As ordered reported by the Senate Committee on Homeland Security and Governmental Affairs on July 29, 2015
S. 1869 would require the Department of Homeland Security (DHS) to make available the tools and capabilities necessary to protect the federal government’s digital infrastructure and information systems against cyber threats. The bill would further require all federal agencies (except the Department of Defense and elements of the intelligence community) to adopt those tools once available. With the recent enactment of the Consolidated Appropriations Act, 2016, DHS and all federal agencies are already required to perform the same activities as those required by S. 1869. One notable difference, though, is that the Consolidated Appropriations Act, 2016, authorized the Office of Management and Budget to waive the requirement that agencies implement certain cybersecurity measures if doing so would either be unnecessary to secure agency information systems or extremely burdensome. S. 1869 contains no such exception.
Although CBO does not have enough information to provide a precise estimate of the costs of implementing S. 1869, the costs of eliminating an agency’s ability to obtain a waiver from some of the bill’s requirements could be significant. The extent of those costs would depend not only on the number of agencies that will receive waivers under current law, but also on the degree to which those agencies can implement the protections required by the bill. For example, one requirement in both S. 1869 and the Consolidated Appropriations Act, 2016, is to encrypt data stored on or moving through agency information systems.
Based on information from various agencies, CBO expects that data residing on some older or out-of-date information systems cannot be encrypted. Those systems would either have to be updated or replaced. Under current law, CBO expects that some agencies in that situation will receive a waiver allowing them time to develop plans to update or replace their current systems. Under S. 1869, those agencies would be required to implement all capabilities, including data encryption, on all information systems not later than one year after enactment. Having to accelerate those agencies’ plans to update or replace those systems within one year could cost hundreds of millions of dollars over the 2016-2020 period, CBO estimates. Such spending would be subject to the availability of appropriated funds.