U.S. Cybersecurity Policy Update
By Julie A. Dunne
January 09, 2023
In case you missed it, the Fiscal Year 2023 Omnibus includes a provision (at section 524B, p.3537) that gives the Food and Drug Administration the authority to require certain medical device applications to provide information demonstrating the cybersecurity of those devices, including a software bill of materials.
Buried in the rules package for the 118th Congress is a provision that would give the House Homeland Security Committee clearer jurisdiction over cybersecurity bills when the parliamentarian is considering which committees should get referrals. It remains to be seen how this plays out particularly in terms of the House Committee on Oversight and Reform, which has generally benefitted from the rules as they stood in prior Congresses.
On December 19, the Federal Acquisition Regulation (FAR) Council sent two proposed cyber contracting rules to the Office of Information and Regulatory Affairs (OIRA) within the Office of Management and Budget (OMB). These proposed rules are: (1) FAR Case 2021-017 Cyber Threat and Incident Reporting and Information Sharing; and (2) FAR Case 2021-019 Standardizing Cybersecurity Requirements for Unclassified Information. Both proposed rules are related to the cyber Executive Order 14028. Once OIRA clears these proposed rules, they will be published in the Federal Register and there will be an opportunity to comment. Most FAR Council-cleared rules have undergone extensive vetting before they are sent to OIRA, so while it is hard to speculate on a publication date, we would expect the OIRA process to be expedited. We will continue to monitor the progress of both.
On December 21, the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a technical rule to improve and modernize aspects of the Protected Critical Infrastructure Information (PCII) Program, which provides legal protections for cyber and physical infrastructure information submitted to DHS. This technical rule consists of organizational revisions in various sections of 6 CFR part 29 intended to correct errors, change addresses, update titles, and make other non-substantive amendments that improve the clarity of the PCII Program regulations. These revisions will help critical infrastructure owners and operators, state and local governments, and other important stakeholders more effectively use the PCII Program. A complete description of the revisions is given in the technical final rule itself.
The Transportation Security Administration extended the comment period for the Advanced Notice of Proposed Rulemaking (ANPRM) on cybersecurity and resiliency in the pipeline and rail sectors. With the extension, comments on the ANPRM are now due February 1, 2023.
Sources tell us the National Cyber Strategy (Strategy) is likely to be going back to the Deputies Committee next week. That leads us to conclude that it could be finalized by mid-February. In addition, it has been reported that the current National Cyber Director, Chris Inglis, will be stepping down from this position; we expect that he will do so once the Strategy is public.
Book a consultation with Julie Dunne using the link below to explore how emerging cybersecurity policy issues may impact your organization and how to effectively engage on these issues.