Senior Manager of Advocacy, Pooja Patel discusses the momentum surrounding cybersecurity initiatives in Congress and key opportunities for cyber policy and funding on the horizon.
Throughout the 117th Congress, there continues to be strong bipartisan, bicameral momentum to coalesce around key cybersecurity initiatives. This has been all the more enhanced by the Biden Administration’s prioritization of this issue. Especially in an increasingly tense and partisan atmosphere, where policymakers will continue to diverge from bipartisan agreements with an election on the horizon, cybersecurity issues will continue to be a strong opportunity for lawmakers to facilitate real impact through efforts that cross party lines.
Thus far in the 117th Congress, cybersecurity policies and funding have garnered attention in nearly every major funding package. This includes large funding infusions within the 2021 American Rescue Plan, the 2021 Infrastructure Investment and Jobs Act, and the FY 2022 omnibus package. Beyond inclusion in these broader packages, there has also been significant traction to move smaller, less controversial bills that can quickly move through the legislative process, which has been supplemented by strong advocacy efforts from influential cybersecurity leaders on both sides of the aisle.
Over the next few months when very little policy will get done due to the upcoming elections, cybersecurity policy remains one of the few areas where policy changes could occur – ranging from large funding opportunities to policy implications concerning jurisdiction of federal cybersecurity programs, and more. Cybersecurity remains well-positioned to receive strong attention over the next several months, and policymakers from both sides of the aisle will continue to act on opportunities to secure wins in this policy space.
Key Opportunities for Cyber Policy and Funding on the Horizon
FY2023 Funding: In late March, the Biden administration submitted their funding request to Congress for Fiscal Year 2023 federal funding. The administration’s request included $10.9 billion in funding for cybersecurity programs within federal civilian agencies, along with an additional $11.2 billion for cyber programs at defense agencies. While the administration’s request merely serves as an indication of the administration’s cyber priorities, the request is effectively a blueprint of what is important and what will be prioritized during upcoming funding negotiations. We can expect to see enhanced funding for cyber programs across the federal government, especially in order to bolster federal systems against the increased threats of malicious cyber activity and to support newly created programs and offices (such as the White House Office of the National Cyber Director).
China Competition Legislation: Throughout this Congress, there remains significant focus on finding a legislative solution for addressing the U.S.’s ability to compete with China, with the House and Senate currently engaged in the process to reconcile differences between the House-passed America COMPETES Act and the Senate-passed U.S. Innovation & Competition Act. This large funding package serves to boost supply chain resilience, increase domestic manufacturing opportunities, provide greater funding to innovation, address trade imbalances, and more. Notably, this conference process will resolve differences between the two bills related to cyber research efforts, cybersecurity standards, digital identity management, and workforce development initiatives. This will continue to be a large opportunity for cybersecurity stakeholders, and one that provides significant potential to gain more bipartisan cyber wins if the legislation is signed into law.
FISMA and FedRAMP: Earlier this year, acting on the elevation of tensions in Russia and Ukraine, bipartisan cyber leaders from the Senate acted quickly to pass the Strengthening American Cybersecurity Act (S.3600) to quickly respond to the rising threat of Russian cyberattacks. This legislative package included a trio of bills: 1) cyber incident reporting requirements for critical infrastructure, 2) reforms for the Federal Information Security Modernization Act (FISMA), and 3) modernization for the Federal Risk and Authorization Management Program (FedRAMP). While the cyber incident reporting component was included and signed into law in the FY2022 omnibus, there remain behind-the-scenes efforts in the House and Senate to resolve issues and pass a bicameral, bipartisan package that would modernize both the FISMA and FedRAMP programs.
Questions of Jurisdiction: There remains a focus across the federal government to provide greater structure to federal cybersecurity initiatives, especially in terms of which offices carry oversight power over key areas of impact. The key agencies that oversee these efforts are the Cybersecurity & Infrastructure Security Agency, the White House Office of the National Cyber Director, and the Federal Bureau of Investigation. There may be efforts to find a more solidified distinction of these duties, especially as the administration looks to implement the newly enacted cyber incident reporting rules.
Key Factors Driving the Cyber Security Policy Ecosystem
Notable Cyber Leaders Departing Congress: Leading up to the 2022 election, over 60 Members of Congress have announced that they will be departing at the end of the 117th Congress. Notably, these retirements also include House Homeland Security Committee Ranking Member John Katko (R-NY) and House Armed Services’ Cyber Subcommittee Chairman Jim Langevin (D-RI) – both of whom have been strong cybersecurity advocates throughout their tenure in the House of Representatives. Furthermore, Senate Homeland Security & Governmental Affairs Committee Ranking Member Rob Portman (R-OH) has announced that he will not seek reelection, and he has worked closely with HSGAC Chairman Gary Peters (D-MI) to move several cyber wins throughout their leadership of the committee. These departures will certainly shift the cyber paradigm next Congress, but in the remaining months before this November, we can expect that these members will be looking to secure legislative victories that will mark their legacy in Congress.
Continued Focus from the Biden Administration: Cybersecurity issues remain a significant priority for the Biden administration, especially given the impact of cyberattacks over the past few years – ranging from the SolarWinds incident to the ongoing Log4j vulnerability. President Biden signed a large cybersecurity executive order in May last year, and this policy is still being administered throughout the federal government. The order included strong requirements to implement zero trust architectures across federal systems, which will continue to be a priority until 2024.
Impact Across Government: Few issues impact every entity within government, and cybersecurity is certainly one such issue. Every federal agency receives funding for cybersecurity initiatives, and agencies face substantial risk should they not prioritize cybersecurity to a high enough degree. Even though a considerable amount of cybersecurity funding is concentrated on the Departments of Homeland Security and Defense, President Biden’s FY2023 budget requested sizeable funding for all federal agencies to bolster their cybersecurity architectures and to strengthen their workforces in order to be equipped against potential cyberattacks.
Looming Threats: There continues to be significant concerns surrounding cyberattacks from the Russian government, especially as a mechanism to act against the sanctions that have been implemented thus far by the U.S. government. As these concerns continue to threaten critical infrastructure and other entities, federal leaders will maintain their focus on increasing the strength of these systems to be able to withstand possible cyberattacks.
Strong Industry Advocacy: As our economy and national security increasingly transitions towards dependence on technology and cloud infrastructure, the potential for vulnerabilities have increased as well. The cybersecurity industry has maintained a strong footprint in Washington, DC and is coordinated in advocacy on a range of issues across the cybersecurity policy ecosystem. Even as lawmakers are focused on an array of issues, the cyber industry will remain strong to ensure that these issues continue to receive attention across the policy ecosystem.