The Cybersecurity and Infrastructure Security Agency’s (CISA) fiscal year (FY) 2023 budget request came in at $2.5 billion – 18 percent more than requested in FY2022 – but CISA Director Jen Easterly told members of Congress that the agency’s funding needs will continue to increase if CISA hopes to meet the goal of being the nation’s cyber defense agency.
The President’s budget request also includes $80 million for the Federal Emergency Management Agency (FEMA) for a CISA-led competitive grant program. Easterly told the House Appropriations Subcommittee on Homeland Security April 28 that the agency sees that funding as a complement to the $1 billion state and local cybersecurity grant program included as part of the Infrastructure Investment and Jobs Act.
Easterly emphasized that as threats continue to change, CISA will need the necessary funding to adapt and scale to meet them.
“I frankly think the threat environment demands that we continue to increase our capability and our capacity,” Easterly told the subcommittee. “But that of course demands that I am able to keep full confidence of this committee that I can execute those funds. It’s incredibly important that as we get more money we are able to responsibly execute it.”
Easterly said that the increase in CISA’s budget request by the administration “really recognizes our growing role in the security and resilience of our nation, the confidence in our ability to execute, and the intent to ensure that we have the tools necessary to keep our communities safe and secure.”
The Infrastructure Investment and Jobs Act included $1 billion for the Department of Homeland Security to administer grants to state and local governments to improve their cybersecurity practices. Easterly said she sees the $80 million in funding for FEMA to create the CISA-led program as a complement to aid in targeting the best use of funding.
The cybersecurity of critical infrastructure and the need to increase resilience across its sectors have been laid bare by the cyberattacks the nation has faced over the last two years. Among those are attacks on software supply chains, major food producers, the oil and gas sector, and water treatment facilities. The cybersecurity practices in critical infrastructure sectors, or the relative lack thereof, have concerned many.
“I see this $80-million program effectively as a complement to that to go after those target-rich, resource-poor critical infrastructure providers,” Easterly said. “I would draw your attention in particular to water entities that, frankly, are very target-rich – as we saw with Oldsmar (Fla.) in February of 2021 – but resource-poor. So being able to provide grant money to help them raise their cybersecurity baseline, I think is really important.”
Easterly said the agency is looking to release its first Notice of Funding Opportunity from the $1-billion State and Local Cybersecurity Improvement Grant funding, which would make the first $200 million available.
As for the long-term effects the FEMA collaboration may have, Easterly hedged her bets and said she wasn’t prepared to speculate on the program’s future effectiveness.
“From an enduring capability [standpoint] … I want to make sure that we are developing this program with our FEMA colleagues, making sure that we are responsibly putting this in place so that it will make a difference,” she said. “And then we’ll come back to you and let you know whether in fact, we think it is right sized and directed at the right things.”