February 03, 2023
Double-Digit Growth for Cybersecurity and Infrastructure Security Agency
In September, the Cybersecurity and Infrastructure Security Agency (CISA) issued its 2023-2025 Strategic Plan. The plan boils CISA’s strategy down to four operational priorities.
- Spearhead a national effort to ensure the defense and resilience of cyberspace
- Strengthen the resilience of America’s critical infrastructure
- Strengthen whole-of-nation operational collaboration and information-sharing with government, industry, academic, and international partners
- Integrate CISA functions, capabilities, and workforce
In February 2020, FBIQ identified “critical infrastructure resilience” as a 5-year federal funding and policy priority. Like FBIQ’s definition of that term, CISA’s mission includes cybersecurity, climate resilience, and supply chain security. Over the past 35 months, a series of Congressional actions validated that forecast with billions in new funding and a series of initiatives embedded in the American Rescue Plan Act, the Infrastructure Investment and Jobs Act (IIJA), the Inflation Reduction Act, and annual appropriations bills. Since President Biden took office, Congress has consistently provided more for these critical missions than Biden’s budgets requested.
Over the past two years, Office of Management and Budget (OMB) Director Young issued a series of cybersecurity-related memorandums directing federal civilian executive branch (FCEB) agencies to employ Endpoint Detection and Response, implement the Administration’s federal zero trust architecture strategy, and improve software supply chain security. Together with National Cyber Director Inglis, OMB Director Young issued M-22-16 instructing FCEB agencies to develop FY24 budget initiatives focused on improving “Defense and Resilience of Government Networks, … Cross-Sector Collaboration in Defense of Critical Infrastructure,… and Strengthening the Foundations of Our Digitally-Enabled Future.”
While we expect progress on each of those fronts in President Biden’s FY24 Budget, Congress didn’t wait. The FY23 Consolidated Appropriations Act (P.L. 117-328) includes $2,907.1 million for CISA, $396 million more than the levels outlined in President Biden’s FY23 Budget, and a $313.1 million increase over FY22 levels (see Chart I below). Since FY21, CISA’s budget increased $882 million (43.6%). A significant portion of the increases Congress approved for FY23 was needed to sustain FY22 increases. Why? Because approval of FY22 funding was delayed to mid-March (5.5 months into the fiscal year), most of those increases were implemented late in FY22. FBIQ expects Congress to approve another double-digit budget increase for CISA in FY24.
FY23 CISA funding would have been higher, but the Appropriations Committees included a series of one-time reductions “for projected under-execution of payroll-related funding.” The primary reason is that CISA fell short of Congressionally-approved recruiting and retention targets. With the tight U.S. labor market, the skilled workers needed for CISA positions are in short supply. CISA is not alone. DOD, VA, other FCEB agencies, and state and local governments face similar challenges. Concern about this issue prompted the Appropriations Committees to require quarterly budget and staffing briefings from CISA with a $50,000 penalty “for each day after the respective due dates” CISA fails to comply.
In addition, Congress directs CISA to provide a series of briefings and reports. Two address the staffing issue outlined above for CISA and other federal agencies: 1) Accreditation of Third-Party Cybersecurity Service Providers, and 2) Development of an Interagency Cybersecurity Training and Education Strategy. The most important may be an FCEB IT System Vulnerability Review due by July 2023. While we expect the findings to be classified, Congress directs CISA to include “an unclassified summary.”