H.R. 5733 would require the National Cybersecurity and Communications Integration Center (NCCIC) in the Department of Homeland Security (DHS) to develop and maintain capabilities to identify and mitigate threats and vulnerabilities to products and technologies used in the automated control of critical infrastructure processes. The bill also would require DHS to provide briefings to the Congress on those capabilities not later than six months after the bill’s enactment and every six months thereafter over the next four years.
On the basis of information from DHS, CBO has concluded that the NCCIC already provides assistance to owners and operators of critical infrastructure and control systems vendors to identify and mitigate security vulnerabilities to their industrial control systems. The bill would codify those responsibilities but would not impose any new operating requirements on the department. Thus, we estimate that implementing H.R. 5733 would cost less than $500,000 over the 2019-2023 period to prepare and deliver the required briefings; such spending would be subject to the availability of appropriated funds.
Enacting H.R. 5733 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting H.R. 5733 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.
H.R. 5733 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.