Cybersecurity and Infrastructure Security Agency - Congressional

218820

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 1

Department of Homeland Security

Cybersecurity and Infrastructure Security Agency

Budget Overview

Fiscal Year 2020 Congressional Justification

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 2 Table of Contents

Cybersecurity and Infrastructure Security Agency ...........................................................................................................................................................1

Appropriation Organization Structure ...........................................................................................................................................................................3

Strategic Context ................................................................................................................................................................................................................5

Budget Comparison and Adjustments ...........................................................................................................................................................................14

Personnel Compensation and Benefits ...........................................................................................................................................................................25

Non Pay Budget Exhibits.................................................................................................................................................................................................26

Supplemental Budget Justification Exhibits .................................................................................................................................................................28

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 3 Cybersecurity and Infrastructure Security Agency

Appropriation Organization Structure

Organization Name Level Fund Type (* Includes Defense Funding) Cybersecurity and Infrastructure Security Agency Component

Operations and Support Appropriation

Mission Support PPA Discretionary - Appropriation*

Cybersecurity PPA

Cyber Readiness and Response PPA Level II Discretionary - Appropriation* Cyber Infrastructure Resilience PPA Level II Discretionary - Appropriation* Federal Cybersecurity PPA Level II Discretionary - Appropriation*

Infrastructure Security PPA

Infrastructure Capacity Building PPA Level II Discretionary - Appropriation* Infrastructure Security Compliance PPA Level II Discretionary - Appropriation*

Emergency Communications PPA

Priority Telecommunications Services PPA Level II Discretionary - Appropriation* Emergency Communications Preparedness PPA Level II Discretionary - Appropriation*

Integrated Operations PPA

Risk Management Operations PPA Level II Discretionary - Appropriation* Critical Infrastructure Situational Awareness PPA Level II Discretionary - Appropriation* Stakeholder Engagement and Requirements PPA Level II Discretionary - Appropriation* Strategy, Policy, and Plans PPA Level II Discretionary - Appropriation*

Office of Biometric Identity Management PPA

Identity and Screening Program Operations PPA Level II Discretionary - Appropriation

IDENT/Homeland Advanced Recognition Technology Operations and Maintenance PPA Level II Discretionary - Appropriation

Procurement, Construction, and Improvements Appropriation Construction and Facilities Improvements PPA Discretionary - Appropriation

Cybersecurity PPA

Continuous Diagnostics and Mitigation PPA Level II,Investment Discretionary - Appropriation* National Cybersecurity Protection System PPA Level II,Investment Discretionary - Appropriation*

Federal Infrastructure Evolution Modernization PPA Level II,Investment Discretionary - Appropriation*

Emergency Communications PPA

Next Generation Networks Priority Services PPA Level II,Investment Discretionary - Appropriation*

Biometric Identity Management PPA

IDENT/Homeland Advanced Recognition Technology PPA Level II,Investment Discretionary - Appropriation

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 4 Organization Name Level Fund Type (* Includes Defense Funding)

Risk Management Operations PPA

Infrastructure Security PPA

Research and Development Appropriation

Cybersecurity PPA Discretionary - Appropriation*

Infrastructure Security PPA Discretionary - Appropriation* Risk Management Operations PPA Discretionary - Appropriation*

Federal Protective Service Appropriation

FPS Operations PPA

Operating Expenses PPA Level II Discretionary - Offsetting Fee

Countermeasures PPA

Protective Security Officers PPA Level II Discretionary - Offsetting Fee Technical Countermeasures PPA Level II Discretionary - Offsetting Fee

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 5 Cybersecurity and Infrastructure Security Agency

Strategic Context

Component Overview

The strategic context presents the performance budget by tying together strategy, budget resource requests, programs, or PPAs, and performance

measures that gauge the delivery of results to our stakeholders. The Common Appropriation Structure (CAS) allows DHS to integrate the strategic

programmatic view with our budget view of resources. With this structure, a significant portion of the Level 1 PPAs represent what DHS refers to as

our mission programs. A mission program is a group of activities acting together to accomplish a specific high-level outcome external to DHS and

d below. Performance

measures associated with these programs are presented in two measure sets, strategic and management measures. Strategic measures communicate

results delivered for our agency goals by these mission programs and are considered our Government Performance and Results Act Modernization

Act of 2010 (GPRAMA) measures. Additional management measures are displayed to provide a more thorough context of expected program

because the measure did not exist at that time.

Cybersecurity: The Cybersecurity program advances computer security preparedness and the response to cyberattacks and incidents. The program

includes activities to secure the federal network, respond to incidents, disseminate actionable information, and collaborate with private-sector

partners to secure critical infrastructure. This program supports the implementation of government-wide deployment of hardware and software

systems to prevent and detect incidents, response to incidents at federal and private entities, and collaboration with the private sector to increase

the security and resiliency of critical networks. The program also coordinates cybersecurity education for the federal workforce.

Strategic Measures

Measure: Average number of hours to notify agency of an incident on their network from earliest detection of potentially malicious activity

Description: This measure provides insight into the efficiency and effectiveness of the NCPS program as a whole, by assessing average time to

notify agency of an incident on their network, ensuring that the program is focusing time and resources primarily on identifying legitimate security

threats. When activity on a federal network corresponds to an active Indicator of Compromise (IOC) deployed through the National Cybersecurity

Protection System (NCPS), an alert is generated and sent to DHS. After initial review, DHS analysts triage the alerts based on a number of

factors. If an alert, or several related alerts, is confirmed as suspected malicious activity, an incident ticket is created and notification is sent to the

affected agency for further action. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- --- --- 24 24

Result: --- --- --- --- TBD TBD

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 6

Measure: Percent of incidents detected or blocked by EINSTEIN intrusion detection and prevention systems that are attributed to Nation State

activity Description: This measure demonstrates the EINSTEIN intrusion detection and prevention

significant malicious cyber-activity by Nation States on federal civilian networks. Nation States possess the resources and expertise to not only

develop sophisticated cyber-attacks but sustain them over long periods of time. Thus the indicators that EINSTEIN deploys to detect and block

malicious cyber-activity should focus on methods and tactics employed by Nation States. The overall percentage of incidents related to Nation

State activity is expected to increase through greater information sharing with partners and improved indicator development, which will result in

better incident attribution. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- --- 20% 21% 22%

Result: --- --- --- 29% TBD TBD

Measure: Percent of participating federal, civilian executive branch agencies for which Continuous Diagnostics and Mitigation (CDM)

capabilities to manage user access and privileges to their networks are being monitored on the DHS managed Federal Dashboard

Description: This measure calculates the percent of participating federal, civilian executive branch agencies in the Continuous Diagnostics and

Mitigation (CDM) program whose data relating to user activities on their network is visible on the DHS managed Federal Dashboard. The data

ining to this

particular CDM capability that focuses on restricting network privileges and access to only those individuals who need it to perform their duties.

The data that is visible to the agencies is at the individual/object level while the Federal Dashboard will provide DHS with summary level

vulnerability and security information. Deploying CDM and sharing information with Federal agencies will enable greater DHS visibility and

management of the security of Federal IT networks. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- --- --- 42% 63%

Result: --- --- --- --- TBD TBD

Measure: Percent of respondents indicating that operational cybersecurity information products provided by DHS are helpful

Description: This measure assesses whether the products that the DHS National Cybersecurity and Communications Integration Center (NCCIC)

feedback form

enables recipients of products to submit feedback about the content of each product. Question five of the feedback survey solicits data on how

helpful the information is to the stakeholder. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- 78% 90% 90% 90%

Result: --- --- 92% 93% TBD TBD

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 7

Measure: Percent of significant (critical and high) vulnerabilities identified by DHS cyber hygiene scanning of federal networks that are mitigated

within the designated timeline

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 1

Department of Homeland Security

Cybersecurity and Infrastructure Security Agency

Budget Overview

Fiscal Year 2020 Congressional Justification

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 2 Table of Contents

Cybersecurity and Infrastructure Security Agency ...........................................................................................................................................................1

Appropriation Organization Structure ...........................................................................................................................................................................3

Strategic Context ................................................................................................................................................................................................................5

Budget Comparison and Adjustments ...........................................................................................................................................................................14

Personnel Compensation and Benefits ...........................................................................................................................................................................25

Non Pay Budget Exhibits.................................................................................................................................................................................................26

Supplemental Budget Justification Exhibits .................................................................................................................................................................28

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 3 Cybersecurity and Infrastructure Security Agency

Appropriation Organization Structure

Organization Name Level Fund Type (* Includes Defense Funding) Cybersecurity and Infrastructure Security Agency Component

Operations and Support Appropriation

Mission Support PPA Discretionary - Appropriation*

Cybersecurity PPA

Cyber Readiness and Response PPA Level II Discretionary - Appropriation* Cyber Infrastructure Resilience PPA Level II Discretionary - Appropriation* Federal Cybersecurity PPA Level II Discretionary - Appropriation*

Infrastructure Security PPA

Infrastructure Capacity Building PPA Level II Discretionary - Appropriation* Infrastructure Security Compliance PPA Level II Discretionary - Appropriation*

Emergency Communications PPA

Priority Telecommunications Services PPA Level II Discretionary - Appropriation* Emergency Communications Preparedness PPA Level II Discretionary - Appropriation*

Integrated Operations PPA

Risk Management Operations PPA Level II Discretionary - Appropriation* Critical Infrastructure Situational Awareness PPA Level II Discretionary - Appropriation* Stakeholder Engagement and Requirements PPA Level II Discretionary - Appropriation* Strategy, Policy, and Plans PPA Level II Discretionary - Appropriation*

Office of Biometric Identity Management PPA

Identity and Screening Program Operations PPA Level II Discretionary - Appropriation

IDENT/Homeland Advanced Recognition Technology Operations and Maintenance PPA Level II Discretionary - Appropriation

Procurement, Construction, and Improvements Appropriation Construction and Facilities Improvements PPA Discretionary - Appropriation

Cybersecurity PPA

Continuous Diagnostics and Mitigation PPA Level II,Investment Discretionary - Appropriation* National Cybersecurity Protection System PPA Level II,Investment Discretionary - Appropriation*

Federal Infrastructure Evolution Modernization PPA Level II,Investment Discretionary - Appropriation*

Emergency Communications PPA

Next Generation Networks Priority Services PPA Level II,Investment Discretionary - Appropriation*

Biometric Identity Management PPA

IDENT/Homeland Advanced Recognition Technology PPA Level II,Investment Discretionary - Appropriation

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 4 Organization Name Level Fund Type (* Includes Defense Funding)

Risk Management Operations PPA

Infrastructure Security PPA

Research and Development Appropriation

Cybersecurity PPA Discretionary - Appropriation*

Infrastructure Security PPA Discretionary - Appropriation* Risk Management Operations PPA Discretionary - Appropriation*

Federal Protective Service Appropriation

FPS Operations PPA

Operating Expenses PPA Level II Discretionary - Offsetting Fee

Countermeasures PPA

Protective Security Officers PPA Level II Discretionary - Offsetting Fee Technical Countermeasures PPA Level II Discretionary - Offsetting Fee

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 5 Cybersecurity and Infrastructure Security Agency

Strategic Context

Component Overview

The strategic context presents the performance budget by tying together strategy, budget resource requests, programs, or PPAs, and performance

measures that gauge the delivery of results to our stakeholders. The Common Appropriation Structure (CAS) allows DHS to integrate the strategic

programmatic view with our budget view of resources. With this structure, a significant portion of the Level 1 PPAs represent what DHS refers to as

our mission programs. A mission program is a group of activities acting together to accomplish a specific high-level outcome external to DHS and

d below. Performance

measures associated with these programs are presented in two measure sets, strategic and management measures. Strategic measures communicate

results delivered for our agency goals by these mission programs and are considered our Government Performance and Results Act Modernization

Act of 2010 (GPRAMA) measures. Additional management measures are displayed to provide a more thorough context of expected program

because the measure did not exist at that time.

Cybersecurity: The Cybersecurity program advances computer security preparedness and the response to cyberattacks and incidents. The program

includes activities to secure the federal network, respond to incidents, disseminate actionable information, and collaborate with private-sector

partners to secure critical infrastructure. This program supports the implementation of government-wide deployment of hardware and software

systems to prevent and detect incidents, response to incidents at federal and private entities, and collaboration with the private sector to increase

the security and resiliency of critical networks. The program also coordinates cybersecurity education for the federal workforce.

Strategic Measures

Measure: Average number of hours to notify agency of an incident on their network from earliest detection of potentially malicious activity

Description: This measure provides insight into the efficiency and effectiveness of the NCPS program as a whole, by assessing average time to

notify agency of an incident on their network, ensuring that the program is focusing time and resources primarily on identifying legitimate security

threats. When activity on a federal network corresponds to an active Indicator of Compromise (IOC) deployed through the National Cybersecurity

Protection System (NCPS), an alert is generated and sent to DHS. After initial review, DHS analysts triage the alerts based on a number of

factors. If an alert, or several related alerts, is confirmed as suspected malicious activity, an incident ticket is created and notification is sent to the

affected agency for further action. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- --- --- 24 24

Result: --- --- --- --- TBD TBD

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 6

Measure: Percent of incidents detected or blocked by EINSTEIN intrusion detection and prevention systems that are attributed to Nation State

activity Description: This measure demonstrates the EINSTEIN intrusion detection and prevention

significant malicious cyber-activity by Nation States on federal civilian networks. Nation States possess the resources and expertise to not only

develop sophisticated cyber-attacks but sustain them over long periods of time. Thus the indicators that EINSTEIN deploys to detect and block

malicious cyber-activity should focus on methods and tactics employed by Nation States. The overall percentage of incidents related to Nation

State activity is expected to increase through greater information sharing with partners and improved indicator development, which will result in

better incident attribution. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- --- 20% 21% 22%

Result: --- --- --- 29% TBD TBD

Measure: Percent of participating federal, civilian executive branch agencies for which Continuous Diagnostics and Mitigation (CDM)

capabilities to manage user access and privileges to their networks are being monitored on the DHS managed Federal Dashboard

Description: This measure calculates the percent of participating federal, civilian executive branch agencies in the Continuous Diagnostics and

Mitigation (CDM) program whose data relating to user activities on their network is visible on the DHS managed Federal Dashboard. The data

ining to this

particular CDM capability that focuses on restricting network privileges and access to only those individuals who need it to perform their duties.

The data that is visible to the agencies is at the individual/object level while the Federal Dashboard will provide DHS with summary level

vulnerability and security information. Deploying CDM and sharing information with Federal agencies will enable greater DHS visibility and

management of the security of Federal IT networks. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- --- --- 42% 63%

Result: --- --- --- --- TBD TBD

Measure: Percent of respondents indicating that operational cybersecurity information products provided by DHS are helpful

Description: This measure assesses whether the products that the DHS National Cybersecurity and Communications Integration Center (NCCIC)

feedback form

enables recipients of products to submit feedback about the content of each product. Question five of the feedback survey solicits data on how

helpful the information is to the stakeholder. Fiscal Year: FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020

Target: --- --- 78% 90% 90% 90%

Result: --- --- 92% 93% TBD TBD

Department of Homeland Security Cybersecurity and Infrastructure Security Agency

CISA - 7

Measure: Percent of significant (critical and high) vulnerabilities identified by DHS cyber hygiene scanning of federal networks that are mitigated

within the designated timeline