The FY 2020 Budget Increases Cybersecurity Funding by Nearly $800 Million
Published: March 21, 2019
The Trump Administration is proposing increasing cybersecurity budgets to help protect and modernize federal information technology (IT) systems.
For the second fiscal year (FY) running, the FY 2020 President’s Budget Request included detailed government-wide data on the Administration’s intent to spend hundreds of millions of dollars more on cybersecurity across federal departments and agencies.
In the Analytical Perspectives section of the FY 2020 proposed budget which was released this week, the Office of Management and Budget (OMB) includes a chapter specifically on Cybersecurity Funding. The inclusion of this funding detail is required under provisions included in the FY 2017 Consolidated Appropriations Act (omnibus). OMB’s analysis addresses that legislative requirement and covers cybersecurity activities and funding for all federal agencies, not just those carried out by the Department of Homeland Security (DHS) and Department of Defense (DOD).
Total Federal Cybersecurity Funding
The FY 2020 budget requests a total of more than $17.4B for FY 2020, up $790M from the estimated $16.6B in the current 2019 fiscal year and an increase of nearly $2.5B over the FY 2018 actual level of about $15B. If the FY 2020 budget is enacted, the spending level would represent a 5% increase over FY 2019 and an 11% increase over FY 2018. However, OMB notes is that these amounts do not represent the entire cybersecurity budget “due to the sensitive nature of some activities.” Further, there is very little stated about DOD cyber activities beyond a top-line budget number, due to the sensitive and classified nature of these activities. Assuming that these classified areas also receive increases would mean that federal cybersecurity spending government-wide could see a one-year increase of much more than the 5% presented. (See chart below.)
Top Departments and Agencies
The bulk of federal cybersecurity funding in the FY 2020 budget is concentrated within the largest departments and among those with the largest cyber-related missions. These top ten departments account for nearly $15.6B in FY 2020 cybersecurity budgets, which is nearly 90% of the federal dollars in the public budget released by OMB. Further, these top ten in aggregate account for a 6% bump in cyber budgets. The other 14 CFO Act departments, (DOT, NSF, SSA, NASA, Ed, Interior, Labor, GSA, OPM, EPA, USAID, NRC, HUD and SBA) account for almost $1.5B in cyber funding for FY 2020, which represents 8.5% of the FY 2020 total, incur an aggregate budget decrease of -3% from the FY 2019 estimated enacted level. The non-CFO Act agencies, mostly small and independent agencies, account for a combined $372M (2.1%) in funding for FY 2020 and also together see a -3% decline from FY 2019. (See chart below.)
Top Five Civilian Department
Delving into the top five civilian departments shows where more than half of all civilian-segment budget dollars are allocated. DHS, Justice, Energy HHS and Commerce account for $4.2B (54%) of the total civilian cyber budget of nearly $7.8B. Homeland Security’s $1.9B alone accounts for 25% of civilian-wide cybersecurity budgets.
Probing further into the sub-department or bureau level allows us to see where nearly 80% or more of each department’s cyber budget is distributed. While not exhaustive, the table below depicts which bureaus get the most budget dollars at each department. These bureaus DHS, DOJ, DOE, HHS and DOC account for 79%, 95%, 85%, 83% and 87% of their department’s total cyber budget respectively. (See table below.)
NIST Framework Functions
OMB also provided a breakout of civilian CFO Act agency cybersecurity spending aligned to the NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, and Recover. The $7.4B in combined civilian CFO Act agency cybersecurity budgets for FY 2020 are allocated among these functions at $2.3B (30%), $2.7B (36%), $962M (13%), $1.3B (18%) and $213M (3%) respectively.
OMB reports that they continue to work with agencies to collect and analyze information on fee-based cybersecurity costs as well as gross and net appropriations or obligational authority and outlays. However, since agencies have not historically reported their cybersecurity budgets in this manner it appears to be on ongoing effort.