The Consolidated Appropriations Act–the bill agreed to by House and Senate negotiators that could avert another partial government shutdown–features more cybersecurity-related funding for the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), but also further obligations to report to Congress in the coming months on key security-related issues.
The House and Senate are expected to tee up the vote on the bill today, with passage expected by comfortable margins. President Trump has not indicated whether he will sign the bill, but numerous press reports citing unnamed sources say it’s likely he will.
A look below the bill’s top lines finds that DHS and CISA are in line for bumps in cybersecurity-related appropriations.
The bill provides $1.345 billion for CISA, $111 million above the agency’s budget request. The Senate summary of the legislation notes that the bill provides $1.037 for “cybersecurity operations and procurements” for DHS overall–$88 million more than the original request from DHS.
“This investment will help guard against the over 35,000 cybersecurity incidents experienced by federal agencies annually and the more than 53,000 incidents in the private sector,” the Senate summary notes.
Broken out into spending areas, the bill provides $272 million for protecting and responding to attacks on critical infrastructure, $718 million for intrusion detection and mitigation, $33 million for election security, and $18.5 million for cyber education.
The bill also provides some extra leeway for the newly reorganized CISA, at least for FY 2019.
“To provide greater flexibility, CISA PPAs [programs, projects, or activities] are included in the control table for purposes of reprograming and transfer thresholds at the second level PPA. It is expected that CISA will include in its budget request greater detail, to at least the third level PPA, so Congress can continue fiscal oversight and not have to return to a greater level of specificity in the control table,” the joint explanatory statement says.
The joint explanatory statement notes that DHS will need to brief Congress on the updated timeline and acquisition strategy for the National Cybersecurity Protection System, also known as EINSTEIN, and the Continuous Diagnostics and Mitigation (CDM) program within 90 days of the bill’s passage, and on a semiannual basis going forward. And the statement specifically calls for more information about the accelerated deployment of CDM Phase 4, data protection management.
The bill also directs the Government Accountability Office (GAO) to examine how CISA is responding to its election security duties, and provide a report within 180 days.
The legislation further directs CISA to work with the National Guard on infrastructure protection, look into the feasibility of an election security bug bounty program, and provide a detailed spending plan for the National Risk Management Center.
Outside of CISA, the bill also provides $397 million for the office of the CIO at DHS–$15 million above the department’s budget request. The extra funding includes $12 million for data center optimization, and $3 million for the Cybersecurity Internship Program. However, the office will need to report to Congress on cybersecurity initiatives at DHS, along with the Chief Human Capital Officer.
In contrast to the increased funding for other components, the bill removes funds for IT modernization efforts at the Transportation Security Administration (TSA), as DHS decided to discontinue the program.
The budget also provides $89 million for cybersecurity research, but keeps it under the control of the Science and Technology Directorate instead of moving it under CISA’s purview, as DHS requested.
The appropriations bill, as part of its provisions regarding border protection, also devotes an extra $100 million for border security technology, including “mobile surveillance capability and innovative towers,” as stated in the Senate summary.