S 2731 Introduced – Skinny NDAA

Last week Sen. Inhofe (R,OK) introduced S 2731, the Essential National Security Authorities Act for Fiscal Year 2020. This is a ‘skinny’ national defense authorization act (NDAA), with the bare minimum authorization requirements needed to keep the defense apparatus of the United States in operation through FY 2020. Both the House (HR 2500) and Senate (S 1790) passed expanded versions of this bill earlier in the year, but have not yet been able to work out a compromise version of the bill in conference committee.

Cybersecurity

This ‘skinny’ NDAA only contains 2 of the 49 cybersecurity sections found in Title XVI, Division A of the original bill:

§1627. Authority to use operation and maintenance funds for cyber operations-peculiar capability development projects.

§1639. Extension of authorities for Cyberspace Solarium Commission.

Moving Forward

The NDAA is a ‘must pass’ bill. While there is still a chance that the conference committee will work out their differences on the previously passed versions, Inhofe is concerned enough to offer up this bill as a minimum workable solution. I suspect that this bill could be passed in the Senate under their unanimous consent process if the failure of the conference committee became obvious enough; though I would have been more hopeful if Sen Reed (D,RI), the Ranking Member of the Senate Armed Services Committee had signed on as a cosponsor of the bill.

There is also a chance that the conference committee could use this language as a new starting point for working out a compromise version of the NDAA.

Commentary

There is an interesting set of remarks [pg S6246] by Inhofe in the Congressional Record on the introduction of this bill. He explains the dangers of a ‘must pass bill’; everyone wants to add on language that probably would not pass on its own. If that tendency is not adequately controlled, we end up in our current apparent stalemate.

This also provides a good point for the discussion of the term ‘control of the Congress’. Typically, most people mean that a party controls Congress when it has a majority of the elected legislators in both the House and the Senate. That is not exactly the case. Under current rules, the Senate requires a vote of 60 Senators to begin consideration of most legislation. Thus, a minority of 41 Senators can block legislation in that body. True legislative control of the Senate (again under current rules) requires a party to have 60 Senators.

There have been frequent calls for doing away with, or at least restricting, this requirement for a super majority to pass legislation in the Senate. The majority party frequently complains that they are being hamstrung in their efforts to pass legislation that they have promised their voters. And, to be fair, this is frequently true.

Unfortunately, we have seen in recent years what the probable outcome would be if this supermajority requirement were removed or even seriously restricted. Whenever the opposition party gained control of the Senate it would spend a great deal of its time and effort repealing laws and rules established by the other party. Now there are certainly instances where one could fairly describe this as a good thing, but business and society both require a certain amount of stability in the rules and regulations under which they operate. If the Senate could unwrite laws and regulations every two-years, nothing would ever get done and we would have regulatory anarchy.

House Amends and Passes HR 2500 – FY 2020 NDAA

Yesterday the House concluded the amendment process for HR 2500, the FY 2020 National Defense Authorization Act (NDAA) and passed the bill on a near party-line vote of 220 to 197 (eight Democrats voted NAY). Among the literally hundreds of amendments passed are all five of the amendments I mentioned in my post earlier in the week. As expected, they all passed by voice votes as part of en bloc amendments.

There were a number of provisions in the version of the bill considered in the House and a number of passed amendments that would not be able to pass in the Senate. The Senate already passed their version of the bill (S 1790) with a strongly bipartisan vote. A conference committee will ultimately combine the two versions into something that will subsequently pass in both the House and Senate and would ultimately be signed by the President.

Committee Adopts Rule for Consideration of HR 2500 – FY 2020 NDAA

Last night the House Rules Committee formulated the Rule for the consideration of HR 2500, the FY 2020 National Defense Authorization Act (NDAA). It is a structured rule with 439 amendments that may be offered (with provisions for en bloc consideration of amendments. I will be watching five of those amendments. Consideration of the bill begins this afternoon.

The Five Amendments

These are the five amendments that I will be watching. These are the five that I briefly listed last week in my post about the report on HR 2500.

53. Aguilar (D,CA) #244 Expands the Department of Defense Cyber Scholarship Program (formerly known as the Information Assurance Scholarship Program) to include students attending certificate programs that span 1 to 2 years.

158. Gallego (D,AZ) #415 Requires a report on the National Guard's capacity to meet Homeland Defense missions.

200. Jackson-Lee (D,TX) #160 (REVISED) Requires that a report from the Secretary of Defense 240 days after the date of the enactment to the congressional defense committees that accounts for all of the efforts, programs, initiatives, and investments of the Department of Defense to train elementary, secondary, and postsecondary students in fields related to cybersecurity, cyber defense, and cyber operations.

363. Speier (D,CA) #395 (REVISED) Increases funding for the Defense Security Service by $5,206,997 for the purposes of procurement of advanced cyber threat detection sensors, hunt and response mechanisms, and commercial cyber threat intelligence to ensure Defense Industrial Base networks remain protected from nation state adversaries.

381. Torres, Norma (D,CA), Panetta (CA), Cisneros (CA), Stevens (MI) #457 (REVISED) Requires the Department of Defense, in consultation with the Manufacturing Extension Partnership program, to develop policies to assist small- and mid-sized manufacturers to meet cybersecurity requirements.

The Gallego amendment is interesting. It would require a DOD report to Congress setting out “the roles and missions, structure, capabilities, and training of the National Guard and the United States Northern Command, and an identification of emerging gaps and shortfalls in light of current homeland security threats to our country” {new §520(1)}. Critical infrastructure cybersecurity is never explicitly mentioned in the amendment (an odd oversight) but would almost certainly be covered in any DOD report submitted in response to this amendment.

The one specific threat that is mentioned is a “multi-State electromagnetic pulse event” {new §520(2)}. Presumably DOD would also include a geomagnetic storm event in any report on the topic as the response to the two would be similar.

Moving Forward

None of the amendments listed above are very controversial and only one provides a specific spending authorization. Spier would off-set that spending increase by decreasing the spending on “in section 101 for other procurement, Air Force” {new §16XX(b)}. I suspect that all five of these amendments will be adopted; most will be included in en bloc amendments.

HR 2500 will pass, probably along a nearly party-line vote. The Senate already passed their version of the NDAA, S 1790, so differences between the two bills will have to be worked out (probably over the summer recess) in a conference committee. Normally, that reported version of the NDAA would be expected to pass, but with the whimsical nature of the current occupant of the White House, that is not a guarantee that anyone would be willing to make.

HR 2500 Reported in House – FY 2020 NDAA

Last month the House Armed Services Committee published their report on HR 2500, the FY 2020 National Defense Authorization Act (NDAA) along with a copy of the marked up version of the bill. There is one interesting TWIC bit in the actual bill and an entire subtitle of cyber-operations provisions (§1621 thru §1632 starting on page 884), but nothing specific to control system security. There is, however, and interesting discussion about ICS security in the Committee Report in a section dealing with facility electrical utility security.

TWIC Use

Section 2832 clarifies the use of the Transportation Workers Identification Credential (TWIC) for access to military facilities. This section amends §1050 of the National Defense Authorization Act for Fiscal Year 2017 (PL 114–328, 130 STAT. 2396). That earlier legislation directed DOD to consider allowing the use of TWICS for unescorted access to military facilities. The actual language allowed some wiggle room; “the Secretary shall, to the maximum extent practicable, ensure that the Transportation Worker Identification Credential (TWIC) shall be accepted as a valid credential for unescorted access to Department of Defense installations by transportation workers.” {§1050(a)}

In this bill the entire first paragraph was replaced with stricter language providing that the TWIC “is accepted as a valid credential for unescorted access to a work site at a maritime terminal of the Department of Defense” {new §1050(a)(1)} and allowing DOD to consider authorizing the use of TWIC for access to other DOD facilities.

ICS Security

The Committee Report (pgs 284-5) notes that in 2015 (2016?) the “Department subsequently directed the services and other Defense agencies to develop plans for identifying the goals, milestones, and resources needed to identify, register, and implement cybersecurity controls on facility-related ICS.” Apparently DOD has not provided adequate feedback to the Committee on how that work has progresses, so the Committee is directing the Government Accountability Office (GAO) to evaluate:

• The extent to which the military departments have developed and implemented plans and associated guidance to enhance the cybersecurity of ICS and what, if anything, remains incomplete;

• The challenges the military departments have encountered in implementing relevant guidance to enhance the cybersecurity of ICS and how effectively the challenges have been overcome;

• How effectively the military departments implemented industry leading practices to enhance cybersecurity for ICS; and

• How effectively the military departments conduct tests of the cybersecurity of ICS and implement improvements to security to counter any weaknesses identified.

Moving Forward

The House Rules Committee has closed the period for submitting possible amendments to HR 2500. As of today, 652 amendments have been submitted. I am currently keeping an eye on five of those amendments for possible coverage in future blog posts; #160, #244, #395, #415, and #457.

The Committee has not yet established a date for hearing on the rule for consideration of HR 2500. There has been some talk of adding a DHS spending bill (not yet published by the Appropriations Committee) to HR 2500, but that would be an unusual combination of bills. I do expect that some form of this bill will be considered before the House takes their summer recess.

Senate Passes S 1790 – FY 2020 NDAA

Yesterday the Senate amended and passed S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020, by a strongly bipartisan vote of 86 to 8. Only two amendments were adopted, the most important being SA 764 [pgs S 3856- 4093]; substitute language for the bill. That amendment did not make any changes to the cybersecurity portions of the bill that I previously discussed.

The House has not yet taken up HR 2500, the House version of the NDAA. That will probably happen after the extended 4^th of July weekend. I will have more on that bill next week.

Ultimately, the House will take up the language of HR 2500 (either directly as that bill or as substitute language for S 1790). A conference committee will then iron out the differences before the bill is again voted upon in the House and Senate. As has become the new normal, we will have to watch out for last minute presidential tweets to see if the final bill will be able to be passed.

Committee Hearings – Week of 06-09-19

This week with both the House and Senate in session spending bills start to move to the Floor of the House and the FY 2020 NDAA finally finishes up.

FY 2020 Spending Bills

• Tuesday, House, Full Committee, DHS;

• Tuesday, House, Full Committee, Financial Services;

This afternoon and tomorrow the House Rules Committee will hold hearing on the rule to consider HR 2740, the first FY 2020 spending minibus. As I mentioned on Saturday, this bill includes the original HR 2740 (LHHE), HR 2729 (Legislative Branch), HR 2968 (DOD), HR 2839 (State), and HR 2960 (EW). The two meetings will set which amendments will be considered during the Floor debate which will begin on Tuesday or Wednesday.

HR 2500 – FY 2020 NDAA

With the subcommittee work finally finishing up last week, the full House Armed Services Committee is set to take up HR 2500, the FY2020 National Defense Authorization Act (NDAA) Wednesday. We should see a report and final version of the bill this week.

On the Floor

This afternoon the House will take up seven homeland security related bills under the suspension of the rules process. This will include HR 1158 – DHS Cyber Incident Response Teams Act of 2019. This bill is expected to receive strong bipartisan support; it will certainly pass.

Committee Hearings – Week of 06-02-19

This week the House and Senate will both be in session. Lots of hearings in the House; of interest here are FY 2020 spending bills and HR 2500, FY 2020 NDAA, markups. Fewer hearings in the Senate, but one will address reforming CFATS.

FY 2020 Spending Bills

• Tuesday, House, Full Committee, Transportation, Housing, Urban Development, and Related Agencies (THUD) Appropriations Bill;

• Tuesday, House, Full Committee, Agriculture, Rural Development, Food and Drug Administration, and • Related Agencies (ARF) Appropriations Bill;

• Wednesday, House, Homeland Security Subcommittee, Homeland Security;

HR 2500 Markups – FY 2020 NDAA

• Tuesday, Subcommittee on Intelligence and Emerging Threats and Capabilities;

• Wednesday, Subcommittee on Intelligence and Emerging Threats and Capabilities;

CFATS

On Tuesday the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “Sensibly Reforming the Chemical Facility Anti-Terrorism Standards Program”. The witness list includes:

• Brian Harrell, DHS;

• Nathan Anderson, GAO

• Matthew Fridley, Brenntag North America;

• Timothy O'Brien, Detotec North America;

• William Erny, American Chemistry Council;

• Andrew Wright, International Liquid Terminals Association; and

• John Morawetz, International Chemical Workers Union Council

I do not expect anything new here outside of an updated GAO report on the CFATS program. It is odd that Director Wulf is not sitting in for DHS, but his boss should be an interesting substitute.

HR 2500 Introduced – FY 2020 NDAA

On Friday Rep. Smith (D,WA) introduced HR 2500, National Defense Authorization Act (NDAA) for Fiscal Year 2020. This is the bare bones of the bill that will ultimately be considered by the full House. Mark-ups in the subcommittees of the House Armed Services Committee will probably start later this coming week. Those markups will start to fill in the many blanks in the current bill.

Bills Introduced – 05-02-19

Yesterday with the House and Senate preparing to depart Washington for the weekend 101 bills were introduced. Of these one will likely receive additional coverage here:

HR 2500 To authorize appropriations for fiscal year 2020 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Rep. Smith, Adam [D-WA-9] 

As with each new NDAA I will be watching this bill for cybersecurity provisions.