- Through the American Jobs Plan, $2 billion to modernize and secure federal, state, and local IT networks, protect critical infrastructure and utilities, and support public or private entities as they respond to and recover from significant cyberattacks and breaches.
- $1 billion toward the GSA information Technology Modernization Fund (TMF) through 2025.
- $650 million for CISA through 2023 to modernize its cybersecurity risk mitigation mechanisms, notably, the National Cybersecurity Protection System, EINSTEIN, and the Continuous Diagnostics and Mitigation program.
- $200 million for the U.S. Digital Service through 2024.
- $150 million for the Federal Citizen Services Fund through 2024.
- These funding levels falls short of President Biden’s initial proposal for $10 billion in cybersecurity.
Enhancing Accountability and Multi-stakeholder Collaboration
- Executive Order to America’s Supply Chains: This executive order is closely aligned with the administration’s economic competitiveness policy priority. In June 2021, the administration announced the findings of its 100-day review on how to strengthen critical supply chains of medicines, batteries, minerals, and semiconductors.
- Executive Order on Improving the Nation’s Cybersecurity: This executive order mandates a minimum cybersecurity standard for all software procured by the federal government and notably calls for enhancing software supply chain security. It also establishes a Cyber Safety Review Board, which will serve as the primary method for coordinating between and among federal agencies in response to a significant cyber incident. The Board’s establishment comes following the Colonial Pipeline incident, where the company did not notify CISA of the ransomware attack but did notify the FBI. Secretary of Homeland Security Alejandro Mayorkas, in consultation with Attorney General Merrick Garland, will manage the board and the execution of the recommendations provided by it.
- National Security Memorandum, Improving Cybersecurity for Critical Infrastructure Control Systems: This memo establishes the Industrial Control Systems Cybersecurity Initiative to promote communication between the federal government and private industry in protecting critical infrastructure against cyberattacks. It establishes cybersecurity performance goals and seeks to protect several infrastructure sectors, beginning with the electricity industry, natural gas pipelines, and water systems. The initiative will be run through the U.S. Department of Homeland Security.
- Existing forums at the national level for cooperation include the Critical Infrastructure Partnership Advisory Council, InfraGard, the Digital Connectivity and Cybersecurity Partnership (DCCP), and the Biennial National Cyber Exercise, among others.
Notable Cyber Legislation in Congress
- Cyber Diplomacy Act: The U.S. House of Representatives Committee on Foreign Affairs passed a bill in April 2021 requiring the Department of State to develop a strategy for promoting norms in cyberspace, create a cyber-diplomacy ambassador role, and establish a Bureau of International Cyberspace Policy. The goal of the act is to cultivate stronger partnerships between the U.S. and its allies to combat cyberattacks and address cybersecurity with “a unified approach.”
- Endless Frontiers Act: A bipartisan, bicameral piece of legislation that seeks to invest in U.S. domestic technology and cyber security education, manufacturing, and the establishment of a new Supply Chain Resiliency and Crisis Response Program with the mission of strengthening critical technology supply chains in the U.S. and with allies and partners.
- Strategic Competition Act: In June 2021, the Strategic Competition Act was passed by Congress. The act focuses on U.S.-China relations with a goal of strengthening American competitiveness via investments in science and technology, global infrastructure development, digital connectivity, and cybersecurity partnerships to counter Chinese influence.
- Federal Breach Notification Bill: The Senate has drafted legislation that would require federal agencies, contractors, and businesses that have oversight of critical infrastructure to report significant cyberthreats to CISA within 24 hours of discovery. Security experts warn that the notification deadline would not give organizations enough time to fully assess the severity of an attack and that the lack of specificity in the request will make it difficult for the private sector to parse out what constitutes a “significant cyberthreat” and when to notify CISA that such an event has occurred.
- State and Local Cybersecurity Improvement Act: Establishes a $400 million DHS grant program that incentivizes states to increase funding for cybersecurity in their budgets, requires CISA to develop a strategy to improve state and local security, and establishes a state and local Cybersecurity Resiliency Committee comprising state, local, tribal, and territorial governments to advise and provide situational awareness to CISA regarding the cybersecurity needs of those governments. Local governments, in particular, have been targets of ransomware attacks, with analysts estimating that the cost totaled $18.88 billion in downtime and recovery costs in 2020.
- Cybersecurity Vulnerability Remediation Act: This legislation authorizes CISA to disseminate information to the public about vulnerabilities in software and hardware of information systems. It notably also establishes an award program to encourage researchers to disclose such vulnerability to the agency and strengthens the requirements of private companies to report cyber breaches to the government.
- Cyber Sense Act of 2021: The bill directs the U.S. Department of Energy to establish a voluntary “Cyber Sense” program that would identify and promote cyber-secure products for use in bulk power systems. It also establishes a testing process for the products, along with a reporting process for cybersecurity vulnerabilities. The bulk power systems include facilities and control systems necessary for operating an interconnected energy transmission network and electric energy needed from generation facilities to maintain transmission system reliability.
- The DHS Industrial Control Systems Capabilities Enhancement Act: This legislation instructs CISA to lead federal efforts to better identify and respond to threats against Industrial Control Systems (ICS), which are critical to managing critical infrastructure networks. It also requires that CISA provide technical assistance to public- and private-sector entities on how they can work to identify and mitigate vulnerabilities to their operational technology (OT) systems. The bill passed in the U.S. House as part of the July 2021 package of homeland security legislation.