16. INFORMATION TECHNOLOGY AND CYBERSECURITY …

1 16. INFORMATION TECHNOLOGY AND CYBERSECURITY FUNDING. Federal INFORMATION TECHNOLOGY (IT) provides (CPIC) Guidance, agencies determine if an IT investment Americans with important services and INFORMATION , is classified as major based on whether the associated and is the foundation of how Government serves the investment: has significant program or policy implica- public in the digital age. The Budget proposes spending tions; has high executive visibility; has high development, $65 billion on IT at civilian agencies in fiscal year (FY) operating, or maintenance costs; or requires special 2023,1 which will be used to deliver critical public ser- management attention because of its importance to the vices, keep sensitive data and systems secure, and further mission or function of the agency. For all major IT invest- the Administration's vision of an effective and efficient ments, agencies are required to submit Business Cases, Government.

2 The President's Budget also supports the which provide additional transparency regarding the cost, implementation of Federal laws that enable agency tech- schedule, risk, and performance data related to its spend- nology planning, oversight, funding, and accountability ing. OMB requires that agency Chief INFORMATION Officers practices, as well as Office of Management and Budget (CIOs) provide risk ratings for all major IT investments (OMB) guidance to agencies on the strategic use of IT on the IT Dashboard website on a continuous basis and to enable mission outcomes. It supports IT system mod- assess how risks for major development efforts are being ernization; migration to secure, cost-effective commercial addressed and mitigated. cloud solutions and shared services; the recruitment, CYBERSECURITY remains a top priority for this retention, and reskilling of the Federal TECHNOLOGY and Administration, as our adversaries continue to seek new CYBERSECURITY workforce to ensure higher value service and creative means to compromise Federal systems.

3 The delivery ; and the reduction of CYBERSECURITY risk across Administration has engaged top experts from across the the Federal enterprise. Nation to identify leading security practices and set a Cyber threats have become a top risk to delivering bold new course to overhaul the Government's approach critical Government services, and this Administration to securing Federal IT. The President's Budget includes is committed to addressing root cause issues and taking approximately $ billion of budget authority for civil- transformational steps to modernize Federal CYBERSECURITY ian CYBERSECURITY -related activities. This figure is an 11. defenses. The President's Budget includes approximately percent increase reported for 2022. CYBERSECURITY bud- $ billion for civilian CYBERSECURITY funding, which getary priorities continue to seek to reduce the risk and supports the protection of Federal IT and the Nation's impact of cyber incidents based on data-driven, risk- most valuable INFORMATION , including the personal infor- based assessments of the threat environment and the mation of the American public.

4 These investments will, current Federal CYBERSECURITY posture. Section 630 of in alignment with the Administration's priorities, focus the Consolidated Appropriations Act, 2017 (P. L. 115 31). on addressing root cause structural issues, promoting amended 31 1105 (a)(35) to require that an analy- stronger collaboration and coordination among Federal sis of Federal CYBERSECURITY funding be incorporated into agencies, and addressing capability challenges that have the President's Budget. The Federal spending estimates impeded the Government's TECHNOLOGY vision. in this analysis utilize funding and programmatic infor- mation collected on the Executive Branch's CYBERSECURITY Federal Spending on IT and CYBERSECURITY activities that protect agency INFORMATION systems, and also on activities that broadly involve CYBERSECURITY such As shown in Table 16-1, the President's Budget for IT as the development of standards, research and develop- at civilian Federal agencies is estimated to be $65 billion ment, and the investigation of cybercrimes.

5 Agencies in 2023. This figure is an 11 percent increase from the provide funding data at a level of detail sufficient to estimate reported for 2022. Chart 16-1 shows trending consolidate INFORMATION to determine total governmen- INFORMATION for Federal civilian IT spending from 2021 tal spending on CYBERSECURITY . Within each agency, FY. The President's Budget includes funding for 2021 actual levels reflect the actual budgetary resources 4,290 investments at 24 agencies. These investments sup- available in the prior year, FY 2022 estimates reflect the port the three IT Portfolio areas shown in Chart 16-2. estimated budgetary resources available in the current Of those 4,290 IT investments, 742 are considered ma- year, and FY 2023 levels are to reflect levels consistent jor IT investments. As outlined in OMB Circular A-11 with the President's Budget. Table 16-2 provides an and FY 2022 Capital Planning and Investment Control agency-level view of CYBERSECURITY spending.

6 Table 16-3. 1 The scope of the analysis in this chapter refers to agencies repre- provides an overview of CYBERSECURITY spending among sented on the IT Dashboard, located at agencies included in the Chief Financial Officers Act of This analysis excludes the Department of Defense. 1990 ( 101-576) (CFO Act agencies), as aligned to the 2 Note that as of the 2020 CPIC guidance, IT related grants made National Institute of Standards and TECHNOLOGY (NIST). to State and local governments are no longer included in agency IT. investment submissions. 233. 234. ANALYTICAL PERSPECTIVES. CHART 16-1. TRENDS IN FEDERAL CIVILIAN IT SPENDING. $70,000. $65, $60,000. $52, $49, $58, $55, $57, $50,000. $44, $51, $40, $40, $41, $48, $40,000 $44, $43, $41, $37, $37, $36, $38, $30,000. $20,000. Civilian IT Spending Without Grants $10,000 Civilian IT Spending With Grants $0. 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023. CYBERSECURITY Framework functions: Identify, Protect, A key goal of Executive Order 14028 is to modernize the Detect, Respond, and Recover.

7 Federal Government's approach to securing systems and The remainder of this chapter describes important as- data by adopting zero trust CYBERSECURITY principles. To pects of the latest initiatives undertaken with respect to meet that goal, the Administration released guidance for Federal IT policies and projects, as well as CYBERSECURITY agencies through OMB Memorandum M-22-09, Moving policy and spending. the Government Toward Zero Trust CYBERSECURITY Principles, in January 2022. This Memorandum estab- CYBERSECURITY lished a multi-year zero trust strategy and action plan that requires agencies to meet specific CYBERSECURITY stan- The President's Budget supports the Administration's dards and objectives by the end of FY 2024, in order to commitment to transforming Federal CYBERSECURITY by ad- bolster the Government's defenses against increasingly dressing root cause issues and pursuing leading security sophisticated and persistent threat campaigns.

8 Practices designed to defeat the methods of even sophisti- In addition to OMB Memorandum M-22-09, OMB had cated threat actors. In pursuit of these goals, the President previously taken a series of other actions to increase signed Executive Order 14028, Improving the Nation's the resiliency of the Federal Government's digital infra- CYBERSECURITY in May 2021. The Executive Order places structure, including the issuance guidance for agencies a strong emphasis on improving INFORMATION -sharing be- through OMB Memorandum M-21-30, Protecting Critical tween the Government and private sector, enhancing Software Through Enhanced Security Measures. This the security of Government-procured software, improving guidance requires agencies to inventory critical software detection of cyber threats and vulnerabilities on Federal and implement robust security requirements to ensure systems, and strengthening the United States' ability to the security of the software supply chain and protect the respond to incidents when they occur.

9 Use of software in agencies' operational environments. Following that, OMB released further guidance to agen- CHART 16-2. FY 2022 FEDERAL CIVILIAN IT INVESTMENT. PORTFOLIO SUMMARY. IT Infrastructure, IT Security, and IT Management Mission delivery Administrative Services and Support Systems 235. 16. INFORMATION TECHNOLOGY and CYBERSECURITY Funding . cies through OMB Memorandum M-21-31, Improving the rity policy and strategy. The National Cyber Director is Federal Government's Investigative and Remediation statutorily charged with working to ensure a cohesive Capabilities Related to CYBERSECURITY Incidents, requir- and unified cyber posture across the entire Federal en- ing agencies to implement security logging measures that terprise, and coordinating with OMB to ensure agency ensure greater visibility into potential threats, accelerat- budgets align with the Administration's vision and priori- ing incident response efforts and enabling more effective ties.

10 The efforts around the President's Budget supports defense of Federal INFORMATION and Executive Branch ONCD's efforts to improve national coordination in the departments and agencies. Further guidance to agen- face of escalating cyber-attacks on Government and criti- cies followed in OMB Memorandum M-22-01, Improving cal infrastructure. Detection of CYBERSECURITY Vulnerabilities and Incidents on Federal Government Systems through Endpoint Supply Chain Risk Management Detection and Response, which requires agencies to im- The Budget includes resources for agencies to invest plement real-time continuous monitoring and response in building agency capacity to evaluate and mitigate sup- capabilities on all endpoints ( , phones, desktops, ply chain risk. With the passage of the Strengthening printers, laptops, etc.). The President's Budget shows the and Enhancing Cyber-capabilities by Utilizing Risk Administration's commitment to ensuring these require- Exposure TECHNOLOGY Act (SECURE TECHNOLOGY Act) in ments are implemented across the Federal Government, 2018, agencies are required to assess the risks to their dedicating $ billion to support and upgrade Federal respective INFORMATION and communications TECHNOLOGY civilian CYBERSECURITY capabilities.