Cybersecurity Budgets Set for Strong Growth in FY 2022

One clear theme throughout the recently released FY 2022 President’s Budget Request is that strengthening the cybersecurity posture of federal agencies is among the highest IT budget priorities and an important component of the administration’s IT modernization efforts.

Civilian Department Cybersecurity

The budget request released by the Office of Management and Budget (OMB) includes nearly $9.9B for civilian agency cybersecurity-related activities. This would be a $1.2B increase from the FY 2021 enacted level – representing nearly 14% year-to-year growth. This would be a $2B (+25.9%) increase over the FY 2020 level.

OMB’s cybersecurity budget priorities for FY 2022 continue to build on the sustained efforts to improve civilian agency cyber- postures through existing programs such as Continuous Diagnostics and Mitigation (CDM) and federal cyber workforce initiatives. Other priorities to reduce risk to agency information assets include:

• Improve agency Supply Chain Risk Management (SCRM) programs, reduce enterprise risk through exclusion and removal of vulnerable technologies and establish SCRM acquisition standards.
• Increase cross-sector collaboration through agency Coordinated Vulnerability Disclosure (CVD) programs to resolve and disclose cybersecurity vulnerabilities in affected products and services.

Government-wide Cybersecurity Funding priorities include:

• $500M for the Technology Modernization Fund (TMF) to support agencies as they modernize and secure legacy systems. This is in addition to the $1B provided for TMF in the American Rescue Plan (ARP).
• $110M budget increase for the Cybersecurity and Infrastructure Security Agency (CISA) to reach $2.1B for FY 2022.
• $750M for a Cybersecurity Reserve fund to aid federal agencies adversely impacted by SolarWinds, etc.
• $20M for a new Cyber Response and Recovery Fund to improve national critical infrastructure cybersecurity response.

Top Ten Civilian Departments

The ten civilian departments with the largest cybersecurity budgets for FY 2022 account for $7.9B in funding and account for 80% of the total civilian cyber budget. At more than $2.4B and given its enterprise cybersecurity mission the Department of Homeland Security (DHS) doubles the next largest department, which is Justice at $1.2B.  (See chart below.)

When taken together these top ten departments have a combined average year-to-year growth rate of 16% for FY 2022, although the growth rate varies among departments. Other observations include:

• State, Justice, Treasury and HHS reflect the largest proposed budget gains from FY 2021 at 40%, 33%, 27% and 20% respectively.
• Not all departments see growth for FY 2022, although declines are rare. Among the top ten departments only Commerce and Veterans Affairs see reductions at -11% and -5% respectively.
• Although not among the largest 10 departments represented above, three other departments have double-digit cyber- budget growth for FY 2022: Education at $225M, +36%; NASA at $187M, + 21%; and Interior at $144M, +16%.

Department of Defense (DOD) Cybersecurity

Unlike previous budgets, OMB did not report a DOD cybersecurity budget for FY 2022. And while DOD has not yet released details of their FY 2022 IT and cybersecurity budgets, in their budget release highlights briefing DOD listed $10.4B committed to Cyberspace Activities (CA) for the new budget year. CA includes both traditional cybersecurity protections as well as broader cyber warfighting capabilities, so these budget dollars address a broader scope than civilian agencies. For comparison, last year’s DOD FY 2021 budget request stated an enacted budget for FY 2020 of $9.8B, so a FY22 CA budget of $10.4B would be a $600M (+6%) increase.

DOD’s FY 2022 CA priorities include increased capabilities in Identity, Credential and Access Management (ICAM); Comply-to-Connect (C2C); Automated Continuous Endpoint Monitoring (CAEM) to accelerate a Zero Trust Framework; improved integrated cyber capabilities to support Combatant Command cyber operations; more effective risk mediation of critical infrastructure vulnerabilities and the Defense Industrial Base (DIB). DOD also is expanding their Cyber Mission Force (CMF) by 4 teams from 133 to 137 and continues development of the Joint Cyber Warfighting Architecture (JCWA) to provide secure connect and integrated capabilities to the CMF.

Implications

White House cybersecurity priorities will continue to raise the profile and scope of the Cybersecurity and Infrastructure Security Agency’s mission with the federal landscape and beyond. Cross-sector efforts span policy and operational directives. Therefore, contractors should proactively stay informed of rapidly evolving federal cybersecurity efforts that impact agencies as well as private firms within and beyond the public sector. If you are not already doing so, engage with industry sector councils and other collaborative bodies to both stay informed and contribute to the direction of this changing landscape.

From looking at the budget it is clear that federal cybersecurity priorities will simultaneously span broad areas of basic cyber hygiene, infrastructure modernization and advanced detection and response capabilities. Zero Trust Architectures, identity solutions and machine-augmented capabilities will continue to advance. Vendor supply chain security will remain a focus and continue to transform federal acquisitions at all levels. Contractors should assess and adjust their supply chain security approaches to meet the increasing scrutiny and requirements from agencies to procure trusted solutions. Stay informed of changes to acquisition policies and rules as they emerge.

The budget also includes support for cybersecurity-related research and development, such as cybersecurity data analytics. Advancing new and more effective and efficient cyber- capabilities is a priority for the White House, DHS and others. This will present opportunities for innovation, collaboration and strategic partnerships.

Finally, the State Department and other international efforts will continue to raise the priority of cybersecurity, emerging technologies and U.S. competiveness as elements of U.S. foreign policy, impacting market opportunities domestically and abroad.