HR 285 Introduced - Vulnerability Remediation
Earlier this month, Rep Jackson-Lee introduced HR 285, the bill would amend 6 USC 659 to allow the National Cybersecurity and Communications Integration Center (NCCIC) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities”. A report to Congress is also required. No funding is authorized in this bill.
The language is very similar to the version of HR 2980 that was passed in the House last session. That bill was also introduced by Jackson-Lee. It was amended by the House Homeland Security Committee. The reported version of the bill included language that specifically included control systems in the systems to be addressed in the protocols to mitigate vulnerabilities developed by CISA. It passed in the House on July 20th, 2022 as part of an en bloc vote on a number of bills that had been debated earlier under the suspension of the rules process.
This new version of the bill does not include the technical corrections (§5) to the numbering of sections in the Homeland Security Act of 2002 found in the earlier bill. Those corrections were subsequently included in separate legislation that was signed by the President.
Changes to §659
The major change to 6 USC 659 made in this bill is the addition of a new sub-section (t):
“(t) Protocols To Counter Certain Cybersecurity Vulnerabilities. The Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities to information systems and industrial control systems, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”
Report on Vulnerabilities
Section 3 of the bill requires CISA to prepare a report to Congress on how it coordinates vulnerability disclosures under §659(m), Cybersecurity outreach, and how it “disseminate actionable protocols to mitigate cybersecurity vulnerabilities” under the new subsection (n). The report will include:
A description of the policies and procedures relating to the coordination of vulnerability disclosures,
A description of the levels of activity in furtherance of such subsections (n) and (t) of such section 2209,
Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in such section 2209) between the Department and industry and other stakeholders.
Any available information on the degree to which such information was acted upon by industry and other stakeholders.
A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.
Moving Forward
Jackson-Lee has not yet been assigned to any committees. This means that it is too early to tell if she will have sufficient influence to see the bill considered by the House Homeland Security Committee to which this bill was assigned for consideration. The bill would receive significant bipartisan support were it considered by the Committee and would again probably move to the floor of the House under the suspension of the rules process.
Commentary
The development of remediation protocols authorized by this bill is another example of Congress authorizing actions already being taken by CISA. This is, however, going to become more important because of changes made to the House rules for the consideration of spending bills. H Res 5 provides a point of order rule for spending bills to call out “for an expenditure not previously authorized by law”. It is unlikely that this particular activity by CISA would be the subject of a point of order objection, but it remains a possibility.