Annual Assessments

2022 Annual Report on Implementation

By Jiwon Ma, Mark Montgomery

This assessment reviews the implementation of CSC recommendations over the past year and identifies areas for future action.

The past two years have been witness to significant improvements in U.S. cybersecurity. Critical legislation has broken loose from long-standing jurisdictional conflicts to become law. Congress passed the Cyber Incident Reporting Act, which requires critical infrastructure companies to report cyberattacks and ransomware incidents. Lawmakers have increased funding for government cybersecurity efforts, particularly at the country’s primary cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security, whose budget has grown by more than 25 percent, from $2 billion for FY20 appropriation1 to $2.59 billion for FY22 appropriation.2 Even more funding is expected in FY23.3 The White House now has a national cyber director (NCD) to lead the coordination of cybersecurity strategy and policy implementation across the government. The State Department has a bureau and a nominated ambassador charged with leading America’s international engagement on cyberspace challenges. And the executive branch has taken other important actions (based on new legislation), such as the establishment of the Joint Cyber Defense Collaborative at CISA.

Progress Toward Implementation of the March 2020 Recommendations

Source: 2022 Annual Report on Implementation

Collectively, these changes will help deter malign actors in cyberspace and shore up U.S. defenses at home. They will also make digital interactions safer for stakeholders across industry and around the world. Most importantly, these changes will help to protect every American who uses the internet for work, study, or staying connected with loved ones. However, this progress cannot be the culmination of the U.S. government’s focus on cybersecurity; it must be the prelude to even further changes.

Congress created the U.S. Cyberspace Solarium Commission (CSC) to identify a strategic approach to securing cyberspace. Over the course of three years, the Commission developed 116 recommendations, many of which are accompanied by model legislative language. The Commission’s original report in March 2020 had 82 recommendations. Of these, nearly 60 percent are fully implemented or nearing implementation, and more than 25 percent are on track to implementation.

However, implementation is not the same as success. Lasting improvements in national cyber resilience will take sustained attention, investment, and agility to address the ever-shifting threat landscape. Accordingly, this assessment details both the progress of the Commission’s original work as well as the work of the non-profit CSC 2.0 project that has accepted the baton in the long race to secure cyberspace. Even as we issue this progress report, we know that assessing implementation is not enough. We urge readers to consider this report as a mid-course check, laying a path for the many stakeholders in government and industry charged with a task that we cannot afford to fail — protecting our national cybersecurity.

Senator Angus King (I-ME)
Co-Chair
CSC 2.0

Representative Mike Gallagher (R-WI)
Co-Chair
CSC 2.0

Notes

1. U.S. Senate Committee on Appropriations, “Summary of H.R. 1158 FY2020 Consolidated National Security Appropriations Package,” December 2019, page 15. (https://www.appropriations.senate.gov/imo/media/doc/121619%20–%20HR1158%20Natl%20Security%20Package%20Summary.pdf)
2. Mark Montgomery, “Congress Invests in National Cyber Resilience but Misses Important Opportunities in the Consolidated Appropriations Act,” Lawfare, April 1, 2022. (https://www.lawfareblog.com/congress-invests-national-cyber-resilience-misses-important-opportunities-consolidated)
3. House Committee on Appropriations, “Department of Homeland Security Appropriations Bill, 2023,” June 24, 2022, page 52. (https://docs.house.gov/meetings/AP/AP00/20220624/114951/HMKP-117-AP00-20220624-SD003.pdf