Thursday, December 31, 2015

OFAC Publishes Final Rule on Cybersecurity Sanctions

The Treasury Department’s Office of Foreign Assets Control (OFAC) published a notice in today’s Federal Register (80 FR 81752-81759) implementing the President’s Executive Order on Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (EO 13694). According to the notice OFAC is publishing the regulations (new 31 CFR 578) ‘in abbreviated form’ for the purpose of providing immediate guidance to the public.

Since OFAC proceeded directly to a final rule in this matter this notice is missing much of the analysis that one normally finds in final rules. The Treasury maintains that since this rule involves a ‘foreign affairs function’ neither the notice and comment process nor does the Regulatory Flexibility Act. The Department reportedly has rolled the information collection request (ICR) requirements for this rule into an existing collection under 31 CFR 501 (RIN 1505-0164) though there is not currently a record on the OMB’s Office of Information and Regulatory Affairs web site of an update to that IRC for this rule.

The new §578 contains 7 Subparts that pretty much reflect the Subparts in other sanctions regulations. In fact, many of the definitions and other materials are direct copies from the other sanction regulations, and this is probably to be expected and perhaps necessary to maintain an effective sanctions program.

In fact, as you read through this rule, there is nothing in it that refers to anything cyber related beyond the basic reference to EO 13694. The designation of the affected ‘certain persons’ is done completely under EO 13694 and is thus beyond the scope of this rulemaking.

OFAC is not soliciting public comments on this final rule. The effective date for this rule is today; December 31st, 2015.

Wednesday, December 30, 2015

ISCD Updates Three CVI FAQ Responses

This afternoon the folks at the DHS Infrastructure Security Compliance Division (ISCD) updated the responses to three frequently asked questions (FAQ) on the CFATS Knowledge Center. There is no notice for these changes in the ‘Latest News’ section of the page, probably because there is no really new information involved in the updates. Links to two Chemical-terrorism Vulnerability Information (CVI) web sites have been updated though the old links still work (right now anyway).

There is also a dead link to the EPA RMP*Comp tool site on the CFATS Knowledge Center. And it appears that there may have been changes to that tool.

Revised FAQs

The three revised FAQs are:

FAQ #321 Where can I locate a copy of the CVI manual?

New Answer - The CVI manual ( regarding protection of information is available on the DHS website.

Previous Answer - The CVI manual ( (PDF, 59 pages -228 KB) regarding protection of information is available on the Chemical-terrorism Vulnerability Information website.

FAQ #516 Where can I take CVI training? 

New Answer - Go to the Chemical-terrorism Vulnerability Information (CVI) Authorized User Training website at [Actually goes to:]

Previous Answer - Go to the DHS Critical Infrastructure: Chemical Security website ( and click on the link "Complete Chemical-terrorism Vulnerability Information (CVI) Training."

FAQ #1551 Can individuals who are not US Citizens be CVI Authorized Users?

New Answer - Yes, non-U.S. citizens can be CVI Authorized Users as long as they can complete CVI Authorized User Training. To access CVI Authorized User Training, go to [Actually goes to:]

Previous Answer – Yes.

RMP*Comp Problems

The link to the EPA’s RMP*Comp has been changed by the EPA yet again and the link provided on the Knowledge Center does not lead to that changed site. This is the second time (see post here) that there has been a change to the EPA’s web site that was not ‘coordinated’ with the folks at ISCD. The EPA does not date their web page changes so there is no telling when it was changed. The last time that I accessed the site via the link on the CFATS Knowledge Center was for a post back in August.

Actually, I think that the EPA may have changed the RMP*Comp calculations themselves. In my August post I compared the RMP*Comp results to the new Pamphlet 74 from the Chlorine Institute. I don’t remember having to enter the information on the dike protecting the leaking tank. In any case a 150 lb spill of chlorine now produces a toxic end-point of 0.4 miles or 2112 feet. The same spill checked in August showed that the toxic end-point was 4224 feet or twice as far. This may only affect chlorine (see my August post).

Facilities with Release – Toxic COI may want re-run their toxic end-point calculations and compare them to their latest Top Screen submission. If there is a significant difference, I would contact the CFATS Help Desk to see if it is worthwhile submitting a new Top Screen.

PHMSA Withdraws Wetlines Rulemaking

Today the DOT’s Pipeline and Hazardous Material Safety Administration published a notice in the Federal Register (80 FR 81501-81503) withdrawing its rulemaking action with regards to tank truck wetlines. The notice of proposed rulemaking initiating this rulemaking was published in the Federal Register (76 FR 4847-4854). The rulemaking is being withdrawn at the direction of Congress {§7206 of the FAST Act (PL 114-94 which has not yet been printed)}.

The proposed rule would have prohibited the transportation of flammable liquids “in unprotected product piping (generally referred to as the ‘wetlines’) on the cargo tank of existing and newly manufactured DOT specification cargo tank motor vehicles”. The transportation of any material
that is a Division 6.1 (poisonous liquid) material, oxidizer liquid, liquid organic peroxide or corrosive liquid in wetlines is already prohibited by 49 CFR 173.33(e).

The notice does include most of the standard analysis that PHMSA would have done in support of a final rule on this rulemaking. It includes a review of the comments received on the NPRM as well as a revised cost-benefit analysis of the proposed rulemaking. Independently of the Congressional mandate PHMSA concluded that the proposed rule “prohibiting the transportation of flammable liquids in wetlines is unlikely to be cost beneficial”.

PHMSA does note that it “will continue to examine this issue, particularly by monitoring flammable liquid wetlines incidents, in consideration of any future actions”.

Because this was a Congressionally mandated action and PHMSA has no discretion in the matter, public comments were not solicited.

Tuesday, December 29, 2015

Seven Steps to Effectively Defend Industrial Control Systems

This afternoon the DHS ICS-CERT (in conjunction with the FBI and NSA) published a seven-page paper on protecting industrial control systems (ICS). Entitled “Seven Steps to Effectively Defend Industrial Control Systems”, the paper outlines seven steps, that if properly implemented, would have prevented 98% of the incidents reported to ICS-CERT in 2014 and 2015.

Seven Strategies

As most readers would expect, there is nothing really new or earth shattering in the seven steps. They have been preached pretty consistently by most ICS security experts over the last couple of years. They represent a fairly comprehensive defense-in-depth process for protecting control systems from attack. The seven strategies are:

• Implement application whitelisting;
• Ensure proper configuration/patch management;
• Reduce attack surface area;
• Build a defendable environment;
• Manage authentication;
• Implement secure remote access; and
• Monitor and respond

The paper provides a general description of each of the strategies and how they help to secure industrial control systems. Most valuable, it includes a ‘real world’ example of how failure to execute each strategy resulted in an incident to which ICS-CERT responded. Some ‘new’ examples that we have not heard publicly addressed. Unfortunately, not enough detail about these incidents to spark any real interest or really explicate the strategy.

Most Important Strategy is Missing

While the technical aspects of these seven strategies is well (if briefly) described, and they are all undoubtedly important, the most important part of any cybersecurity strategy is inexplicably ignored. There is no mention of training operators, engineers, or support staff in the fundamentals of cybersecurity. Without comprehensive training on the basics (and of course on the implementation of the strategies) there is no cybersecurity system that will survive contact with the real world for long.

Recommended Reading

Still, even with missing the critical eighth strategy, this is still a valuable paper that should be read by everyone in the control system security community. More importantly it should be read by every CEO and board member responsible for organizations that contain any level of industrial control system (including building control systems and security access systems). Additionally it should be required reading for every congressional staffer that could be required to help craft or advise about control system security legislation.

Monday, December 28, 2015

How The Multiple Options in PSP Can Work Together

This is part of a continuing series of blog posts about the recently released Federal Register notice about the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety program (PSP). The notice outlines how the Infrastructure Security Compliance Division (ISCD) is planning to implement the vetting of covered chemical facility personnel and visitors against the FBI’s Terrorist Screening Database (TSDB) to determine if any covered personnel are suspected of having ties to terrorist organizations. Other posts in this series include:

The Four Options

ISCD’s new PSP program provides facilities with four specific options on how the facility will implement the requirements of 6 CFR 27.230(a)(12)(iv). Those four option (described in detail in the notice) can be briefly summarized this way:

Option 1 – Facility submits data and ISCD has TSA conduct screening;
Option 2 – Facility submits data on personnel with previous screening and ISCD has TSA confirm that screening is current;
Option 3 – Facility uses TWIC Reader to verify identity and screening status of Transportation Workers Identification Credential (TWIC) holder; and
Option 4 – Facility visually inspects TSDB based identity document to verify that person had been screened against TSDB.

The facility can use any of the four options or combinations of them to satisfy the terrorist ties vetting requirements of the CFATS program. In practice it looks like most facilities will be using some combination of the four options in their site security plan (SSP). As I mentioned in the previous post, adding the facility’s terrorist screening program to the SSP will be the first step in achieving compliance with the new portion of the PSP.

Option 4 – Visual Verification

I am going to start this more detailed review with what ISCD describes as the option providing the lowest amount of security, Option 4. This option provides for using visual screening of existing TSDB based identification credentials. This would include the TWIC, the Hazardous Material Endorsement to a CDL and various traveler based vetting programs. The notice provides a more detailed discussion of the problems associated with this option, but does note that it has a legitimate (and Congressionally mandated) place in the vetting program.

Actually, this option is pretty well suited to the vetting of commercial truck drivers making deliveries to the facility or picking up shipments from the facility. There is a fairly high likelihood that over-the-road drivers will already possess a TWIC or HME. MTSA covered facilities already have established the requirement that drivers coming to their facilities must possess a TWIC or the load will be refused or not allowed to be picked-up. CFATS facilities implementing Option 4 will have to notify their vendors and transportation companies of the need for TWIC or HME for all drivers entering the facility.

Facilities can increase the security of this option by requiring that vendors and trucking companies provide advance notice of the name and ID number of drivers coming to the facility.

There is a downside to this option for the trucking industry. There is already something of a shortage of long-haul truck drivers. Further limiting those be requiring a HME or TWIC (which both have criminal background check requirements) is going to further aggravate the driver shortage.

When using this option ISCD is almost certainly going to require the facility to spell out in its site security plan how facility personnel are going to be trained to visually verify the validity of the document (recognize and detect counterfeit documents) and verify the identity of the document holder. Requiring advance notice (perhaps with copy of ID) will help with that training requirement.

Option 3 – TWIC Reader

The TWIC was designed to be verified (both the document and personal identity) with a TWIC Reader. Unfortunately the Coast Guard and TSA have had problems with the TWIC reader implementation process and there is still not an approved rule for the implementation of TWIC Readers in the MTSA program. The TSA reports that it has published a list of approved TWIC Readers, but I have not been able to find such a list in an internet search, typical for all things related to TSA.

There are a couple of problems currently associated with the use of a TWIC Reader. First, and foremost, they are relatively expensive. Second they must at least periodically be connected to the Internet (or a phone line?) to update the list of expired/revoked TWICs. Finally, individuals must apply for (and pay the application fee for) the TWIC which requires a trip to one of the limited number of TWIC issuing facilities.

The TWIC Reader does not need to be used at facility entrances to be effectively used as part of the PSP. The facility could require TWIC holders to periodically (that period to be established in the SSP) present themselves to a designated office (possibly an off-site 3rd party office) where the TWIC and identity could be verified.

This option would be valuable for facilities that have a high percentage of personnel that already have a TWIC. This would also be valuable for corporations that also have MTSA covered facilities and have personnel that move between facilities. Contractors doing periodic maintenance or facility turnarounds that also serve MTSA covered facilities will have very high TWIC densities and would probably want to use this option.

The notice provides a limited amount of guidance on what ISCD would expect to see in the facility SSP for implementing the TWIC Reader option. It also outlines the security downside to the use of the TWIC, is a TWIC holder is subsequently identified as having possible terrorist ties there is nothing that will trigger an investigation of that person at the covered facility or allow for notification of the facility until the next time the periodic check is made.

Option 2 – Data Submission on Previously Vetted Personnel

This has long been the most controversial of the vetting options proposed by ISCD. Industry has always assumed that previously vetted (via TSDB) individuals would not require data submission to DHS. ISCD has always maintained that such data submission is required to ensure that periodic vetting is accomplished and that the facility can be notified if a previously vetted individual is subsequently added to the TSDB.

ISCD also likes this option because it reduces their costs of submitting data to TSA for vetting against the TSDB. They do not have to ‘pay’ for a full initial TSDB scan, they just have to verify that the previous vetting was done. Ironically, this also means that the facility will have to provide more data for this option because they need to provide data on the previous screening program (program name, ID number, and expiration date).

Facilities using this option are going to have to include a description of the training program that they use to train the personnel that are visually verifying the legitimacy of the presented document and the identity of the person submitting the document. Not specifically mentioned in the notice, but almost certainly to be required in the SSP, is a discussion of what will be done when the existing document expires.

Facilities that have a relatively high population of personnel that have been vetted by another agency against the TSDB are going to have to weigh the higher security benefits of Option 2 against the simpler process for Option 4. ISCD would much prefer to see Option 2 used, but was required by Congress to provide option 4. I suspect that this might mean that Option 2 might not receive as close a level of scrutiny in the SSP review as would Option 4.

Option 1 – Data Submission and Screening

There is no doubt that this is the method that ISCD would prefer to see all facilities implement as it provides the best ability for the Department to conduct vetting of covered personnel and tie the resulting information back to individual facilities. I suspect that this will be translated into a very wide latitude in how the Department views SSP submissions implementing this option.

ISCD will allow data submissions from either the corporate level or the facility level (or both) and will have some system set up for mass data submissions, probably via spread sheets. Third party data submissions will also be allowed so that companies can use personnel management agencies or background check agencies to do the actual data submissions. The use of the agency that the facility is already using to do the other background and identity verification checks currently required in the PSP will obviate the need for detailed information in the SSP about the training of the personnel collecting and verifying the data being submitted to ISCD.

A Blended Program

All but the smallest facilities are probably going to find that they are going to use all four options in their SSP. Explaining how each option would be used in the implementation of the new terrorist ties vetting program will provide the facility with the widest latitude in how they start and maintain the program over the coming years. Even if the facility does not intend to initially adopt one or more of the options, putting them all in the SSP will make it easier to start using an option as situations change (no subsequent change to the SSP will be required).

Facilities are going to have to take a close look at the employees, contractors and visitors before they decide how they are going to implement the terrorist ties vetting in their personnel surety program. They are going to have to balance the security needs of the facility to prevent access by people with suspected terrorist ties with the complexity of the program that will be used to identify those people.

ISCD has committed to working closely with each Tier 1 and Tier 2 facility while they design and implement this final phase of the PSP. That means that there will be a risk-based staggering of the initial SSP update requirement. The time to start working on this, however, is now, not when ISCD provides the facility with notification of the date by which the revised SSP will have to be provided to Department.

Saturday, December 26, 2015

S 2410 Introduced – Cyber Board Membership

Earlier this month Sen. Reed (D,RI) introduced S 2410, the Cybersecurity Disclosure Act of 2015. According to a press release from Reed’s office the “bill seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies”.

Cybersecurity Reporting Requirements

The bill would require the Securities and Exchange Commission to issue regulations requiring companies required to issue either an annual report {under 15 USC §78m or §78o(d)} or a proxy statement {under 15 USC §73n(a)} include in such reports a disclosure that{§2(b)}:

• A member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; or
• If no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee.

The SEC is given one year to establish such regulations. In the meantime, it is required to work with the National Institute of Standards and Technology (NIST) to define “what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats” {§2(c)}

Moving Forward

Reed is a high ranking member of the Senate Banking, Housing and Urban Affairs Committee, the Committee to which this bill was referred for consideration. Reed probably has the political pull within that Committee to have the bill considered. Whether or not he and his co-sponsor {Sen. Collins (R,ME)} have the pull to get this bill considered in the full Senate remains to be seen.

If this bill does make it to the floor of the Senate, there should be no organized opposition to its passage. I suspect that the bill will be (if considered at all) taken up under the Senate’s unanimous consent procedures.


It is interesting that in the definitions section of this bill the term ‘information system’ includes specific mention of “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {§2a(9)(b)}. Unfortunately, the inclusion of control systems does not seem to extend to the definition of ‘cyber threat’ as that continues to rely on the old IT standard of “an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system” {§2(a)(2)(A)}.

I’m pretty sure that this does not reflect a refusal to extend the definition of ‘cyber threat’ to control systems. It is much more likely that this is just a symptom of the continuing congressional misunderstanding of the differences between information systems and industrial control systems.

While the bill does not actually require cybersecurity representation on the boards of the covered companies, it will essentially have that effect on most of the reporting organizations. This means that there will be a surge of corporations of varying sizes looking for cybersecurity personnel to serve on boards or as specific advisors to boards. This isn’t going to cause a great expansion in the number of cybersecurity personnel, but it will increase the public visibility of many of those experts.

At this point we can only hope that the ranks of these new board members will include a substantial number of control system security experts. Particularly at those companies with a strong process background (energy and chemical sectors come quickly to mind) we should expect to see control system experts outnumbering information system security experts. It would be nice to see a significant number of control system experts making their way onto boards from device manufacturers (aircraft, automobile and medical manufacturers come to mind).

All of this will be influenced by the SEC and NIST as they define the cybersecurity expertise to be used in the new regulations. While it might be nice to see vanilla definitions that do not distinguish between information system and control system security backgrounds, I think that it might be more appropriate to specifically define each separately. Then the SEC could write their regulations to report on the specific types of cybersecurity expertise on the boards of covered organizations. This would give investors the best picture of the level and specificity of the cybersecurity expertise helping to guide the organization through the currently expanding cyber-threat landscape.

Tuesday, December 22, 2015

ICS-CERT Updates Two Advisories and Publishes New Siemens Advisory

This afternoon the DHS ICS-CERT published two updates to previously issued control system security advisories for products from Siemens and Infinite Automation. They also published a new advisory for a Siemens product.

Please note that neither update was identified on the ICS-CERT landing page. You would only have been notified of them by seeing them on TWITTER (Siemens here and Infinite Automation here). If you had signed up for ICS-CERT update emails you will likely receive them tomorrow. All of the ones that I have received to-date have come in the next day.

Siemens Update  

This update establishes the version numbers of the affected ROX II based products affected by the TLS POODLE vulnerability and announces that the firmware update for the ROX II devices is now available. All Siemens products affected by the vulnerability now have updates available.

The Siemens CERT announced their update last Friday morning on TWITTER.

Infinite Automation Update

This update announces the availability of a new version that mitigates all of the identified vulnerabilities, including the cross-site scripting vulnerability that the previous update did not address. The advisory reports that the researchers who identified the vulnerabilities have verified the efficacy of the fix.

Version notes for the latest version (2.7.0) are not yet available on the Infinite Automation web site.

Siemens Advisory

This advisory describes four new vulnerabilities related to the NTP daemon in the Siemens RUGGEDCOM ROX-based devices. The vulnerabilities were apparently self-identified. Siemens has produced firmware updates to mitigate the vulnerabilities.

The vulnerabilities are:

• Authentication bypass issues - CVE-2015-7871; and
• Three input validation vulnerabilities - CVE-2015-7855, CVE-2015-7704, and CVE-2015-5300.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to affect the ability of the devices to properly update time.

These new NTP vulnerabilities do not appear to be directly related to the general NTP vulnerability issues that ICS-CERT addressed last year. What is not clear from this advisory is whether the vulnerabilities are found in just the RUGGEDCOM implementation of NTP or if this is also a problem that may affect devices from multiple manufacturers. I suspect that the vendors identified in the previous NTP advisory should probably check their implementations to see if their devices might also be affected.

The Siemens CERT announced their advisory last Friday morning on TWITTER.

EPA Sends Accidental Release NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received from the EPA a notice of proposed rulemaking (NPRM) to modernize the accidental release prevention regulations under Clean Air Act. The listing for this rulemaking (RIN: 2050-AG82) in the Fall 2015 Unified Agenda makes it clear that this is being initiated in response to the President’s Executive Order on Improving Chemical Facility Safety and Security (EO 13650).

While the EO is specifically mentioned in the Unified Agenda listing, the EPA’s 2014 request for information (RFI) on their Risk Management Program (almost certainly to be addressed in this NPRM) supporting that EO is not mentioned. We could still see that RFI mentioned in the Preamble to the NPRM (and I really suspect that we will), but I suspect that it was not mentioned in the Unified Agenda is that the RFI was much more wide-ranging in its program coverage than the coverage of this rulemaking.

In identifying the legal basis {42 USC 7412(r)(7)} for this rulemaking, the EPA has made it clear that they are only going to address the RMP regulations pertaining to “release prevention, detection, and correction requirements”. Since the list of covered chemicals triggering the RMP status for facilities is provided under §7412(r)(3), it does not appear that this rulemaking will include any changes to that list.

It also appears that two other potential RMP modifications strongly suggested by public comments to the RFI will not appear in this rulemaking. Those are the inclusion of inherently safer technology (IST) standards based upon the General Duty Clause of §7412(r)(1) or expanding the off-site consequence information sharing requirements of §7412(r)(7)(H).

It will be interesting to see how long this NPRM takes to wend its way through the OIRA process. I expect that it will be months (at least) before this NPRM is published. If RMP program revisions are too controversial it is unlikely that this NPRM will make it through to a final rule before the end of the Obama Administration in January of 2017. This may argue for a more moderate update of the regulations that could possibly get through the regulatory process next year. Otherwise, the ultimate fate of this rulemaking would rest with the on-coming President.

Monday, December 21, 2015

HR 4188 Amended and Passed in Senate – CG Authorization

On Friday, in the closing hours of the first session of the 114th Congress, the Senate amended and passed HR 4188, the Coast Guard Authorization Act of 2015. There was no debate offered on the substitution of the Thune Amendment (CREC-2015-12-18, pg 8890) for the text of the House passed version of the bill. The bill passed by voice vote (in a nearly empty Senate chamber).

Like the House version of the bill, there are no provisions in the bill that address the Maritime Transportation Security Act (MTSA), chemical safety, or chemical transportation issues.

When the House returns next year, they will have to decide whether they should accept the Senate amendment or request a conference. There appears to be a decent chance that they will just accept the Senate version.

Saturday, December 19, 2015

New TSA SSI Web Page

Back in August I did a blog post about the disappearance of the old TSA web site covering the Sensitive Security Information program. Every week since then I have been checking the old site URL hoping that the TSA had finally gotten a handicapped friendly version of the site back up. Today I decided, after striking out once again, to go look for the site and I found it.

Unfortunately, the new site is very vanilla with little real information. It does have links to two (here and here) relatively generic .PDF handouts about the program. It does not even have a working link to the section of the Code of Federal Regulations (49 CFR 1520) that sets out the standards for the program.

It would be more helpful if it had a user manual outlining the program requirements like the Chemical-terrorism Vulnerability Information (CVI) program or a detailed web site with details about the program like the Protected Critical Infrastructure Information (PCII) program does. I suppose that TSA is relying on the details in the CFR being enough, but if that is the case, they ought to at least provide links to each of the portions of the program in §1520; like this:

Section 1520.1 - Scope.
Section 1520.3 - Terms used in this part.
Section 1520.5 - Sensitive security information.
Section 1520.7 - Covered persons.
Section 1520.9 - Restrictions on the disclosure of SSI.
Section 1520.11 - Persons with a need to know.
Section 1520.13 - Marking SSI.
Section 1520.15 - SSI disclosed by TSA or the Coast Guard.
Section 1520.17 - Consequences of unauthorized disclosure of SSI.
Section 1520.19 - Destruction of SSI.

I do not know how long this ‘new’ site has been operational; the TSA does not date their web pages.

Bills Introduced – 12-18-15

Yesterday the House and Senate introduced 48 bills. Only one of those bills may be of specific interest to readers of this blog:

H Con Res 104 Providing for the sine die adjournment of the first session of the One Hundred Fourteenth Congress. Rep. Price, Tom [R-GA-6]

This bill provides for the adjournment sine die of both houses of congress. The resolution was passed in both houses and they both adjourned under provisions of the resolution. So the First Session of the 114th Congress has come to a close. The Second Session will start on January 4th with pro forma sessions in both houses.

Friday, December 18, 2015

DHS Publishes CFATS PSP Notice

Today the DHS National Protection and Programs Directorate (NPPD) published a notice in the Federal Register (80 FR 79058-79066) concerning the “Implementation of the CFATS Personnel Surety Program”. This explains how Tier I and Tier II facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program will implement the portion of the personnel surety program pertaining to vetting facility personnel and visitors with unaccompanied access to CFATS facilities against the Terrorism Screening Database (TSDB).

Requirement for Vetting

The requirement for vetting facility personnel and unescorted visitors wishing to gain access to restricted or critical areas of a CFATS covered facility can be found in 6 CFR 27.230(a)(12). Facilities with approved site security plan (SSP) have already been completing the requirements under subparagraphs (i) thru (iii). This notice pertains to the requirements under subparagraph (iv); measures designed to identify people with terrorist ties.

Additional congressional guidance on the implementation of the CFATS Personnel Surety Program was provided last year with the passage of the Protecting and Securing Chemical
Facilities from Terrorist Attacks Act of 2014 (PL 113-254). The provisions regarding the PSP were codified at 6 USC 622(d)(2).

In August of this year the OMB’s Office of Information and Regulatory Affairs (OIRA) approved the CFATS Personnel Surety ICR (1670-0029) that ISCD had used to outline how it intended to implement the PSP. The version of the ICR approved by OMB included the addition of a fourth option for implementation of the vetting program that was required by the new congressional direction.

Who Must Be Vetted

Today’s notice reiterates the position of ISCD as to what the regulation means when it says “facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets”. In effect the term ‘facility personnel’ mean all facility employees and those contractor personnel designated in the SSP as facility personnel for the purpose of the PSP. Visitors are only required to be vetted if they have ‘unaccompanied access’ and the facility is given certain latitude in defining in the SSP what constitutes ‘accompanied access’.

The notice also goes into some detail about specific categories of personnel that do not require vetting under any portion of the PSP (including the terrorist ties requirement outlined in today’s notice). They include:

• Federal officials who gain unescorted access to restricted areas or critical assets as part of their official duties;
• State and local law enforcement officials who gain unescorted access to restricted areas or critical assets as part of their official duties; and
• Emergency responders at the state or local level who gain unescorted access to restricted areas or critical assets during emergency situations.

TSDB Vetting Options

The notice describes four specific options that facilities have to conduct the TSDB vetting of personnel. Facilities may use any combination of the four options that they desire; they just have to be outlined in the Site Security Plan approved by ISCD (more on that later). Those options are:

Option 1 - The high-risk chemical facilities (or designee(s)) submits certain information about affected individuals to the Department through a Personnel Surety Program application in the CSAT Tool.

Option 2 – The high-risk chemical facilities (or designee(s)) submits certain information about affected individuals to the Department through the CSAT Personnel Surety Program CSAT application on personnel that have already been vetted by another Federal TSDB vetting program (TWIC, HME, SENTRI and FAST for example).

Option 3 – The high-risk chemical facilities (or designee(s)) does not submit information to ISCD, but will rather electronically verify and validate the affected individuals' TWICs through the use of TWIC readers (or other technology that is periodically updated with revoked card information).

Option 4 - The high-risk chemical facilities (or designee(s)) does not submit information to ISCD, but will rather visually inspect a credential from a Federal screening program that periodically vets individuals against the TSDB.

Facilities are reminded that they have an additional option of proposing some alternative vetting process in their SSP that may be approved by ISCD if it is found to provide an equivalent process.

The notice also provides a discussion of the relative level of security provided by each of the options described above.

When Will Vetting Have to be Completed?

The notice explains that before the vetting process can begin, the facility will have to revise their approved SSP to include a description of their terrorist screening process (more on this later). ISCD will notify each Tier I and Tier II facility when they must complete that SSP revision (ISCD is going to stagger this so that they can provide assistance from Chemical Security Inspectors throughout this process). Once that revision is approved, facilities will generally have 60-days to complete the vetting process (submitting data for Options 1 and 2) on existing employees. New employees and all visitors requiring unaccompanied access will require vetting (again, submitting data for Options 1 and 2) before they are given access to restricted or critical areas within the facility.

Privacy Notice

The notice outlines the Privacy Act provisions (and other applicable privacy regulation provisions) that the Department has complied with in developing this program. From the perspective of the Facility Security Manager, probably the most important will be the May 1st, 2014, update to the CFATS Personnel Surety Program Privacy Impact Assessment. That is because it provides a suggested copy (at Attachment 1) of the Privacy Act notification that should be provided to each person about which the facility is submitting information under Option 1 or Option 2.

The notice mentions a new update (that presumably includes mention of Option 4) that was supposed to have been printed today, but it has not yet been posted to the NPPD PIA web site.

Site Security Plan Revisions

CFATS Facilities that already have had their site security plan authorized or approved will have to revise their plan to include the terrorist screening process. The notice provides some detailed information about the types of information that they are going to expect to see in that revision.

When ISCD individually notifies each Tier 1 and Tier 2 that it is required to update their SSP, it will also include a date by which that update must be submitted for authorization/approval.

Moving Forward

I have heard that ISCD intends to work very closely with at least the first few facilities as they go through the process of changing their SSP and then submitting data (for those that intend to utilize Options 1 and/or Option 2) for the PSP. Given that the Christmas holidays are upon us, I would not be surprised to hear that ISCD will not send out the first notifications until after the first of the year. I also suspect that they may actually informally contact the early facilities to arrange times when their CSI are available before they send out the notification letters.

ISCD still has a CSAT manual to publish for the PSP data submissions and perhaps a revision to the Account Management User Guide if they are going to come up with a new data submission user role for 3rd party PSP data submissions.

We are going to see an interesting couple of months in the CFATS program as the PSP implementation moves forward.

Bills Introduced – 12-17-15

There were 26 bills introduced in the House and Senate yesterday. Of those there was one that may be of specific interest to readers of this blog:

S 2410 A bill to promote transparency in the oversight of cybersecurity risks at publicly traded companies. Sen. Reed, Jack [D-RI]

According to various news reports it is likely that this bill will require some sort of ‘cybersecurity’ representation on corporate boards. It will be interesting to see if there is anything that specifically addresses ICS coverage.

Thursday, December 17, 2015

ICS-CERT Publishes Three Advisories

This afternoon the DHS ICS-CERT published three advisories for control system vulnerabilities. The advisories affected products from eWON, Motorola, and Schneider.

eWON Advisory

This advisory describes multiple vulnerabilities in the eWON sa industrial router. The vulnerabilities were reported by Karn Ganeshen. eWON has developed a firmware update to mitigate the vulnerabilities, but there is no indication that Ganeshen has been provided the opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Weak session management - CVE-2015-7924;
• Cross-site request forgery - CVE-2015-7925;
• Weak RBAC controls - CVE-2015-7926;
• Stored cross-site scripting - CVE-2015-7927;
• Passwords not secured - CVE-2015-7928; and
• Post/get issues - CVE-2015-7929

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability.

A more detailed explanation of the individual vulnerabilities can be found on the eWON Security Enhancements page.

NOTE: This advisory has a much more detailed ‘Impact’ description than you find on most ICS-CERT advisories. Since these explanations would usually be the same for that given vulnerability across most platforms these explanations could be canned and served up with the appropriate vulnerability.

Motorola Advisory

This advisory describes twin vulnerabilities in the Motorola MOSCAD IP Gateway. The vulnerabilities were reported by Aditya K. Sood. Since support for this product was discontinued in 2012 there will be no patches or updates for this product.

The vulnerabilities are:

• Remote file inclusion - CVE-2015-7935; and
• Cross-site request forgery - CVE-2015-7936

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to perform actions with the permissions of a valid user.

Schneider Advisory

This advisory describes a buffer overflow vulnerability in the Schneider Modicon M340 PLC. The vulnerability was discovered by Nir Giller. Schneider has produced a firmware pathe to mitigate the vulnerability but there is no report that Giller has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability crash the device and perhaps run arbitrary code.

The Schneider Security Notification provides a very detailed explanation of how this vulnerability works.

ISCD Publishes CFATS PSP Information

This afternoon the DHS Infrastructure Security Compliance Division (ISCD) published a link on the CFATS landing page to a new web site for their Personnel Surety Program (PSP). This is happening the day before the intended publication of their PSP notice in the Federal Register (a draft copy available here).

The new web page explains that three of the four personnel surety requirements in RBPS #12 have been in effect since the RBPS Guidance document was published six years ago. All facilities with authorized site security plans have addressed those three requirements in their SSP. The remaining requirement, vetting plant personnel and unescorted visitors for potential terrorist ties, has been held up while ISCD put together a program for screening these personnel against the Terrorist Screening Database (TSDB).

Readers of this blog will remember that back in August the OMB’s Office of Information and Regulatory Affairs (OIRA) finally approved the ISCD information collection request which authorized it to collect information from chemical facilities in support of the PSP. A little over a month later ISCD published a fact sheet outlining how the PSP program would operate for Tier I and Tier II facilities (Tiers III and IV will be added to the program at a later date).

Today’s publication of the PSP web site provides a brief overview of the four approved methods that facilities can use (alone or in combination) to complete the terrorist screening PSP requirement. Additional details will be laid out in the notice published in tomorrow’s Federal Register and the PSP User Manual that will be published in the near (hopefully) future.

I’ll have a more detailed post about the PSP notice tomorrow.

Cybersecurity Act of 2015

House and Senate negotiators, principally from the two intelligence and both homeland security committees, attached the Cybersecurity Act of 2105 to the Consolidated Appropriations Act, 2016 (HR 2029) that is being considered in the House this morning. Labeled as Division N (pgs 1728 thru 1863), the Act is a negotiated blend of S 754 (CISA), HR 1560 (Protecting Cyber Networks Act), and HR 1731 (National Cybersecurity Protection Advancement Act of 2015) that were passed earlier this year in their respective house of congress.

The Act consists of four Titles:

• Cybersecurity Information Sharing;
• National Cybersecurity Advancement;
• Federal Cybersecurity Workforce Assessment; and
• Other Cyber Matters

Industrial Control System Provisions

For the most part the three base bills that were merged together to form this Division dealt with information technology (IT) systems; not industrial control systems (ICS). This is even more obvious in the blended legislation. The one clear exception to this is found in the definition of ‘information system’ found in §102(9); it specifically includes “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {§102(9)(B)}. Thus all of the information sharing provisions of Title I specifically apply to industrial control systems.

Unfortunately, the attention to ICS quickly breaks down in Title II of the bill where cyber incidents are discussed in relation to the operations of the National Cybersecurity and Communications Integration Center. The term incident is defined in the new §227(a)(3) as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system”.

This definition ignores the fact that a situation could involve an ICS in critical infrastructure and result in catastrophic results to a region or community (wide spread power outage, pipeline rupture and fire, or a toxic chemical release) without in any way harming the ICS or the information contained within the ICS. The basic misunderstanding of this situation can be clearly seen in §208 where DHS is required to report to Congress on “the feasibility of producing a risk-informed plan to address the risk of multiple simultaneous cyber incidents affecting critical infrastructure, including cyber incidents that may have a cascading effect on other critical infrastructure”. This was almost certainly seen as addressing control systems (the use of the term ‘cascading effect’ is clearly indicating power grid incidents), but the definition of ‘incidents’ almost excludes the intended situations.

This is seen again in §209 where another report to Congress by DHS is supposed to look at “cybersecurity vulnerabilities for the 10 United States ports that the Secretary determines are at greatest risk of a cybersecurity incident and provide recommendations to mitigate such vulnerabilities”. Again, the failure to include non-cyber consequences in the definition of ‘incident’ severely restricts its application to control system situations.

There is an interesting consequence to this expanded definition of ‘information system’ used throughout this division. In §228 the bill mandates that DHS “develop and implement an intrusion assessment plan to proactively detect, identify, and remove intruders in agency information systems on a routine basis” {§228(b)(1)(A)}. Since this Section uses the same ‘information system’ definition, this requirement also applies to agency ICS for such systems as building environmental controls, building access controls and security systems. In fact, an argument could be made that it also includes automotive control systems. I am pretty sure that this was not specifically intended by the staffs crafting this legislation.

Interestingly the ‘information system’ definition is not carried over to §405, Improving Cybersecurity in the Health Care Industry. This means that vendors of, and software developers for, medical devices are not included in the definition of ‘health care industry stakeholder’ found at §405(a). This makes no sense when the report required by this section from the Secretary of Health and Human Services is specifically required to address “challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record” {§405(c)(1)(C)}.

Missing ICS Provisions

The three bills that were the precursor to this Division were also generally IT security bills, but they did include two specific ICS related provisions that did not make it into this legislation.

For example S 754 included a provision (§407) that required the DHS Secretary to “identify critical infrastructure entities where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” {§407(b)}. It would then require a report to Congress “describing the extent to which each covered entity reports significant intrusions of information systems essential to the operation of critical infrastructure” {§407(c)} to either DHS or a regulating agency.

In HR 1731 we saw an amendment to 6 USC 148 that would have modified the mandatory composition of the National Cybersecurity and Communications Integration Center by adding the DHS ICS-CERT as a represented organization. It would have formalized the role of the ICS-CERT with the responsibility to {new §148(d)(1)(G)}:

∙ Coordinate with industrial control systems owners and operators;
∙ Provide training, upon request, to Federal entities and non-Federal entities on industrial control systems cybersecurity;
∙ Collaboratively address cybersecurity risks and incidents to industrial control systems;
∙ Provide technical assistance, upon request, to Federal entities and non-Federal entities relating to industrial control systems cybersecurity; and
∙ Shares cyber threat indicators, defensive measures, or information related to cybersecurity risks and incidents of industrial control systems in a timely fashion.

Moving Forward

Each of the component bills used to craft this negotiated compromise were passed by significant bipartisan votes in their respective house of Congress. Unfortunately, there are a number of privacy advocates that are dissatisfied with the privacy protection feature that were not included in this final version. For them to vote against the Cybersecurity Act of 2015, however, they have to vote against the whole package of spending bills to which it is appended. At this point (the House is currently debating HR 2029 as I write this) it is not clear if there is enough combined opposition to this (and other slightly less controversial provisions) to stop the bill from passing.

Bills Introduced – 12-16-15

Yesterday there were 27 bills introduced in the House and Senate. Only one of those may be of specific interest to readers of this blog:

HJ Res 78 Making further continuing appropriations for fiscal year 2016, and for other purposes. Rep. Rogers, Harold [R-KY-5]

HJ Res 78 was passed in both the House and Senate yesterday by voice vote. The bill extends the current FY 2016 temporary spending authority until December 22, 2015. This should provide Congress with the time to pass HR 2029, the ‘Consolidated Appropriations Act, 2016, which I discussed briefly yesterday.

FAA Publishes UAS IFR

Yesterday the DOT’s Federal Aviation Administration published an interim final rule (IFR) in the Federal Register (80 FR 78593-78648) providing an alternative, streamlined and simple, web-based aircraft registration process for the registration of small unmanned aircraft. The rule requires that all unmanned aircraft systems weighing between 0.55-lbs (250-g) and 55-lbs to be registered with the FAA prior to their being flown in the National Air Space (NAS).


The IFR adds the following definitions to 14 CFR 1.1:

Small unmanned aircraft system (small UAS): and

The definition of ‘model aircraft’ was specifically addressed by Congress in §336 of the FAA Modernization and Reform Act of 2012 (PL 112-95). Congress defined ‘model aircraft’ as an unmanned aircraft that is:

• Capable of sustained flight in the atmosphere;
• Flown within visual line of sight of the person operating the aircraft; and
• Flown for hobby or recreational purposes

Registration Requirement

Current law {49 USC 44101(a)} requires that “a person may operate an aircraft only when the aircraft is registered under section 44103 of this title”. Until this rulemaking the FAA has not applied this requirement to small UAS. The current regulations governing the registration of aircraft are found in 14 CFR Part 47 and generally require that an aircraft must be registered before it is flown in the United States.

The IFR amends 14 CFR by adding a new Part 48, Registration and Marking Requirements for Small Unmanned Aircraft. The IFR makes a distinction between two different registration types for UAS depending on the intended use of the UAS. For UAS that are intended to be operated as model aircraft, the registration is, in effect, a registration of the owner and each UAS owned by that owner would fall under that registration. For UAS that are not intended to be operated as model aircraft (commercial UAS for instance) each UAS must be registered separately.

Under §48.100(b) the registration requirements for small UAS intended to be used as model aircraft include submitting the following information on the new Web-based small unmanned aircraft registration system (the registration page will not be active until December 21st, 2015):

• Applicant name;
• Applicant's physical address and mailing address if different; and
• Applicant's email address.

The same registration system would be used for small UAS intended to be flown as other than a model aircraft under §48.100(a). The data submission requirements are somewhat different and include the following additional information:

• The aircraft manufacturer and model name; and
• The aircraft serial number, if available

A Certificate of Registration would be provided for each registration after the fee of $5.00 is paid. The Certificate would have to be in the possession of the operator whenever the small UAS is operated in the NAS. For model aircraft the registration certificate number would be marked on all UAS owned by the registered owner. For non-model small UAS either the registration certificate number or the aircraft serial number would be required to be displayed on each aircraft.

Registrations would be required to be renewed every three years (new fee required. Registration information would have to be updated whenever it changed (no fee required).

Effective Dates

The effective date of this interim final rule is December 21st, 2015. For model aircraft operated by the current owner before December 21st, registration must be completed under either Part 47 or Part 48 of 14 CFR by February 19th, 2016. All other model aircraft registrations must be completed before the small UAS is flown in the NAS.

For small UAS other than model aircraft must register their aircraft under the current Part 47 process used for conventional aircraft prior to operation in the NAS. Beginning March 31st, 2016 registrations for other than model aircraft may be completed using the new Part 48 process.

Public Comments

The FAA is soliciting public comments on this IFR. Comments may be submitted via the Federal eRulemaking Portal (; Docket # FAA-2015-7396). Comments should be submitted before January 15, 2016.


I have noted in a number of blog posts (most recently here) that Congress, in §336 of the FAA Modernization and Reform Act of 2012 (PL 112-95), specifically prohibited the FAA from promulgating “any rule or regulation regarding a model aircraft, or an aircraft being developed as a model aircraft”. And I maintained that this IFR would obviously violate that prohibition. I am not so sure now.

The preamble to this rule undertakes to explain the FAA’s reasoning as to why this IFR does not conflict with §336. The discussion is a tad bit convoluted and legalistic, but I think that it completely ignores the best defense. Because of the way that §48.100 of this rule is written, the regulation does not address, directly, model aircraft. Since under §48.100(b) the registration for model aircraft does not include information about the aircraft it is a registration of the owner. Thus it seems fairly clear to me that the regulation does not violate the letter of §336.

Whether or not it violates the congressional intent of the §336, is an area that is not quite so clear. The original language in this section comes from S 223 in §607(g) where it was added as a floor amendment considered en bloc with no debate (CREC-2011-02-17-pt1-Pg 830) and there is no discussion about the intent in the Conference Report. Lacking any clear explanation of intent, we are probably stuck with the FAA interpretation.

I expect that we will see a number of negative comments about this conflict with the intent of §336, but lacking a comment from Sen. Inhofe (who proposed the amended language in the Senate), I do not expect that the FAA will revoke this model aircraft small UAS registration provisions of this rule. 

Wednesday, December 16, 2015

House Passes HR 3878 – Port Cybersecurity

This afternoon the House passed HR 3878, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015. There was only 17 minutes of debate under suspension of the rules and it was passed by voice vote.

As I mentioned in an earlier blog post amendments were made to this bill in Committee to make changes to 46 USC 70101 and 70103 to add ‘cybersecurity’ provisions to MTSA requirements for vulnerability assessments and security plans for facilities and vessels. This will be the first official mention of cybersecurity in the MTSA programs.

The bill is still missing any specific requirement for covered facilities or vessels to report cybersecurity incidents to the Coast Guard. There is very little chance that such reporting requirements will be made in the Senate since this bill will probably move directly to the Senate floor under the unanimous consent process.

DHS Publishes First NTAS Bulletin

Today DHS published their first terrorism bulletin under the National Terrorism Advisory System. In addition to providing information about the current “new phase in the global threat environment” this bulletin marks the addition of ‘Bulletins’ to the two levels of alerts (Elevated and Imminent) in the NTAS that replaced the old 9-11 based color coded alert system.

Today’s bulletin (that expires on June 16th, 2016) addresses “the rise in use by terrorist groups of  the Internet to inspire and recruit, we are concerned about the ‘self-radicalized’ actor(s) who could strike with little or no notice”. The bulletin is based in large part on data that has emerged from the investigations of recent terrorist attacks in Paris and San Bernardino.

The bulletin outlines four ‘details’ about the current threat:

• Though we know of no intelligence that is both specific and credible at this time of a plot by terrorist organizations to attack the homeland, the reality is terrorist-inspired individuals have conducted, or attempted to conduct, attacks in the United States this year.
• DHS is especially concerned that terrorist-inspired individuals and homegrown violent extremists may be encouraged or inspired to target public events or places.
• As we saw in the recent attacks in San Bernardino and Paris, terrorists will consider a diverse and wide selection of targets for attacks.
• In the current environment, DHS is also concerned about threats and violence directed at particular communities and individuals across the country, based on perceived religion, ethnicity, or nationality.

The bulletin also outlines actions that DHS and the law enforcement community are taking to address the threat outlined in the bulletin. There are also specific recommendations to individuals about the part that they play in reducing the risk from the current threat. These recommendations are broken down into three categories:

• How you can help;
• Be prepared; and
• Stay informed.

The addition of bulletins to the previous alerts in the NTAS is part of the modernization effort that DHS Secretary Jeh Johnson promised earlier this month. Those earlier reports sounded like there would be a new system to replace the never used NTAS. Instead, it looks like the Department has decided to upgrade NTAS instead of effecting a wholesale replacement.

NOTE: Long time readers of my blog will note a difference today in the DHS provided NTAS widget on my blog. It now lists ‘Bulletin’ and provides a link to today’s newly released bulletin. It will be interesting to see if that listing on the widget will remain there through June 16th. If so, it will do little good if a new bulletin is released in the meantime. I hope that DHS has thought that through. Perhaps they may want to revise that widget to also show the date of the most current bulletin or alert.

Rules Committee to Meet on Omnibus Spending Bill

This morning the House Rules Committee announced that it would be conducting a rules hearing this afternoon to establish the rule for the consideration of Senate amendment to H.R. 2029 - Military Construction and Veterans Affairs and Related Agencies Appropriations Act, 2016. What will actually be considered is a new amendment that would make this the “Consolidated Appropriations Act, 2016”.

A copy of the Rules Committee draft of this proposed amendment is available. The Rules Committee has also made available explanatory statements for the various divisions of this bill. Divisions of specific interest to readers of this blog include:

DivisionC – Defense; (NOTE: This link is currently not working) [21:16 CST, 12-16-15]

DHS Explanatory Statement

A quick review of the DHS explanatory statement shows the following topics that may be of specific interest to readers of this blog:

• Surface Transportation Security, pg 41;
• STS, Intelligence, pg 42;
• Infrastructure Protection And Information Security, pg 55;
• IPIS, Cybersecurity, pg 57;
• IPIS, Cybersecurity Strategy and Planning, pg 59;
• Office Of Health Affairs, pg 61;
• Federal Emergency Management Agency, pg 62;
• FEMA, Ensuring Rail Security, pg 64;
• Section 521, CBRNE Office, pg 79;

DOT Explanatory Statement

A quick review of the DOT explanatory statement shows the following topics that may be of specific interest to readers of this blog:

• Federal Railroad Administration, pg 24;
• Pipeline And Hazardous Materials Safety Administration, pg 33;
• PHMSA, Small scale liquefaction facilities; pg 33
• PHMSA, Emergency Preparedness Grants, pg 36

Cybersecurity Act Explanatory Notes

This only provides a one paragraph, very high-level summary of the Cybersecurity Act of 2015, a compilation of provisions from three bills passed in their respective house of congress; S 754 (CISA), HR 1560 (Protecting Cyber Networks Act), and HR 1731 (National Cybersecurity
Protection Advancement Act of 2015).

This will take some time to review in detail.

Moving Forward

The Rules Committee will formulate a structured rule for the consideration of HR 2029. There will be limited debate (one hour) and a vote. The back room dealing between the House and Senate leadership on both sides of the aisle almost ensures that this bill will pass (probably Thursday) in the House and then Friday in the Senate. There will be bipartisan opposition to the bill, but I don’t suspect that it will be substantial.

The current spending authority ends tonight at midnight, but the House just passed HJ Res 78 that will extend that deadline long enough to allow the votes on HR 2029. NOTE: the GPO has not yet received the resolution so I have not been able to see all of the provisions. I don’t expect to be able to see that until tomorrow morning.


Neither party will be totally satisfied with this bill and that is to be expected. While the Republicans arithmetically ‘control’ both the House and Senate, their majority in the Senate is not large enough to push controversial bills through without at least some support from Democrats. That is further aggravated by the fact that there is a minority of the Senate Republicans that have an aggressively partisan agenda that may not support the Republican leadership. With a Democrat in the White House, the Republicans also have the problem of not being able to override a presidential veto of a bill without support from Democrats in both the House and Senate.

So, at the end of the day, spending bills have to be a matter of compromise between the leadership of both parties. Neither side will get everything that they want. On the flip side of that, neither side will be forced to accept anything that they cannot live with. That is how democracies should work.
/* Use this with templates/template-twocol.html */