Conference Committee Finishes Final Version of FY 2026 NDAA – S 1071

Yesterday the House Rules Committee updated their meeting notice for their Tuesday meeting to include S 1071 as the vehicle for the final version of FY 2026 National Defense Authorization Act. The Rules Committee web site provides the text of the new NDAA. The Committee will meet tomorrow to formulate the rule for the consideration of the bill. I would expect it to be a closed rule, with limited debate, no further amendments, and a simple majority vote requirement. There should be significant bipartisan support for the bill.

Originally, S 1071 passed in the Senate as “A bill to require the Secretary of Veterans Affairs to disinter the remains of Fernando V. Cota from Fort Sam Houston National Cemetery, Texas, and for other purposes”. According to a press release from Sen Cruz’ office, Cota was a convicted rapist that was interred in the Fort Sam Houston National Cemetery. The text from the Senate passed bill has been included in the final conference version of the bill as §8806.

The bill now includes:

DIVISION E—Department of State Authorization Act for Fiscal Year 2026,

DIVISION F – Intelligence Authorization Act for Fiscal Year 2026,

DIVISION G – Coast Guard Authorization Act of 2025, and

TITLE LXXXVI – Securing the airspace, facilitating emergency response, and safeguarding key infrastructure, entertainment venues, and stadiums.

I will have more details in subsequent posts.

Review - S 4443 Report Published – FY 2025 Intel Authorization

After initially ordering S 4443, the Intelligence Authorization Act for Fiscal Year 2025, reported without a written report, the Senate Intelligence Committee published their report on the bill. In addition to providing summaries of the requirements of various sections of the bill, the report provides two additional discussions about cybersecurity related topics.

Moving Forward

As with most authorization bills, the Senate is not expected to take up S 4111, rather they will take up the House bill (HR 8512) which as just recently reported. The Senate will take up the House passed language of that bill and immediately off the language from S 4111 as substitute language for the purpose of the debate in the Senate. A conference committee will subsequently iron out the differences between the two versions of the legislation.

 

For more details about the two new cybersecurity discussions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4443-report-published - subscription required.

Review – S 4443 Reported in the Senate– FY 2025 Intel Authorization

Last week, Sen Warner (D,VA) introduced S 4443, the Intelligence Authorization Act for Fiscal Year 2025. This bill extends various intelligence agency authorizations and provides congressional directives and oversight to those agencies. The bill contains a number of cybersecurity provisions that may be of interest outside the intelligence community.

Sections addressing cyber security issues of potential concern include:

§313. Report on sensitive commercially available information.

§401. Strategy and outreach on risks posed by People's Republic of China smartport technology.

§510. Management of artificial intelligence security risks. (similar to S 4230)

§511. Protection of technological measures designed to verify authenticity or provenance of machine-manipulated media.

§512. Sense of Congress on hostile foreign cyber actors.

§513. Designation of state sponsors of ransomware and reporting requirements.

§514. Deeming ransomware threats to critical infrastructure a national intelligence priority.

§1203. Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act of 2024. (similar to HR 7447- removed from paywall)

Moving Forward

While this bill has now been cleared for consideration in the Senate, it is not likely to come to the floor for direct consideration. In recent years it was incorporated into either a consolidated spending bill or the National Defense Authorization Act as a Division of the bill. In the case of the NDAA, the language from this bill (likely with modifications) would be added to the substitute language when the House passed NDAA was considered. In the case of a spending bill, the intelligence authorization division would be added to the drafted bill behind closed doors, it would be some sort of amalgam of this bill, the House version of the bill and other provisions added as needed.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4443-reported-in-the-senate - subscription required.

Review - HR 3932 Reported in House – FY 2024 Intel Authorization Act

Earlier this month, the House Intelligence Committee published their Report on HR 3932, the Intelligence Authorization Act for Fiscal Year 2024. They also published the reported version of the bill. There is one section in the bill that addresses cybersecurity for intelligence agencies and the sole mention in the report explicates that section. This legislation would also exempt the intelligence community from rules covering controlled unclassified information. The bill also briefly addresses the chemicals used to manufacture illicit drugs in Mexico.

NOTE: The introduced version of this bill was a very bare bones bill that would act as a skeleton for the work by the Committee to flesh out the language. Thus, there is no point in trying to explain the differences between the two versions of the bill.

Moving Forward

With the publication of this report, the bill is now cleared for consideration by the House. This is one of the annual ‘must pass’ bills and in recent years it has been included in the massive year end spending bill. With Congress being ‘prohibited’ from passing a consolidated spending bill, there is a strong likelihood that this bill will be considered by the House before the end of the year.

There are a number of provisions in the bill (not covered here, but see §418 for example) that will draw almost automatic opposition from Democrats in the House, so this will require a united Republican front to pass the bill. Depending on amendments offered by the Republican 11 and rejected by the more moderate Republicans, this bill may not be able to pass without the removal of some of the provisions objected to by the Democrats.

 

For more details about the provisions of this bill, including commentary on some of them, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3932-reported-in-house - subscription required.

S 2103 Reported I Senate – FY 2024 Intel Authorization

Last month, the Senate Select Committee on Intelligence published a written report for S 2103, the Intelligence Authorization Act for Fiscal Year 2024. The publication of the reported version [note, since the Committee marked up the bill before it was introduced the reported version is the introduced version] of the bill took place back in June. The unclassified portion of the report does not include any additional information on cybersecurity matters.

Normally, this would be the end of this post, but there is an odd entry near the end of the Report (pg 21) under ‘Additional Views’. This area of the report is normally where the minority party explains their objections to items found in the bill. This time, however, the lead ‘Additional View’ is provided by Sen Warner (D,VA) the Committee Chair. He objects to two amendments that were passed without over his objections, neither one of specific interest here.

Those amendments added two new sections to the bill:

Section 312. Office of Intelligence and Analysis

Section 325. Pay cap for diversity, equity, and inclusion staff and contract employees of the Central Intelligence Agency

Interestingly, the next ‘Additional View’ (pg 23) is from Sen Rubio (R,FL) explaining Rubio’s support for §312.

S 2103 Introduced – FY 2004 Intel Authorization

Review - Last week, Sen Warner (D,VA) introduced S 2103, the Intelligence Authorization Act for Fiscal Year 2024. This annual, must-pass legislation, provides continuing authorization for the activities of the intelligence community. In the unclassified portions of this bill there are two cybersecurity related provisions (a workforce measure and an election security act) and one cybersecurity mention-in-passing.

Moving Forward

This bill is one of the must pass bills that Congress needs to deal with each year. Warner is the Chair of the Senate Intelligence Committee and the Committee will take up this legislation when they come back from their two week 4^th of July recess next month. I do not review this bill in enough detail (nor do I follow intelligence politics closely enough) to offer an opinion on the prospects for passage of this bill, nor the level of opposition to its many provisions. We will be better able to evaluate those matters when we see how the Committee votes on amendments their final recommendation on the bill.

 

For more details about the cybersecurity provisions of this bill, and a longer discussion about the recent politics of passing the intel authorization bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2103-introduced - subscription required.

Review - HR 5412 Introduced – FY 2022 Intel Authorization

Last month, Rep Schiff (D,CA) introduced HR 5412, the Intelligence Authorization Act for Fiscal Year 2022. This is one of the annual ‘must pass’ bills, it provides authorization for the activities of the various intelligence services within the federal government. There is one cybersecurity provision this year, and there is on cybersecurity mention in passing. Funding is authorized by this bill, but the amounts are included in a classified annex.

The House Permanent Select Committee on Intelligence amended and ordered this bill reported on the 30^th of September. Neither that report nor amended language have been forwarded to the GPO yet for publication. Once those are published, the House is expected to take up the bill. It will almost certainly pass. Even though the bill did pass in Committee by a voice vote, I will have to wait and see the Minority Views Section of the Committee Report before I will be willing to attempt to forecast how much bipartisan support it will receive.

For more details on the cybersecurity provision and mention in passing, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5412-introduced - subscription required.

Review - S 2610 Introduced – FY 2022 Intel Authorization

Earlier this month, Sen Warner (D,VA) introduced S 2610, the Intelligence Authorization Act for Fiscal Year 2022. The bill was adopted by the Senate Select Committee on Intelligence and a Committee Report on the bill has been published. While major portions of the bill are classified, both the bill and the report do include cybersecurity references.

There are three sections of the bill that address cybersecurity related matter and there are three separate sections that include cybersecurity mentions in passing. The three cybersecurity related sections are:

§343 – Report on the assessment of all-source cyber intelligence information, with an emphasis on supply chain risks,

§604 – Access by Comptroller General of the United States to certain cybersecurity records, and

§606 – Study on vulnerability of Global Positioning System to hostile actions.

This is one of those annual ‘must pass’ authorization bills and it is likely to be considered under regular order. The bill was adopted by a unanimous vote in Committee, so I expect that the bill would receive substantial bipartisan support on the floor of the Senate.

For more details about the provisions of the bill and cybersecurity mentions in the Committee Report see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2610-introduced  - subscription required.

Conference Report for HR 6395 – FY 2021 NDAA

On Thursday the conferees for HR 6395, the FY 2021 National Defense Authorization Act (NDAA), published their 4500 page ‘Conference Report’ working out the differences between the two versions of the bill. The official GPO version is not yet available, but the House Armed Services Committee posted a copy on their web site. The House is slated to take up the revised language from the report on Tuesday, followed by the Senate later in the week. There is an open threat of a presidential veto, but we will have to wait and see how that turns out.

Provisions of Interest

There are a huge number of ‘cyber’ related provisions in this bill. The following list shows those that I think are most interesting from a control system security point of view.

§1715. Establishment in Department of Homeland Security of joint cyber planning office. (pg 1810) (revised pg 4170)
§1716. Subpoena authority. (pg 1815)
§1717. Cybersecurity State Coordinator. (pg 1827) (revised pg 4170)
§1718. Cybersecurity Advisory Committee. (pg 1836) (revised pg 4170)

§1725. Pilot program on remote provision by National Guard to National Guards of other States of cybersecurity technical assistance in training, preparation, and response to cyber incidents. (pg 1865) (revised pg 4174)

§1729. Cyber capabilities and interoperability of the National Guard. (pg 1880) (revised pg 4175)

§1736. Defense industrial base cybersecurity sensor architecture plan. (pg 1901) (revised pg 4178)

§1737. Assessment on defense industrial base participation in a threat information sharing program. (pg 1903) (revised pg 4179)

§1738. Assistance for small manufacturers in the defense industrial supply chain on matters relating to cybersecurity. (pg 1909)

§1739. Assessment on defense industrial base cybersecurity threat hunting program. (pg 1912) (revised pg 4180)

§1742. Department of Defense cyber hygiene and Cybersecurity Maturity Model Certification framework. (pg 1922) (revised pg 4182)

§1745. Cybersecurity and Infrastructure Security Agency review. (pg 1933)

§1752. National Cyber Director. (pg 1950) (revised pg 4186)

§9005. GAO study of cybersecurity insurance. (pg 3407)

The ‘(pg XXXX)’ listing refers to the language of the actual provision in the bill. The ‘(revised pg 4XXX)’ listing refers to the brief discussion of changes made to the provision in the conference.

Interesting Finds

There is no way that I ‘read’ all 4517 pages of the report. Most of what I did do was put the term ‘cyber’ in the search tool of my .PDF reader and click through the report. In doing so, I discovered a couple of interesting items.

I found the first item on page 680 in §589F. This section introduces a new term that I have never heard before; ‘cyberexploitation’. It is defined as using digital means and online platforms to [§589F(d)(1)]:

• “knowingly access, or conspire to access, without authorization, an individual’s personal information to be employed (or to be used) with malicious intent; or

• “to deceive an individual with misinformation with malicious intent.”

In this section of the NDAA it is used to describe actions taken against family member of armed forces personnel. The bullet in the definition above could apply to all sorts of cyber activities that we have been seeing in recent history. I think that this term (I would hyphenate it ‘cyber-exploitation’) should be more widely used.

I found the second item on page 2247 during the discussion of §2826, Improved electrical metering of Department of Defense infrastructure supporting critical missions. The final subsection shows the increasing cybersecurity sophistication of congressional staffers. It reads:

“(c) CYBERSECURITY.—The Secretary of Defense and the Secretaries of the military departments shall consult with the Chief Information Officer of the Department of Defense to ensure that the electrical energy metering options considered under subsection (b) do not compromise the cybersecurity of Department of Defense networks.”

Intelligence Authorization Act

As I noted in my blog post about the Senate passing HR 3695, the Senate include the FY 2021 Intelligence Authorization Act as a division in the bill. That language did not survive conference. The House has not yet acted on their version of this (HR 7856) ‘must pass’ legislation. The Senate has not acted on their standalone version (S 3905). There is still a chance that some version of this bill could find it into the omnibus spending bill.

HR 6395 Amended and Passed in Senate – FY 2021 NDAA

On Monday, the Senate adopted substitute language for, and passed, HR 6395, the National Defense Authorization Act for Fiscal Year 2021, by a voice vote. The substitute language closely tracks the language the Senate earlier adopted for S 4049, the Senate version of this bill. The Senate’s action set up today’s scheduled vote in the House to go to conference on the bill. This would allow the House and Senate to work out the differences between the two versions of the bill.

The Senate language does include a version of the FY 2021 Intelligence Authorization Act.

I would suspect that most of the cybersecurity provisions that were added during floor action in the House will remain in the approved conference version of the bill.

HR 7856 Reported in House – FY 2021 Intel Authorization

The House Permanent Select Committee on Intelligence recently published their Report on HR 7856, the Intelligence Authorization Act for Fiscal Year 2021. The reported version of the bill contains no significant changes to the cybersecurity provisions that were included in the introduced version and no new cybersecurity provisions. The Report only includes two discussions of cybersecurity issues.

Cybersecurity and the ABMS

The first cybersecurity discussion is found on pages 17 thru 18 under the heading “Advanced Battle Management Family of Systems”. The Committee insists that given “the sensitive nature of the intelligence information that will act as the backbone of ABMS, it is vital that ABMS use only the most secure tools and technology. To this end the Committee directs the Air Force to work with the National Security Agency to establish “minimum security standards, and build these recommendations into the requirements for ABMS” and to then vet those “technologies to ensure that they meet such standards”.

Cybersecurity and UAS

The other discussion of cybersecurity issues in this report is found on pages 26 thru 27 under the heading “Countering the Malicious Use of Unmanned Aircraft Systems (UAS) in the United States”. The Committee notes that both DHS and the FBI report that UAS can be used maliciously in a number of ways, “including kinetic attacks with payloads of firearms, explosives, or weapons of mass destruction and cyber-attacks against wireless devices or networks [emphasis added]. The Committee directs the Director of National Intelligence to prepare an assessment of the potential UAS threat and a report on potential congressional actions necessary to counteract that threat. The Committee is specifically asking the DNI to:

“Propose what the Federal Government would need—with respect to authorities, regulations, policies, protections for civil liberties and privacy, and resources—to carry out feasibility studies and pilot programs enabling U.S. airports, state and local law enforcement, and critical infrastructure owners [emphasis added] to counter the malicious use of UAS.”

Moving Forward

This is typically considered to be one of those ‘must pass bill’ that is generally produced in a bipartisan manner in Committee and then taken up by the Whole House in a fairly collegial manner. That has not been the case this year.  The ‘Minority Views’ section of the Report (starting on page 151) lays out the Republican objections to this bill in quite some vociferous detail. This bill is likely to move to the floor of the House where it will pass on nearly party lines.

The Senate has not taken up their version of the bill (S 3905). If HR 7856 is passed in the House early enough, the Senate could take it up and substitute the language from S 3905. That language has some minor Democratic opposition {see Sen Widen’s (D,OR) short comment section on pages 18 and 19 of that Committee Report}, but probably not enough to stop the bill from being considered. There would be significant differences to be worked out in a Conference Committee, so many differences that they would probably not be able to be worked out before the 116^th Congress closes next month.

I suspect that there are, however, on-going backroom negotiations that could allow for a Division in an FY 2021 spending bill to address necessary intelligence authorization issues. It is an open question on what cybersecurity provisions could make its way into such a division.

S 3905 Introduced – FY 2021 Intel Authorization

Last week Sen Rubio (R,FL) introduced S 3905, the Intelligence Authorization Act for Fiscal Year 2021. This ‘must pass’ bill would set priorities, funding and authorization for the intelligence community. There are no specific cybersecurity measures in the bill, but there is a requirement for reports about the Cyberspace Solarium Commission Report.

Reporting on Commission’s Recommendations

Section 504 of the bill would establish reporting requirements for various federal agencies about the recommendations made by the Cyberspace Solarium Commission. The Commission was charged by the §1652 of the 2019 NDAA (PL 115-232) to make recommendations for opportunities for the private and public sectors to implement critical changes that could harden United States defenses against cyber-attacks. The five federal agencies included in the reporting requirement are {§504(c)}:

• Office of the Director of National Intelligence,

• Department of Homeland Security (Under Secretary of Homeland Security for Intelligence and Analysis),

• Department of Energy (Director of Intelligence and Counterintelligence),

• Department of Commerce, and

• Department of Defense

The reports, required within 180 days of the adoption of the bill, would be required to include {§504(d)}:

• An evaluation of the recommendations in the report described in subsection (b) that pertain to the agency, and

• A description of the actions taken, or the actions that the head of the agency expects to take, to implement any of the recommendations included in such report.

Moving Forward

Rubio is currently the Acting Chair of the Senate Select Committee on Intelligence. The bill was ordered reported by the Committee (without report) on June 8^th, 2020. This bill will be taken up by the full Senate at some point in time and it (or some other version of it) will be amended and ultimately passed by the Senate and the House. That ‘some other version’ caveat has become increasingly necessary for this ‘must pass’ legislation in the last couple of years. Some version of the FY 2021 Intel Authorization Act will ultimately reach the President’s desk.

Commentary

I have not discussed the Cyberspace Solarium Commission Report, mainly because the recommendations are too vague to mean anything besides a call to action. That is why the staff of the Senate Select Committee on Intelligence included §504 in the bill. Unfortunately, they missed an important requirement, making recommendations to Congress on what congressional action would be required to fully implement the Commission’s proposals. A third sub-paragraph needs to be added to §504(d):

“(3) A list of congressional actions that would need to be taken to allow the full implementation of the Commission’s recommendations for the agency.”

Bills Introduced – 6-8-20

Yesterday with the Senate in Washington and the House meeting in pro forma session there were 44 bills introduced. One of those bills will receive future coverage in this blog:

S 3905 An original bill to authorize appropriations for fiscal year 2021 for intelligence and intelligence-related activities of the United States Government, the Intelligence Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes.  Sen. Rubio, Marco [R-FL] 

House Amends and Adopts HR 3494 – FY 2020 Intel Authorization

On Wednesday the House completed the amendment process and passed HR 3494, the FY 2020 Intelligence Authorization, by a bipartisan vote of 397 to 31. The Ruppersberger amendment that would establish a energy grid cybersecurity pilot program was adopted on Tuesday by a voice vote. For a more detailed discussion of that amendment see my blog posts on HR 680 and S 79 (from 115^th Congress).

What will be interesting now is figuring out how this bill will move forward. The House passed this as a stand-alone bill, but the Senate passed their version (without debate) as two divisions (Division F – 2020 authorization and Division G 2018 and 2019 authorization) within the Senate’s version of the National Defense Authorization Act, S 1790. Neither the House nor the Senate have ‘taken action’ on the other’s version of the NDAA, the process that would start the conference committee action on one of the two bills (S 1790 or HR 2500),

What would probably be easiest (for some version of easy) would be for the House to take up S 1790 and amend it to include the language from both HR 2500 and HR 3494. That would be passed with a party-line vote similar to that received on HR 2500. The Senate would then insist on its language and call for the conference committee to be formed. The resulting compromise bill would probably come back to Congress after the summer recess.

Rule Adopted for HR 3494 – FY 2020 Intel Authorization

Yesterday the House Rules Committee crafted the rule for the consideration of HR 3494, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. It provides a structured rule, allowing for the consideration of 31 amendments with limited debate. The bill will be considered by the House today.

The Ruppersberger amendment that I briefly discussed yesterday was included in the list of amendment authorized to be offered on the floor. It is amendment #6.

HR 3494 Reported in House – FY 2020 Intel Authorization

This week the House Intelligence Committee reported on HR 3494, Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. While the bill contains some cyber operations and cyber intelligence language, it does not address any control system cybersecurity issues. There is, however, a brief discussion in the Committee Report about the development of a “cybersecurity and intelligence collection doctrine” that bears some scrutiny.

The House Rules Committee is meeting tomorrow to create the rule under which this bill will be considered on the floor later this week. A total of 46 amendments were proposed to the Committee last week. They will consider which amendments may be considered during the consideration of the bill on the floor of the House. One of those amendments addresses cybersecurity in the energy sector.

Cybersecurity and Intelligence Collection Doctrine

On page 95 of the Report, the Committee directs the Office of the Director of National Intelligence (ODNI) “to develop an analytic framework that could support the eventual creation and execution of a Government-wide cybersecurity and intelligence collection doctrine.” The framework would include:

• An assessment of the current and medium-term cyber threats to the protection of the United States’ national security systems and critical infrastructure;

• IC definitions of key cybersecurity concepts, to include cyberespionage, cyber theft, cyber acts of aggression, and cyber deterrence;

• Intelligence collection requirements to ensure identification of cyber actors targeting U.S. national security interests, and to inform policy responses to cyberattacks and computer network operations directed against the United States;

• The IC’s methodology for assessing the impacts of cyberattacks and computer network operations incidents directed against the United States, taking into account differing levels of severity of incidents;

• Capabilities that the IC could employ in response to cyberattacks and computer network operations incidents, taking into account differing levels of severity of incidents;

• A policy and architecture for sharing cybersecurity-related intelligence with government, private sector, and international partners, including existing statutory and other authorities which may be exercised in pursuit of that goal; and

• Any necessary changes in IC authorities, governance, technology, resources, and policy to provide more capable and agile cybersecurity.

Possible Cybersecurity Amendment

Amendment #20 was submitted by Rep. Ruppersberger (D,MD) and Rep. Carter (R,TX). This amendment would authorize a pilot program identifying new classes of security vulnerabilities and researching technology to address the ever-present and changing face of cyber security threats to the energy grid. The amendment is essentially HR 680, which Ruppersberger and Carter introduced in January. No action has been taken on that bill. Nearly identical language was included (§10742) Intel Authorization Act that was included in S 1790, the FY 2020 NDAA that was passed last month.

There is no resolution of the vulnerability disclosure issue  that I discussed in my post on HR 680 in either this submitted amendment to HR 3494 or in §10742 in S 1790.

Moving Forward

The House is currently scheduled to consider HR 3494 on Tuesday. With the small number of amendments be submitted to the Rules Committee, it looks like it could complete consideration of the bill on the same day. The bill is likely to pass, but I suspect it will be largely a party-line vote. The problem is going to come with how to deal with the intel authorization once the House vote is completed. Normally, there would be a conference committee to iron out the differences, but the Senate passed their intel authorization act as part of the DOD authorization act. It will be interesting to see how this procedural issue is resolved.

Bills Introduced – 06-26-19

Yesterday with both the House and Senate ins session there were 63 bills introduced. Of these, one will probably see additional coverage in this blog:

HR 3494 To authorize appropriations for fiscal year 2020 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Schiff, Adam B. [D-CA-28]

I will be watching this bill for cybersecurity language. The House Permanent Select Committee on Intelligence will be meeting today to markup this bill.

S 1589 Report Printed in Senate – Intel Authorization Act

Last week the Senate Select Committee on Intelligence printed their Report to accompany S 1589, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. As I reported earlier, the Committee favorably reported the bill last month without a report.

There was one interesting bit on control system security in the report on page 31:

National Security Threats to Critical Infrastructure

The Committees are aware of significant threats to our critical infrastructure and industrial control systems posed by foreign adversaries. The sensitive nature of the information related to these threats make the role of the IC of vital importance to United States defensive efforts. The Committees have grave concerns that current IC resources dedicated to analyzing and countering these threats are neither sufficient nor closely coordinated. The Committees include provisions within this legislation to address these concerns.

Unfortunately, I could find nothing in the bill that covered this topic. If it is in there, and congresscritters would never fib, it is buried in a section titled with something that does not deal with cybersecurity.

Bills Introduced – 05-22-19

Yesterday with both the House and Senate in session, there were 102 bills introduced. Two of those bills may see future coverage in this blog:

HR 2915 To amend the Federal Food, Drug, and Cosmetic Act to require physicians and physician's offices to be treated as covered device users required to report on certain adverse events involving medical devices, and for other purposes.  Rep. Fitzpatrick, Brian K. [R-PA-1] 

S 1589 An original bill to authorize appropriations for fiscal years 2018, 2019, and 2020 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Sen. Burr, Richard [R-NC]

I will be watching HR 2915 to see if the ‘certain adverse events’ covered in the bill specifically include cyber events.

S 245 Introduced – FY 2019 Intel Authorization

Last month Sen. Burr (R,NC) introduced S 245, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Intel authorization bills were introduced last session (HR 6237 and S 3153), but only the House bill received any action; it passed by a vote of 363 to 54. No action was taken in the Senate on either bill.

Cybersecurity Provisions

There are a number of cybersecurity related provisions in this bill, but only one of potential specific interest to the industrial control system community. The cybersecurity sections of note include:

§303. Modification of special pay authority for science, technology, engineering, or mathematics positions and addition of special pay authority for cyber positions.

§307. Consideration of adversarial telecommunications and cybersecurity infrastructure when sharing intelligence with foreign governments and entities.

§308. Cyber protection support for the personnel of the intelligence community in positions highly vulnerable to cyber attack.

§309. Modification of authority relating to management of supply-chain risk.

§422. Establishment of Energy Infrastructure Security Center.

§701. Limitation relating to establishment or support of cybersecurity unit with the Russian Federation.

EISC

The potentially interesting ICS provision is, of course, §422 establishing the EISC. A nearly identical provision (different section/paragraph numbers is the only difference) was included in HR 6237. I covered that issue in my post on the introduction of the earlier bill.

Missing Provision

Last year Burr’s authorization bill included a section on energy sector cybersecurity. This was taken almost in whole cloth from last session’s S 79. A bill similar to S 79 was introduced earlier this session; S 174. It is not clear if Burr left this out because he felt that S 174 had a good chance to pass on its own (not likely in my opinion) or whether he got push-back from including the costly provisions in last year’s intel bill.

Moving Forward

Burr’s bill will move forward in Committee, he is after all the Chair of the Senate Select Committee on Intelligence. Getting it to the floor of the Senate may prove to be a bigger problem; he has not had an intel authorization bill on the floor since the FY 2017 bill passed.

Commentary

This used to be considered one of the ‘must pass’ annual authorization bills, but since Trump came to town that does not seem to be the case. Spending bills continue to be approved, but the general Congressional oversight provided through the authorization bills seems to be less important as the community status has waned under Trump. This is doubly unfortunate given the cybersecurity troubles being seen in the world.