Showing posts with label HR 4609. Show all posts

Friday, February 25, 2022

Review - HR 4609 Reported in House – NIST Reauthorization

Last week, the House Science, Space, and Technology Committee published their report on HR 4609, the National Institute of Standards and Technology for the Future Act of 2021. The Committee met on July 27th, 2021 and adopted substitute language along with 14 other amendments to the bill. The reported language includes eight new sections and many language changes, including some changes to the cybersecurity requirements.

New Sections

The following new sections were added to the bill:

§214. Facilitating development and distribution of forensic science standards.

§215. Sustainable Chemistry Research and Education.

§307. Standard technical update.

§308. GAO study of NIST research security policies and protocols.

§309. Premise plumbing research.

§401. Establishment of expansion awards pilot program as a part of the Hollings Manufacturing Extension Partnership.

§402. Update to manufacturing extension partnership.

§403. National supply chain database.

Moving Forward

With the publication of the Committee Report, the bill is now cleared for consideration by the full House. The bill, along with all of the amendments, was adopted by voice vote. This indicates strong bipartisan support for the bill. I suspect that the bill will come before the House next month. It will likely be considered under the House suspension of the rules process. This limits debate, prohibits floor amendments, and would require a supermajority for passage. The bill will pass in the House.

 

For more details about the cybersecurity related changes to the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4609-reported-in-house - subscription required.

Monday, August 16, 2021

Review - HR 4609 Introduced – NIST for the Future Act

Last month, Rep Stevens introduced HR 4609, the National Institute of Standards and Technology (NIST) for the Future Act of 2021. This reauthorization bill includes language providing NIST with specific cybersecurity responsibilities.

On July 27th, the House Science, Space, and Technology Committee held a markup hearing that included the consideration of HR 4609. Substitute language was offered that included minor wording changes to the cybersecurity responsibility language. There were fourteen other amendments adopted before the substitute language was adopted by voice vote. One of those amendments would require NIST to develop tools and guidance to “enable software developers and operators to identify, assess, and manage cyber risks over the full lifecycle of software products.”

With the bipartisan support seen for this bill in Committee, and considering that this is a perennial legislative requirement, this bill will move to the full House. I suspect that it will be considered under the suspension of the rules process: limited debate, no floor amendments, and a supermajority required to pass. It will almost certainly pass with significant bipartisan support.

For more details on the language of the bill and its amendments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4609-introduced - subscription required.

Thursday, July 22, 2021

Bills Introduced – 7-21-21

Yesterday, with both the House and Senate in session, there were 60 bills introduced. Four of those bills may receive additional coverage in this blog:

HR 4597 To amend the Federal Water Pollution Control Act to make certain projects and activities eligible for financial assistance under a State water pollution control revolving fund, and for other purposes. Rep. Garamendi, John [D-CA-3]

HR 4609 To reauthorize the National Institute of Standards and Technology, and for other purposes. Rep. Stevens, Haley M. [D-MI-11]

HR 4611 To direct the Secretary of Homeland Security to issue guidance with respect to certain information and communications technology or services contracts, and for other purposes. Rep. Torres, Ritchie [D-NY-15]

S 2407 A bill to ensure timely Federal Government awareness of cyber intrusions that pose a threat to national security, enable the development of a common operating picture of national-level cyber threats, and to make appropriate, actionable cyber threat information available to the relevant government and private sector entities, as well as the public, and for other purposes. Sen. Warner, Mark [D-VA] 

I will be watching HR 4597 and HR 4611 for language and definitions that would include industrial control systems within the coverage of the bill.

I will be covering HR 4609 as NIST has become an important cybersecurity standards setting organization for the US Government.

S 2407 is the long-awaited and much-publicized Senate Intelligence Committee bill on reporting of cyber incidents. It has an impressive list of cosponsors. See Warner’s press release of the bill here. A draft version of the bill (GPO version will be out sometime) has been provided by Warner’s office. After a quick scan I see one thing of importance (certainly there will be more as I look at it in more depth): the bill kicks down to CISA the responsibility for defining what ‘critical infrastructure’ organizations will be required to report cyber breaches. This could become the de facto list of what constitutes critical infrastructure.

 