Infrastructure bill includes $1.9 billion for cybersecurity

Editor’s note: This article, posted earlier today, had been updated to include the passage of the Infrastructure Investment and Jobs Act.

On Friday, Congress passed one of President Biden’s signature pieces of legislation, the $1 trillion Infrastructure Investment and Jobs Act. This landmark bill promises not only massive upgrades to the nation’s aging infrastructure but also boosts government cybersecurity spending by $1.9 billion.

Among its provisions is a new $1 billion grant program to help state, local, tribal and territorial governments protect themselves from malicious actors and modernize systems to protect sensitive data, information, and public critical infrastructure. The Federal Emergency Management Agency (FEMA), which runs the Department of Homeland Security’s (DHS’s) existing grant programs, will provide the funds over four years starting in fiscal year 2022, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as a subject matter expert.

The bill also incorporates the Cyber Response and Recovery Act of 2021, which authorizes $100 million over five years to help the government quickly respond to cybersecurity intrusions. Another notable provision is $21 million in funding for the newly created office of the National Cyber Director (NCD) to hire qualified personnel to support its essential cybersecurity mission. The bill further requires the Environmental Protection Agency (EPA) and CISA to identify public water systems that, if degraded or rendered inoperable due to a cyber-attack, would lead to significant impacts on the health and safety of the public.

As the infrastructure bill awaits the president’s signature, another major piece of legislation championed by Biden, the 1,700-page social spending-oriented Build Back Better bill, promises to increase cybersecurity spending even more. That bill contains at least $500 million in cybersecurity funding for the CISA, including $100 million for securing federal civilian systems not deemed “national security systems.”

The Build Back Better bill also includes $50 million for cloud security, $50 million for industrial control systems security, and $20 million to support migration to the dot-gov domain by state, local and tribal governments. However, forecasts for the bill’s passage are cloudy, given stiff resistance from two senators who threaten to derail it because they think it goes too far in expanding social safety nets.

Only one other cybersecurity bill has become law

Aside from these significant pieces of legislation, Congress has been busy on various cybersecurity bills since our last Congressional update. Altogether, since the current 117^th Congress began in January, 321 bills that deal in whole or part with cybersecurity have been introduced.

Of these bills, only one cybersecurity bill, the K-12 Cybersecurity Act of 2021, has become law. This bill, sponsored by Senator Gary Peters (D-MI) and signed by President Biden on October 8, requires CISA to “study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks.”

Other cybersecurity bills to watch

Since late July, lawmakers have introduced roughly seventy new bills that reference cybersecurity. The following summarizes the more prominent of these pieces of legislation worth watching closely:

H.R. 5186, CISA Leadership Act. Sponsored by Representative Andrew Garbarino (R-NY), the bill aims to prevent the kind of turmoil that afflicted CISA after Donald Trump fired its first chief, Chris Krebs, for reaffirming the security of the presidential election. The proposed Act establishes a five-year term for the CISA director position and reaffirms that the position is presidentially nominated and Senate approved.

S. 2875, Cyber Incident Reporting Act of 2021. Sponsored by Senator Gary Peters (D-MI), the bill establishes timelines for cyber incident reporting, including giving certain organizations 24 hours to report if they paid the sum demanded in a ransomware attack. It also requires owners and operators of critical infrastructure to report cybersecurity incidents to the CISA within 72 hours.

H.R. 3599, Federal Rotational Cyber Workforce Program Act of 2021. This bill was sponsored in the House by Representative Ro Khanna (D-CA) and passed by the House on September 30. It is now awaiting action in the Senate. The bill establishes a rotational cyber workforce program under which certain federal employees may be detailed among rotational cyber workforce positions at other agencies.

S. 2902, Federal Information Security Modernization Act of 2021. Senator Gary Peters (D-MI) sponsored the legislation, which aims to improve federal cybersecurity given the spate of multiple cyberattacks earlier this year. In addition, the bill clarifies CISA’s role in responding to cybersecurity incidents and requires federal agencies to report significant attacks to both CISA and Congress, ensuring that CISA is the lead organization in responding to these incidents.

H.R.3919, Secure Equipment Act. Sponsored by Representative Steve Scalise (R-LA), the House overwhelmingly approved the bill on October 20 and passed it to the Senate without amendment by unanimous consent. The bill requires the Federal Communications Commission (FCC) to establish rules stating that it will no longer review or approve any authorization application for equipment on the list of covered communications equipment or services. This list names equipment or services that the FCC determines pose an unacceptable risk to national security or the security and safety of US persons.

H.R.4067, Communications Security, Reliability, and Interoperability Council Act. Sponsored by Representative Elissa Slotkin (D-MI), the bill would require the FCC to permanently establish a council to help make recommendations on increasing the security and reliability of telecommunications networks. The House passed the bill on October 20.

H.R. 4611, DHS Software Supply Chain Risk Management Act of 2021. Sponsored by Representative Richard Torres (D-NY), the bill was passed in the House on October 20 and received in the Senate and referred to the Committee on Homeland Security and Governmental Affairs. The bill requires the Management Directorate of the DHS to issue guidance regarding new and existing contracts relating to the procurement of information and communications technology or services. Among other things, the proposed legislation requires federal contractors to submit to DHS a bill of materials and a certification that each item in the bill of materials is free from particular security vulnerabilities or defects affecting the security of the end product or service. The bill further requires notification of any identified vulnerability or defect and a plan to mitigate, repair, or resolve any identified vulnerability or defect.

H.R. 5491, Securing Systemically Important Critical Infrastructure Act. Sponsored by Representative John Katko (R-NY), the proposed legislation helps establish a process for designating systemically important critical infrastructure (SICI). The bill further directs CISA to prioritize meaningful benefits to SICI owners and operators of enhanced risk management coordination between them and the federal government without imposing additional burdens.

S. 3099, Federal Secure Cloud Improvement and Jobs Act of 2021. Sponsored by Senator Gary Peters (D-MI), the bill codifies the Federal Risk and Authorization Management Program (FedRAMP) to help agencies more quickly adopt cloud services. It also requires the General Services Administration to begin automating FedRAMP security assessments and reviews within a year and continuously monitor cloud computing products and services.

H.R. 3462, SBA Cyber Awareness Act. Sponsored by Representative Jason Crow (D-CO), the bill requires the Small Business Administration (SBA) to issue a report on its cybersecurity capabilities and notify Congress in the event of a cybersecurity breach potentially compromising sensitive information. The House unanimously passed it on November 3.

H.R. 4515, Small Business Development Center Cyber Training Act of 2021. Sponsored by Representative Andrew Garbarino (R-NY), the bill requires the SBA to establish a program to certify at least 5% or 10% of the total number of small business development center employees to provide cybersecurity planning assistance to small businesses. The House passed the bill on November 2.