Policymakers struggle to factor cybersecurity into federal funding programs
Publish Date: 2026-06-22 16:05:00
Source Domain: federalnewsnetwork.com
A new policy report is urging Congress and the Trump administration to more effectively make cybersecurity a factor in grants and other federally funded projects, as power grids, water utilities and other critical systems are increasingly vulnerable to hacking threats.
In a policy memo first shared with Federal News Network, the Institute for Security and Technology says Congress has missed multiple opportunities in recent years to include stronger cyber requirements in infrastructure investments and other big spending legislation.
Agencies have also largely failed to implement cyber standards, or to ensure those standards were upheld, as they awarded billions of dollars in grants and other funding to state and local governments and the private sector for infrastructure upgrades, according to the report.
Nicholas Leiserson, senior vice president for policy at IST, said federal grant dollars increasingly finance IT and digital technologies relied upon by organizations ranging from hospitals and schools to power grids and water utilities.
“There’s a broad consensus that it makes sense that those things should be secure, that you want to buy things that are secure by design,” Leiserson said in an interview. “However, what we don’t see is consistent application of cybersecurity requirements associated with these programs.”
The issue has stagnated despite repeated official warnings that foreign hackers, notably the China-connected group “Volt Typhoon,” have infiltrated U.S. critical infrastructure systems so that they could disrupt them in the event of a future conflict.
Recent advancements in artificial intelligence tools could also “accelerate these significant challenges,” the IST report warns.
The report suggests that the forthcoming farm bill or the surface transportation reauthorization are near-term opportunities for Congress to consider stronger approaches to securing critical infrastructure systems.
Leiserson, a former Capitol Hill staffer who also served in senior roles in the Office of the National Cyber Director during the Biden administration, said he hopes lawmakers and government officials take some inspiration from the IST memo when crafting new policies and funding.
“Despite the fact that there is a consensus among policymakers that this is a good lever to pull, when you get down to the last mile, you’re not actually seeing that consensus at a strategic level translate into requirements operationally,” Leiserson said.
Many federal grants and acquisitions include requirements to protect sensitive government data, such as taxpayer data or law enforcement information.
“What there aren’t necessarily requirements tied to is, what about systems?” Leiserson said. “We should expect that if we’re going to, as a federal government, make investments in infrastructure, that it will be maintained, it will be usable, and that someone is not just going to wander by and knock it offline or make that service unavailable to folks.”
‘Missed opportunities’
The IST memo asserts that the $1.2 trillion Bipartisan Infrastructure Law (BIL) is one of several “missed opportunities” for Congress in recent years.
While the law established a $1 billion grant program for state and local government cybersecurity, the memo notes that the law’s broader infrastructure spending required little in the way of cybersecurity planning or upgrades.
Still, Brian Scott, principal of Bright Shield Strategies LLC and former deputy assistant national cyber director for cyber policy and programs, said the Biden administration wanted to ensure the infrastructure awards included “appropriate resilience and cybersecurity measures.”
Officials from ONCD and the National Security Council developed plans to include cybersecurity planning and assessment requirements in the funding. But those efforts were challenging for multiple reasons, Scott recalled, including concerns that robust cyber requirements would discourage small businesses from competing for the funds.
Meanwhile, many grants-making agencies said they lacked the expertise to evaluate cybersecurity plans and assessments that would be submitted by grantees, Scott said.
Ultimately, the Biden administration included language about the importance of cybersecurity in BIL notices of funding opportunities (NOFOs). But the IST report notes that the language in the NOFOs was vague and difficult to enforce.
In 2024, ONCD published a “playbook” for strengthening cybersecurity across federal grant programs. The playbook sought to address the “shortcomings” of the earlier BIL approach.
“We went through a lot of iterations, but at the very end it was designed as a tool for agencies, state and local entities, and grant recipients,” Scott said. “That’s what we tried to do. We provided NOFO language, we provided terms and conditions language, so that it’s pretty simple and clear to understand, and then gave the respective grantees a template for how to do a risk assessment and how to do a plan.”
The IST report suggests the ONCD playbook could be a starting point to set governmentwide cybersecurity risk mitigation requirements for federal awards.
Agency-specific versus universal requirements
Meanwhile, the infrastructure law did require the Energy Department to specifically factor cybersecurity into billions of dollars for energy infrastructure upgrades. Under that effort, DOE’s Office of Cybersecurity, Energy Security, and Emergency Response, or CESER, has been charged with reviewing cyber plans submitted by awardees, meaning that cyber experts oversee those plans.
Yet even that program is not mandatory, the IST report notes, and could benefit from more stringent oversight of whether the cyber plans are being executed.
“We point to what CESER is doing as the leading light, and the disturbing thing I think from my perspective is, we don’t see more things that are at least at that level,” Leiserson said.
The IST report says Energy’s implementation of the infrastructure law’s cyber requirements could be a model for an agency-specific approach. But policymakers “should consider making plans mandatory and incorporating the ability to audit and hold grantees accountable after funding is awarded,” the report continues.
The IST report also suggests policymakers could consider creating a cybersecurity set-aside in federally funded programs. It points to research that finds approximately 10% of IT budgets are spent on security.
The set-aside approach would give federal awardees more flexibility in how they build their cybersecurity plans. But a fixed percentage could also be inefficient, since a given project may need more or less than that amount depending on its specific risks.
Leiserson said whatever approach policymakers choose, they should make cybersecurity investments on the front end of new infrastructure projects, rather than deferring them and letting cyber risks spread over time.
“It is very difficult to hold in your head that this is a serious risk that we need to address as a national security issue, and in the same breath, say, we can’t devote any resources to it,” he said.
© 2026 Federal News Network. All rights reserved.