Is DHS’s Cybersecurity Agency Up for a Huge Budget Increase?
Published: May 06, 2021
Agency leaders and members of Congress are calling for hundreds of millions of dollars in new cybersecurity funding in fiscal 2022, with more to come.
The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) has been charged with an expansive mission and CISA leadership continues to tie funding increases to mission success. This message is being echoed by members of Congress who are calling for a 20% increase in CISA’s $2 billion budget, potentially on the way to a doubling of its budget over the next few years.
CISA’s Top Mission Priorities
In a presentation at the recent FedScoop IT Modernization Summit, Matt Hartman, CISA’s Deputy Executive Assistant Director for Cybersecurity, outlined CISA’s recent and ongoing efforts to meet their mission to address federal cybersecurity challenges and secure federal networks. The following elements and others are driving CISA’s appeal for increased cybersecurity funding for itself and other agencies.
- Enterprise Approach – The federal government needs to view itself and operate as an enterprise. One of CISA’s goals is to ensure each agency manages cybersecurity risk in a way that is consistent with the broader federal enterprise. This was evident in the steps taken to modernize cybersecurity across federal agencies in response to the recent SolarWinds and Microsoft Exchange incidents.
- Centralized Operational Visibility – An enterprise mentality also drives the need for greater centralized visibility into agency networks, including the ability to rapidly detect threats at any one agency so as to prevent adversaries from achieving their objectives at others.
- Information Sharing and Reporting – One of CISA’s roles is to serve as a hub for info-sharing and incident reporting for agencies. To be most effective, CISA must be the recipient of threat and incident information from agencies (and the private sector) to leverage that information for government-wide security and beyond. They also provide operational technical assistance, including threat information dissemination, vulnerability assessments, and incident response services – aspects that were highlighted during the recent incidents.
- Shared Services – Additional and more robust cybersecurity shared services will allow CISA to leverage cyber subject matter expertise to define requirements a single time and roll them out across all of the 102 federal civilian departments and agencies. CISA is continuing plans to build upon its existing guidance, assistance and offerings (e.g. CDM and NCPS/EINSTEIN) to better manage vulnerabilities.
- Streamlined Cybersecurity Services – A major focus of CISA going forward is to streamline cybersecurity services across the federal enterprise to address the capability and capacity gaps between the large departments and small/independent agencies. CISA plans to use their Cyber Quality Service Management Office (QSMO) online government marketplace for shared cybersecurity services as part of a broader effort to streamline how these services are managed across the federal civilian enterprise. In 2021, CISA is on track to provide three services designated by OMB: 1) a vulnerability disclosure platform, 2) a protective Domain Name System (DNS) resolver, and 3) an optimized approach to delivering security operations services across the government. CISA also plans to integrate their QSMO offerings with their existing programs (CDM and NCPS) to provide a holistic set of cyber services to agencies and centralized visibility for CISA analysts. All of this will follow an iterative process they hope to expand to non-federal entities.
Sustained Dual-Path Funding for Cybersecurity and IT Modernization
To meet the challenge of getting federal cybersecurity to where it needs to be, Hartman underscored the need for sustained investment in cybersecurity and IT modernization over time, for CISA and all federal agencies. He advocates for an integrated and coordinated dual-path approach to security funding: 1) funding to provide a security foundation across civilian agencies, and 2) funding for each agency to modernize and further mature their IT infrastructures, i.e. via the Technology Modernization Fund (TMF).
Hartman’s message is consistent with what we have seen in the recent American Rescue Plan Act (ARPA) that included billions of dollars for federal IT. Even before the bill was passed, CISA leadership was on the record saying that the COVID relief bill’s additional $650 million for CISA is “a down payment” on what is needed to make improvements to federal cybersecurity. The bill also included an additional $1 billion for the TMF that will likely go toward government-wide initiatives to improve agency cybersecurity.
CISA’s increased funding message has support among Cyberspace Solarium Commission leaders in Congress. Representatives Jim Langevin (D-RI) and Mike Gallagher (R-WI) have written to the House Appropriations Committee leadership urging them to increase CISA’s fiscal year (FY) 2022 budget by at least $400 million. This would be a nearly 20% increase from its FY 2021 appropriation of just over $2 billion and is independent of the funds appropriated in ARPA.
This may be only a start, given Congress’s continued expansion of CISA’s authorities, responsibilities and requirements as shown in numerous provisions in the FY 2021 National Defense Authorization Act. Mark Montgomery, the Commission’s executive director, believes that CISA’s current $2 billion budget is significantly underfunded given their expanding mission. He thinks that CISA’s budget could easily grow to be between $3-4 billion in the next four or five years.