Showing posts with label FY 2018 DHS Authorization. Show all posts

Friday, July 7, 2017

HR 2825 Reported in House – DHS FY 2018 Authorization

Last month the House Homeland Security Committee published their report on HR 2825, the DHS Authorization Act of 2017, along with the amended version of the bill. These documents reflect the actions the Committee took in their markup hearing earlier last month.

Additional Changes


In addition to the changes I reported upon earlier, a rather significant change was made by deleting Section 3, Definition of congressional homeland security committees. Readers might remember that this section limited (to some undefined extent) the oversight of DHS to four committees in Congress, the two homeland security committees and the two appropriations committees. I do not recall seeing an amendment offered in the mark-up hearing that would have deleted this section, which was definitely in the substitute language (as §2) offered by Chairman McCaul (R,TX).

Explanation of Congressional Intent


One of the important aspects of committee reports is that they offer a brief explanation of the intent of the Committee in crafting the various sections of the bill. In looking back at the explanations for the sections about which I had previously reported, I found two that might be of specific interest to readers of this blog.

The first deals with §403, Cyber at ports. The report notes (pg 159):

“The Committee believes that our ports and the automated systems that control them are vulnerable to cyber-attacks, which could be devastating to the transit of international commerce. While USCG inspects and approves what are known as ‘facility security plans’ at ports twice a year, these plans are not currently required to have a cybersecurity strategy. The Committee believes that requiring facility operators to have a cyber security plan, and providing them with a mechanism to share best practices and receive current intelligence, is critical to maintaining the uninterrupted flow of maritime commerce and the security of our ports.”

The second concerns §642. The report notes (pg 197):

“The Committee is concerned with findings from an August 2014 DHS Inspector General review of the Department’s medical countermeasure program, DHS Has Not Effectively Managed Pandemic Personal Protective Equipment and Antiviral Medical Countermeasures (OIG–14–129) [Link Added]. As a result, the section addresses the Inspector General recommendations related to medical countermeasure quantity determination; stockpile replenishment; inventory tracking; and cross-component standards for storage, security, dispensing and documentation.”

Moving Forward


Having the report prepared for this complex a bill so quickly after the mark-up hearing is usually a good indication that the Chair expects to be able to move the bill to the floor of the House relatively quickly. It is not currently on the schedule for the coming week, but there is a good chance that it could come to the floor for a vote before the summer recess.

The removal of the section limiting oversight will make it much easier for McCaul to convince the leadership to move this bill forward in the House. It will also increase (by some amount anyway) the possibility that the Senate could actually take up the bill once it is passed in the House.

Commentary



I am disappointed in the explanatory language for §642. While Congress should be concerned with the results of the GAO investigation, this language ensures that DHS will limit the study and report required in §642 {essentially the same study required in the proposed HR 2922 (§302)} to those specific pandemic-related measures identified in the report. As I noted in my post about HR 2922, I would prefer to see this specifically expanded to include medical countermeasures for chemical incidents (see here for example).

Sunday, June 18, 2017

HR 2825 Amended and Approved in Committee

Last week the House Homeland Security Committee held a markup hearing on HR 2825, the DHS Authorization Act of 2018 [corrected date 6-19-17 0710 EDT]. The Committee adopted a large number of amendments, including substitute language.

Substitute Language


The original bill was extremely light in its coverage and was obviously missing some titles. The substitute language offered by Rep. McCaul (R,TX) substantially enlarged and expanded the coverage of the bill. New sections in the substitute language that may be of specific interest to readers of this blog include:

§403. Cyber at ports.
§409. Repeal of interagency operational centers for port security and secure systems of transportation.
§572. Surface transportation security assessment and implementation of risk-based strategy.
§577. Surface transportation security advisory committee.
§583. Study on surface transportation inspectors.
§584. Security awareness program.
§585. Voluntary use of credentialing.
§586. Background records checks for issuance of hazmat licenses.
§587. Recurrent vetting for surface transportation credential-holders.
§588. Pipeline security study.
§589. Repeal of limitation relating to motor carrier security-sensitive material tracking technology.
§620. Cyber preparedness.
§642. Medical Countermeasures Program.

The provisions I discussed in my post about the original bill remain essentially unchanged.

Maritime Security


Title IV of the substitute language addresses maritime security issues. Most of the provisions found in this title were included in HR 2831, the Maritime Security Coordination Improvement Act that I reviewed yesterday. That bill includes provisions not seen in this bill, so it is likely to continue forward. I suspect that the duplicate provisions in this bill are those that McCaul considers the most important.

The cybersecurity provisions that I discussed in HR 2831 are included in this bill (§403) essentially unchanged.

Surface Transportation Security Studies


The substitute language contains a new Title V, Subtitle G (sections 571 thru 589) that addresses a number of surface transportation security issues. Many of them deal with various study and report requirements. There are two studies outlined in this subtitle that may be of specific interest to owners and operators of surface transportation organizations and activities.

Section 583 would require the Government Accountability Office (GAO) to conduct a study looking at potential duplications or redundancies between TSA and DOT “relating to surface transportation security inspections or oversight” {§583(1)}. While TSA has been given the responsibility for overseeing all transportation security issues, its main (some would say almost exclusive) focus has been on passenger air transportation security. As a result, the DOT modal agencies have continued to oversee the pre-TSA security requirements that were initiated by the modal agencies. There exists a very real potential that this study could lead to the disbanding of the TSA surface transportation security program as duplicative and ineffective.

Section 588 requires a separate GAO study of the TSA/DOT oversight conflict in the pipeline security arena. Of particular interest to readers of this blog is the specific inclusion of cybersecurity issues in the study parameters. The GAO is tasked with looking at how the current memorandum of understanding between DHS and DOT adequately delineates the responsibility for {§588(a)(1)}:

• Protecting against intentional pipeline breaches and cyber-attacks;
• Responding to intentional pipeline breaches and cyber-attacks; and
• Planning to recover from the impact of intentional pipeline breaches and cyber-attacks.

The big problem here is that most of the activities that are used to respond to a pipeline breach are the same for both intentional and accidental breaches. Given the fact that accidental breaches are much more common than intentional breaches, the DOT pipeline safety folks will have much more practical experience in this field.

The one area that is not specifically identified in the §588 requirements is having the GAO study identify whether either PHMSA or TSA has enough people with the requisite skill and background in control system security to deal with cyber-attacks.

Other Amendments


An amendment offered by Rep. Thompson (D,MS) amended the new requirement for surface security awareness training outlined in §584. The Thompson amendment would reiterate that this new requirement would not “replace or affect in any way the security training program requirements” specified in 6 USC sections 1137, 1167, and 1184. Readers of this blog will remember that TSA finally published a notice of proposed rulemaking (NPRM) on those requirements last December. This amendment was adopted by voice vote.

An amendment offered by Rep. Langevin (D,RI) would add a new section to the bill that would require the FEMA Administrator to conduct a study on the use of grant funds awarded pursuant to 6 USC §604 (Urban Area Security Initiative) and §605 (State Homeland Security Grant Program) to support efforts to prepare for and respond to cybersecurity risks and incidents (as such terms are defined in 6 USC 148). Readers should see my discussion on HR 2831 on why the reference to 6 USC 148 ignores control system security issues. This amendment was adopted by voice vote.

Moving Forward



The amended substitute language on this bill passed by a voice vote. Even with the Democrats losing party line votes on six amendments, there is still substantial bipartisan support within the Committee for the amended bill. If McCaul can get buy in from the House leadership (including the chairs of a number of other potentially interested committees) to bring this bill to the floor, it is almost certain to pass. Convincing the Senate leadership to bring the bill to the floor in that body will be another intra-party, political issue.

Monday, June 12, 2017

HR 2825 Introduced – FY 2018 DHS Authorization

Last week Rep. McCaul (R,TX) introduced HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017. While the original title of the bill seemed to imply that it was a technical corrections act, this would actually be (if it is passed) the first authorization bill for DHS since it was introduced in 2002.

As introduced, this bill would have minimal effect on the chemical security, transportation security or cybersecurity functions of the department. There are only three provisions of the bill that may be of specific interest to readers of this blog:

Sec 3 – Definition of congressional homeland security committees;
Sec 117 – Research and development and CBRNE organizational review; and
Sec 108 – Office of Strategy, Policy, And Plans.

Congressional Oversight


It looks like §3 is an attempt to consolidate the congressional oversight of DHS to four committees by specifically identifying only those committees in the definition of the term “congressional homeland security committees”. Those four committees are:

• House Homeland Security Committee;
• House Appropriations Committee;
• Senate Homeland Security and Governmental Affairs Committee; and
• Senate Appropriations Committee.

This will almost certainly not directly affect the rules of the House that provide for congressional oversight activities, but it does serve to restrict reporting requirements outlined in this bill.

Interestingly, this bill was only assigned to the House Homeland Security Committee for review instead of the nine committees (for instance) to which HR 6381 (last session's late-entry attempt at a DHS authorization bill) was assigned. It will be interesting to see if this bill gets to the floor without being considered by any other House Committee.

Chemical Security


Section 117 provides for a formal review of research activities of the Department, mainly those being conducted by the Science and Technology (S&T) Directorate. The Department would be required to report to the four committees on that review.

Additionally, paragraph (b) of that section would require DHS to undertake a review of the Department's “chemical, biological, radiological, nuclear, and explosives activities” {§117(b)(1)} with the intent to develop “organizational structure to ensure enhanced coordination and provide strengthened chemical, biological, radiological, nuclear, and explosives capabilities in support of homeland security” {§117(b)(1)}.

This could potentially affect to whom the Department's Infrastructure Security Compliance Division (ISCD) (the CFATS people) reports. It would probably not have much actual effect on the operation of that organization.

DHS Organization


Section 108 addresses some of the high-level organization changes of the Department that McCaul has been calling for for a couple of years. However, instead of specifically calling for a separate cybersecurity element, it outlines the apportionment of the political appointees within the Department. The positions of particular interest to readers of this blog would include:

• Administrator, Transportation Security Administration;
• Assistant Secretary, Infrastructure Protection;
• Assistant Secretary, Office of Cybersecurity and Communications;
• Assistant Secretary for Threat Protection and Security Policy;
• Assistant Secretary for Cyber, Infrastructure, and Resilience Policy.

The TSA Administrator would be appointed by the President with the ‘advice and consent’ of the Senate. The IP Assistant Secretary would not require Senate approval and the remainder would be appointed by the DHS Secretary.

No details are given in the bill for their duties or the organizations which they would oversee.

Moving Forward


McCaul is Chair of the House Homeland Security Committee so this bill will obviously move forward there. In fact, it is slated to be considered in a full committee markup on Wednesday. Interestingly, the Ranking Member is not a cosponsor of this bill, an unusual move on McCaul’s part. It will be interesting to see how much bipartisan support this bill receives in Committee.

The only problem that I see with this bill moving forward is that it would seem to trample on the political prerogatives of a number of Committee Chairs. That would normally doom this bill to languish after the Homeland Security Committee favorably reported it. This problem will become even worse when the House Homeland Security Committee takes up the bill on Wednesday. The Committee will consider substitute language that will specifically address a number of areas dealing with both TSA and the Coast Guard which would normally have to be considered by the Transportation and Infrastructure Committee.


McCaul has either worked out this change in Congressional Oversight with the House Leadership (a major undertaking that he and his predecessor have been trying to achieve for well over ten years now), or he is trying to pull a fast one. Hopefully it is the former. If it is the latter, this bill will never make it to the floor and he will have poisoned the well of cooperation for any future projects.