Saturday, July 22, 2017

Trump Administration Updates Unified Agenda – DHS

This week the Trump Administration's Office of Information and Regulatory Affairs (OIRA) published an update to the Unified Agenda. This provides a look at the results of the review of on-going regulatory actions previously addressed by the Obama Administration and at new regulatory initiatives started by the new administration. The last Obama update of the Unified Agenda (the Fall 2016 Unified Agenda) took place in November 2016.

Trump’s OIRA described the current Unified Agenda this way:

“The Agenda represents ongoing progress toward the goals of more effective and less burdensome regulation and includes the following developments:
“Agencies withdrew 469 actions proposed in the Fall 2016 Agenda;
“Agencies reconsidered 391 active actions by reclassifying them as long-term (282) and inactive (109), allowing for further careful review;
“Economically significant regulations fell to 58, or about 50 percent less than Fall 2016;
“For the first time, agencies will post and make public their list of "inactive" rules, providing notice to the public of regulations still being reviewed or considered.”

DHS Active Rulemaking

As usual, I have gone through the list of active DHS rulemaking activities and come up with a list of those that may be of specific interest to readers of this blog. Table 1 lists those rulemaking activities.

Stage | Rulemaking
Proposed Rule | Chemical Facility Anti-Terrorism Standards (CFATS)
Proposed Rule | Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
Proposed Rule | Surface Transportation Vulnerability Assessments and Security Plans
Table 1: Items on Current Unified Agenda

This is down from the eight that were on the Fall 2016 Agenda. One action (1601-AA56) has been completed, with the final rule being published last December. Four items (1601-AA76, 1625-AB94, 1652-AA55, and 1652-AA69) have been moved to the long-term portion of the Agenda (see below).

The pages for each of the rulemakings have been substantially changed in this update. This version does not include a regulatory history (a listing of when the various stages of the rulemaking process were completed, including a link to the Federal Register for each publication noted). The update also does not provide an expected date for the publication of the next stage in the rulemaking process. In the past those dates have proven to be grossly inaccurate guesses, so not much is really lost by leaving that information out.

Long-Term Actions

The long-term action section of the Unified Agenda lists on-going rulemaking efforts that the Administration does not expect to reach the next publication stage for at least 12 months. The long-term action section for DHS is quite lengthy. It includes the rulemakings shown in Table 2 that may be of specific interest to readers of this blog.

Ammonium Nitrate Security Program
Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
Updates to Protected Critical Infrastructure Information
Amendments to Chemical Testing Requirements
2013 Liquid Chemical Categorization Updates
Maritime Security--Vessel Personnel Security Training
Protection of Sensitive Security Information
Security Training for Surface Transportation Employees
Vetting of Certain Surface Transportation Employees
Table 2: Long-Term Actions for DHS

This list is longer than the one found in the Fall 2016 Unified Agenda. I have already noted above the items that were moved here from the active agenda. Additionally, the Trump Administration added a new rulemaking (1625-AC36) that has been placed on the long-term action list. Finally, OIRA removed a rulemaking (1625-AB21) that had actually been completed (final rule published) well before the publication of the Fall 2016 Unified Agenda. The Obama OIRA apparently kept it on the list because the effective date was not until 2018.

Inactive Items

It is interesting to see the Trump Administration introduce the concept of the ‘Inactive Items’ list: rulemakings that have dropped off the Unified Agenda but are still in the working files of the agency involved, so that action could possibly be expected at some future date. This list is also odd in that it is a .PDF document rather than an HTML table.

There are four rulemakings on the DHS portion of the list that may be of specific interest to readers of this blog. For each I have noted below the last Unified Agenda in which the rulemaking appeared. It is very clear that administration officials took their mandate to identify such latent rulemakings very seriously.

• 1625-AA12 – USCG – Marine Transportation-Related Facility Response Plans for Hazardous Substances (Fall 2013);
• 1625-AA13 – USCG – Tank Vessel Response Plans for Hazardous Substances (Fall 2013);
• 1652-AA16 – TSA – Transportation of Explosives from Canada to the United States Via Commercial Motor Vehicle and Railroad Carrier (Fall 2011); and
• 1652-AA50 – TSA – Drivers Licensed by Canada or Mexico Transporting Hazardous Materials to and Within the United States (Fall 2015).


While Trump vociferously campaigned against new regulations, this Unified Agenda update makes it clear that we can still expect to see regulatory actions taken by this administration. In fact, with respect to the types of regulations that are of specific interest here, there is no indication of any reduction in the number of regulatory actions being undertaken.

It is not entirely clear at this point that the one new rulemaking added to the long-term portion of the Unified Agenda in this update (1625-AC36) is really a new regulatory action initiated by the Trump Administration. This has been an on-going issue since the 2010 amendments to the Standards of Training, Certification and Watchkeeping (STCW) Convention and Code, but this is the first time that it has been officially noted in the Unified Agenda.

NIST Cybersecurity Workforce RFI Comments – 07-22-17

This is the first in a series of blog posts looking at the comments that NIST has received on their request for information (RFI) on cyber workforce development. The comments are posted to the NIST National Initiative for Cybersecurity Education (NICE) web site. Comments posted this week came from:

One commenter specifically responded to the questions posed by NIST in their RFI. The others were long-form explications of viewpoints on specific issues. One was a copy of a published article addressing some non-traditional cybersecurity-training activities that have been tried. Another suggested that we need to start looking at specialization training for cybersecurity personnel rather than generalist training. And the last one addressed the need for rapid changes in cybersecurity training programs to reflect changes in the environment.

The comments from Eric Baechle provided specific responses to the NIST questions. Eric's views paint a very bleak picture of how cybersecurity specialists are utilized at one unnamed agency (presumably a government agency, but that is not entirely clear). Not unexpectedly, they describe an agency management that understands neither the complexities of the cybersecurity problems being addressed by the specialized workforce nor the work actually being done by their cybersecurity team. While this is not directly a workforce development issue (other than that apparently no effort is being made in this organization to continue developing the skills of the team employed), it does help to explain why there may be retention issues and employee burnout affecting cybersecurity operations.

HR 3198 Introduced – FAA R&D

Last week Rep. Knight (R,CA) introduced HR 3198, the FAA Leadership in Groundbreaking High-Tech Research and Development (FLIGHT R&D) Act. The bill sets forth the research and development agenda for the Federal Aviation Administration. It includes provisions for cybersecurity research, including:

§31. Cyber Testbed.
§32. Cabin communications, entertainment, and information technology systems cybersecurity vulnerabilities.
§33. Cybersecurity threat modeling.
§34. National Institute of Standards and Technology cybersecurity standards.
§35. Cybersecurity research coordination.
§36. Cybersecurity research and development program.

Most of these provisions address cybersecurity for FAA air traffic control systems and general FAA IT systems. Two sections (§32 and §36) deal more directly with aircraft cybersecurity.

Cabin Cybersecurity

Section 32 requires the FAA to “evaluate and determine the research and development needs associated with cybersecurity vulnerabilities of cabin communications, entertainment, and information technology systems on civil passenger aircraft” {§32(a)}. The evaluation will address:

• Technical risks and vulnerabilities;
• Potential impacts on the national airspace and public safety; and
• Identification of deficiencies in cabin-based cybersecurity.

Within 9 months of passage of this bill, the FAA would be required to report back to Congress on the results of the evaluation and “provide recommendations to improve research and development on cabin-based cybersecurity vulnerabilities” {§32(b)(2)}.

Future Cybersecurity Program

Section 36 directs the FAA to “establish a research and development program to improve the cybersecurity of civil aircraft and the national airspace system” {§36(a)}. There is no specific guidance as to what that program should include beyond mandating that a study of the topic be conducted by the National Academies. A report to Congress is required within 18 months.

Moving Forward

Knight and his two co-sponsors {Rep. Smith (R,TX) and Rep. Babin (R,TX)} are members of the House Science, Space, and Technology Committee, one of the two committees to which this bill was assigned for consideration. Babin is also a member of the House Transportation and Infrastructure Committee, the other committee. This means that both committees could actually consider this bill. With Chairman Smith as a cosponsor, it will almost certainly be considered in the Science, Space, and Technology Committee.

There are no monies authorized to be spent by this bill, and there are no provisions (mainly due to the lack of specificity in the requirements) that would draw the specific ire of anyone, so there should be no organized opposition to the bill. I suspect that it will be recommended for adoption by the Science, Space, and Technology Committee and that, if it makes it to the floor of the House for consideration (probably under the suspension of the rules procedures), it will pass with substantial bipartisan support.


It is strange that the cybersecurity of avionics control systems is never mentioned in this bill. The provisions of §32 and §36 are clearly intended to address the issue, but they never directly say so. I suspect that this is done so as not to raise the specific objection from aircraft vendors (and their avionics system suppliers) that no one has ever demonstrated a vulnerability in those control systems. The weasel wording allows those concerned to ignore the specific provisions and thus not oppose the entire bill. This is politics.

Friday, July 21, 2017

HR 3191 Introduced – Russia Cybersecurity

Last week Rep. Boyle (D,PA) introduced HR 3191, the No Cyber Cooperation with Russia Act. The bill would prohibit the expenditure of any federal funds on any joint US-Russian cybersecurity initiative. This is a response to the announcement by President Trump, after he returned from the G20 Summit, that he and Putin had discussed forming a joint cybersecurity unit to protect against election hacking.

Section 2 of the bill says simply:

“No Federal funds may be used to establish, support, or otherwise promote, directly or indirectly, the formation of[,] or any United States participation in[,] a joint cybersecurity initiative involving the Government of Russia or any entity operating under the direction of the Government of Russia.”

There are no qualifying definitions or explanations.

Moving Forward

Boyle is a rather junior member of the House Foreign Affairs Committee, to which this bill was assigned for consideration. Three of his 13 Democratic cosponsors are also members of that Committee. In normal circumstances this could provide for the possibility of the bill being considered in Committee. In this case, party membership probably trumps committee membership, so there is very little possibility of this bill being considered in Committee.


Even assuming that this is not a completely knee-jerk reaction to a “policy” announcement by Trump (of the sort we frequently saw from Republicans during the Obama Administration), and that there are legitimate reasons to object to the specific policy proposal, the blunt wording of this bill contains the seeds of many potential unintended consequences.

For example, if Interpol formed a task force to take down criminal gangs operating botnets, and that unit included police from Russia (where at least some of these botnet operations are headquartered), then this bill would prohibit US participation in the effort. I highly doubt that that is what the drafters intended.

I suspect, however, that this bill (and the two others, HR 3259 and S 1544, that have not yet been printed by the GPO) was written to provide Democrats the opportunity to proclaim that they have introduced legislation opposing Trump's inopportune proposal. Even if the bill were somehow to be considered and approved by the House and Senate, it would certainly be vetoed by the President, if the unit had been a serious policy proposal in the first place (and that is an open question, since the unit was proposed in a tweet).

HR 2997 Introduced – FY 2018 FAA Reauthorization

Last month Rep. Shuster (R,PA) introduced HR 2997, the 21st Century Aviation Innovation, Reform, and Reauthorization (21st Century AIRR) Act. This is the House version of the 2018 FAA authorization bill. The Senate version is S 1405. There is one cybersecurity provision in the bill and a number of drone provisions.


Section 601 of the bill addresses the FAA's strategic cybersecurity plan. It would require an update of the existing plan required under §2111 of PL 114-190 (130 Stat 626). It would specifically require that plan to be modified to account for the establishment of the American Air Navigation Services Corporation, the vehicle for the privatization of air traffic control. The obligatory report to Congress is included.

UAS Provisions

Section 432 of the bill codifies a number of current UAS provisions of US law by adding a new chapter (Chapter 455) to 49 USC. One of particular interest here is the Model Aircraft exception established in §336 of the FAA Modernization and Reform Act of 2012 (PL 112-95, 126 Stat 77). That would be addressed in a new §45509, Operation of small unmanned aircraft. While in many ways similar to the new §44808 proposed in the Senate bill, there are some significant differences. Those differences include:

• Omission of the limitation to line-of-sight operations;
• Addition of a 55-lb aircraft weight limit {§45509(a)(3)}; and
• Addition of a restriction on flying over amusement parks {§45509(a)(5)}.

Both bills include an obligatory reference to operation ‘within the programming of a community-based organization’. This bill actually provides a definition of ‘community-based organization’ and a requirement for the FAA to establish guidelines for “recognizing community-based organizations” {§45509(e)}.

Moving Forward

On June 27th the House Transportation and Infrastructure Committee held a mark-up hearing for HR 2997. A number of amendments were adopted (none of particular interest here), and the bill was ordered reported favorably by a nearly party-line vote (one Republican voted Nay). That report has not yet been published.

This bill will move forward to be considered by the full House at some point. Based upon the vote in Committee, this bill is not likely to be considered under the suspension of the rules process, since that requires a 2/3 vote to pass the bill. This means that there will be some sort of amendment process adopted by the House Rules Committee.

Once the House and Senate pass their respective versions of the bill, a conference committee will work out the differences and a combined version will be voted upon in both houses. If recent history is any kind of guide, the final bill will be approved in late November or early December.


Both the House and Senate bills move to more narrowly cast the ‘model aircraft’ exemption to small UAS regulation. It is becoming increasingly clear that there never was any intention to exempt the general public from FAA UAS rules, only the relatively small group of individuals who belong to model aircraft clubs and societies. This would appear to open up a whole nest of problems for the FAA in moving forward with UAS regulations, as the universe of entities potentially covered by FAA regulations expands dramatically.

One way to avoid this general-public regulation issue would be for manufacturers of small UAS destined for the consumer market to establish company-sponsored UAS clubs, with membership instructions included with every consumer UAS sold in the United States. Formal club rules with on-line meetings, training sessions and organized fly-ins would probably allow for recognition by the FAA, especially since the Agency has no desire to get into consumer regulation enforcement.

I do have to admit that I was more than a little surprised and disappointed to see this bill add the amusement park restriction to the model aircraft section while continuing to ignore the potentially much more dangerous issue of UAS operation over critical infrastructure facilities such as chemical plants or electric grid facilities. Critical infrastructure owners need to begin complaining vociferously about this issue.

Bills Introduced – 07-20-17

With both the House and Senate in session, there were 72 bills introduced yesterday. Of those, three may be of specific interest to readers of this blog:

S 1603 An original bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2018, and for other purposes. Sen. Hoeven, John [R-ND]

S 1609 An original bill making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2018, and for other purposes. Sen. Alexander, Lamar [R-TN]

S Con Res 22 A concurrent resolution expressing the sense of Congress on the use of the Intergovernmental Personnel Act Mobility Program and the Department of Defense Information Technology Exchange Program to obtain personnel with cyber skills and abilities for the Department of Defense. Sen. Rounds, Mike [R-SD]

The two spending bills will be watched for cybersecurity measures.

This is another ‘sense of Congress’ resolution on cybersecurity; I am not sure what is going on here, but this will also be watched for definitions and wording.

Thursday, July 20, 2017

House Passes HR 2825 – DHS Authorization

Today the House passed HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017, by a substantially bipartisan vote of 386 to 41. The bill was considered under the suspension of the rules process, which limited debate and did not allow any amendments to be offered. The bill easily met the 2/3 vote standard for passage under those rules.

A DHS authorization bill has yet to be introduced in the Senate during this Congress. It would be very unusual for the Senate to take up this bill without first considering a version of its own.

The bill does include provisions addressing:

• Cybersecurity,
• Maritime security, and
• Surface transportation security

There has not been a DHS authorization bill sent to the President since the Department was originally created in 2002.