What does the outcome of the 2022 midterm elections mean for Federal IT and cybersecurity issues over the next two years?
The shortest answer to that question appears to be a fairly positive outlook based on congressional temperament, interest, and necessity. After that, the landscape gets more complex and nuanced depending on the issues and the personalities involved.
To get closer to reasonable consensus on that big question, we’ve spoken – mostly on background and off the record – with trusted and knowledgeable policy and legislative sources, considered the public record and sentiments of key figures in Congress, and held a gauge to the importance of these issues on the national landscape.
One big caveat: even though Election Day was Nov. 8, it took four days of vote counting to determine that Democrats will retain effective control of the Senate, but it won’t be until next month when the size of that margin becomes clear. At the same time, it may take several more days to be sure which party will control the House – the current assumption is that Republicans will end up in control with a very narrow majority.
The outlook is strong for continued and relatively bipartisan work on both Federal IT and cybersecurity topics.
Both of those categories continue to be considered by many in Congress to be practical, mostly non-ideological, and clearly necessary to improve the performance of government.
In other words, few if any members appear to be against the goals of: 1) improving the government’s ability to use technology in order to serve citizens and accomplish core missions; and 2) the imperative to improve security of those all of those systems and the functions that they support.
The bottom line is that ideology and political rancor won’t likely derail work on either of those fronts. However, finding robust new funding for Federal IT and cybersecurity issues may become more of an uphill climb with Republicans controlling the House.
At the same time, both sides of the aisle are hungry to learn more about the scale of improvements that can be expected from the last two years of investments in IT and security improvements, so the next two years are a good bet to feature more intensive oversight.
As the 118th Congress takes office on Jan. 3, 2023, some of the larger wrinkles in how and whether significant legislative pushes emerge on Federal IT and cybersecurity issues are likely to turn on funding and enthusiasm.
On the policy side of the equation, much of the roadmap for Federal IT and cyber has already been sketched out by the White House through executive orders on cybersecurity and customer experience. Progress on both of those fronts over the next two years at the agency level will depend in part on how much money legislators put behind them.
Funding: Even before the 117th Congress expires, legislators in November and December have in front of them the big tasks of considering fiscal year (FY) 2023 full-year appropriations, and the FY2023 National Defense Authorization Act (NDAA). The latter is widely considered to be “must-pass” legislation, with the former not far behind. Currently, the government is funded through Dec. 16 of this year through a continuing resolution agreed to in late September that keeps funding at mostly FY2022 levels.
Special funding sources aside, the regular appropriations process is where Federal agencies get the vast majority of their money for IT and cybersecurity improvements.
One factor impacting funding for agency tech and cyber work will be whether the Republican majority in the House brings with it some fiscal restraint of the type not much seen over the past couple of years. Chances are that it will, and as a result, prospective increases in non-defense IT funding could be a bit more at risk than defense-related tech spending.
The proof will start to show up in the FY2023 appropriations bill, and the FY2024 bill that Congress will work on later in 2023. For FY2023 funding, much of the detail work has already been done earlier this year by House and Senate committees, and that bread is mostly already baked. FY2024 funding remains a much more open question.
In either case, one key marker to look for on the security front will be additional amounts for agencies pursuing zero trust security. The Office of Management and Budget (OMB) has been working to build those into agency budgets over the next two years, and considers them key to funding the policy mandates of the past two years.
One agency that may be in a position to buck the fiscal restraint trend is the Cybersecurity and Infrastructure Security Agency (CISA), which leads cyber defense efforts for the Federal civilian sector and has become a well-regarded go-to for Congress for security leadership, with a much higher budget over the past few years.
Special funding vehicles like the Technology Modernization Fund (TMF), despite the $1 billion infusion into the fund from the American Rescue Plan Act in 2021, have for the past several years been a tough sell in Congress for much new money, especially from the Senate side. Look for that trend to continue for as long as the fund remains well capitalized, probably with smaller annual contributions far below the 2021 level.
Enthusiasm: Federal IT and cyber issues typically are not dinner-table topics, like inflation, fuel prices, or contentious social issues. That is, until news breaks that turns them into front-page headlines.
In cases like the Colonial Pipeline cyberattack that showed long lines at gas stations, or when Federal websites don’t work well enough to serve the public in major programs such as with the rollout of the Affordable Care Act, legislators are driven to action because constituents demand it. The concept of “event risk” in Federal IT and cyber is always lurking on the near horizon, and has the potential to juice congressional interest.
One emerging driver of cybersecurity interest is likely to be a focus on oversight of some of the big Federal coronavirus-driven funding programs over the past few years, and in particular the large rates of fraud that some of those programs have been plagued with. Further on the oversight front, members of Congress will want to know how much bang for the buck cybersecurity and IT investments have been generating so far.
Other factors to watch on the cyber front include House members who may emerge to latch onto security issues at the CISA level – perhaps at the Einstein and CDM program levels – and in the process begin to restock the issue leadership ranks left thinner by the retirement of Rep. Jim Langevin, R.I. The CDM program, in particular, has burnished its reputation in some quarters as a necessary enabler of zero trust security mandates.
Further through the oversight and accountability lens, it’s a good bet that the next Congress will be interested in knowing more about the current work of the intelligence community on cybersecurity, how zero trust migration plans are proceeding at Federal agencies, and the status of government efforts to force creation of more secure software.
Beyond that, the soon-to-be-released National Cybersecurity Strategy from the Office of the National Cyber Director ought to help stir vigorous debate on the proper security responsibilities of both the government and the private sector, although it’s difficult to say to what extent because its contents are still unknown.
Committees to Watch
Perhaps the most important gauge to monitor on the Federal IT and cyber legislative front is how well leaders of key committees appear to be working together to generate legislative results.
On the Senate side, the Homeland Security and Government Affairs Committee for the past two years has been a very active and effective creator and advancer of Federal IT and cyber-related legislation. Look for the committee to continue in that role over the next two years.
The effective working relationship between Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, has contributed significantly to keeping numerous security bills – large and small – moving along to the full Senate. With Sen. Peters expected to remain as chairman of the committee, James Lankford, R-Okla., mentioned as a successor to the retiring Portman, how those new relationships emerge and evolve is worthy of close watching.
Below the chair and ranking member, the committee features a critical mass of senators with demonstrated and developing interest in both cyber and IT issues, including Sens Maggie Hassan, D-N.H., Jon Ossoff, D-Ga., Jacky Rosen, D-Nev., Josh Hawley, R-Mo., and Mitt Romney, R-Utah.
In the House, the Oversight and Reform Committee has been a busy center of activity on the Federal IT front, and with new leadership on the way from both the Republican and Democratic ranks, remains a key one to watch. Rep. James Comer, R-Ky., the committee’s current ranking member, is likely to become its new chairman, and Reps. Gerry Connolly, D-Va., and Jamie Raskin, D-Md., are among candidates for ranking member.
While Rep. Comer undoubtedly will devote some attention to more partisan issues, the panel’s subcommittee structure lends itself well to continued work on IT and cyber issues.
As one testament to the bipartisan nature of that kind of work, Rep. Connolly, chairman of the Government Operations Subcommittee, and Rep. Jody Hice, R-Ga., the panel’s ranking member, might not agree on many other issues, but they have more often than not shared broad agreement on aims for Federal IT performance improvement at their semi-annual FITARA hearings.
On the FITARA front in particular, look for further discussions about grading category changes to achieve a higher degree of Federal IT oversight.
Perhaps outside the lines of traditional IT and cyber funding debates, a couple of other avenues may get some airtime on the Hill, at least behind the scenes initially, but with further traction possible.
One of those involves repurposing some of the regular appropriations for Internal Revenue Service (IRS) tech spending that may be up for grabs following the recent $80 billion funding to the agency for a ten-year rebuilding effort. Redirecting some of that freed-up regular appropriations money to the General Services Administration (GSA) and the Federal Citizens Services Fund is one idea that’s been talked about.
Another item talked about is a possible effort by GSA, OMB, and the Office of Personnel Management to cooperate on a far-reaching effort to re-imagine Federal workplaces and work-location policies as the coronavirus pandemic continues to wane.