President Biden signed the fiscal year (FY) 2022 omnibus appropriations bill today that will keep the Federal government funded through Sept. 30.
The spending measure, among other high points, authorizes substantial funding boosts for the Cybersecurity and Infrastructure Security Agency (CISA), and other cybersecurity measures. The bill also includes cyber incident reporting legislation for critical infrastructure operators, as well as funding for research and development (R&D) and emerging technologies.
The bill passed the House March 9 and the Senate March 10. Federal funding was initially set to expire March 11, but both chambers also passed a four-day continuing resolution that expires today.
“With this bill, we’re going to send a message to the American people, and a strong message,” President Biden said today at a bill-signing ceremony. That message, he said, is that “Democrats and Republicans can actually come together and get something done … to fulfill our most basic responsibilities – to keep the government open and running for American people.”
Cyber Funding Rundown
The bill gives bumps in cybersecurity funding to a few Federal agencies, with CISA’s budget being most notable.
The bill authorizes substantial increases to CISA’s budget for FY2022, with appropriators giving CISA $2.6 billion for the year. That figure is $568.7 million more than the agency received in FY2021 and $460 million more than requested by President Biden.
That funding includes increases for the agency’s cybersecurity operations, infrastructure security and integrated operations, emergency communications, and stakeholder engagement.
Among those increases, the agency received increases for a few programs that will benefit state and local governments, including:
- An $11 million increase for CISA’s Multi-State Information and Analysis Center, bringing funding for the information sharing and analysis center designed to share cyber threats, vulnerability, and analysis across state lines to $38 million for FY2022;
- An additional $20 million to begin to build out a Next-Generation 9-1-1 ecosystem program; and
- A $47.6 million increase in funding for Next-Generation Networks Priority Services.
Other CISA funding bumps include an additional $119.5 million for threat hunting, with the CISA CyberSentry program for critical infrastructure receiving an additional $95.5 million; a $64.1 million increase for its vulnerability management program; a $32.4 million increase to the Continuous Diagnostics and Mitigation (CDM) program budget, bringing the total CDM FY2022 budget to $357.8 million; an additional $47.7 million for infrastructure security and integrated operations; a $45.7 million bump for risk management operations; and a $19 million increase for stakeholder engagement and requirements programs.
Elsewhere in the budget, the departments of Energy (DOE) and Treasury (Treasury) each received funding increases to their cybersecurity programs.
DOE received a $29.8 million bump for Cybersecurity, Energy Security, and Emergency Response purposes, bringing the program total to $185 million. The agency also received more funding for energy and electricity resiliency.
Treasury received $80 million for its Cybersecurity Enhancement account, which represents a $62 million increase that appropriators said will deal with the effects of the SolarWinds supply chain security attack. Treasury also received $161 million for its Financial Crimes Enforcement Network (FinCEN), a $34 million boost over FY2021 levels as the unit goes harder after crimes involving cryptocurrency.
Incident Reporting
The bill also signals a huge win in the fight for comprehensive incident reporting legislation, as critical infrastructure owners operators will now be required to report any significant cyber events to the government within 72 hours.
Such requirements have been sought by those in Congress and Federal cyber defenders, who were stunned that the measure did not make it into the FY2022 National Defense Authorization Act.
R&D, Emerging Tech, and More
The bill also authorizes significant increases in R&D funding for the Department of Defense (DoD), DOE, and the Department of Health and Human Services (HHS). There are also increases in funding for rural critical infrastructure and broadband, and artificial intelligence tech.
DoD’s Defense Advanced Research Projects Agency will receive $3.87 billion and DOE’s Advanced Research Projects Agency will receive $450 million. The bill also includes $1 billion to create an Advanced Research Projects Agency for Health (ARPA-H).
Rural broadband and critical infrastructure will also receive investments in FY2022 including $7.9 billion in loan authority for rural electric and telephone infrastructure loans, and a $550 million investment to increase the availability of rural broadband.
DoD will receive $200 million for an Artificial Intelligence Development Fund and $50 million to build an AI-focused workforce.
Notably, Federal IT modernization accounts drew the metaphorical short straw. The General Services Administration’s (GSA) Technology Modernization Fund receiving $0 in FY2022 appropriations, the Office of Management and Budget’s IT Oversight and Reform (ITOR) Fund saw its funding cut to $8 million in FY2022, from $12.5 million in FY2021, and GSA’s Federal Citizen Services Fund received $55 million for FY2022, in line with the previous year.
