this ANPRM for its potential to impact export controls on cybersecurity systems and research similar to what we saw with the 2017 Wassenaar rulemaking.

Wednesday, September 4, 2019

DOC Sends IT Supply Chain Security Rule to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule (IFR) from the Department of Commerce on Securing the Information and Communications Technology and Services Supply Chain for review. This rulemaking was not listed in the 2019 Spring Unified Agenda.

With this rulemaking starting out as an IFR, it must be implementing a specific congressional mandate. I suspect that it deals with restrictions on the use of Chinese telecom equipment.

 