S. 2439 would require the Cybersecurity and Infrastructure Security Agency (CISA) to identify and mitigate threats to systems that are used in the automated control of critical infrastructure processes (such as power generation and water treatment). The bill also would require CISA to brief the Congress on its capability to do so not later than six months after the bill’s enactment and every six months thereafter over the four-year period following enactment of the bill. In addition, the bill would require the Government Accountability Office to review and report on CISA’s practices for managing cybersecurity risks to industrial control systems.
CISA already assists the owners and operators of critical infrastructure with addressing security vulnerabilities in their industrial control systems. The bill would codify those responsibilities but would not impose any new operating requirements on the agency. CBO estimates that implementing S. 2439 would cost less than $500,000 over the 2021-2026 period to prepare and deliver the required briefings; such spending would be subject to the availability of appropriations.
For this estimate, CBO assumes that the bill will be enacted in fiscal year 2022.
On March 29, 2021, CBO transmitted a cost estimate for H.R. 1833, the DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as ordered reported by the House Committee on Homeland Security on March 18, 2021. The two bills are similar, and CBO’s estimates of their costs are similar. Differences in CBO’s estimates of the cost of implementing the bills reflect the assumption that S. 2439 will be enacted in 2022.