The best place for drilling is in the Department of Homeland Security’s section where the Cyber and Infrastructure Security Agency (CISA) now lives.
In this region of DHS, lawmakers allocated CISA $322.8 million for “procurement, construction, and improvements.”
To get the oil out of that field, you have to start boring some holes, first in the continuous diagnostics and mitigation (CDM) program. CDM received two funding allocations: The first is for deployment of capabilities where DHS received a total of $115.8 million, which is $3.7 million more than the Trump administration requested and $13 million more than CDM received in 2018.
But that’s a minor gusher compared to the money DHS received for the procurement of tools. Congress allocated $160 million for DHS to buy agencies new tools under CDM, which is $34.4 million more than the White House requested, but almost $87 million less than what the program received in 2018.
Now with Congress acting as the investors in this CDM Spindletop-of-sorts, they want updates on how DHS is pumping out their profits.
“CISA is directed to provide a briefing, not later than 90 days of the date of enactment of this act and semiannually thereafter, on the updated timelines and acquisition strategies for the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM) program, including the accelerated deployment of CDM Phase 4 data protection management (digital rights management, data masking, micro-segmentation, enhanced encryption, mobile device management, etc.) across all ‘.gov’ civilian agencies,” the omnibus spending bill states.
While the CDM field continues to flow millions of gallons of oil, the NCPS program, which includes the Einstein intrusion and prevention tools, is starting to dry up for tool procurement.
Lawmakers allocated $96 million in total funding for this year, down from $115 million last year and $5 million less than what the administration requested.
“A reduction of $15 million to the NCPS acquisition program is included due to contract delays,” lawmakers write.
But at the same time, lawmakers increased NCPS funding to $297 million for deployment of NCPS tools, up $10 million over 2018 and about $600,000 more than the administration requested.
The third piece of the federal cybersecurity funding came to the Federal Network Resilience group at DHS. It received $50.1 million for 2019, which is $7.3 million more than in 2018 and slightly over the administration’s request.
Lawmakers also told DHS to redirect some of their extra funds for “facility construction, expansion and renovations necessary to support CISA’s growing cybersecurity workforce; expanding operations, laboratory, and logistics support activities; and Continuity of Operations functions at the agency’s existing support facility. In fiscal year 2018, $500,000 was appropriated for facility design purposes.”
The DHS oil fields are well known for their gushers, but the 2019 spending bill also had some lesser known fields for some deeper drilling.
Legislators told those agencies, including NASA and the National Science Foundation, they can’t buy any technology for high or moderate impact systems unless:
They have reviewed the supply chain risk for the information systems against criteria developed by the National Institute of Standards and Technology and the Federal Bureau of Investigation (FBI) to inform acquisition decisions;
They have reviewed the supply chain risk from the presumptive awardee against available and relevant threat information provided by the FBI and other appropriate agencies; and
They have consulted the FBI or other appropriate federal entity, conducted an assessment of any risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured, or assembled by one or more entities identified by the United States government as posting a cyber threat, including but not limited to, those that may be owned, directed or subsidized by the People’s Republic of China, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, or the Russian Federation.
Additionally, lawmakers say these agencies must not buy technology for high or moderate risk systems unless the agency has “developed, in consultation with NIST, the FBI, and supply chain risk management experts, a mitigation strategy for any identified risks; determined, in consultation with NIST and the FBI, that the acquisition of such system is in the national interest of the United States; and reported that determination to the Committees on Appropriations of the House of Representatives and the Senate and the agency Inspector General.”
These provisions follow a long history of concerns at these agencies over supply chain risks. In 2014, former Rep. Frank Wolf (R-Va.), added a similar provision in that year’s spending bill.
Treasury, Transportation get cyber funds
Two other regions ripe for bringing in rigs for drilling is in the Treasury and Transportation sections of the bill.
First, the Treasury Department received $25.2 million for enhanced cybersecurity services and personnel. Lawmakers instructed Treasury’s bureaus to send the agency’s chief information officer a spending plan for approval.
In the Transportation Department sector, you had to drill a little deeper to find $15 million in cyber oil.
Lawmakers told Transportation to use the money for “necessary expenses for cybersecurity initiatives, including necessary upgrades to wide area network and information technology infrastructure, improvement of network perimeter controls and identity management, testing and assessment of information technology against business, security and other requirements, implementation of federal cybersecurity initiatives and information infrastructure enhancements, and implementation of enhanced security controls on network devices.”
This is, by far, not a comprehensive review of all things cyber in the spending bill. Congress also allotted quite a bit of cyber money for election security, critical infrastructure protections and research and development. But the cyber spending highlighted above are what will impact agency security postures in real and immediate ways.