The Cybersecurity and Infrastructure Security Agency (CISA) will receive a $568 million windfall from last year’s funding level should the $1.5 trillion omnibus spending bill to underwrite the government through the fiscal year ended September 30, 2022 gain President Biden's signature as expected next week.
The legislation, which made it out of the Senate by a 68-31 tally, carries an overall $2.6 billion budget for CISA. The measure also includes provisions that require businesses in U.S. networks and critical infrastructure sectors to report to CISA evidence of possible hacking activity within 72 hours and ransom payments within 24 hours.
Cyber Funding: Nearly $120 million is tucked into the bill for cyber threat hunting and another $64 million to manage risks. Roughly $17 million is allocated to support state and local governments to deter hacking.
The additional funding comes amid a potential uptick in Russian cyberattacks against the U.S. following the stringent sanctions imposed by NATO member countries to support Ukraine against the Kremlin’s invasion.
CISA Director Jen Easterly said the incident reporting will give the agency the “data and visibility” needed to better protect the nation’s critical infrastructure and private sector from cyber attacks. “Put plainly, this legislation is a game-changer,” said Easterly. “We are also grateful to Congress for the unprecedented level of funding provided for CISA in the Fiscal Year 2022 Omnibus. This investment represents a recognition of the importance of our mission and the confidence of the Congress in our ability to defend our nation’s networks and critical infrastructure.”
The cyber incident reporting provisions in the legislation are based in part on Senate Homeland Security and Governmental Affairs Chair Gary Peters’ (D-MI) Cyber Incident Reporting Act. “Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine,” Peters said. “It’s clear we must take bold action to improve our online defenses. This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people.”
