Last month, Rep Dingell (D,MI) introduced HR 774, the Manufacturing Economy and National Security (MEANS) Act. The bill would require the Department of Commerce to “develop and implement a strategy taking a whole-of-Government approach to support the resilience, diversity, security, and strength of supply chains.” The bill would authorize $35 billion for the programs outlined in the Act and $5 million for the DOC Inspector General audit of the program. The bill includes minor cybersecurity mentions.
Bill Overview
Section 2 of the bill outlines the congressional findings that support the need for the legislation.
Section 3 of the bill establishes the requirement for DOC to establish a strategy to counter threats to supply chains for critical goods. This includes outlining areas that the strategy will address.
Section 4 of the bill would establish within DOC an Office of Manufacturing Security and Resilience to oversee a Manufacturing Security and Resilience Program.
Cybersecurity Mentions
The bill only mentions cyber-related concerns in passing. All mentions are found in §4(w), Definitions, where they appear within the definitions of two terms:
Key Technology Focus Areas – ‘Cybersecurity’ is part of one of the ten listed focus areas, and
Supply Chain Shock – ‘Cyberattack’ is one of nine items that can be considered to be supply chain shocks.
Moving Forward
Dingell and two of her three cosponsors {Rep Blunt (D,DE) and Rep Kelly (D,IL)} are members of the House Energy and Commerce Committee to which this bill is assigned for consideration. Typically, this means that there should be sufficient influence to see the bill considered in Committee. In the 118th Congress, with the Republican focus on reducing spending, this bill will probably face significant opposition from Republican members of the Committee due to the cost associated with the programs outlined in the bill. It will be interesting to see if this bill makes it to Committee consideration.
Commentary
Cybersecurity is a very minor component of the supply chain security program outlined in this bill. Even so, I would have liked to have seen more mention of cybersecurity, particularly control system security, in the bill. For example, I would have written the definition of ‘industrial equipment’ in §4(w)(10) differently:
(10) INDUSTRIAL EQUIPMENT.—The term “industrial equipment” means any component, subsystem, system, information system (as defined in 6 USC 1501), equipment, tooling, accessory, part, or assembly necessary for the manufacturing of a critical good.
The §1501 definition of ‘information system’ specifically includes industrial control systems, but it would also include enterprise IT systems, communication systems, email systems, and other cyber systems that are used by manufacturing entities. This would help ensure that the planning activities outlined in §3(b) supporting the strategy “to support the resilience, diversity, security, and strength of supply chains” take into account control system supply and security issues.