The Biden administration’s budget proposal unveiled Monday calls for $10.9 billion in spending on cybersecurity priorities, an 11% increase that would include raises to cyber budgets across the federal civilian government.
The 2023 budget request, which also outlines $65 billion in IT investments across the civilian federal government, includes another $300 million for the Technology Modernization Fund.
“These investments will transform authentication for the Federal Government, and provide for multi-factor authentication across the board. They will also fund the development of an identity proofing solution that prevents fraud, ensures equitable access to government services, and protects individual privacy,” the budget noted.
The fund, established in 2017, received a $1 billion infusion of cash as part of the American Rescue Plan Act last year and has been increasingly leveraged by the Biden administration to invest in cybersecurity modernization.
While that represents the most one-time funding ever funneled through the program, the additional $300 million requested will likely also be snapped up in short order: the budget notes that about 40 different federal agencies have submitted a combined $2.5 billion in IT security funding proposals for TMF since the passage of the American Rescue Plan Act. Thus far, the fund has invested about $400 million total in 20 projects across twelve different agencies.
“With the continuously evolving IT and cyber landscape, these investments are an important down payment on delivering modern and secure services to the American public, and continued investment in IT will be necessary to ensure the United States meets the accelerated pace of modernization,” the budget request stated, later noting “The Administration is maximizing the flexibility of the TMF to modernize high-priority systems, elevate the foundational security of Federal agencies, accelerate the growth of public-facing digital services, and scale cross-Government collaboration and shared services.”
It also highlights the mission across government to find, entice and inject more qualified cybersecurity workers into the federal bloodstream, with the administration saying it is committed to revisiting hiring, pay and retention policies to make it easier to keep top-flight security talent while exploring more flexible work policies in the wake of the COVID-19 pandemic.
Beyond compensation, cybersecurity officials in government have sought to expand the pool of potential hires through concerted campaigns to create a more welcoming and inclusive environment for women and people of color that have historically been underrepresented in the information security community.
Last week Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency at DHS, laid out an ambitious goal of gaining relative parity between the number of male and female cybersecurity workers by 2030, and within CISA by 2025. The agency has partnered with non-profits like Girls Who Code while others like the NSA have participated in social media campaigns like #ShareTheMic, wherein high-profile officials like Cybersecurity Director Rob Joyce hand over control of their Twitter accounts for a day to allow cybersecurity professionals from underrepresented communities to communicate with new audiences.
Cyber, IT highlights in 2023 Biden budget request
The request includes $1.9 billion for CISA, which plays an outsized role managing the larger federal civilian cybersecurity ecosystem along with the Office of Management and Budget, and Office of the National Cyber Director.
The budget would also set aside at least $100 million through 2028 for the “Cybersecurity Response and Recovery Fund.” The fund, which was created through the Infrastructure Investment and Jobs Act of 2021, can be tapped upon declaration of a “significant incident” impacting federal cybersecurity by the secretary of Homeland Security and used by CISA to fund unforeseen cyber incident response expenses like the kind encountered during the SolarWinds breach.
The nascent Office of the National Cyber Director would receive $21 million through September to continue filling out staff. Director Chris Inglis said recently that the office has about 30 personnel on staff and will likely have around 85 employees in total when initial hiring efforts are complete.
At the Office of Management and Budget, the Information Technology Oversight and Reform account would receive $13.7 million, part of which would be used to expand OMB’s work with the Federal Acquisition Security Council, an interagency panel created by Congress in 2018 to examine and root out potential foreign cybersecurity threats in the government’s IT purchasing and procurement. It will also support the sharing of supply chain risk information across government.
The Federal Emergency Management Agency would get $3.5 billion, and set aside $1 billion through 2025 for cybersecurity grant funding to state, local and tribal governments, as well as critical infrastructure. It also includes $80 million for a critical infrastructure cyber grant program that provides financial assistance to public and private entities who implement certain risk reduction strategies and capabilities.
As part of its $10.7 billion request for salaries and other expenses, the FBI is asking for an additional $52 million to bolster hiring in its cyber investigative program, $42 million for counterintelligence activities, $37 million for general cybersecurity operations, and another $17 million to enhance the resilience of the bureau’s IT networks. The Drug Enforcement Agency, meanwhile, is seeking $8 million for cyber investigative support and another $3 million to implement Cybersecurity Maturity Model improvements.
The National Institute for Standards and Technology is slated to get $975 million, which will in part continue to fund projects by NIST like developing new “quantum-proof” forms of encryption, improving software supply chain security and security labeling for internet of things devices while also funding newer security priorities this year around 5G, identity management and the supply chain.
The Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) would be in line to receive $202 million, part of which would go towards a raft of cyber-related investments, including enhanced information sharing, new risk management tools to speed up threat and vulnerability sharing and emergency cyber incident response. The Infrastructure Investment and Jobs Act will also provide additional resources for CESER to carry out rural and municipal utility cyber grants and grid security programs. Under the spending plan, the Energy Chief Information Office would also make “significant investments” in 2023 designed to respond to the 2020 SolarWinds hack and implement cybersecurity executive order mandates around zero trust, enhanced logging, security licensing, universal encryption and multi-factor authentication.
The Department of Transportation section details $48 million through 2024 for cybersecurity spending, including upgrades to network and IT infrastructure, new identity management and authentication capabilities, data protection and enhanced cybersecurity controls for mobile devices.
At Treasury, $215 million would be set aside through 2025 for the Cybersecurity Enhancement Account, which can be used to pay for strategic cybersecurity investments and support the implementation of the Biden administration’s cybersecurity executive order.
The chronically under-funded IRS would get approximately $310 million through 2025 for its business systems modernization plan, a five-year initiative started under the Trump administration that seeks to fundamentally overhaul the tax agency’s ancient IT infrastructure. Officials at the agency have said the investments are badly needed not only to bring the agency’s operations into the twenty-first century but also to improve cybersecurity and deal with an aging and retiring workforce.