Continuous monitoring bill would cost $710M to implement says CBO

A bill set for consideration on the House floor this week that would amend the Federal Information Security Management Act to explicitly include continuous monitoring would cost $710 million over a 5-year period to implement, says the Congressional Budget Office.

The CBO cost estimate says the bill, the Federal Information Security Amendments Act of 2012 (H.R. 4257), would increase annual federal agency cybersecurity spending by 2 percent, or roughly $200 million a year. According to the Office of Management and Budget, the 24 largest federal agencies collectively spent more than $13 billion during fiscal 2011 on securing their systems--about 18 percent of all reported IT spending that year. (The intelligence community budget is classified.)

Most of the extra spending would be required to pay for extra personnel expenses, as well as computer hardware and software, the CBO says. Its spending projection is based in part on an assumption that only half of agencies have implemented "adequate continuous monitoring."

Continuous monitoring is a big part of the bill, which the House Oversight and Government Reform Committee approved April 18. Its primary sponsors are the chairman and ranking member of the committee, Reps. Darrell Issa (R-Calif.) and Elijah Cummings (D-Md.), respectively. (The bill approved by the committee was an amendment in the nature of a substitute put forward with Cummings' support; during the markup, he said changes to the original text were made at the recommendation of the Government Accountability Office.)

It would direct agencies to set up a cybersecurity program that includes automated and continuous monitoring, which it defines as "an uninterrupted, ongoing real time, or near real-time process" used to determine whether the cybersecurity controls in place are effective. Federal officials have said bandwidth considerations might mean that, in practice, continuous monitoring consists of scans conducted at a monthly pace, since scanning more frequently might exceed pipeline capacity.

The bill also would place oversight of federal cybersecurity programs firmly in the hands of the Office of Management and Budget, which during this administration has done its best to have the Homeland Security Department assume that role.

In addition, it would create a federal security incident center that would provide technical assistance to agencies in handling network breaches as well as share information governmentwide about potential threats and vulnerabilities.

Issa has suggested that the General Services Administration or another federal agency, rather than OMB, could be responsible for the day-to-day operations of the center.
