CBO Scores Protecting Cyberspace as a National Asset Act

The Protecting Cyberspace as a National Asset Act (S. 3480) would amend the Federal Information Security Management Act of 2002 (FISMA) to strengthen and coordinate security controls over computer information systems across federal civilian agencies. In addition, the legislation would aim to increase the security of privately owned computer networks for online communication and prevent intentional disruptions of such networks. S. 3480 would establish new offices, require additional testing of computer systems, and provide federal agencies with new authorities and responsibilities related to information security.

Based on information from the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and other major agencies involved in cybersecurity, CBO estimates that implementing S. 3480 would cost $1.5 billion over the 2011-2015 period, assuming appropriation of the necessary amounts. Most of those funds would be spent on salaries, expenses, and computer hardware and software.

The bill would, under certain circumstances, indemnify owners of critical infrastructure who implement emergency-response plans required by the federal government. CBO estimates that this authority would increase direct spending by $10 million over the 2011-2020 period to pay claims against the U.S. government; therefore, pay-as-you-go procedures apply. Enacting the legislation would not affect revenues. S. 3480 would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), on owners and operators of information systems designated as critical infrastructure by DHS. Owners and operators of such systems would have to comply with new security standards and procedures. The bill also would impose a mandate by limiting the damages that users of critical infrastructure can seek from owners and operators of such systems for incidents related to cyber risks.