John Streufert, director of the National Cyber Security Division at the Department of Homeland Security, participates in a panel discussion about cyber acquisitions at the Multiple-Award Government and Industry Conference at the Hilton Alexandria Mark Center in Alexandria, Va., on Thursday. (Mike Morones/Staff)
Congress passed a full-year spending bill Thursday that provides $792 million for cyber efforts that better secure federal networks and fund the government’s continuous monitoring program.
The bill, which now heads to President Obama for his signature, funnels some of that money through the Department of Homeland Security’s Federal Network Resilience division. The money will fund governmentwide and agency-specific efforts “to provide adequate, risk-based, and cost-effective cybersecurity to address escalating and rapidly evolving threats to information security.”
This includes funding for acquisitions and operations under the Continuous Diagnostics and Mitigation (CDM) program, such as equipment, software and services offered by DHS, according to the legislation.
The governmentwide CDM program is managed by DHS and includes a $6 billion contract under which agencies can buy tools and eventually services for monitoring their networks and addressing their most severe problems first.
The National Protection and Programs Directorate, which houses the Federal Network Resilience division, is required to submit a report to both appropriations committees by April 1 and afterward on a quarterly basis, according to the legislation. The report must detail how funds are being spent. Agencies have to detail plans by July 1 for addressing known vulnerabilities to their information systems.
The legislation makes clear that data collected by continuous monitoring software and shared with DHS should not include personally identifiable information or content of network communications by agency personnel. John Streufert, director of DHS' Federal Network Resilience division, has said summaries of data collected by the monitoring tools will be reported to DHS and used to identify and address the government's most severe security problems.
Monitoring software must also comply with applicable privacy laws and agency-specific policies regarding network content, according to the legislation. Funding under the bill will not replace specific agency funds for protecting their systems.