Earlier this month, Rep Slotkin (D,MI) introduced HR 7174,
the National Computer Forensics Institute Reauthorization Act of 2022. The bill
would reauthorize the Secret Service’s NCFI through 2032 and expand the scope
of responsibilities for the Institute. It would make several changes to 6
USC 383, including adding a list of definitions of key terms. The bill does
not include authorization for expenditures to support these changes.
Moving Forward
Slotkin and a number of her 14 cosponsors {including
Chairman Thompson (D,MS) and Rep McCaul (R,TX)} are members of the House
Homeland Security Committee to which this bill was assigned for consideration.
This means that there is certainly sufficient influence to see this bill
considered in Committee. This bill will certainly be approved in Committee by a
substantial bipartisan majority. The bill will likely be considered in the full
House under the suspension of the rules process.
Commentary
The addition of the three definitions to the bill ensures that control system security
issues fall within the scope of the NCFI. But it does point out once again that
there is a disconnect in cybersecurity definitions in the US Code. Here, for
example, the bill uses the control system inclusive definition of the term
information system while also defining the term ‘incident’ by reference to a
section of 6 USC that uses the IT restrictive definition of that term.
Technically, that means that in this section wherever the term ‘information
system’ is used it includes control systems, but where the term ‘incident’ is
used control systems are excluded. I have discussed this problem many times before,
but most explicitly here.
For more details on the provisions of this bill, including a
look at the expanded responsibilities for NCFI, see my article at CFSN Detailed
Analysis – https://patrickcoyle.substack.com/p/hr-7174-introduced
– subscription required.