The $1 trillion infrastructure bill would put $20 million in the Cyber Response and Recovery Fund in fiscal 2022 and every year thereafter through fiscal 2027, a bipartisan group of senators revealed Sunday.
The fund supports the Cybersecurity and Infrastructure Security Agency's response efforts after the Homeland Security secretary, in consultation with the national cyber director, declares a significant cyber incident at the federal, state, local or tribal level.
Senators want to bolster the fund after significant cyber incidents like the compromise of the SolarWinds Orion software supply chain, which saw multiple federal agencies breached.
CISA can spend the funds on vulnerability assessments, technical incident mitigation, malware analysis, analytic support, threat detection and hunting, and network protections. Funds may also be used for grants or cooperative agreements that update or replace hardware and software or else to contract IT or cyber personnel.
Agencies may be required to reimburse the funds and must report on their use. Meanwhile, CISA must notify the national cyber director of the duration of the significant cyber incident and the reason for and coordination of any allotted funds. The Homeland Security secretary then has 180 days to report how the funds were used and their effectiveness in mitigating the incident.
The Senate bill would provide CISA an additional $35 million for risk management and stakeholder engagement operations and support, and the new national cyber director office would receive its first $21 million for salaries and expenses until fiscal 2022 appropriations are made.
The Department of Homeland Security Science and Technology Directorate would receive $157.5 million for non-cyber and cyber-related research and development into critical infrastructure security and resilience, security testing of telecommunications equipment, industrial control systems and open-source software.