House Passes HR 3202 – DHS Vulnerability Reporting

This afternoon the House passed HR 3202, the Cyber Vulnerability Disclosure Reporting Act, by a voice vote. There were only 12 minutes of debate and no amendments were authorized from the floor. The bill would require an unclassified report to Congress on procedures that DHS has developed with regards to vulnerability disclosures.

While it is currently unclear whether or not the Senate will take up the bill, it would most likely be considered under the Senate’s unanimous consent process which would involve even less debate and no provision for amendments.

NOTE: This bill gives lie to the current picture of the House as a strictly partisan body. The bill was introduced by Rep. Jackson-Lee (D,TX) with no Republican co-sponsors. The bill moved relatively quickly through the Homeland Security Committee and then to the floor of the House. This could only happen if the Democrat, Ms Jackson-Lee, had the explicit support of her Republican Committee Chair.

Committee Hearings – Week of 1-7-18

Today is the first full week of the second session of the 115^th Congress. Both the House and Senate will be in session, but the hearing schedules is pretty light. Only one hearing of potential interest to readers of this blog; a DOE oversight hearing that will briefly touch on cybersecurity.

DOE Oversight

Tomorrow the Energy Subcommittee of the House Energy and Commerce Committee will be holding a hearing on “DOE Modernization: Advancing DOE’s Mission for National, Economic, and Energy Security of the United States”. According to the staff background memo, this will include a look at the DOE’s role in energy sector cybersecurity. The lengthy witness list includes:

• Dan Brouillette, DOE;
• Paul Dabbar, DOE;
• Frank Klotz , DOE;
• Sarah Ladislaw, Center for Strategic and International Studies;

• Donald Levy, University of Chicago and Co-Chair;

• Mark Menezes; DOE;
• Rich Powell, ClearPath Foundation;

• Dan Reicher, Brookings Institution; and

• Steve Wasserman, Argonne National Laboratory

On the Floor

There is one bill that will make it to the floor this week that may be of specific interest to readers of this blog; HR 3202, the Cyber Vulnerability Disclosure Reporting Act. The bill would require a report to Congress on procedures that DHS has developed in regards to vulnerability disclosures. It only addresses DHS vulnerability discoveries, not those made by DOD or DOE and the report to Congress is not really a public report, but it is required to be unclassified (with potentially classified annexes).

The bill will be considered Tuesday under suspension of the rules. There will be limited debate and no floor amendments. It is expected to pass with bipartisan support.

HR 3202 Introduced – Cybersecurity Reporting

Earlier this month Rep. Jackson-Lee (D,TX) introduced HR 3202, the Cyber Vulnerability Disclosure Reporting Act. The bill would require a report to Congress on procedures that DHS has developed in regards to vulnerability disclosures.

Section 2 of the bill requires DHS (within 240 days of passage of the bill) to report to Congress that describes “the policies and procedures developed for coordinating cyber vulnerability disclosures, in accordance with section 227(m) of  the Homeland Security Act of 2002 (6 U.S.C. 148(m) [Link Added; Note: it is §148(l) at this link, an amendment changing that para to (m) has not yet been published])” {§2(a)}.

Moving Forward

Jackson-Lee is an influential member of the House Homeland Security Committee, the committee to which the bill was assigned for consideration. It is very likely that she has enough influence to have this bill considered in Committee. There is nothing in the bill that would draw the ire of any organization. Since it just requires a very legitimate report to Congress it is likely that this bill would have enough bipartisan support to allow it to be considered under the suspension of the rules procedures in the House. If it were to be considered in the Senate, it would likely be considered under their unanimous consent procedure.

Commentary

Since the bill specifies that the main report will be unclassified (with a potential classified annex) I would have liked to have seen the bill include a provision for DHS to post a copy of the unclassified version of the report to the NCCIC web site. That would allow these policies and procedures to become public knowledge, as they should be. Without that sort of provision we may never see this report; it certainly will not show up on a congressional web site.

Bills Introduced – 07-12-17

Yesterday with both the House and Senate in session there were 46 bills introduced. Of those, four may be of specific interest to readers of this blog:

HR 3191 To prohibit the use of Federal funds to establish, support, or otherwise promote a joint cybersecurity initiative with Russia, and for other purposes. Rep. Boyle, Brendan F. [D-PA-13]

HR 3198 To provide for Federal Aviation Administration research and development, and for other purposes. Rep. Knight, Stephen [R-CA-25]

HR 3202 To require the Secretary of Homeland Security to submit a report on cyber vulnerability disclosures, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

S 1544 A bill to prevent Federal funds from being used to establish a cybersecurity unit in cooperation with the Russian Federation.  Sen. Klobuchar, Amy [D-MN]

HR 3191 and S 1544 are almost certainly political statements rather than a serious attempt at legislating, but they will be followed here for their potential effects on cybersecurity programs of the US government.

HR 3198 will only be followed if it includes cybersecurity provisions.

I will be watching HR 3202 for possible specific language related to industrial control systems.

House Passes Four Homeland Security Bills

As I noted this morning the House addressed a number of bills today under suspension of the rules. Four of them were mentioned as being of probably interest to readers of this blog:

• HR 2952 - The Critical Infrastructure Research and Development Act;

• HR 3107 - The Homeland Security Cybersecurity Boots-on-the-Ground Act;

• HR 3202 - The Essential Transportation Worker Identification Credential Assessment Act; and

• HR 3696 - The National Cybersecurity and Critical Infrastructure Protection Act.

All four bills, as expected, passed with impressive bipartisan support. Two of the bills (HR 2952 and HR 3696) passed by voice votes. The other two bills passed in voice votes; HR 3107 (395 to 8) and HR 3202 (400 to 0). Interestingly, HR 3107 was incorporated into HR 3696 before the bill was reported by the Homeland Security Committee.

I suspect the four bills could also garner similar bipartisan support in the Senate. There is a possible problem for HR 3696. This bill is as close at things will get in the near future to being a comprehensive cybersecurity bill. ‘Comprehensive bills’ have been routinely held up by Sen. Reid (D,NV) as the various affected committees in the Senate tried to craft their own bills. I suspect that Reid will do the same for this bill as the leadership tries to craft a deal to pass S 2588, the Cybersecurity Information Sharing Act of 2014. It is not really a competing bill, but Reid seems to figure that he can only pass one significant cybersecurity bill each session.

Congressional Hearings – Week of 7-27-14

This is the start of the last week currently scheduled for the House and Senate to be in Washington until after the Labor Day Weekend. There is only one hearing currently scheduled that is of specific interest to readers of this blog; a Senate markup hearing that looks at a number of interesting bills including CFATS.

Senate Markup Hearing

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting to cover a wide range of nominations and legislation. Included in the list of bills to be addressed are:

• HR 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014;

• S 2547, the RESPONSE Act of 2014; and

• S 2664, a public alert and warning system bill yet to be published.

HR 4007 is, of course, the bill of biggest interest here. The Committee leadership has been talking about writing their own bill since the first of the year, but has failed to reach a consensus on that language. There has been recent talk about Chairman Carper (D,DE) wanting to see language added that would allow Tier 4 facilities to ‘self-certify’ compliance with the site security plan requirements. That amendment would probably be acceptable to the House. Anything more complicated than that might derail passage of this bill.

House Floor

Today the House will consider a number of bills under suspension of rules. Four of them will be of interest to readers of this blog:

• HR 2952 - The Critical Infrastructure Research and Development Act;

• HR 3107 - The Homeland Security Cybersecurity Boots-on-the-Ground Act;

• HR 3202 - The Essential Transportation Worker Identification Credential Assessment Act; and

• HR 3696 - The National Cybersecurity and Critical Infrastructure Protection Act.

The House leadership has determined that these bills have enough bipartisan support to ensure their passage with a 2/3 vote. I’m kind of surprised that HR 3696 made that cut considering the number of organizations that still have problems with privacy issues in the bill. We will see if they get surprised on this vote; it does happen periodically.

HR 3202 Reported in House – TWIC Assessment

Last week the House Homeland Security Committee published their report on HR 3202, the Essential Transportation Worker Identification Credential Assessment Act. The bill is now available for consideration by the Whole House and could be considered next week under suspension of the rules.

There has been some fine tuning made to the requirements for the independent report on the efficacy of the TWIC program, though nothing of major significance. It does expand the reporting requirements for the Comptroller General to include reporting on the progress made in implementing the plan developed by DHS.

There is one major change made in the reported bill. The Committee back-tracked on supporting the GAO report recommendation that the current TWIC Reader Rule be delayed until a comprehensive review of the efficacy of the TWIC program is completed. The new version of the bill adds §2(e)(2) that exempts the current rulemaking from any delay caused by this bill. The report explains that this way (pg 8 of the report):

“The Committee has been critical of the Department’s delay in issuing a final rule for the use of card readers at MTSA regulated vessels and facilities and, at this time, the Committee believes that the current card reader rule should move forward. The Committee directs DHS to incorporate the results of this comprehensive assessment into any additional rule making or changes to existing rules.”

One can certainly sympathize with the Committees impatience; the TWIC Reader Rule was supposed to be in place years ago. Of course, industry may not be too pleased with this change. The TWIC Readers are going to be expensive to install, use and maintain. If the TWIC program has to undergo major revisions because of the assessment required in this bill, the Readers may not be useful too far into the future. That assumes, of course, that Congress and DHS can act in an expeditious manner to implement any changes recommended by the study.

As I mentioned in an earlier blog post, I expect that this bill will receive substantial bipartisan support when it comes to the floor. With that in mind, I would not be surprised to see it considered early next week under suspension of the rules. That way the House would be done with it before the recess. I think the bill would have a good chance of passing in the Senate in September, even with the electioneering and short schedule.

Congressional Hearings – Week of 6-8-14

Both the House and Senate will be working in Washington this week. Spending bills dominate; two spending markup hearings and a Rules Committee hearing make the list of potential specific interest to readers of this blog. Also included would be another markup hearing of miscellaneous homeland security bills and a Senate oversight hearing on DHS.

Spending Bills

The House Appropriations Committee will mark up the FY 2015 Defense spending bill on Tuesday and the DHS spending bill on Wednesday. Committee drafts are not yet publicly available.

The House Rules Committee will be holding a hearing on Tuesday that will include the Agriculture spending bill, HR 4800. The text of that bill and the Appropriations Committee report are both available on the Rules Committee web site.

The Full House will begin consideration of HR 4745, the FY 2015 THUD spending bill today under an open rule. I expect that we will see at least one crude oil train related amendment offered.

Homeland Security Markups

The House Homeland Security Committee will meet on Wednesday to mark up a number of bills. Of particular interest to readers of this blog will be:

• HR 3202, the “Essential Transportation Worker Identification Credential Assessment Act”;

• HR 4263, the "Social Media Working Group Act of 2014"’; and

• HR 4289, the “Department of Homeland Security Interoperable Communications Act”

DHS Oversight

The Senate Judiciary Committee will hold an oversight hearing on DHS operations on Wednesday. This will be a high-level review with little in the way of details.

HR 3202 Markup Hearing Update

The House Homeland Security announced on their web site this afternoon that HR 3202, the Essential Transportation Worker Identification Credential Assessment Act, markup hearing that had been scheduled for Wednesday had been postponed until a date and time to be determined. This is the second time in about a week that the markup of this bill was postponed. While the first delay was generally explained as a response to the government shut-down, that does not so easily explain the current delay. The shutdown was already in effect when the second hearing was scheduled.

Bills Introduced – 9-27-13

While the Congress is still in deep disagreement on the 2014 spending program they do continue to be hard at work drafting new legislation proposals. There were three bills introduced yesterday that might be of specific interest to readers of this blog:

HR 3202 Latest Title: To require the Secretary of Homeland Security to prepare a comprehensive security assessment of the transportation security card program, and for other purposes. Sponsor: Rep Jackson Lee, Sheila (D,TX)

HR 3208 Latest Title: To clarify that certain natural gas facilities are not subject to the Natural Gas Act. Sponsor: Rep McKinley, David B. (R,WV)

HJ RES 66 Latest Title: Making continuing appropriations for fiscal year 2014, and for other purposes. Sponsor: Rep Reed, Tom (R,NY)

TWIC

The bill from Rep. Jackson-Lee is almost certainly a direct (though certainly delayed) response to the Government Accounting Office recommendation made in a Congressional Hearing on May 8^th. It will be interesting to see what gets included in this bill.

Natural Gas

I’m not sure what the purpose of this bill is; there is nothing on Rep. McKinley’s web site about the bill. I suspect that it deals with exportation of natural gas, but we will just have to wait and see.

Another Continuing Resolution

This is another conservative Republican alternative Continuing Resolution. It would continue the current sequestered spending limits until December 15^th (and extends the CFATS authorization to that date). It delays Obamacare funding for one year instead of killing Obamacare; so it is an attempt at compromise, probably not enough though. Rep. Reed is not a member of the Appropriations Committee, so it is unlikely that this will get to the floor, but it has already been printed by the GPO so it is possible that it could reach the floor of the House.