Key Takeaways
- A new Institute for Security and Technology (IST) report urges Congress and the Trump administration to embed cybersecurity requirements into federal grants and infrastructure funding.
- Recent legislation, including the Bipartisan Infrastructure Law, missed chances to impose strong cyber standards on funded projects.
- Federal agencies often lack the expertise to evaluate grantees’ cyber plans, resulting in vague, unenforceable language in funding notices.
- The Office of the National Cyber Director’s 2024 “playbook” offers concrete notice‑of‑funding‑opportunity (NOFO) language, terms‑and‑conditions language, and templates that could be adapted government‑wide.
- IST recommends making cyber plans mandatory, adding audit and accountability measures, and considering a cybersecurity set‑aside (≈10 % of IT budgets) to ensure resources are devoted up front.
- Addressing cyber risk early is framed as a national‑security imperative; delaying investment increases vulnerability to threats like the China‑linked Volt Typhoon group and AI‑enabled attacks.
Policy Report Calls for Cyber‑Focused Federal Funding
The Institute for Security and Technology released a policy memo urging Congress and the Trump administration to treat cybersecurity as a core criterion when awarding grants and other federally funded projects. The report argues that as power grids, water utilities, hospitals, schools, and other critical systems become more digital, they also grow more vulnerable to hacking. Embedding security requirements early would protect essential services and reduce long‑term risk.
Congress Has Repeatedly Missed Opportunities to Strengthen Cyber Requirements
IST notes that lawmakers have failed to capitalize on several recent chances to insert robust cyber provisions into major spending bills. Despite widespread agreement that infrastructure investments should be “secure by design,” the actual language in enacted laws often omits concrete cybersecurity mandates, leaving funded projects exposed to avoidable threats.
Federal Agencies Often Fail to Enforce Cyber Standards in Grants
Even when cyber language appears in funding notices, many granting agencies lack the expertise to assess the cybersecurity plans submitted by state, local, or private‑sector recipients. This gap results in weak oversight, allowing awardees to receive money without demonstrable efforts to harden the systems they are building or upgrading.
Nicholas Leiserson Highlights the Consensus‑Practice Gap
Nicholas Leiserson, IST’s senior vice president for policy, observed that while policymakers agree cybersecurity should be a funding lever, that consensus rarely translates into operational requirements. He warned that treating cyber risk as a secondary concern undermines national‑security goals and leaves critical infrastructure susceptible to disruption.
Foreign Threats and AI Amplify the Urgency
The memo cites repeated warnings that foreign hackers, particularly the China‑linked “Volt Typhoon” group, have infiltrated U.S. critical‑infrastructure networks, creating a risk of disruption in a future conflict. It also warns that advances in artificial intelligence could accelerate these challenges, making timely, enforceable cyber standards even more essential.
Near‑Term Legislative Vehicles Offer a Path Forward
IST identifies the upcoming farm bill and the surface transportation reauthorization as immediate opportunities for Congress to embed stronger cybersecurity clauses. By attaching clear requirements to these bills, lawmakers can begin correcting the pattern of missed opportunities without waiting for entirely new legislation.
Leiserson Hopes the IST Memo Inspires Action
Leiserson expressed hope that legislators and administration officials will draw inspiration from the IST memo when drafting new policies and funding mechanisms. He believes that translating the existing policy consensus into concrete grant conditions is both feasible and necessary to protect vital systems.
Existing Protections Focus on Data, Not Systems
Current federal grants frequently include requirements to safeguard sensitive government data such as taxpayer or law‑enforcement information. However, Leiserson points out that comparable mandates for the underlying operational systems—those that keep power flowing or water clean—are often absent, creating a significant security gap.
The Bipartisan Infrastructure Law Illustrates a Missed Chance
The $1.2 trillion Bipartisan Infrastructure Law (BIL) established a $1 billion grant program for state and local cybersecurity, yet the law’s broader infrastructure spending contained little in the way of mandatory cyber planning or upgrades. IST labels BIL a prime example of a missed opportunity to tie large‑scale investments to security outcomes.
Brian Scott Describes Biden Administration Intentions and Obstacles
Brian Scott of Bright Shield Strategies, a former deputy assistant national cyber director, recalled that the Biden administration sought to ensure infrastructure awards incorporated appropriate resilience and cybersecurity measures. Officials from the Office of the National Cyber Director (ONCD) and the National Security Council (NSC) developed plans to add cyber assessment requirements, but concerns arose that stringent rules might deter small businesses and that agencies lacked the expertise to evaluate submitted plans.
The ONCD Playbook Provides a Practical Toolkit
In 2024, the Office of the National Cyber Director published a “playbook” aimed at fixing the shortcomings seen in BIL. The playbook supplies ready‑to‑use NOFO language, terms‑and‑conditions language, and templates for grantees to conduct risk assessments and develop cybersecurity plans. IST views this document as a viable starting point for establishing government‑wide cyber risk mitigation standards for federal awards.
IST Recommends Building on the Playbook and Agency Models
The report urges policymakers to adopt the ONCD playbook as a baseline for uniform cyber requirements across all grant programs. It also highlights the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) as an agency‑specific model: CESER reviews cyber plans for energy‑infrastructure awardees. IST argues that such oversight should be made mandatory, paired with auditing mechanisms to hold grantees accountable after funds are disbursed.
Consider a Cybersecurity Set‑Aside and Front‑Loading Investments
Drawing on research that roughly 10 % of IT budgets go to security, IST suggests creating a cybersecurity set‑aside within federally funded programs. This approach would give recipients flexibility to allocate funds where needed, though it risks over‑ or under‑funding depending on project‑specific risks. Regardless of the mechanism chosen, Leiserson stresses that cyber investments must be made at the front end of projects; delaying security spending makes it far harder to manage risk later and undermines national‑security preparedness.