The just-passed infrastructure bill includes a $1.9 billion budget for cybersecurity, and more money will pour into the cybersecurity space as other bills like Build Back Better pass.
On November 5, the U.S. Congress passed the trillion-dollar Infrastructure Investment and Jobs Act signed by Biden. Not only is the landmark bill expected to massively upgrade America’s aging infrastructure, it will also increase government cybersecurity spending by $1.9 billion.
The bill includes a $1 billion grant to help protect U.S. state, local, tribal and territorial governments from malicious hackers and to modernize systems that protect sensitive data, information and public critical infrastructure. The funding will be provided on an ongoing basis for four years beginning in fiscal year 2022 through the Federal Emergency Management Agency (FEMA), which operates the existing Department of Homeland Security (DHS) grant program, under the direction of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as an industry expert.
The bill also incorporates the Cyber Response and Recovery Act of 2021, which authorizes $100 million over five years to help the U.S. government quickly respond to cybersecurity breaches. Another initiative worth mentioning is a $21 million grant for the newly created Office of the National Cyber Director (NCD) to hire qualified personnel to support its essential cybersecurity missions. The bill also requires the U.S. Environmental Protection Agency (EPA) and CISA to determine whether a public water system being degraded or made unavailable by a cyberattack would have a significant impact on public health and safety.
While the infrastructure bill awaits the president’s signature, another major piece of legislation backed by Biden, the 1,700-page Build Back Better bill for social spending, is expected to further increase cybersecurity spending. The bill includes at least $500 million in cybersecurity funding for CISA, including $100 million to protect federal civilian systems not considered “national security systems.”
The Build Back Better bill also includes $50 million for cloud security, $50 million for industrial control system (ICS) security, and $20 million to support state, local, and tribal governments in migrating to the .gov domain name. However, the measure's prospects are unclear: two senators vehemently oppose it and threaten to jeopardize its passage, as they believe it goes too far in expanding the social safety net.
Only one other cybersecurity bill was enacted
In addition to the above important legislation, the U.S. Congress has been busy discussing various cybersecurity bills since the new Congress was seated. Overall, since the 117th Congress of the United States was sworn in this January, 321 bills have been introduced that address cybersecurity in whole or in part.
Of those bills, only one cybersecurity bill, the 2021 K-12 Cybersecurity Bill, has been enacted into law. The bill, introduced by Senator Gary Peters (D-Mich.) and signed by President Biden on Oct. 8, would require CISA to “research the cybersecurity risks faced by elementary and secondary schools and recommend measures, including cybersecurity guidelines designed to help schools respond to these risks”.
Other cybersecurity proposals to watch
Since late July, lawmakers have introduced about 70 new bills covering cybersecurity. Among them are the following items to pay close attention to:
HR 5186, CISA Leadership Act. The measure, sponsored by Rep. Andrew Garbarino (R-N.Y.), is aimed at preventing turmoil at CISA (Trump fired its first director, Chris Krebs, for reaffirming presidential election security). The proposed bill establishes a five-year term for the CISA director position and reiterates that the position should be nominated by the president and approved by the Senate.
S. 2875, Cyber Incident Reporting Act of 2021. Senator Gary Peters (D-Mich.) sponsored the bill to set a cyber incident reporting timeline, including requiring certain organizations to report ransomware payments within 24 hours. The bill also requires owners and operators of critical infrastructure to report cybersecurity incidents to CISA within 72 hours.
HR 3599, Federal Rotational Cyber Workforce Program Act of 2021. The bill, sponsored by Rep. Ro Khanna (D-Calif.), passed the House of Representatives on September 30, and is now pending approval by the Senate. The bill seeks to establish a cyber workforce rotation program that would give certain federal employees a realistic view of what other agencies’ cyber workforce rotation positions are doing.
S. 2902, Federal Information Security Modernization Act of 2021. Senator Gary Peters (D-Mich.) sponsored the legislation to improve U.S. federal cybersecurity in light of multiple cyberattacks earlier this year. In addition, the bill clarifies CISA’s role in cybersecurity incident response and requires federal agencies to report major attacks to CISA and Congress, ensuring that CISA is the lead agency for cybersecurity incident response efforts.
HR 3919, Secure Equipment Act. Rep. Steve Scalise (R-La.) introduced the measure, which was overwhelmingly passed by the House on Oct. 20 and unanimously sent to the Senate without amendment. The bill requires the Federal Communications Commission (FCC) to create rules stating that the agency will no longer review or approve any applications for authorization of devices on the covered communications device or service list. This list identifies devices or services that the FCC has determined to pose an unacceptable risk to national security or the safety of U.S. citizens.
HR 4067, Communications Security, Reliability, and Interoperability Council Act. The bill, sponsored by Rep. Elissa Slotkin (D-Mich.), requires the FCC to permanently create a committee to make recommendations on improving the security and reliability of telecommunications networks. The House passed the bill on October 20.
HR 4611, DHS Software Supply Chain Risk Management Act of 2021. The bill, sponsored by Rep. Richard Torres (D-N.Y.), passed the House of Representatives on October 20 and was received by the Senate and referred to the Homeland Security and Governmental Affairs Committee. The bill calls for the DHS Governing Council to issue guidance on new and existing contracts related to the procurement of information and communications technology or services. In addition, the proposed bill would require federal contractors to submit bills of materials to the Department of Homeland Security, along with certification that each item on the bill of materials is free of specific security vulnerabilities or defects that would affect the safety of the final product or service. The bill also requires notification of any discovered vulnerabilities or deficiencies and a plan to mitigate, fix, or resolve them.
HR 5491, Securing Systemically Important Critical Infrastructure Act. The bill, sponsored by Rep. John Katko (R-N.Y.), seeks to establish a process to help designate Systemically Important Critical Infrastructure (SICI). The bill further directs CISA to value the real interests of SICI owners and operators by enhancing risk management coordination between them and the federal government without imposing additional burdens.
S. 3099, Federal Secure Cloud Improvement and Jobs Act of 2021. The bill, sponsored by Senator Gary Peters (D-Mich.), seeks to codify the Federal Risk and Authorization Management Program (FedRAMP) to help agencies accelerate the adoption of cloud services. The bill also requires the General Services Administration to begin automating FedRAMP security assessments and reviews within a year and to continuously monitor cloud computing products and services.
HR 3462, SBA Cyber Awareness Act. The bill, sponsored by Rep. Jason Crow (D-Colorado), would require the Small Business Administration (SBA) to issue a report on its cybersecurity capabilities and notify Congress when a cybersecurity incident could compromise sensitive information. The House unanimously passed the bill on November 3.
HR 4515, Small Business Development Center Cyber Training Act of 2021. The bill, sponsored by Rep. Andrew Garbarino (R-N.Y.), would require the Small Business Administration (SBA) to develop a plan to qualify at least 5% or 10% of Small Business Development Center (SBDC) employees to provide cybersecurity planning assistance to small businesses. The House passed the bill on November 2.