The Cybersecurity and Infrastructure Security Agency (CISA) is slated to receive $2.8 billion in fiscal year (FY) 2024 under a government funding package lawmakers unveiled on Thursday – marking a more than $34 million cut from the FY2023 level and leaving some key cybersecurity programs funded at sharp discounts to amounts the White House proposed.
The House passed the second minibus package of six appropriations bills today, totaling $1.2 trillion, on a vote of 286 – 134. The Senate had not voted on the funding bills by late Friday, but was expected to approve them and largely avert a shutdown affecting 70 percent of operations when continuing resolution funding expires at midnight on Friday.
Under the Department of Homeland Security Appropriations Act of 2024, CISA will receive $823.1 million for the operation and modernization of cyber defense technology and tools; $819.3 million for cyber operations, including vulnerability management and threat hunting; and $130.2 million for operations, testing, and improvements to emergency communications.
According to the House Republicans’ summary of the bill, the $34.1 million reduction includes $25.8 million in “redundant or duplicative programs.”
The funding package is $183.3 million below what President Joe Biden requested for the cyber agency in FY2024. The White House’s latest proposed cybersecurity budget would pour an additional $103 million into CISA for next year, increasing its total allocation to $3 billion.
Top-line funding levels are hewing to the terms of the Fiscal Responsibility Act approved by Congress in June 2023.
That law increased the U.S. national debt limit through early 2025, allows for a 3.3 percent increase in defense spending for FY2024, caps Federal non-defense discretionary spending in FY2024 close to FY2023 levels, and limits non-defense spending increases to one percent in FY2025.
“House Republicans made a commitment to strategically increase defense spending, make targeted cuts to overfunded non-defense programs, and pull back wasteful spending from previous years. I am proud to say that we have delivered on that promise, and this bill is proof,” House Appropriations Chairwoman Kay Granger, R-Texas, said on March 21.
“We had to work within difficult fiscal constraints—but this bipartisan compromise will keep our country moving forward, and I hope all of my colleagues will work with us to get it signed into law as soon as possible. Let’s finish the job,” Senate Appropriations Committee Chair Patty Murray, D-Wash., said.
CDM, CADS, CIRCIA: Major CISA Initiatives Take Cuts
The FY2024 bill includes $73.9 million to implement requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a $23.8 million decrease from the White House’s request. Once in effect, CIRCIA will require critical infrastructure entities to report breaches to CISA within 72 hours and ransomware payments within 24 hours.
CISA is required to publish a notice of proposed rulemaking for the incident reporting requirements by the end of this month. The agency then has another 18 months to finalize the rules before they go into effect.
CISA’s Continuous Diagnostics and Mitigation (CDM) program was enacted in the latest bill at $60 million below the requested budget. Additionally, the agency’s Cyber Analytics Data System (CADS) was enacted $21.5 million below the budget request.
The agency’s zero trust architecture was funded just under $19 million, a $2 million decrease from the requested amount for FY2024.
In one of the few places CISA’s budget didn’t get slashed, the agency should expect a $2 million boost to support training and workforce development within the Cyber Defense Education and Training program.
The $34 million reduction for FY24 is nowhere near the 25 percent cut House Republicans wanted to make to CISA’s budget for this year, attempting to fund the agency below FY2022 levels around $2.6 billion – a move that CISA Executive Assistant Director Eric Goldstein said would be “catastrophic.”