S 2520 Passed in House – State and Local Cybersecurity

Yesterday the House took up S 2520, the State and Local Government Cybersecurity Act of 2021. The bill was considered under the suspension of the rules process. After limited debate yesterday, a recorded vote was demanded. That vote took place today and the bill passed by a strong bipartisan vote of 404 to 14.

The bill would add additional responsibilities for CISA with regards to State and local governments. It would also provide additional coordination responsibilities for CISA’s National Cybersecurity and Communications Integration Center (NCCIC). No additional funding is authorized to support these additional responsibilities.

Since no changes were made in the bill during consideration in the House, the bill now heads to President Biden for signature.

Committee Hearings – Week of 5-15-22

This week, with both the House and Senate in session, there is a very active hearing schedule on both sides of the Hill. FY 2023 budget hearing continue, including Member Day hearings (where congresscritters not on the Appropriations Committee have a chance to plead for their favorite projects). We also have two cybersecurity markups, a health and education cybersecurity hearing, and an emergency response hearing.

Cybersecurity Markups

On Tuesday, the House Science, Space, and Technology Committee will hold a business meeting to consider four pieces of legislation. It will include:

• HR 7569, the Energy Cybersecurity University Leadership Act of 2022.

On Wednesday, the Senate Small Business Committee, will hold a business meeting to consider five bills. It will include:

• S 1687, the Small Business Cyber Training Act of 2021

NOTE: I have not followed this bill closely because it deals with cybersecurity training for employees of Small Business Development Center, not small businesses.

Cybersecurity Hearings

On Wednesday the Senate Health, Education, Labor and Pensions Committee will hold a hearing on “Cybersecurity in the Health and Education Sectors”. The witness list includes:

• Denise Anderson, Health Information Sharing and Analysis Center,

• Joshua Corman, I Am the Cavalry,

• Amy McLaughlin, Consortium of School Networking, and

• Helen Norris, Chapman University

I do not think that there will be any in depth discussion about medical device cybersecurity issues, but I could be wrong with Corman as a witness.

Emergency Response

On Tuesday, the Emergency Preparedness, Response, and Recovery Subcommittee of the House Homeland Security Committee will hold a hearing on “Creating a More Resilient Nation: Stakeholder Perspectives”. The witness list will include:

• Chris Currie, GAO,

• Orlando Rolón, Chief of Police, City of Orlando, and

• George Dunlap, Mecklenburg County Commission

I do not think that there will be any specific discussion about response planning for chemical incidents.

On the Floor

There are five cybersecurity bills scheduled for consideration in the House this week under the suspension of the rules process. They include:

HR 5658 – DHS Roles and Responsibilities in Cyber Space Act, as amended,

HR 6824 – President’s Cup Cybersecurity Competition Act, as amended,

HR 6825 – Nonprofit Security Grant Program Improvement Act of 2022, as amended,

HR 6868 – Cybersecurity Grants for Schools Act of 2022, as amended, and

S 2520 – State and Local Government Cybersecurity Act of 2021,

S 2520 Passed in Senate – SLT Cybersecurity

Yesterday the Senate took up S 2520, the State and Local Government Cybersecurity Act of 2021 under the Senate’s unanimous consent process. The reported version of the bill was withdrawn and the Senate took up an amendment (SA 4898) in the form of a substitute. In this case the language considered was very close to the reported version of the bill. The bill was passed with no debate and no vote.

The only revision of significance (and not much of that here) is found in the proposed amendment to 6 USC 659. In §659(p)(1)(E)(vii) the new language adds at the end of the clause: “including, as appropriate, information produced by other Federal agencies;” in describing the additional information to be shared with State, local and Tribal governments.

As with S 2201 that I described earlier in the day, this bill is now in the hands of the House. If the bill is taken up (no guarantees of that), it is likely to be considered under the House suspension of the rules process. It would likely pass with strong bipartisan support.

HR 5960 Introduced – SLTT Cybersecurity

Last week, Rep Neguse (D,CO) introduced HR 5960, the State and Local Government Cybersecurity Act of 2021. This bill is almost identical to the version of S 2520 recently reported in the Senate. It would codify existing outreach and support activities by CISA to support State, local, tribal, and territorial governments.

Differences from S 2520

With the exception of a couple of missing comas, the only difference between this bill and S 2520 is the addition of a run-on phrase (highlighted below) in the proposed subsection (p) for 6 USC 659. This version changes subparagraph (1)(G) to read:

“(G) provide operational and technical assistance to SLTT entities to implement tools, products, resources, policies, guidelines, controls, and standards and best practices and procedures on information security;”

Moving Forward

Neguse is not a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there is unlikely to be adequate influence to see this bill considered in Committee. I see nothing in this bill that would engender any specific opposition. If it were considered in Committee, I would expect it to receive significant bipartisan support.

Review - S 2520 Reported in Senate – State and Local Cybersecurity

Last month, the Senate Homeland Security and Governmental Affairs Committee published their report on S 2520, the State and Local Government Cybersecurity Act of 2021. The Committee took up the bill back in August and approved substitute language for the bill.

The new language for S 2520 includes changes in definitions, removes the proposed changes to 6 USC 652, and revises the proposed subsections (p) and (q) to be added to 6 USC 659. What does not change is that the existing CISA outreach programs to State and local governments remains in effect.

This bill is now available for consideration by the full Senate. Unfortunately, this bill is not important enough to take up the time needed for consideration under regular order. I would suspect that there would be no specific opposition to this bill, so it could conceivably be considered under the Senate’s unanimous consent process, but that is subject to all sort’s of unrelated political objections. The most likely way for this to move forward is to be combined with some ‘must pass’ legislation, probably the FY 2020 spending bill that is due next month.

For more details about the changes in the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2520-reported-in-senate - subscription required.

Review - S 2520 Introduced - State and Local Government Cybersecurity

Last week, Sen Peters (D,MI) introduced S 2520, the State and Local Government Cybersecurity Act of 2021. The bill would add additional responsibilities for CISA with regards to State and local governments. It would also provide additional coordination responsibilities for CISA’s National Cybersecurity and Communications Integration Center (NCCIC). No additional funding is authorized to support these additional responsibilities.

As I mentioned yesterday, this bill will be taken up tomorrow by the Senate Homeland Security and Governmental Affairs Committee in a markup hearing. It is hard to predict whether amendments will be considered, but I do expect to see bipartisan support for the bill. I do not, however, see this bill making its way to the floor of the Senate for consideration. There is not enough legislative meat here for the bill to take up the time to be considered under regular order. There is, however, still time to see this bill added as an amendment to HR 3684 before the final vote later this week.

For a more detailed analysis of the changes that would be made by this bill, including my suggestions for definitional changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2520-introduced - subscription required.

Committee Hearings – Week of 8-1-21

With just the Senate in Washington this week (and looking forward to their Summer Recess), there is a limited number of hearings being held. Two markup hearings may be of interest here.

Spending Bill Markup

The full Senate Appropriations Committee is scheduled to meet on Wednesday for a markup hearing on “FY 22 Energy and Water, Agriculture, and MilCon VA Appropriations Bills”. This is interesting since eight spending bills, including “Energy and Water Development and Related Agencies” (Title III) and “Agriculture, Rural Development, Food and Drug Administration, and Related Agencies” (Title I) were included in Division J of the substitute language for HR 3684.

Homeland Security Markup

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a markup hearing for nine bills. These include

S 2305, the Cybersecurity Opportunity Act,

S 2439, DHS Industrial Control Systems Capabilities Enhancement Act of 2021,

S 2520, the State and Local Government Cybersecurity Act.

NOTE: S 2520 was just published, I plan on publishing my review on that bill tomorrow.