Analysis of Cyber Provisions in the Fiscal Year 2022 Omnibus
President Joe Biden signed the Consolidated Appropriations Act of 2022 into law on March 15. The omnibus package included $1.5 trillion in discretionary spending for all 12 appropriations bills, along with an assistance package for Ukraine. Notably, the bill includes significant cyber provisions, including a cyber incident reporting requirement for critical infrastructure operators and other resources within the Homeland Security division of the bill to ramp up Cybersecurity and Infrastructure Security Agency (CISA) activities related to cyber. Included below is our analysis of the most notable cyber provisions in the Fiscal Year 2022 (FY22) omnibus.
Division Y: Cyber Incident Reporting for Critical Infrastructure Act
The FY22 omnibus includes a provision that was originally part of the Strengthening American Cybersecurity Act, championed by Sens. Gary Peters (D-MI) and Rob Portman (R-OH), on hack and ransomware reporting requirements. The provision requires that critical infrastructure operators report significant cyber incidents within 72 hours and ransomware payments within 24 hours. CISA will now be tasked with implementing this provision.
In the meantime, Sen. Peters is continuing to work on advancing other components of the Senate-passed cyber package that did not hitch a ride on the omnibus, including new requirements for federal agencies to carry out certain cybersecurity programs and report on major cyber incidents within 72 hours, as well as a reauthorization of the Federal Risk and Authorization Management Program (FedRAMP).
Analysis of Allocations and Legislative Text of Division F: Department of Homeland Security Appropriations Act
Overall, the omnibus provides CISA with $2.6 billion. This is $568.7 million more than the FY21 enacted level and $460 million more than what was included for CISA in President Biden’s FY22 budget request. The bill specifically includes $271.9 million for CISA cybersecurity operations.
The legislative text makes clear that funds appropriated for CISA operations and support may be used for procuring or providing access to cybersecurity threat feeds for branches, agencies, independent agencies, corporations, establishments, and instrumentalities of the U.S. Government; state, local, tribal, and territorial government entities; fusion centers; and Information Sharing and Analysis Organizations.
The bill also includes a total of $47.7 million for CISA infrastructure security and integrated operations, including $17.1 million that can be used for additional cybersecurity support.
The omnibus includes $78.6 million for emergency communications, including a $46.7 million increase for Next Generation Networks Priority Services and a $20 million increase to begin efforts for a Next Generation 9-1-1 (NG911) Ecosystem Program.
The division includes a provision stipulating that no funds made available to the Department of Homeland Security (DHS) may be used to maintain or establish a computer network unless the network blocks the viewing, downloading, and exchanging of pornography.
Beyond CISA programs, the bill increases Coast Guard funding to make additional investments in cybersecurity, among other priorities.
Analysis of Division F Explanatory Statement
The explanatory statement directs:
$8.4 million in funding for CISA cyber investigations to enhance covert computer networks, Dark Web platforms, undercover platforms, and the Network Intrusion Program;
$16.3 million in funding for CISA to develop a cyber threat platform, update hardware and software for computer forensics, and provide targeted child exploitation investigations training;
$2.5 million to create a new cyber threat intelligence service offering through CISA’s Cybersecurity Shared Office to ensure efficient and effective use of cyber threat intelligence resources, with a report on these activities due within 180 days;
$11.8 million for cybersecurity education, training, and other programs to address the shortfall in national cyber professionals, with a briefing on these efforts due within 120 days;
$16.2 million for the Joint Cyber Defense Collaborative to hire personnel, fund equipment, and develop analytic capabilities;
$38 million to sustain and expand the Multi-State Information Sharing and Analysis Center (MS-ISAC);
$24 million to increase cyber threat hunting in support of federal civilian agencies and non-federal networks, including state and local government and critical infrastructure operator networks, with a briefing due to the Appropriations Committees within 180 days;
$2.2 million for CISA’s Joint Cyber Defense Collaborative to conduct exercises to increase understanding of threats to critical infrastructure;
$3.4 million for national cyber exercises with state governments, the private sector, and international observers;
$2.9 million to establish the Cyber Safety Review Board (CSRB) in support of the Executive Order on Improving the Nation’s Cybersecurity;
$1.5 million to establish the Cybersecurity Advisory Committee created by the FY21 National Defense Authorization Act (NDAA);
$4 million for CISA to support the Federal Emergency Management Agency (FEMA) with subject matter expertise on cyber and infrastructure security matters as FEMA implements state, local, tribal, and territorial preparedness grant programs;
$32.3 million for investments in management and security tools for the mobile device landscape across federal civilian executive branch agencies;
$1 million to enhance protection of federal networks and expand CISA’s ability to defend against nation-state threats and critical vulnerabilities;
$2 million in research and development (R&D) funding for CISA to work with a university partner to evaluate cybersecurity training materials and the social and behavioral impacts on protecting local law enforcement entities and their operations;
$2 million in R&D funding for CISA, in partnership with a national laboratory, to conduct research on the critical infrastructure testbed for cybersecurity;
$20 million for NG911, including efforts to align NG911 systems with National Institute of Standards and Technology (NIST) cybersecurity standards;
$4 million for the Transportation Security Administration (TSA) to conduct additional pipeline cybersecurity activities, and directs TSA to provide a spending plan for these funds within 30 days;
$18.6 million for TSA for low probability of false alarm algorithm screening;
$6 million for the Coast Guard to perform cyber compliance upgrades to training center simulators and trainers; and
$11.9 million for Coast Guard cyber readiness.
The committee report language requires the Office of the Chief Human Capital Officer, in coordination with the Office of the Chief Information Officer (CIO) and CISA, to brief the Appropriations Committees on the status of DHS’s cybersecurity hiring goals within 60 days.
The explanatory statement directs the Coast Guard to brief the Appropriations Committees within 120 days on its compliance with DoD information network cybersecurity requirements.
The explanatory statement indicates the omnibus provides funding requested by DHS to maintain command and control, communications, computer, cyber, and intelligence (C5I) capabilities.
The report language directs the Secret Service to brief the Appropriations Committees on the efforts of its Cyber Fraud Task Force within 120 days.
The explanatory statement makes clear that the bill does not provide any additional funding for the Cyber Response and Recovery Fund (CRRF) created by the Bipartisan Infrastructure Framework (BIF). However, there is a report language provision requiring CISA to provide a plan for the CRRF within 180 days.
The report language directs CISA to engage with private sector providers, universities, and Department of Defense (DoD) entities to identify software solutions for nullifying cybersecurity attacks within 180 days. A report on this engagement is due to the Appropriations Committees within 210 days.
The explanatory statement requests a briefing on the Cybersecurity Shared Services Office’s marketplace services within 120 days.
The committee report notes that funding was provided above the request for CyberSentry and other efforts focused on voluntary threat detection by critical infrastructure operators through use of sensors between operational technology and information technology systems.
Within 60 days, CISA and the Office of Management and Budget (OMB) are required by the explanatory statement to brief the Appropriations Committees on the federal government’s compliance with FISMA cybersecurity goals and prioritization of cybersecurity investments. This provision would require this report annually within 60 days of the release of the president’s budget request (PBR).
The explanatory statement indicates that $1.86 million is intended to be used by DHS to meet directives included within the president’s Executive Order on Improving the Nation’s Cybersecurity.
The report language requires a briefing to the Appropriations Committees on DHS’s implementation of the Endpoint Detection and Response initiative required by the Executive Order on Improving the Nation’s Cybersecurity within 180 days.
The explanatory statement requires DHS to brief the Appropriations Committees within 210 days on investment milestones to integrate the full range of cybersecurity data sets collected across CISA programs.
The explanatory statement includes a provision requiring CISA to brief the Appropriations Committees on factors that have made the U.S. vulnerable to ransomware attacks on critical infrastructure over the past two years and CISA’s efforts to raise awareness of the threats posed by ransomware within 180 days.
By the end of FY22, the report language requires the National Cybersecurity Preparedness Consortium to provide the Appropriations Committees with a comprehensive report on multiyear curricula to improve cybersecurity preparedness.