{"id":235306,"date":"2026-06-22T16:05:00","date_gmt":"2026-06-22T20:05:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/22\/policymakers-struggle-to-factor-cybersecurity-into-federal-funding-programs\/"},"modified":"2026-06-22T16:10:12","modified_gmt":"2026-06-22T20:10:12","slug":"policymakers-struggle-to-factor-cybersecurity-into-federal-funding-programs","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/22\/policymakers-struggle-to-factor-cybersecurity-into-federal-funding-programs\/","title":{"rendered":"Policymakers struggle to factor cybersecurity into federal funding programs"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/policymakers-struggle-to-factor-cybersecurity-into-federal-funding-programs\/\">Policymakers struggle to factor cybersecurity into federal funding programs<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/policymakers-struggle-to-factor-cybersecurity-into-federal-funding-programs\/\">https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/policymakers-struggle-to-factor-cybersecurity-into-federal-funding-programs\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-22 16:05:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>                    A new policy report is urging Congress and the Trump administration to more effectively make cybersecurity a factor in grants and other federally funded projects, as power grids, water utilities and other critical systems are increasingly vulnerable to hacking threats.<br \/>\nIn a policy memo first shared with Federal News Network, the Institute for Security and Technology says Congress has missed multiple opportunities in recent years to include stronger cyber requirements in infrastructure investments and other big spending legislation.<br \/>\nAgencies have also largely failed to implement and ensure cyber standards are upheld as they awarded billions of dollars in grants and other funding to state and local governments and the private sector for infrastructure upgrades, according to the report.<br \/>\nNicholas Leiserson, senior vice president for policy at IST, said federal grant dollars increasingly finance IT and digital technologies relied upon by organizations ranging from hospitals and schools to power grids and water utilities.]]><\/p>\n<p>\u201cThere\u2019s a broad consensus that it makes sense that those things should be secure, that you want to buy things that are secure by design,\u201d Leiserson said in an interview. \u201cHowever, what we don\u2019t see is consistent application of cybersecurity requirements associated with these programs.\u201d<br \/>\nThe issue has stagnated despite repeated official warnings that foreign hackers, notably the China-connected group \u201cVolt Typhoon,\u201d have infiltrated U.S. critical infrastructure systems to disrupt them in the event of a future conflict.<br \/>\nRecent advancements in artificial intelligence tools could also \u201caccelerate these significant challenges,\u201d the IST report warns.<br \/>\nThe report suggests that the forthcoming farm bill or the surface transportation reauthorization are near-term opportunities for Congress to consider stronger approaches to securing critical infrastructure systems.<br \/>\nLeiserson, a former Capitol Hill staffer who also served in senior roles in the Office of the National Cyber Director during the Biden administration, said he hopes lawmakers and government officials take some inspiration from the IST memo when crafting new policies and funding.<br \/>\n\u201cDespite the fact that there is a consensus among policymakers that this is a good lever to pull, when you get down to the last mile, you\u2019re not actually seeing that consensus at a strategic level translate into requirements operationally,\u201d Leiserson said.<br \/>\nMany federal grants and acquisitions include requirements to protect sensitive government data, such as taxpayer data or law enforcement information.]]><\/p>\n<p>\u201cWhat there aren\u2019t necessarily requirements tied to is, what about systems?\u201d Leiserson said. \u201cWe should expect that if we\u2019re going to, as a federal government, make investments in infrastructure, that it will be maintained, it will be usable, and that someone is not just going to wander by and knock it offline or make that service unavailable to folks.\u201d<br \/>\n\u2018Missed opportunities\u2019<br \/>\nThe IST memo asserts that the $1.2 trillion Bipartisan Infrastructure Law (BIL) is one of several \u201cmissed opportunities\u201d for Congress in recent years.<br \/>\nWhile the law established a $1 billion grant program for state and local government cybersecurity, the memo notes that the law\u2019s broader infrastructure spending required little in the way of cybersecurity planning or upgrades.<br \/>\nStill, Brian Scott, principal of Bright Shield Strategies LLC and former deputy assistant national cyber director for cyber policy and programs, said the Biden administration wanted to ensure the infrastructure awards included \u201cappropriate resilience and cybersecurity measures.\u201d<br \/>\nOfficials from ONCD and the National Security Council developed plans to include cybersecurity planning and assessment requirements in the funding. But those efforts were challenging for multiple reasons, Scott recalled, including concerns that robust cyber requirements would discourage small businesses from competing for the funds.<br \/>\nMeanwhile, many grants-making agencies said they lacked the expertise to evaluate cybersecurity plans and assessments that would be submitted by grantees, Scott said.<br \/>\nUltimately, the Biden administration included language about the importance of cybersecurity in BIL notices of funding opportunities (NOFOs). But the IST report notes that the language in the NOFOs was vague and difficult to enforce.<br \/>\nIn 2024, ONCD published a \u201cplaybook\u201d for strengthening cybersecurity across federal grant programs. The playbook sought to address the \u201cshortcomings\u201d of the earlier BIL approach.<br \/>\n\u201cWe went through a lot of iterations, but at the very end it was designed as a tool for agencies, state and local entities, and grant recipients,\u201d Scott said. \u201cThat\u2019s what we tried to do. We provided NOFO language, we provided terms and conditions language, so that it\u2019s pretty simple and clear to understand, and then gave the respective grantees a template for how to do a risk assessment and how to do a plan.\u201d]]><\/p>\n<p>The IST report suggests the ONCD playbook could be a starting point to set governmentwide cybersecurity risk mitigation requirements for federal awards.<br \/>\nAgency-specific versus universal requirements<br \/>\nMeanwhile, the infrastructure law did require the Energy Department to specifically factor cybersecurity into billions of dollars for energy infrastructure upgrades. Under that effort, DOE\u2019s Office of Cybersecurity, Energy Security, and Emergency Response, or CESER, has been charged with reviewing cyber plans submitted by awardees, meaning that cyber experts oversee those plans.<br \/>\nYet even that program is not mandatory, the IST report notes, and could benefit from more stringent oversight of whether the cyber plans are being executed.<br \/>\n\u201cWe point to what CESER is doing as the leading light, and the disturbing thing I think from my perspective is, we don\u2019t see more things that are at least at that level,\u201d Leiserson said.<br \/>\nThe IST report says Energy\u2019s implementation of the infrastructure law\u2019s cyber requirements could be a model for an agency-specific approach. But policymakers \u201cshould consider making plans mandatory and incorporating the ability to audit and hold grantees accountable after funding is awarded,\u201d the report continues.<br \/>\nThe IST report also suggests policymakers could consider creating a cybersecurity set-aside in federally funded programs. It points to research that finds approximately 10% of IT budgets are spent on security.<br \/>\nThe set-aside approach would give federal awardees more flexibility in how they build their cybersecurity plans. But it could also lead to inefficiencies when more or less funding is needed, depending on the risks of the specific project.<br \/>\nLeiserson said whatever approach policymakers choose, they should take steps to make cybersecurity investments on the front end of new infrastructure projects, rather than letting cyber risks diffuse over time.<br \/>\n\u201cIt is very difficult to hold in your head that this is a serious risk that we need to address as a national security issue, and in the same breath, say, we can\u2019t devote any resources to it,\u201d he said.<br \/>\n                    Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Policymakers struggle to factor cybersecurity into federal funding programs https:\/\/federalnewsnetwork.com\/cybersecurity\/2026\/06\/policymakers-struggle-to-factor-cybersecurity-into-federal-funding-programs\/ Publish Date: 2026-06-22 16:05:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":235307,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2022\/05\/Copy-of-Untitled-5.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[20,24],"class_list":["post-235306","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-artificial-intelligence","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235306"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=235306"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235306\/revisions"}],"predecessor-version":[{"id":235309,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235306\/revisions\/235309"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/235307"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=235306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=235306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=235306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}