Breaking Down the CISA Budget Proposal: Critical Infrastructure, Federal Security Investments

The proposed budget for the Cybersecurity and Infrastructure Security Agency (CISA) in fiscal year 2023 reflects the targeted investments that the agency is focusing on as it continues to build out its operations to keep up with the complex threat landscape. Top investments supported by the budget include strengthened private-public sector partnerships and the expansion of security service offerings that aim to protect both federal and critical infrastructure networks against evolving security risks, as well as the ability to detect and respond to threats.

The budget proposed by the White House for fiscal year 2023 allocates $2.5 billion for CISA, an 18 percent ($377 million) increase over what was requested in fiscal year 2022. In a Thursday budget hearing, CISA Director Jen Easterly said that the amount requested this year for the budget “is sufficient with our mission” and reflects how CISA is expanding to grapple with sophisticated threat actors and vulnerable federal systems.

"Our nation faces unprecedented risk, and CISA is at the center of our national call to action," said Easterly. "In collaboration with our government partners, critical infrastructure entities, and international allies, and with the support of Congress, we will continue to make progress addressing this risk and maintaining the availability of critical services to the American people."

A large portion of the proposed allocation includes $1.5 billion for various cybersecurity programs and activities that enable CISA and its partners to detect, mitigate and respond to threats, which has been a pillar of CISA’s two-pronged strategy that revolves around defending government networks and securing the nation’s critical infrastructure. Part of this includes $71 million for CISA’s Joint Cyber Defense Collaborative (JCDC), launched last year, which brings together key government and private sector partners to build defense plans tackling ransomware, critical infrastructure security, and cloud security. This allocation represents an $18 million increase for JCDC over the previous fiscal year, pointing to how the collaborative has grown over the past nine months; in fact, CISA recently announced the addition of several new JCDC partners with expertise in identifying and mitigating threats to industrial control systems.

“Going forward, CISA will continue to build and mature the JCDC construct,” said Easterly. “We are focused on advancing our capability to create, exercise, and execute joint cyber defense plans. Our upcoming planning efforts focus on pipeline infrastructure; critical dependencies between the financial, energy, and telecommunications sectors; and collaboratively supporting defense of the Nation’s election infrastructure in preparation for the midterm elections.”

The budget proposal also supports efforts around threat detection and mitigation, including $407 million for the National Cybersecurity Protection System (NCPS) and $425 million for the Continuous Diagnostics and Mitigation (CDM) program, both of which aim to secure civilian executive branch agencies against threats, as well as $73 million to expand the Endpoint Detection and Response (EDR) initiative across executive branch departments and agencies and to support efforts to provide visibility into adversary activity targeting federal networks. A further allocation of $174 million would allow CISA to expand its cybersecurity service offerings for protecting federal networks against cyber threats. As part of this allocation, Easterly said the agency would have the capability to expand network protection across the federal civilian executive branch, as well as bolster various programs supporting cloud business applications, analytics and stakeholder engagement.

“Placing this funding into CISA’s base budget enables CISA and our partners to move forward knowing we can build on the progress made to date in critical operational and strategic cyber risk mitigation capabilities,” according to Easterly.

Critical infrastructure continues to be a top priority for CISA, with $175 million allocated for efforts to enhance critical infrastructure protection; $115 million for the National Risk Management Center (NRMC), a program that brings together sector and stakeholders to address the top significant threats to critical infrastructure and to coordinate ways to reduce risks; and $39 million for the CyberSentry program, a voluntary partnership with private sector critical infrastructure operators designed to detect malicious activity on these networks. CISA also requested an $80 million critical infrastructure cyber grant program that Easterly said would help entities “raise their cybersecurity baseline,” pointing to security challenges for water utilities in particular, as seen in the Oldsmar, Florida, utility cyberattack last year.

Other allocations include $187 million for integrated operations, which would help provide support to CISA stakeholders across the nation and $170 million for emergency communications to provide assistance and support for federal, state and local stakeholders.

Finally, an allocation of $250 million would support CISA’s “critical mission enabling initiatives,” including the establishment of CISA procurement operations, the implementation of key security improvements to the agency’s networks, the expansion of workforce assistance offerings and continued progress on building out CISA’s headquarters. The allocation, a $108 million increase over the FY 2022 budget, reflects how CISA has continued to build out its operations since its establishment in 2018 - and in particular over the past year - to match up against the looming threats over the past year, including the SolarWinds attack and Colonial Pipeline hack.

There are also a few programs that were funded in fiscal year 2022, but that now either have no line items or significantly lower budget allocations, noted Mark Montgomery, executive director of the Cyberspace Solarium Commission. These include investments in cyber exercises, sector risk management agency duties, vulnerability management infrastructure and a K-12 cybersecurity training program.

However, Montgomery said that the increase reflected in the fiscal year 2023 budget proposal is a “significant improvement” over the fiscal year 2022 budget, which was a 5 percent increase over the previous year.

“This [budget increase] quantitatively is closer to the challenge,” said Montgomery. “If we’re going to charge [CISA] with being the quarterback of the federal agency team and the public-private collaboration they need this money.”