H.R. 5780 would require the Cybersecurity and Infrastructure Security Agency (CISA) to provide information and guidance on securing critical infrastructure (such as power generation and transmission facilities) to state, local, and private stakeholders. CBO expects that, under the bill, CISA would provide that information on an agency website to help nonfederal entities protect themselves and their systems from terrorist threats. On the basis of information from CISA regarding similar information sharing programs, CBO estimates that it would cost $6 million in 2021 to develop and disseminate security guidance, training modules, and fact sheets. CBO expects that the department would need 13 new employees by 2022, at an average salary of $150,000, to communicate with the critical infrastructure community and to review additional materials for the website. In total, satisfying that requirement would cost $14 million over the 2020-2025 period, CBO estimates.
The bill also would authorize CISA to train state and local officials to assess risks to critical infrastructure through a one-year pilot program. Using information on the costs of similar training efforts, CBO estimates that it would cost $5 million to develop the curriculum and materials for the pilot program. If CISA chose to continue the pilot program after one year, costs would be higher than CBO estimates.
Satisfying the bill’s reporting requirements would cost less than $500,000 over the 2020-2025 period.
For this estimate, CBO assumes that the bill will be enacted in fiscal year 2020. Under that assumption, CISA could incur some costs in 2020, but CBO expects that most of the costs would be incurred in 2021 and later. In total, CBO estimates that implementing H.R.5780 would cost $19million over the 2020-2025 period (see Table 1). Such spending would be subject to the availability of appropriations.