CISA's plans for 2020

The latest budget request for the Cybersecurity and Infrastructure Security Agency would continue funding core federal cybersecurity programs while exploring new tech programs around DNS threats, botnet detection and malware analysis.

The budget overview for CISA seeks $1.1 billion for cybersecurity operations. About half of that covers the National Cybersecurity Protection System (NCPS), which includes Einstein ($405 million) and the Continuous Diagnostics and Mitigation program ($232 million).

The budget document includes targets for both programs: CISA hopes to have 63 percent of agencies sharing user activity data via the DHS-managed federal dashboard under CDM by the end of fiscal year 2020.

DHS spent the past year helping agencies hook up to a federal reporting dashboard and tinkering with the program and procurement structure, shifting from tracking individual agency progress by phases to capabilities and rolling out CDM DEFEND, a new contracting vehicle. The shift from phases to capabilities came after Congress complained the old approach prevented agencies from implementing multiple phases of the program at the same time.

Einstein's goals involve attribution of attempts to hack federal networks to nation-state actors. The target for 2020 is 22 percent -- the budget document states that increases in attributable activity is a sign that information sharing and threat indicator development are improving.

According to the budget, in fiscal year 2020 the program plans to complete deployment of asset management and identity and access management for agencies that have signed memorandums of agreement, continue expanding pilot programs on data protection, begin deployment across federal agencies and develop AWARE, a risk scoring algorithm that will be used to judge agency performance.

The National Cybersecurity and Communications Integration Center (NCCIC) would receive $248 million.

The budget also requests an additional $4.4 million for NCPS to begin developing a centralized DNS name resolution service over the next year. The project would provide better visibility of threats to federal DNS infrastructure and provide agencies with enterprise DNS management and analytics. DHS plans to procure and award a contract for those services in fiscal year 2020.

In January, CISA issued its first-ever emergency directive giving agencies 10 days to put in place a series of protections against DNS hijacking.

While officials say they have no direct evidence any federal domains were hijacked during a recent global campaign, two Hill staffers briefed by DHS on the matter told FCW that because of the shifting nature of the attacks and the lack of monitoring employed by many federal agencies, DHS officials are not sure whether a compromise may have happened in the past.

In the directive, CISA stated it would begin regular delivery of Certificate Transparency logs for all agency domains, and it required each agency to immediately begin monitoring them for anomalous activity. The budget said a new, centralized DNS security device would "provide insights into threat activity across the federal government by giving CISA cyber visibility into all DNS requests."

The budget requests $9.8 million to support research and development of technologies to detect and identify botnets and other large-scale threats. CISA currently relies on a patchwork of threat intelligence reporting from multiple sources to keep tabs on botnet activity and is looking for a more automated solution that will aggregate those reports into a coherent narrative.

The agency is also searching for a way to provide "quick, accurate analysis of file binaries for malware discovery at scale" and will be redesigning and refreshing its Advanced Malware Analysis Center to bolster reliability and scalability this year.  

The budget also calls for $11 million to run CyberSentry, a pilot program that would voluntarily extend existing NCCIC services to critical infrastructure organizations. The pilot will deploy network sensor systems at the boundary between an organization's control systems and its corporate IT networks, detecting and tracking any malicious cyber activity along the way. With the requested funding, the agency said it plans to achieve initial operating capabilities for up to five organizations by the end of FY 2020.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

  • Comment
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    Doing digital differently at VA

    The Department of Veterans Affairs CIO explains why digital transformation is not optional.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.