New COVID Relief Bill’s $650M Cybersecurity Funds are Just a Down Payment, CISA Says

Published: March 11, 2021


Leadership of the Cybersecurity and Infrastructure Security Agency tells Congress that still more funding will be needed to fully achieve its mission.

The $1.9 trillion American Rescue Plan Act of 2021 (ARP) passed by Congress on March 10 focuses primarily on COVID-19 relief. However, the bill also appropriates funds for various other priorities, including $650 million for the Cybersecurity and Infrastructure Security Agency (CISA) for cybersecurity risk mitigation in the wake of the highly publicized SolarWinds breach and Microsoft Exchange Server vulnerability revelations. (Congress made these new funds available through September 30, 2023.)

The $650 million is in addition to the $2.0 billion Congress appropriated for CISA for FY 2021, including $1.2 billion for the protection of civilian federal networks and $716 million for the National Cybersecurity Protection System and Continuous Diagnostics and Mitigation program.

What Will Federal Civilian Cybersecurity Really Cost?

Is roughly $2.6 billion a year for CISA sufficient to the task of getting federal civilian agencies on a more solid cybersecurity footing? Not likely, given the challenge.

On the morning of the ARP vote, in a hearing of the Department of Homeland Security (DHS) Subcommittee of the House Appropriations Committee focusing on modernizing federal civilian agency cybersecurity, Brandon Wales, CISA’s Acting Director, and Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, updated lawmakers on areas of needed agency cybersecurity growth in the aftermath of SolarWinds and the broader COVID-19 response.

In their responses to questions from lawmakers that ranged from EINSTEIN and the Continuous Diagnostics and Mitigation (CDM) program to SolarWinds and industrial control system security, both Wales and Goldstein emphasized, multiple times throughout the hearing, that the new $650 million being provided in the ARP “is a down-payment” on what is needed to make improvements to federal cybersecurity. This new funding “accelerates the process, but agencies will need more resources to fully build out additional defenses.”

When asked by Appropriations Committee Chairwoman Rosa L. DeLauro, who joined the subcommittee hearing, what would be the full cost and the schedule for getting civilian agencies up to snuff on cybersecurity, Wales and Goldstein balked, understandably so, leaving the strong impression that even the experts are unsure exactly how many resources and how much effort it will take. Yet they assured the committee members that their efforts are making a significant positive impact and that agencies are making steady progress in the midst of a rapidly and constantly changing technological environment.

To make matters more curious, on this same day the Government Accountability Office (GAO) released a report assessing CISA’s organizational transformation efforts entitled “CISA: Actions Needed to Ensure Organizational Changes Result in More Effective Cybersecurity for Our Nation.” As if the title alone does not say enough, in its assessment GAO found that more than half of CISA’s overdue tasks centered on “finalizing the mission-essential functions of CISA's divisions and issuing a memorandum defining incident management roles and responsibilities across CISA.” GAO concluded these tasks “appear to be critical to CISA's transformation initiative and accordingly its ability to effectively and efficiently carry out its cyber protection mission. [… and] impair the agency's ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage” (i.e., SolarWinds).

As Congress awaits the FY 2022 budget request from the Biden Administration and proceeds through the budget appropriations process, it seems more likely than ever that members will continue to ask the question, “How much money and effort is it going to take to secure federal agencies?” We will see what price tag CISA and the White House put forward.