Portman, Peters Introduce Bill to Require Federal Government to Improve Cybersecurity Budgeting

October 1, 2020 | Press Releases

WASHINGTON, DC — U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI) introduced the bipartisan Risk-Informed Spending for Cybersecurity (RISC) Act to require the federal government to make better investments in cybersecurity protections to keep Americans’ data safe. The legislation would require federal agencies to efficiently allocate limited cybersecurity resources to acquire capabilities that address the most pressing cyber threats. In June 2019, Senator Portman, as Chairman of the Permanent Subcommittee on Investigations, released a bipartisan report that found that the vast majority of agencies reviewed by the Subcommittee failed to implement effective and comprehensive cybersecurity frameworks. This included the failure to protect sensitive personally identifiable information and an overreliance on outdated legacy systems.

“Through the budget process, agencies make decisions about the tools they need to ensure they are addressing risks and closing capability gaps. Too often, insufficient information about threats and their associated risks inhibits their ability to make the best, most informed decisions. It is crucial that federal agencies know the return on investment for each cybersecurity capability acquired and whether those capabilities address existing security vulnerabilities. This bipartisan legislation will help give federal agencies the information they need to make informed decisions about their cybersecurity budgets. I urge my colleagues in the Senate to support this important, bipartisan cybersecurity initiative,” Senator Portman said.

“It is incredibly concerning that an Office of Management and Budget study found that 74 percent of federal government agencies weren’t fully capable of identifying, responding, or recovering from cyber-attacks. As government operations increasingly move online, particularly during the current pandemic, we must ensure that our cybersecurity defenses are capable of guarding against attacks,” said Senator Peters, Ranking Member of the Homeland Security and Governmental Affairs Committee. “I am proud to introduce this commonsense, bipartisan legislation that will require federal agencies to understand the risks facing them, and prioritize their cybersecurity budgets based on those risks.”

“The Alliance for Digital Innovation (ADI) congratulates Senators Portman and Peters on the introduction of the ‘Risk-Informed Spending for Cybersecurity Act.’ This important piece of legislation will greatly enhance Federal cybersecurity through the development of a data-driven, risk-based budgeting process for Federal information security programs and technological capabilities. The bill would push agencies to leverage better intelligence, data, and real-time information to provide a more robust understanding of their current cybersecurity performance and to improve the budget and appropriations process to ensure agencies have the resources they need to mitigate critical threats and vulnerabilities. ADI appreciates the leadership of Senators Portman and Peters on this critical step forward to improve FISMA and drive more effective cyber hygiene across the Federal enterprise,” said Matthew Cornelius, Executive Director of the Alliance for Digital Innovation.

The Risk-Informed Spending for Cybersecurity Act would require the Office of Management and Budget to develop a risk-based budgeting model. It would also require agencies to use the model once it is developed.