FY 2022 Omnibus – Key Information Technology and Cybersecurity Provisions

Congress recently passed the Consolidated Appropriations Act, 2022, providing $1.5T in total discretionary funding for federal departments and agencies for the entire 2022 fiscal year (FY), plus support to Ukraine during the current invasion crisis.

Among its comprehensive provisions, the omnibus includes funding for agency information technology (IT) operations and modernization as well as targeted funding for cybersecurity. In addition, the bill includes numerous government-wide and agency-specific policies directly impacting IT and cybersecurity across the federal government and beyond.

While not exhaustive, here are many of the noteworthy provisions that either directly relate to IT and cybersecurity or have relevance to agency technology programs and acquisitions.

Government-wide Provisions

IT Modernization

The omnibus provides “a mixed bag” for IT modernization, as described by FedScoop. The bill provides $8M for the Office of Management and Budget’s IT Oversight and Reform Fund, down $4.5M from FY 2021, and no new funding for the Technology Modernization Fund (TMF). The General Services Administration’s Federal Citizen Services Fund (FCSF) gets $55M, which is the same as in FY 2021.

Cybersecurity

• Cyber Incident Reporting for Critical Infrastructure Act of 2022 –  The omnibus was amended to include this bill, which requires private infrastructure owners and operators to report significant cyber incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the company “reasonably believes that the covered cyber incident has occurred.” Companies would also have to alert CISA within 24 hours of the firm making any ransomware payments. Final determinations about key implementation rules now fall to CISA, where the process could take more than three years before its provisions are enforceable, according to Nextgov.
• Prohibitions on Huawei and ZTE Acquisitions – The omnibus continues the prohibition on the acquisition of telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation for a high or moderate impact information system, as defined by the National Institute of Standards and Technology (NIST), unless the agency has reviewed the supply chain risk against NIST criteria and against available threat information from the Federal Bureau of Investigation (FBI) and assessed the risk of cyber-espionage or sabotage. Agencies pursuing such acquisitions must develop a risk mitigation strategy and show the acquisition is in the vital national security interest.

Chief Information Officer Authorities

• Congress directed each executive branch agency head to ensure that their agency Chief Information Officer (CIO) “has the authority to participate in decisions regarding the budget planning process related to information technology.” Related CIO authority provisions are peppered throughout the bill.

Buy American Act

• Congress lifted the “restriction on purchasing nondomestic articles, materials, and supplies set forth in … the Buy American Act” to promote government access to commercial IT solutions. Buy American no longer applies to the federal acquisition of information technology.

Department and Agency Provisions

Agriculture

• Provides $1.2B for the Farm Service Agency, up to 50% of which may be used for IT related programs consistent with the Farm Service Agency IT Roadmap. Up to $20M may remain available through FY 2023 for IT expenses.
• Provides $4M for IT infrastructure at the Animal and Plant Health Inspection Service.
• Funds the Food Safety and Inspection Service with $1B, which includes an increase of $5M for information technology modernization.
• Provides $300M for Rural Development, including $2M for IT development, modernization, or enhancement. Up to $20M may remain available through FY 2023 for IT expenses.
• Allocates $85M for the Office of the Chief Information Officer, including $70M for cybersecurity requirements.
• Includes $1M for the National Institute of Food and Agriculture for Research and Education Activities to develop a public-private cooperative framework based on open data standards for neutral data repository solutions to preserve and share the big data generated by technological advancements in the agriculture industry and for the preservation and curation of data in collaboration with universities.           
• Congress authorized the Agriculture Secretary to transfer unobligated discretionary funds to the department Working Capital Fund (WCF) “for the acquisition of property, plant and equipment and for the improvement, delivery, and implementation of financial, and administrative information technology services, including cloud adoption and migration.”

Commerce

• Appropriates $30M for technology modernization projects and cybersecurity risk mitigation, of which up to $20M is for business application system modernization. These funds are good through FY 2024.
• Funds the U.S. Patent and Trademark Office (USPTO) with $4.1B, an increase of $363M, in support of technological and innovative advancements.

Defense

• The omnibus provided top-line amounts for the various large appropriations categories, i.e. Operations and Maintenance (O&M), Procurement, Research, Development, Test and Evaluation (RDT&E), etc. for Defense-wide and the military departments (MILDEP). While these categories encompass IT programs, the bill did not provide details of IT-specific allotments. For details on the Defense component appropriations, etc. see our FY 2022 Omnibus Market Brief.
• The omnibus restricts the DOD to using the new or prior appropriated funds “for the agile research, development, test and evaluation, procurement, production, modification, and operation and maintenance, only for the following Software and Digital Technology Pilot programs: (1) Defensive Cyber—Software Prototype Development (PE 0608041A); (2) Risk Management Information (PE 19 0608013N); (3) Maritime Tactical Command Control (PE 21 0608231N); (4) JSpOC Mission System (PE 1203614SF); (5) National Background Investigation Services (PE 0608197V); (6) Global Command and Control System-Joint (PE 0308150K); (7) Algorithmic Warfare Cross Functional Team (PE 0308588D8Z); and (8) Acquisition Visibility (PE 0608648D8Z). No funds may be used to initiate additional Software and Digital Technology Pilot Programs in FY 2022. (Emphasis added.)

Energy

• Funds the Advanced Research Projects Agency-Energy (ARPA-E) with $450M to support development of innovative energy technologies addressing national economic, environmental and security challenges.
• Supplies the Office of Cybersecurity, Energy Security and Emergency Response with $186M to reduce cyber risk, combat threat, and ensure security of U.S. energy infrastructure.

Health and Human Services

• Funds the Centers for Disease Control (CDC) at $8.5B, which includes $100M to modernize public health data surveillance and analytics and $180M for the National Center for Health Statistics.
• Food and Drug Administration (FDA) funding includes $1M for the Data Modernization and Enhanced Technology Initiative. Within crosscutting, agency-wide support initiatives, the bill provides $3M for data modernization and enhanced technologies.
• The Office of the National Coordinator for Health Information Technology (ONCHIT) receives $64M in funding, including grants, contracts, and cooperative agreements, for the development and advancement of interoperable health information technology.

Homeland Security

• Funding for Customs and Border Protection (CBP) includes $256M for border technology, $87M for non-intrusive inspection systems, and $10M for Port of Entry Technology.
• Transportation Security Agency (TSA) funding includes $131M for Computed Tomography (CT) screening equipment and credential authentication and standoff detection technology.
• Provides $2.6B for the Cybersecurity and Infrastructure Security Agency (CISA) split into the following investment areas:
  • $272M to support Cybersecurity Operations, including $120M more for threat hunting programs
  • $358M for the Continuous Diagnostics and Mitigation (CDM) program
  • $48M for Infrastructure Security and Integrated Operations
  • $79M for Emergency Communications
  • $46M for Risk Management Operations.
• Allots $886M for the Science and Technology Directorate (S&T).
• Congress established the DHS Nonrecurring Expenses Fund for IT system modernization and facilities infrastructure improvements, subject to approval by the Office of Management and Budget (OMB) and notification of the congressional appropriations committees. Beginning with FY 2022 and going forward, unobligated balances of expired DHS discretionary funds may be transferred to the fund (up to five FYs after originally appropriated).
• Congress also requires DHS to notify and submit detailed copies to the congressional appropriations committees of any DHS initial project proposals to the Technology Modernization Fund (TMF), with analysis of how the TMF funding would supplement or supplant funding requested in DHS’s most recent budget submission.

Housing and Urban Development (HUD)

• Provides $323M for department-wide and program-specific information technology systems and infrastructure, available through FY 2024, including $40M for development, modernization, and enhancement projects, including project planning.

Interior

• Allocates $91M for the DOI Working Capital Fund, for the operation and maintenance of a departmental financial and business management system, information technology improvements, cybersecurity, and the consolidation of facilities and operations.

Justice

• Provides $38M for DOJ information sharing technology, including planning, development, deployment and departmental direction. The bill also authorizes the Attorney General to transfer up to $40M in DOJ IT funds to this account for enterprise-wide information technology initiatives.
• Includes $50M for DOJ DC offices supporting legal activities, for litigation support contracts and information technology projects, including cybersecurity and hardening of critical networks.
• Contains $632M for FBI facilities construction activities, including equipment, furniture, and information technology requirements, and operation and maintenance of secure work environment facilities and secure networking capabilities.
• Supplies $5M for National Security Division IT systems.
• Requires the Attorney General to use $5M from FY 2021 to establish a task force on law enforcement oversight, with an additional $5M from FY 2021 to develop databases to track excessive use of force and officer misconduct.
• The bill restricts funding any new or enhanced IT program having total estimated development costs in excess of $100M unless the DOJ certifies to Congress that the IT program has appropriate program management controls and contractor oversight mechanisms in place, and that the program is compatible with DOJ’s enterprise architecture.
• Under supplemental funding for Ukraine assistance, the bill includes $44M to the FBI to heighten cyber threat response, counterintelligence and cryptocurrency activities including the creation of the Kleptocracy Asset Recovery Initiative (KARI) to detect violations of Russian sanctions. The bill allots $15M to Justice’s legal division, in part to develop data analytics to address complex sanctions cases. The bill also provides $1M to the National Security Division to support the DOJ Ukraine Task Force work on export control, sanctions and cybersecurity.

Labor

• Supplies $28M for DOL centralized infrastructure technology investment activities related to support systems and modernization.
• Congress authorized the Labor Secretary to transfer annually to the DOL Working Capital Fund (WCF) unobligated balances in the department’s salaries and expenses accounts and discretionary grants accounts to be used “for the acquisition of capital equipment and the improvement of financial management, information technology, infrastructure technology investment activities related to support systems and modernization, and other support systems.” $9M in unobligated balances from each account may be transferred to the WCF from previous yearly DOL appropriations and $18M in unobligated balances from each account may be transferred starting with this FY 2022 appropriation and going forward. The funds are then available for five fiscal years after the fiscal year of the transfer.

National Aeronautics and Space Administration

• Provides $1.1B to research, develop and maintain space technologies.
• Requires the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to assess the supply chain risk per relevant NIST standards before acquiring a high-impact or moderate impact information system.

State and US Agency for International Development (USAID)

• Contains $78M for programs to promote Internet freedom globally, including the continued development of open-source technologies that provide or enhance access to the Internet and anti-censorship technology and tools. Funds must support open-source technologies that undergo comprehensive security audits based on State Department requirements to ensure the technology is secure and has not been compromised.
• Under supplemental funding for Ukraine assistance, the bill provides an additional $125M for Diplomatic Programs, up to $50M of which may be transferred and used under the Capital Investment Fund for cybersecurity and related information technology investments.
• The bill requires “the concurrence of the Chief Information Officer” before FY 2022 funds may be used for any new major IT programs.

Transportation

• Contains $20M for the Office of the Chief Information Officer. Also includes $5M to upgrade departmental financial systems and re-engineer business processes.
• Provides $51M for the Office of the Assistant Secretary for Research and Technology.
• Allots $39M for cybersecurity initiatives, including necessary upgrades to network and information technology infrastructure, improvement of identity management and authentication capabilities, securing and protecting data, implementation of federal cyber security initiatives, and implementation of enhanced security controls on agency computers and mobile devices.
• Within Motor Carrier Safety Operations and Programs at the Federal Motor Carrier Safety Administration, the bill provides $14M for the research and technology program and $41M for development, modernization, enhancement, continued operation, and maintenance of information technology and information management. Both amounts are available through FY 2024.

Treasury

• Provides and $275M for Business Systems Modernization.
• Includes $80M for the department’s Cybersecurity Enhancement Account, an increases of $62M.
• Includes $34M to Treasury Departmental Offices to be used for the Treasury-wide Financial Statement Audit and Internal Control Program; information technology modernization requirements; the audit, oversight, and administration of the Gulf Coast Restoration Trust Fund; the development and implementation of programs within the Office of Cybersecurity and Critical Infrastructure Protection.
• The IRS is required to report quarterly to the congressional appropriation committees on the status of their major IT investments in the IRS Integrated Modernization Business Plan portfolio. The IRS must also include in its FY 2023 budget justification a summary of cost and schedule performance information for its major IT systems.

Social Security Administration

• Congress authorized that any unobligated balances at the end of FY 2022 will remain available to invest in SSA “information technology and telecommunications hardware and software infrastructure, including related equipment and non-payroll administrative expenses associated solely with this information technology and telecommunications infrastructure.” The bill appropriates $13.2B in total for SSA for all programs and activities.
• SSA’s Office of Inspector General receives $2M for IT modernization.

Veterans Affairs

• Appropriates $4.8B for information technology systems and telecommunications support, including developmental information systems and operational information systems; of which $1.4B is for pay and associated costs (up to 3% of which will be available through FY 2023); $3.1B is for operations and maintenance (up to 5% of which will be available through FY 2023) and $297M is for IT systems development, available through FY 2023.
• Allocates $2.5B for the Electronic Health Record Modernization program with continued strong oversight.

Other Agencies

• The Corporation for Public Broadcasting (CPB) receives $20M for replacing and upgrading the public broadcasting interconnection system and other technologies and services that create infrastructure and efficiencies within the public media system.
• The Government Publishing Office (GPO) receives $11M for their Business Operations Revolving Fund for information technology development and facilities repair.
• The Office of Management and Budget (OMB) receives an additional $8M for IT Oversight and Reform, “for the furtherance of integrated, efficient, secure, and effective uses” of IT across the government. OMB may transfer these funds to one or more other agencies to carry out projects to meet these purposes.
• The General Services Administration (GSA) receives $55M for the Federal Citizens Services Fund to support interagency e-Government projects that enhance their ability to conduct agency activities electronically through the development and implementation of IT innovation.
• The Office of Personnel Management (OPM) gets an additional $8.8M for IT infrastructure modernization and Trust Fund Federal Financial System migration or modernization.

_____

See our recent FY 2022 Omnibus Market Brief for a look at the overall bill and funding priorities of the top departments and agencies.