On December 23, the House and Senate Appropriations Committees agreed to a $1.7 trillion package of appropriations bills to fund government operations through fiscal 2023. On December 29th, President Biden signed it. The 4,155-page bill reflects the already agreed $858 billion in defense spending and $800 billion in non-defense spending, including several high-profile cybersecurity items.
Senator Chris Murphy (D-CT), chairman of the Homeland Security Subcommittee, said: “Defend our country from cyber threats and protect our coastlines and airports.”
On the House side, Homeland Security Subcommittee Chairman Lucille Roybal-Allard (D-California) said: “Infrastructure and disaster relief support.”
Key cybersecurity provisions of the bill
Cybersecurity is mentioned dozens of times in the bill, highlighting how routine cybersecurity spending in the federal government has become. The provisions below stand out for the amount involved, their first appearance in the annual appropriations process, or the focus that lawmakers have on them.
- CISA funding: The measure allocates $2.9 billion to the Cybersecurity and Infrastructure Security Agency (CISA), $313.5 million or 12% above fiscal 2022 levels and $396.4 million above the president’s budget request. Some of the specific CISA funds flagged by lawmakers include:
  - More than $1.7 billion for cybersecurity efforts, including “protecting private federal networks that also benefit State, Local, Tribal and Territorial (SLTT) government networks”
  - $214.2 million to further advance CISA’s cybersecurity operations, including, among others, a $17 million increase for the Joint Cyber Defense Collaborative (JCDC)
  - A $16 million increase for the Multi-State Information Sharing and Analysis Center, for a total of $43 million
  - $46 million for “Threat Hunting and Response Capabilities” across federal, SLTT, and critical infrastructure networks
  - $17 million for “emergency communications readiness”
  - An additional $32 million for “improving regional operational capabilities”
- Additional Ukraine Supplemental Appropriations Act, 2023: This act is included as part of the comprehensive spending package and allocates $50 million to address cybersecurity threats from Russia and other malicious actors.
- Office of Personnel Management: The spending package provides $422 million for the Office of Personnel Management to “address cybersecurity and employment initiatives,” an increase of $49.2 million.
- National Science Foundation: The legislation provided $69 million for the National Science Foundation’s CyberCorps program, an increase of $6 million from last year. The program offers scholarships to students if they agree to work for the government in the field of cybersecurity after graduation.
- Department of the Treasury: The measure allocates $100 million in additional funding for salaries and expenses to strengthen the cybersecurity of systems the department operates.
- Office of the National Cyber Director: The measure provides $21,926,000 in funding for the Office of the National Cyber Director.
- Secret Service funding: The measure allocates $23 million and reauthorizes the Secret Service to continue operating the National Computer Forensics Institute, which serves as a national training center where law enforcement officers learn how to investigate and respond to cyber and electronic crime.
- Department of Commerce funding: The law allocates $35 million specifically for technology modernization and cybersecurity risk mitigation for the department.
- Department of Homeland Security (DHS) funding: The measure allocates $3 million to the DHS Intelligence and Cybersecurity Diversity Fellowship Program.
Banning TikTok on Government Phones
Despite efforts by China’s ByteDance to strike a compromise deal with the Committee on Foreign Investment in the United States (CFIUS) to ease national security concerns over its popular TikTok video app, the spending bill bans the use of TikTok on executive agency phones. The law requires the Office of Management and Budget (OMB), in consultation with the Administrator of General Services, the Director of CISA, the Director of National Intelligence, and the Secretary of Defense, to develop within two months standards and guidelines for executive agencies requiring the app to be removed.
Following the passage of the bill, the Chief Administrative Officer of the U.S. House of Representatives immediately banned TikTok from the phones of House members and staff. “This is a political gesture that does nothing to advance national security interests, rather than urging the government to end its national security review. The agreement under consideration meaningfully addresses security concerns raised at both the federal and state levels.”
China, North Korea and Iran Sourcing Restrictions
The bill stipulates that government agencies may not use their funds to purchase communications equipment from Chinese tech giants Huawei or ZTE for “high or moderate impact information systems,” as determined by the National Institute of Standards and Technology (NIST).
In addition, agencies are prohibited from using funds for technologies developed by the People’s Republic of China, including biotechnology, digital, telecommunications, and cyber, unless the Secretary of State, in consultation with the USAID Administrator and the heads of other federal agencies as appropriate, determines that such use would not adversely affect the national security of the United States.
In addition, no agency may spend funds on acquisitions from an entity that China, Iran, North Korea, or Russia owns, directs, or sponsors unless the FBI or another appropriate federal agency has assessed the risks of cyber espionage or sabotage associated with acquisitions from those entities.
Reports on cyberattacks such as ransomware by foreign countries
The bill incorporates a ransomware law under which the Federal Trade Commission (FTC) must submit reports to Congress in 2025 and 2027 detailing the number and types of ransomware incidents or other cyberattacks from China, North Korea, Iran, or Russia. It also asks the FTC to share information on litigation related to these incidents and to recommend new laws and business practices to make U.S. organizations more resilient to digital threat actors.
Ensuring cyber security for medical devices
Finally, the bill would amend the Federal Food, Drug, and Cosmetic Act to require medical device manufacturers to meet certain cybersecurity standards. Among the requirements is submitting to the Commissioner of Food and Drugs a plan for monitoring, identifying, and addressing post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
Manufacturers must also ensure that their devices and related systems are secure and release post-market software and firmware updates and patches. Device manufacturers are also required to submit to the FDA Commissioner a software bill of materials (SBOM) containing all off-the-shelf, open source, and critical components used in their devices.
The bill would also require the FDA to provide, within 180 days and annually thereafter, additional resources and information to improve cybersecurity for medical devices, including information on identifying and addressing cyber vulnerabilities for health care providers, health systems, and device manufacturers. Within a year, the Government Accountability Office (GAO) must issue a report that outlines the challenges health care providers, health systems, patients, and device manufacturers face in addressing vulnerabilities and identifies how federal agencies can enhance coordination to improve device cybersecurity.
Copyright © 2022 IDG Communications, Inc.