{ "id": "R44404", "type": "CRS Report", "typeId": "REPORTS", "number": "R44404", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 451334, "date": "2016-02-25", "retrieved": "2016-04-06T17:01:59.550815", "title": "Perspectives on Federal Cybersecurity Spending", "summary": "The federal government invests significant resources in cybersecurity across every agency through a variety of activities. Although a methodologically rigorous total for these investments has not been calculated and may not be possible, an understanding of how the federal government applies resources to protect U.S. public and private sector data and networks from cyberattacks is necessary for Congress to provide constructive oversight of those efforts. \nThis report considers federal cybersecurity investments in three broad categories:\nAgency spending to protect its own systems, networks, and data;\nAgency spending to protect other governmental systems, networks, and data; and\nAgency spending to protect non-federal IT systems, networks, and data.\nEach department and agency has some level of participation in cybersecurity activities. However, the Office of Management and Budget, the Department of Homeland Security, the Department of Commerce, the Department of Justice, and the Department of Defense have unique responsibilities established by statute\u2014either for their role in assisting other departments and agencies, or, as in the case with the Department of Defense, for their unique responsibility for their own information technology. \nEach February the administration releases three sets of documents which describe some facets of the government\u2019s investments in cybersecurity:\nThe President\u2019s Budget;\nCongressional Budget Justifications from each department or agency; and\nThe Federal Information Security Management Act (FISMA) report to Congress. \nThese reports provide some valuable insights into how or why the government makes certain investments associated with promoting cybersecurity. However, on their own, none of these documents provides a complete and precise representation of how much the federal government is spending on cybersecurity. This is in part because of how they are developed; they are developed from agency submissions based on administration guidance that does not require methodologically consistent reporting on cybersecurity spending\u2014or even provide a common definition for what cybersecurity is. \nEven if such an authoritative top-line figure for federal cybersecurity investments were available, without detail and context it would not effectively inform the Congressional decision-making process. Understanding the risks an individual agency faces, and what strategies they have for confronting those risks given their size, complexity, and mission is vital to determining the appropriate level of future cybersecurity investments for that agency. Armed with an understanding of those factors, Congress may choose to assess cybersecurity investments of a federal agency independently. Congress may alternatively choose to assess internal cybersecurity investments by an agency relative to similar federal agencies, and external investments relative to, and supporting, the non-\u201c.gov\u201d sector.", "type": "CRS Report", "typeId": "REPORTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/R44404", "sha1": "24d8cd3e55b5ca49da44a79fd098278211255214", "filename": "files/20160225_R44404_24d8cd3e55b5ca49da44a79fd098278211255214.html", "images": null }, { "format": "PDF", "encoding": null, "url": "http://www.crs.gov/Reports/pdf/R44404", "sha1": "0b7b8975998b411ff513ec315e8fb25a7073adaf", "filename": "files/20160225_R44404_0b7b8975998b411ff513ec315e8fb25a7073adaf.pdf", "images": null } ], "topics": [ { "source": "IBCList", "id": 4300, "name": "Cybersecurity" } ] } ], "topics": [] }