Showing posts with label HR 2980. Show all posts

Tuesday, June 24, 2025

Review – HR 2980 Introduced – Energy Cybersecurity Research

Back in April Rep Ross (D,NC) introduced HR 2980, the Energy Cybersecurity University Leadership Act of 2025. After finding that integrating “cybersecurity considerations into the research, design, and development of energy infrastructure represents a cost-effective approach to enhancing the security, resilience, and reliability”, this bill would require DOE to establish an “Energy Cybersecurity University Leadership Program”. No money is authorized by this bill for the program.

HR 2980 is essentially the same as HR 302 which was introduced by Ross in January of 2023. The bill was considered by the full House on February 6th, 2023, under the suspension of the rules process. HR 302 passed by a vote of 357 to 56. No action was taken on that bill in the Senate.

Moving Forward

The House is scheduled to consider HR 302 on Monday under the suspension of the rules process. That process provides for limited debate, allows for no floor amendments, and requires a super-majority for passage. Scheduling a bill for consideration under this procedure indicates that the leadership expects the bill to receive substantial bipartisan support.

Commentary

In two separate sessions of Congress this bill has passed in the House, only to die in the Senate without consideration. Part of this is procedural. The House has the ‘suspension of the rules’ process that allows bills to pass after abbreviated (40 minutes of debate) consideration with a 2/3rds ‘super majority’. While the Senate only requires a 3/5ths majority for passage, that is only after a lengthy (typically multiple days) debate process requiring as many as three procedural votes before the final vote on the bill. This means that only politically important bills generally get considered in the Senate. Minor bills may pass under the unanimous consent process, but a single voice ‘objecting’ to the bill stops that process. There is no requirement that the objection has anything to do with the bill being considered; frequently it is a political ploy looking to trade removing the objection for considering something else entirely.

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2980-introduced-energy-cybersecurity - subscription required.

Monday, January 23, 2023

Review - HR 285 Introduced – Vulnerability Remediation

Earlier this month, Rep Jackson-Lee introduced HR 285. The bill would amend 6 USC 659 to allow the National Cybersecurity and Communications Integration Center (NCCIC) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities”. A report to Congress is also required. No funding is authorized in this bill. The language is very similar to the version of HR 2980 that was passed in the House last session.

Moving Forward

Jackson-Lee has not yet been assigned to any committees. This means that it is too early to tell if she will have sufficient influence to see the bill considered by the House Homeland Security Committee to which this bill was assigned for consideration. The bill would receive significant bipartisan support were it considered by the Committee and would again probably move to the floor of the House under the suspension of the rules process.

Commentary

The development of remediation protocols authorized by this bill is another example of Congress authorizing actions already being taken by CISA. This is, however, going to become more important because of changes made to the House rules for the consideration of spending bills. H Res 5 provides a point of order rule for spending bills to call out “for an expenditure not previously authorized by law”. It is unlikely that this particular activity by CISA would be the subject of a point of order objection, but it remains a possibility.


For more details about the provisions of this bill, including differences from the previous version, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-285-introduced - subscription required.

Wednesday, July 21, 2021

6 Cybersecurity Bills Passed in House – 7-20-21

Yesterday the House passed six cybersecurity bills as part of an en bloc vote on 21 bills that were considered on Monday and Tuesday under the suspension of the rules process. The recorded vote was 319 to 105 with the Republican vote nearly evenly split. The six cybersecurity bills were:

• HR 2928 – Cyber Sense Act of 2021,

• HR 1871 – Transportation Security Transparency Improvement Act,

• HR 3138 – State and Local Cybersecurity Improvement Act, as amended,

• HR 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended,

• HR 2980 – Cybersecurity Vulnerability Remediation Act, as amended,

• HR 3223 – CISA Cyber Exercise Act

Monday, July 19, 2021

Committee Hearings – Week of 7-18-21

This week with both the House and Senate meeting in Washington, there will be a full slate of committee hearings. Hearings of interest include the markup of the Senate version of the FY 2022 National Defense Authorization Act, three cybersecurity hearings and the start of the consideration process for FY 2022 spending bills. And we will have an interesting slate of cybersecurity legislation being considered on the floor of the House.

NDAA Markup in Senate

The Senate Armed Services Committee will be marking up their version of the FY 2022 NDAA. Each subcommittee will be meeting to markup their portions of the NDAA on Monday and Tuesday. Then the full Committee will meet Wednesday and probably Thursday to complete the markup process. The subcommittee markups of interest here include:

• Monday - Subcommittee on Cybersecurity. CLOSED

• Tuesday - Subcommittee on Emerging Threats and Capabilities. CLOSED.

Cybersecurity Hearings

On Tuesday the House Small Business Committee will be holding a hearing on “Strengthening the Cybersecurity Posture of America’s Small Business Community”. This hearing is unlikely to specifically address control system security issues. The witness list will include:

• Tasha Cornish, Cybersecurity Association of Maryland, Inc.,

• Sharon Nichols, Mississippi Small Business Development Center,

• Kiersten Todt, Cyber Readiness Institute,

• Graham Dufault, The App Association,

On Tuesday the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce will be holding a hearing on "Stopping Digital Thieves: The Growing Threat of Ransomware". This hearing is very likely to specifically address control system security issues and could get fairly technical. The witness list includes:

• Kemba Walden, Microsoft Corporation,

• Robert M. Lee, Dragos,

• Christian Dameff, M.D., M.S., Medical Director of Cybersecurity, UC San Diego Health,

• Charles Carmakal, FireEye-Mandiant

• Philip Reiner, Institute for Security and Technology

On Wednesday, the Senate Environment and Public Works Committee will be holding a hearing on “Addressing Cybersecurity Vulnerabilities Facing Our Nation’s Physical Infrastructure”. While the witness list is not yet available, there is a decent chance that there will be some discussion about control system cybersecurity issues. I would not be surprised to see witnesses from the water treatment sector.

Spending Bills

The House Rules Committee has announced that they are accepting amendments for the first spending bill for FY 2022. The House will be considering a minibus (multiple spending bills under one bill number), probably next week. The amendment deadline is Wednesday evening and the Committee is likely to hold their rulemaking hearing next Monday.

The slate for the first minibus is set to include:

Division A (Labor, Health and Human Services, Education),

Division B (HR 4356 – Agriculture, Rural Development),

Division C (Energy and Water Development),

Division D (HR 4345 – Financial Services and General Government),

Division E (HR 4372 – Interior, Environment),

Division F (HR 4355 – Military Construction, Veterans Affairs),

Division G (Transportation, Housing, and Urban Development),

I do not typically review the FSG or MCV spending bills, and the ARD bill contained nothing that I cover in this blog. The LHHS and THUD bills will probably be introduced today.

On the Floor

The House will be spreading their 27 bills considered under suspension of the rules over two days this week. The list includes seven cybersecurity bills:

• Monday

HR 2931 – Enhancing Grid Security through Public-Private Partnerships Act,

HR 2928 – Cyber Sense Act of 2021

• Tuesday

HR 1871 – Transportation Security Transparency Improvement Act,

HR 3138 – State and Local Cybersecurity Improvement Act, as amended,

HR 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended,

HR 2980 – Cybersecurity Vulnerability Remediation Act, as amended,

HR 3223 – CISA Cyber Exercise Act

Republicans have been forcing recorded votes on the suspension bills. Democrats have responded by voting on some and including the remainder in the vote on the language of the rule for consideration of bills under regular order. This may make reporting passage of these bills somewhat piecemeal.

Tuesday, May 25, 2021

Review HR 2980 Markup – Cybersecurity Vulnerability Remediation Act

Last week the House Homeland Security Committee held a markup hearing that considered seven bills, including four cybersecurity related bills. One of those cyber bills was HR 2980, the Cybersecurity Vulnerability Remediation Act. The bill was ordered favorably reported after substitute language was approved. Both actions were taken under unanimous consent.

The substitute language offered by Rep Jackson-Lee (D,TX) included specifically adding control system security references when discussing the cybersecurity vulnerabilities covered by the bill.

The bill is now likely to move to the floor of the House under the suspension of the rules process.

For more detailed information see my post at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2980-markup - subscription required.

Tuesday, May 18, 2021

Update on Cybersecurity Markup – 5-18-21

The House Homeland Security web site now has complete listings for the seven bills that it will be marking up this afternoon. Four of the bills are cybersecurity bills and a fifth deals with critical infrastructure. I have not yet had a chance to publish detailed reviews of each of these bills, so I am going to do a quick review of those that I have not reviewed.

The five bills of interest are:

• HR 2980, the “Cybersecurity Vulnerability Remediation Act”

• HR 3138, the “State and Local Cybersecurity Improvement Act”

• HR 3223, the “CISA Cyber Exercise Act”

• HR 3243, the “Pipeline Security Act”

• HR 3264, the “Domains Critical to Homeland Security Act”

HR 3138

This bill is similar to HR 5823 from last session. It would establish a grant program, the State and Local Cybersecurity Grant Program, with $500 million being authorized each year for the program through 2026. Each grant applicant would have to submit a cybersecurity plan to DHS for approval. Each applicant would also have to establish a cybersecurity planning committee. Multi-state grants would be authorized.

CISA would be required to establish a State and Local Cybersecurity Resiliency Committee. CISA would also be required to prepare and maintain a resource guide to help officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.

The definition of ‘information system’ in this bill uses the ICS inclusive definition from 6 USC 1501.

HR 3223

This bill would amend the Homeland Security Act of 2002 by adding a new section 2220A, National Cyber Exercise Program. It would require CISA to establish a National Cyber Exercise Program to evaluate the National Cyber Incident Response Plan. No additional funding authorization is provided. CISA is already conducting similar cybersecurity exercises.

HR 3243

This bill (Committee Print) would amend 49 USC 114, Transportation Security Administration, mandating that TSA continue being responsible for securing pipeline transportation and pipeline facilities against cybersecurity threats {new §114(f)(16)}.

It would also add a new section 1631, Pipeline Security Section, to a new Subtitle D, Pipeline Security, to the Homeland Security Act of 2002. It would require TSA to establish a pipeline security section to implement the responsibilities of §114(f)(16) {§1631(a)}. The new section would include personnel with cybersecurity expertise {§1631(c)}.

HR 3264

This bill (Committee Print) would add a new section 890B, Homeland Security Critical Domain Research and Development, to the Homeland Security Act of 2002. It defines two new terms {§890B(c)}: ‘United States critical domains for economic security’ (NOT related to the cyber term ‘domains’) and ‘economic security’. Section 890B(a) would authorize research and development to identify and evaluate United States critical domains for economic security and homeland security. The bill authorizes $1 million for this program.


Monday, May 17, 2021

Committee Hearings – Week of 5-16-21

This week, with both the House and Senate in session, there is a full slate of committee hearings. There are two cybersecurity hearings of interest this week, one a markup hearing and the other a look at the cybersecurity of the defense industrial base.

Cybersecurity Markup

Tomorrow, the House Homeland Security Committee will be holding a markup hearing for seven pieces of legislation, including at least three cybersecurity bills. I say ‘at least’ because three of the bills slated to be covered are simply listed on the House.gov calendar page as “H.R.____”. I suspect that one of those three blanks will be HR 3243, which I discussed briefly on Friday. The cybersecurity bills we know for sure are:

HR 2980, Cybersecurity Vulnerability Remediation Act

HR 3138, State and Local Cybersecurity Improvement Act

HR 3223, CISA Cyber Exercise Act

Sharp-eyed readers will recall that I thought those three bills might be coming to the floor this week. That is not the case. It seems that Rep Thompson (D,MS), Chair of the Homeland Security Committee, asked the GPO to print those bills earlier than ‘normal’ so the Committee did not have to rely on committee prints for their markups.

Defense Industrial Base Cybersecurity

The Subcommittee on Cyber of the Senate Armed Services Committee will be holding a hearing Tuesday on “Cybersecurity of the Defense Industrial Base”. The witness list includes:

• Rear Admiral William Chase III, DOD

• Jesse Salazar, DOD

The DIB is increasingly becoming the most heavily regulated industry for the purposes of cybersecurity. We should probably be watching this area of regulation as a potential test-bed for cybersecurity regulations for other critical infrastructure sectors.

On the Floor

There will be nothing of particular interest on the floor of the House this week, but there is some potential for some cybersecurity action in the Senate. Last Thursday, the Senate started to consider S 1260, the Endless Frontiers Act. This bill will establish a new Directorate for Technology and Innovation at the National Science Foundation. I have not been covering this bill, but there are indications that there could be some cybersecurity amendments offered that may be of interest here.

The Senate will vote today to close debate on the motion to consider. That will start the amendment process, so I will be watching the Congressional Record closely for any potential cybersecurity amendments.

Friday, May 14, 2021

HR 2980 Introduced - Cybersecurity Vulnerability Remediation Act

Earlier this month Rep Jackson-Lee introduced HR 2980, the Cybersecurity Vulnerability Remediation Act. The bill would amend 6 USC 659 to allow the National Cybersecurity and Communications Integration Center (NCCIC) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities” {new §659(n)}. The bill is essentially identical to HR 3710 that was passed in the House last session.

Changes to §659

The major change to 6 USC 659 made in this bill is the addition of a new sub-section (n):

“(n) Protocols To Counter Cybersecurity Vulnerabilities.—The [CISA] Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”

Report on Vulnerabilities

Section 3 of the bill requires CISA to prepare a report to Congress on how it coordinates vulnerability disclosures under §659(m), Cybersecurity outreach, and how it will “disseminate actionable protocols to mitigate cybersecurity vulnerabilities” under the new subsection (n). The report will include {§3(a)}:

• A description of the policies and procedures relating to the coordination of vulnerability disclosures,

• A description of the levels of activity in furtherance of such subsections (m) and (n) of such section 2209,

• Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders.

• Any available information on the degree to which such information was acted upon by industry and other stakeholders.

• A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.

Moving Forward

Jackson-Lee is a member of the House Homeland Security Committee. She certainly has the influence to see this bill considered in Committee. In fact, as I mentioned earlier today, it looks like the bill will be skipping the committee consideration process based upon the passage of HR 3710 last session. The bill will almost certainly pass in the House with strong bipartisan support.

Commentary

As I mentioned in a couple of posts on HR 3710, the one real problem with this legislation is found in the last phrase in the new subsection (n): “…including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.” As long as the mitigation measures offered by CISA or researchers only address workarounds or process measures, there should not be any significant issues. But such measures are seldom a real fix for the problem in practice. To really fix a software problem, one has to change the program.

Unfortunately, the only one who can change the program is the owner of the software. One of the peculiarities of modern technology is that the person who operates software is not typically the owner of the software; they buy a license. Making changes to the program without the permission of the owner is probably a violation of 18 USC 1030(a)(5). In my post on the House Homeland Security Committee report on HR 3710, I proposed ‘notwithstanding’ language to address this potential fraud issue, but that ignores the larger issue of the liability of making changes to the software. And those issues are not addressed in this bill.

Cybersecurity Legislation Watch – 5-14-21

I received two emails from Congress.gov this morning about the publication of text for two cybersecurity bills. Anyone can sign up for this service for tracking changes in the files for individual pieces of legislation on that site. It has been especially valuable to me this session because of the large number of bills being introduced and the problems the Government Printing Office is having publishing text of those bills in a timely manner.

Anyway, back to the two bills. The two cybersecurity bills are:

HR 2980, the Cybersecurity Vulnerability Remediation Act, and

HR 3138, the State and Local Cybersecurity Improvement Act

Generally speaking, the GPO tries to publish the text of bills in the order that they were introduced. This keeps them out of problems with congresscritters screaming favoritism when someone else’s bill is published first. These two bills, however, are being published well outside of that sequence. This typically means that the leadership has notified the GPO of their particular interest in seeing these bills published early in the queue.

Now I have not had time yet to do a detailed comparison, but it looks like each of these bills is substantially the same as bills introduced in the 116th Congress:

• HR 2980 – HR 3710, which passed in the House on September 26th, 2019, and

• HR 3138 – HR 5823, which passed in the House on September 30th, 2020

I suspect that later this afternoon, when the House Majority Leader’s ‘The Weekly Leader’ is published outlining what will be happening in the House next week, we will see both of these bills on the list of bills that will be considered under the suspension of the rules process. Bills are not typically seen on the floor before they are considered in committee, but with the current attention on cybersecurity and the fact that both bills went through the committee process last session, this would not be a very unusual process.

There are two other cybersecurity bills that could also be considered on the floor next week, as they have both been considered in committee:

HR 1833, the DHS ICS Capabilities Enhancement Act, and

HR 1850, the Supporting Research and Development for First Responders Act

Wednesday, May 5, 2021

Bills Introduced – 5-4-21

Yesterday, with just the House meeting in pro forma session, there were 57 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 2980 To amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 2982 To amend title 32, United States Code, to authorize cybersecurity operations and missions to protect critical infrastructure by members of the National Guard in connection with training or other duty. Rep. Kim, Andy [D-NJ-3]

It will be interesting to see if HR 2980 is going to provide DHS with authority to take remote remediation actions like DOJ did with some of the Microsoft email servers.
