A new spending bill allotted the Department of Homeland Security’s cybersecurity agency more than $2 billion for fiscal 2020, a $334 million increase over last year for the year-old agency tasked with protecting federal networks and critical infrastructure from cyberattacks.
The funding for the Cybersecurity and Infrastructure Security Agency includes substantial boosts in funding for several federal and election cybersecurity programs. Congress allocated CISA a $30 million bump in federal cybersecurity spending over last year. Additionally, the bill sets aside $25 million for the creation of a cybersecurity shared services office to bolster CISA’s ability to provide cybersecurity services throughout the federal government.
Budget documents accompanying the legislation also direct CISA to take a central role in tackling the government’s pervasive cyber workforce shortage. The minibus legislation included a $7.1 million increase above the CISA budget request for expediting cybersecurity education, training, workforce and development. Three months after the budget is signed, CISA must also deliver a report to Congress on potential solutions to the workforce shortage.
“CISA is directed to develop a consolidated plan that defines a path to educate the cybersecurity workforce of the future and develop content that includes partnering with at least two academic institutions of higher education to cultivate a non-traditional workforce, focused on reaching rural, minority, gender diverse, and veteran populations,” the members wrote.
The budget agreement also includes a $53.5 million bump for CISA’s Continuous Diagnostics and Mitigation program, appropriating $213.5 million for the CDM program, nearly $76 million above the agency’s FY2020 request for the program that’s supposed to give federal agencies better insight into their overall cybersecurity.
Central to CDM is its dashboard, which will give agency leaders to view their agency’s cybersecurity posture and allow them to compare themselves to other federal agencies. Congress allocated $13 million above the FY2020 request “to accelerate data protection and dashboard deployment.”
If approved, CISA will also receive a $58.5 million increase for vulnerability management to improve its ability to help government agencies at all levels, industrial control system operators and critical infrastructure owners identify vulnerabilities and develop a “coordinated” plan for vulnerability disclosure. CISA is currently drafting a directive that would require that federal agencies establish a vulnerability disclosure program, in which security researchers could submit vulnerabilities in agencies websites.
The massive funding increase for CISA is good news for the agency with a broad mandate that includes defending federal networks, to election infrastructure and physical security in crowded places.
As for its election security responsibilities, CISA will receive $43.5 million for its Election Infrastructure Security Initiative, about $19 million more than CISA requested in its FY2020 request, as Congress remains concerned about election security as the 2020 presidential election heats up. The money will go toward supporting state and local governments better election security and counter foreign influence through the Multi-State Information Sharing and Analysis Center and the National Risk Management Center.
CISA, which generally doesn’t have the ability to force entities outside of the federal government to act, is seeking to gain more power in the critical infrastructure realm. The agency has asked Congress to give it the power to subpoena internet service providers for users running critical infrastructure that it identifies as vulnerable. That bill was introduced last week by Sens. Ron Johnson, R-Wis., and Maggie Hassan, D-N.H.