By Cynthia Brumfield
On December 23, the House gave final congressional approval to a $1.7 trillion omnibus spending bill that funds government operations through fiscal year 2023. On December 29, President Biden signed it. The 4,155-page bill reflects an already agreed-upon $858 billion for defense spending and an additional $800 billion for non-defense spending, including several prominent cybersecurity items.
US Senator Chris Murphy (D-CT), chair of the Subcommittee on Homeland Security, said, “This bill is a reasonable compromise, and I’m proud of the investments it would make in the responsible management of our border, the protection of our nation from cyber threats, and the protection of our coastlines and airports.”
On the House side, Homeland Security Subcommittee Chairwoman Lucille Roybal-Allard (D-CA) said, “This year’s appropriations bill for the Department of Homeland Security makes historic investments in America’s domestic, maritime, and border security while also protecting critical cyber and physical infrastructure and supporting disaster relief.”
Cybersecurity is referenced dozens of times in the bill, highlighting how routine cybersecurity spending has become in the federal government. The following cybersecurity provisions in the spending bill are noteworthy for their prominence, the dollar amounts involved, their first-time appearance in the annual appropriations process, or the emphasis lawmakers place upon them.
Despite ongoing efforts by China’s ByteDance to forge a compromise agreement with the Committee on Foreign Investment in the US (CFIUS) to assuage the national security concerns surrounding its popular TikTok video app, the spending bill prohibits the use of TikTok on executive agency phones. The legislation requires the Office of Management and Budget (OMB), in consultation with the administrator of General Services, the director of the Cybersecurity and Infrastructure Security Agency (CISA), the director of national intelligence, and the secretary of defense, to develop within 60 days standards and guidelines for executive agencies requiring the app’s removal.
Following the bill’s passage by Congress, the chief administrative officer of the US House of Representatives banned TikTok from the phones of House members and staff effective immediately. A TikTok spokesperson said, “We’re disappointed that Congress has moved to ban TikTok on government devices — a political gesture that will do nothing to advance national security interests — rather than encouraging the administration to conclude its national security review. The agreement under review by CFIUS will meaningfully address any security concerns that have been raised at both the federal and state level.”
The bill stipulates that no government agency may use its funds to buy telecom equipment from Chinese tech giants Huawei or ZTE for “high or moderate impact information systems,” as those impact levels are defined by the National Institute of Standards and Technology (NIST).
It further states that agencies cannot use any of their funds for technology, including biotechnology, digital, telecommunications, and cyber, developed by the People’s Republic of China unless the secretary of state, in consultation with the USAID administrator and the heads of other federal agencies, as appropriate, determines that such use does not adversely impact the national security of the United States.
Moreover, no agency can spend funds on entities owned, directed, or subsidized by China, Iran, North Korea, or Russia unless the FBI or other appropriate federal entity has assessed any risk of cyber espionage or sabotage associated with acquisitions from these entities.
The bill incorporates the Ransomware Act, which requires the Federal Trade Commission (FTC) to deliver to Congress in 2025 and 2027 a report that spells out the number and types of ransomware incidents or other cyberattacks from China, North Korea, Iran, or Russia. It also invites the FTC to share information on litigation related to these incidents and recommend new laws and business practices to strengthen the resilience of US organizations against digital threat actors.
Finally, the bill amends the Federal Food, Drug, and Cosmetic Act to make medical device makers meet specific cybersecurity requirements. Among them is submitting to the FDA a plan to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
The manufacturers must also maintain processes that provide reasonable assurance their devices and related systems are secure, and must make post-market software and firmware updates and patches available: on a regular cycle for known vulnerabilities, and out of cycle as soon as possible for critical vulnerabilities. The device makers are further required to provide the FDA with a software bill of materials (SBOM) that covers the commercial, open-source, and off-the-shelf software components used by the devices.
The bill further requires the FDA to publish, within 180 days and at least annually thereafter, additional resources and information on improving the cybersecurity of medical devices, including guidance on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office (GAO) is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities and how federal agencies can strengthen coordination to improve the cybersecurity of devices.
Copyright © 2022 IDG Communications, Inc.