HR 4367 Introduced
FY 2024 DHS Spending
Earlier this week, Rep Joyce (R,OH) introduced HR 4367, the Department of Homeland Security Appropriations Act, 2024. The House Appropriations Committee also published their Report on the bill. The bill includes a relatively modest ($19 million) increase in spending for the Cybersecurity and Infrastructure Security Agency (CISA). While chemical security is not mentioned in the bill, there are a number of chemical security, cybersecurity, cyber workforce, and counter-UAS provisions outlined in the Committee Report.
Chemical Security
There are no discussions about chemical security issues in the bill or the report. There is a single line entry in the funding tables on page 170 of the report under Infrastructure Security. It shows that the Committee is funding ‘Chemical Security’ (including the CFATS program) at $37.949 million for FY 2024. That is $3.26 million less that FY 2023 and $3.3 million less than the President requested. The Appropriations Committee clearly expects the CFATS program to be continuing through FY 2024.
CISA Spending
Starting on page 41, the bill outlines the FY 2024 spending for CISA. The bill would provide $2.37 billion for the Agency. According to the Report (pg 4) this is $19.2 above the FY 2023 spending. The Committee noted that:
“Recognizing that the Cybersecurity and Infrastructure Security Agency (CISA) budget has grown 44 percent over the last three fiscal years, the bill provides $2,926,291,000 to sustain investments in securing federal civilian cyber networks and helping state and local governments and the private sector secure both cyber and physical infrastructure. The amount is $19,153,000 above the fiscal year 2023 enacted level. This strategic pause in significant budget growth provides CISA the opportunity to mature its operations commensurate with the enacted level.”
Six million of that shortfall comes from “expected payroll under-execution within Mission Support, and to slow administrative personnel growth while CISA lags behind in hiring to enacted levels in mission critical areas such as Cybersecurity” (pg 56).
On pages 96-7 of the bill, the Committee lists the funds that would be rescinded from the FY 2023 unobligated funding:
$3.5 million from the CISA Procurement, Construction, and Improvements’ account, and
$2 million from the CISA Research and Development account
Interestingly, the Committee is withholding $5 million in operations and support funding until “the reports and briefings directed under this heading in the explanatory statement accompanying Public Law 117–103 have been submitted to the Committees on Appropriations of the House of Representatives and the Senate” (pg 41). The missing reports and briefings are detailed and discussed in the Report.
Cybersecurity Programs
The following CISA cybersecurity programs are discussed in the Report:
Accreditation of Third-Party Cybersecurity Service Providers (pg 58),
Cyber Incident Reporting for Critical Infrastructure (pg 59),
Critical Infrastructure Cybersecurity Shared Services Pilot Program (pg 62), and
SLTT Resilience Technical Assistance (pg 65).
The Committee expresses concern about the progress CISA is making in completing the CIRCIA rulemaking within the legislative time limits. The notice of proposed rulemaking for the cybersecurity incident reporting rule is due in March of 2024. The Report notes that:
“The recommendation includes $72,240,000 associated with CIRCIA implementation, $25,469,000 below the request. The Committee believes the amount provided will adequately support the on-time implementation of CIRCIA.”
Commentary: A 26.1% reduction in funding for development of a regulatory program could only make sense to a cost-cutting Republican congress. This will either cause CISA to miss their deadline or reduce efficacy of the supporting infrastructure.
The following S&T cybersecurity programs are discussed in the Report:
Cyber Vulnerabilities in the Agriculture and Food Value Chain (pgs 81-2),
Forensics Center (pg 82),
Port and Maritime Resiliency and Security (pg 83),
Positioning, Navigation, and Timing (PNT) Services (pg 83), and
U.S.-Israel Cybersecurity Cooperation Enhancement Program (pg 84).
The discussion in the Report about PNT services provides an interesting insight into the Committee’s technological expertise. They note:
“The Committee encourages S&T to continue its work supporting Assured PNT systems research and development that informs best practices and provide tools to critical infrastructure owners and operators on how best to prepare for and protect PNT capabilities and electronic systems against an electromagnetic pulse, geomagnetic disturbance event, and other threats.”
Commentary: While EMP and GMP obviously pose a threat to PNT services, that is such a small portion of the scope of those potential threats that it probably does not deserve mention here. PNT services are going to experience more common threats from spoofing activities and interference issues, These ae the threats that should received the attention of S&T’s research support.
Cyber Workforce Issues
On overall spending level issues, the Committee notes (pg 56):
“The recommendation does not include the requested funding for reinstatement of the reduction for payroll under-execution in Public Law 117–328, due to CISA’s failure to provide accurate pay analysis and projections to warrant the reinstatement. The recommendation also includes a decrease of $6,000,000 from the requested amount for expected payroll under-execution within Mission Support, and to slow administrative personnel growth while CISA lags behind in hiring to enacted levels in mission critical areas such as Cybersecurity.”
The Report discusses the following workforce issues:
Cyber Defense Education and Training Program (CDET) (pg 58)
Cybersecurity Support for CISA (pg 60), and
Regional Security Advisors (pg 64),
The RSA program is one of the many areas where CISA is apparently delinquent in providing a report to Congress. It is not specifically clear whether this delinquency has affected spending levels, but the Committee notes:
“The Committee generally supports the use of existing funds for additional cybersecurity advisors in the ten CISA regional offices, as highlighted in the 2022–2026 Strategic Plan, to supplement regional capability in areas of high demand or national security importance.”
Counter-UAS Issues
The Report includes discussions about counter-UAS activities in the Department:
Center for Air and Marine Drone Exploitation (CAMDEx)(pg29),
Counter-UAS (CUAS) Systems for Fast Response Cutters (pgs 46-7), and
Border Threat of Small Unmanned Aerial Systems (sUAS) (pg 81).
Moving Forward
This, as with all spending bills, is a bill that has not been passed in the House for some time. In recent years disagreements over immigration and border issues have even stopped the Committee from attempting to publish/report a DHS spending bill. The Republican leadership has included their solutions this year over the opposition of the minority. The Minority Views section (pg 190) of the report outlines their problems with those solutions. What this means for the bill is that it may pass in the House, but it will be strictly on a party-line vote. That is, of course, if the Republican 11 are satisfied in the level of spending cuts included in the bill.
There is little in this bill that will pass mustard with the Democrats in the Senate. Their version of the bill will look a lot different. When the Senate takes up HR 4367 (if, a really big ‘if’, the House actually passes it) they will substitute language from the version being developed by the Senate Appropriations Committee. That version (much amended to appease at least 10 Republicans) may pass on a slightly bipartisan basis. Then a conference committee will work out the differences and maybe McCarthy will work a deal with Democrats to pass the bill in opposition to the right wing of his Party.
There are way too many ‘if’s’, ‘maybe’s’, and ‘may’s’ and other qualifiers in that description. I will not be surprised if this bill never makes it to the President’s desk.