Senators want federal cyber pros to detail how they’re going to modernize their agencies

The Senate Homeland Security and Governmental Affairs committee moved legislation Wednesday that would kickstart IT and cybersecurity modernization efforts at many federal agencies.

An amended version of the Legacy IT Reduction Act, sponsored by Sens. Maggie Hassan, D-N.H., and John Cornyn, R-Texas, was passed unanimously through the committee Wednesday. Under the version proposed by Hassan and Cornyn, chief information officers at the 24 CFO Act agencies would be required to compile an inventory of legacy software systems and other applications used at their agency, how they fit into the agency’s mission, their expected retirement dates and the price of replacing them with newer technologies  

Within two years, those agencies will need to have detailed modernization plans in place that prioritize replacing those systems over the next five years, as well as anticipated costs and sources of funding. It would also require that any new or updated systems acquired support modern security standards.

“Updating government technology will save taxpayer dollars, strengthen cybersecurity and improve Americans’ interaction with federal agencies,” Hassan said Wednesday. “This common sense bill will help ensure that the federal government isn’t wasting taxpayer dollars or risking cyber attack simply because it hasn’t updated the necessary technology systems and equipment.”

Another amendment by Hassan that dealt with how to fund the modernization efforts did not pass through. The civilian federal government spends around $100 billion a year on its IT needs, but much of that money goes to maintaining older systems and hardware. While Congress has often rhetorically supported the notion of modernization, it has historically been reluctant to dedicate significant new spending to do it, often foregoing large tranches of funding for agencies in favor of more piecemeal reforms done through working capital funds and underfunded programs, like the Technology Modernization Fund, that carry strict repayment terms.

That has changed over the past year, as the Biden administration successfully pushed for $1 billion in new funding for the TMF under the American Rescue Plan Act and put in place more flexible repayment terms for agencies to pay the money back.

They’ve also significantly focused the new dollars on modernizing the cybersecurity operations of agencies like the General Services Administration and Office of Personnel Management, as well as shared services like Login.gov, a single-sign-on service for the public to use when interacting with federal websites. Recently, the administration’s proposed budget calls for another $300 million for TMF, as Washington writ large has slowly started to come around to the idea that cybersecurity and IT modernization in the federal government are inextricably linked.

“I look forward to continuing to work on the important issue of funding IT modernization projects. It’s critical that we expand access to IT working capital funds and the technology modernization fund to help agencies fund their IT modernization projects in a fiscally responsible way,” Hassan said.

Bills addressing satellite and healthcare cybersecurity pass

Two other amended cyber bills passed through the committee Wednesday.

The Satellite Cybersecurity Act, introduced by Cornyn and committee chair Gary Peters, D-Mich., passed with amendments from Peters and Sen. Jon Ossoff, D-Ga. It would require the U.S. Comptroller General to study how effectively the federal government is supporting satellite infrastructure owners and operators in defending their systems and hardware from malicious hackers. The report, which will focus on taking stock of the resources federal agencies are currently providing, specify what statutory or regulatory authorities they bring to bear and detailing the extent that their own operations are reliant on such infrastructure, appears designed to tee up potential legislative action down the road.

Under the bill, the Comptroller General would coordinate the study with the departments of Homeland Security and Defense, the National Institute for Standards and Technology, the Federal Communications Commission, the National Oceanic and Atmospheric Administration and the Federal Aviation Administration.

The issue of satellite cybersecurity has been top of mind for many legislators in the wake of the ViaSat hack, which U.S. officials have said was carried by the Russian government, that took down satellite communications in Ukraine and other countries across Europe. While the bill passed out of committee Wednesday does little to address immediate threats, it does reflect the willingness of Congress to explore additional programs and resources to offer satellite owners and operators.

The committee also passed an amended version of the Healthcare Cybersecurity Act of 2022, which would require the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency to enter into a collaborative agreement around improving cybersecurity in the healthcare and public health sectors.

The work would include a study on specific cybersecurity risks facing the sectors or impacting health IT assets, what sort of challenges healthcare facilities face when securing their information systems and how to do so while dealing with a shortage of qualified cybersecurity workers. It will also authorize new trainings for healthcare asset owners and operators on a range of cybersecurity risks and how to mitigate them.