Biden’s cybersecurity plan has a huge funding gap

Unless Congress steps in, NIST will be unable to do the work assigned, jeopardizing the success of the administration’s cyber ambitions.

The Biden administration is boasting about its planned $13 billion investment in cybersecurity for federal civilian agencies, but the White House’s plans neglect essential programs, including foundational research and standards setting.

The administration is once again requesting far too little for the National Institute of Standards and Technology (NIST), which develops cybersecurity standards and guidelines for the rest of the government. The White House directs NIST to play a critical role in its most important cybersecurity priorities, but does not fund the agency to match its importance. Unless Congress steps in, NIST will be unable to do the work assigned, jeopardizing the success of the administration’s cyber ambitions.

The National Institute of Standards and Technology, part of the Department of Commerce, conducts technical research into emerging technologies while also developing risk mitigation frameworks. Its most visible outputs are more than 200 directives that establish cybersecurity standards, technical specifications and guidelines that governments and private industry use as their benchmarks. NIST also maintains the Cybersecurity Framework, a detailed system for managing cybersecurity risks. It offers a methodology for identifying and prioritizing an organization’s assets and protecting those systems. Critical infrastructure operators, government contractors and federal agencies all measure the efficacy of their cybersecurity procedures against this framework.

Over the past three years, the administration has added new responsibilities to NIST’s already full plate. Just months after his inauguration, President Biden issued a sweeping executive order on improving national cybersecurity that, among other things, tasked NIST with developing guidelines on how to identify critical software and how to secure software supply chains.

Two years later, the White House issued a new National Cybersecurity Strategy to protect U.S. interests in cyberspace and position the nation “to realize all the benefits” of digital technology. NIST is the lead or contributing agency for nearly 20 percent of the initiatives implementing the strategy. Building on NIST’s existing efforts on cyber workforce development, the administration tasked NIST with establishing core competencies for cybersecurity-related jobs and supporting education and training programs.

Last summer, the administration announced the “U.S. Cyber Trust Mark,” a new certification and labeling program to help consumers identify baseline security standards for smart devices and Internet of Things technology. Although the Federal Communications Commission is running the program, NIST is developing the underlying cybersecurity requirements and collaborates with the FCC extensively.

Most recently, the administration issued an executive order aiming to address the “promise and peril” of artificial intelligence. Once again, officials chose to make NIST responsible for the technical backbone: establishing standards for AI development, use and evaluation; publishing guidelines and best practices for AI safety and security; evaluating the efficacy of privacy protections; and publishing an AI in Global Development Playbook that not only incorporates risk management principles but also global governance and human rights best practices.

Yet, despite the centrality of the National Institute of Standards and Technology to U.S. cybersecurity policy, its funding has not kept up with its missions. Back in 2020, the congressionally-mandated Cyberspace Solarium Commission — where a co-author of this essay served as executive director — warned that NIST “lacks the resources necessary to meet the increasing demands on its staff and support expanding mission requirements.” The White House requested only $79.4 million for NIST’s cybersecurity and privacy program in FY20.

Consequently, the commission’s congressional co-chairs urged their appropriations colleagues to increase NIST’s FY21 cybersecurity and privacy program to $107.5 million, but to no avail — NIST’s budget remained relatively stagnant. Two years later, the commission’s co-chairs again called for NIST’s cybersecurity and privacy program to be upped to $135.9 million, noting further tasking from executive orders.

But NIST’s budget has continued to fall far short of the Cyberspace Solarium Commission’s recommendation. This year’s budget requested just $96.8 million for the program, below even what the commission’s co-chairs recommended four years ago. With inflationary pressures taken into account, the difference is even more stark.

This decrease is disturbing. Without appropriate funding, NIST will be unable to carry out critical research that directly affects the cybersecurity of American citizens. If the administration and Congress continue to increase NIST’s workload, the agency will need more resources to hire staff to do its work in a timely and efficient manner.

NIST’s Cybersecurity and Privacy program needs an increase of at least $50 million over the FY25 request of $96.8 million to invest in the hiring and retention of a sufficiently skilled workforce, and to scale its programs to support the additional research and development responsibilities with which it has been tasked. Within that increase, NIST should specifically receive an additional $20 million toward its cybersecurity education initiatives; $7 million for its AI-related initiatives; and $6 million to support Internet of Things security programs, including its work on the U.S. Cyber Trust Mark.

Without the proper funding, NIST will be forced to choose between its traditional role of producing much-needed cybersecurity frameworks and guidelines or dedicating resources towards the government’s ambitious and high-visibility initiatives. Either way, U.S. national security will suffer.

It’s not enough to just spend $13 billion on cybersecurity — the money has to be invested in the right places. The Biden administration and Congress are missing the mark by underfunding NIST. This failure gives both our adversaries and cyber criminals an edge in their hostile cyber ambitions — an edge we can’t afford.

Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. He directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission, where he previously served as executive director. Follow him @MarkCMontgomery. Michael Sugden is a research analyst and editorial associate with CCTI at FDD.