Even though Congress recognizes that the United States’ information technology (IT) and operational technology (OT) systems are highly vulnerable to cyber threats, the legislative branch has generally not included statutory cybersecurity requirements as part of significant funding bills. The executive branch is little better at incorporating requirements. For more than a decade, successive administrations have made statements about the importance of cybersecurity in critical infrastructure, but the U.S. government has issued minimal guidance—and fewer requirements—for cybersecurity in federally-funded projects. To finally achieve last mile cybersecurity for IT and OT systems, Congress should consider several policy opportunities to better align stated cybersecurity goals with federal spending, including requiring changes to grant guidance, creating cybersecurity programs to support investments, or requiring set-asides within programs. Policymakers should also consider how to incorporate cybersecurity maintenance costs as part of projects.

BACKGROUND

The Cyber Threat Landscape

In April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning of ongoing cyber threats to U.S. critical infrastructure. Amid U.S. combat operations in Iran, the advisory stated that pro-Iran regime hackers had infiltrated U.S. systems within the Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors. At a time of war, America’s adversaries were targeting the homeland through cyberspace.

This is not surprising. In 2023, government officials and cybersecurity firms revealed that People’s Republic of China army units were infiltrating utilities and transportation hubs, pre-positioning in critical infrastructure in order to hold them at risk in the event of a conflict. Whether to impede military mobilization or sow panic, connectivity puts domestic infrastructure on the front lines of conflict in cyberspace, a reality that is otherwise inconceivable in physical domains.

At the same time, we face an array of other cyber threats. Cyber-enabled fraud cost Americans more than $20 billion in reported losses in 2025. With respect to fraud associated with responses to the COVID-19 pandemic alone, estimates have put the cost at between $100-135 billion. Cyber criminals are increasingly targeting organizations like schools and hospitals with extortion-based attacks. An average of five cyber incidents occur each week impacting K-12 schools, and ransomware has shut down schools across the country.

Collectively, these threats put our national and economic security at risk. When a hospital is shut down due to ransomware, patient outcomes suffer. Breaches of student data can affect children for their entire lives. What’s more, recent advances in artificial intelligence tools have the potential to accelerate these significant challenges.

Missed Opportunities: Federal Funding

The federal government plays a significant role in providing funding to help organizations, including hospitals, schools, water utilities, and state unemployment offices. This funding also extends to the purchase of information and communications technology and services (ICTS), which can be a target for malicious cyber actors. However, funding bills rarely address cybersecurity at all, much less require evaluation of those risks—and actions to address them—as a condition of receiving federal dollars. Consider several major spending bills from the last five years:

• CARES Act (2020, $2.2T) – The Coronavirus Aid, Relief, and Economic Security (CARES) Act, the first major economic response to the COVID-19 pandemic, contains provisions to encourage remote doctor visits, as well as investments in telehealth and telework more broadly. Yet it only has three mentions of cybersecurity, two of which pertain to trainings for small businesses about risks associated with telework or remote customer service, and one of which is for CISA’s pandemic efforts with critical infrastructure.

• American Rescue Plan Act (2021, $1.9T) – The American Rescue Plan Act, passed in the early days of the Biden administration to respond to COVID-19, mentions cybersecurity in one provision, pertaining to funding for CISA to respond to the SolarWinds incident that had become public three months before passage.

• Bipartisan Infrastructure Law (2021, $1.2T) – The Bipartisan Infrastructure Law (BIL) combined a traditional surface transportation reauthorization with more than $550 billion in additional infrastructure spending. It features several programs that are specifically targeted at making cybersecurity improvements, including $1 billion for state and local government cyber grants. However, with the exception of new programs at the Department of Energy (discussed below), only one of the non-cybersecurity-focused programs requires cybersecurity to be considered at all. At most, some programs explicitly list cybersecurity technologies as an allowable use of funds, but program administrators are neither required nor even encouraged to make cybersecurity assessments of the projects they approve.

• Inflation Reduction Act (2022, $891B) – The Inflation Reduction Act, which made substantial investments in energy infrastructure and climate change mitigation, has no mentions of cybersecurity whatsoever. This is despite the inclusion of provisions covering topics from apprenticeships to critical minerals sourcing requirements.

• One Big Beautiful Bill Act (2025, $3.7T) – While primarily a tax bill, the One Big Beautiful Bill Act contains hundreds of billions in new funding for national security priorities. Despite the focus on building the defense industrial base, other than a $90 million appropriation for assistance to small, non-traditional contractors that mentions cybersecurity, there are no other mentions beyond USCYBERCOM and existing programs of record.

Taken collectively, these laws expose a significant gap. Despite the risks evident to U.S. critical infrastructure in the cyber domain, Congress rarely includes explicit requirements to address cybersecurity as part of funding legislation.

Missed Opportunities: Executive Branch Efforts

Executive branch agencies regularly add conditions to funding beyond those imposed in statute by Congress. However, both regulatory and non-regulatory approaches fail to address core elements of cyber risk as a condition of receiving funding.

Regulatory Efforts

Depending on the type of project, there are two primary regulations that govern requirements for receiving federal funding.

The primary regulation governing requirements for grants, including pass-through grants to states, which encompasses much of traditional infrastructure spending, is the Uniform Guidance for Federal Awards (“Uniform Guidance”), issued by the Office of Management and Budget (OMB).  In its 2024 update, OMB explicitly calls out cybersecurity as a risk factor for grant-making agencies to consider before making an award. The 2024 update required recipients and sub-recipients to take documented steps to mitigate cybersecurity risks to sensitive information. And, for the first time, OMB explicitly added cybersecurity as a potential direct cost for grantees. In other words, grantees can now incorporate the costs of cybersecurity controls into their grant budgets, as opposed to taking money for cybersecurity out of the limited amount of administrative overhead allowed for a particular grant award.

However, these changes—and the guidance itself—are focused on protecting federal information, not the projects themselves. As a result, the most stringent requirements for states focus on efforts to protect sensitive data about law enforcement investigations and tax records, not on the critical functions that state and local governments perform.

The story is similar on the contracting front, where requirements derive from the Federal Acquisition Regulation (FAR). In 2021, President Biden’s Executive Order 14028 called for revisions to the FAR that would raise the cybersecurity bar for contractors, mandating uniform baseline cybersecurity requirements across agencies. Five years later, those reforms remain pending.

Even where there has been regulatory progress, such as with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Program, the focus remains on protecting the confidentiality of government data stored on contractor systems. Cybersecurity requirements for the systems themselves are handled on a case-by-case basis—and are generally not addressed at all.

Non-Regulatory Approaches

There are other, less formal measures that agencies can take to encourage the evaluation of cybersecurity as part of funding decisions. However, there is limited evidence that these measures are driving behavioral change.

For example, notices of funding opportunity (NOFOs) tied to programs in the 2021 Bipartisan Infrastructure Law were one route the Biden administration tried to use to encourage the evaluation of cybersecurity as part of funding decisions. Following passage of the BIL, the administration decided that NOFOs tied to programs supported in the bill would need to contain language explicitly calling out cybersecurity. However, as a practical matter, NOFO clauses requiring that there be “an effort to consider and address” cyber risks are very difficult to enforce. There is no definition of what is sufficient to meet the threshold for considering and addressing cyber risks, which makes it challenging for both potential grantees and federal program officers to assess whether a project proposal satisfies this directive. What’s more, there is no corresponding language that exists in the grant terms and conditions, making it challenging to ensure that any planned cybersecurity mitigations are actually put in place.

In December 2024, the Office of the National Cyber Director (ONCD) and CISA put out a “Playbook for Strengthening Cybersecurity for Federal Grant Programs in Critical Infrastructure” (“ONCD Playbook”), which was intended to address some of the shortcomings of the NOFO-only approach. The playbook has guidance for federal program officers, grant recipients, and even state pass-through entities on how to incorporate cybersecurity into their project lifecycles, including sample risk management plans and boilerplate terms and conditions. However, the playbook has not been widely adopted, and attempts to incorporate it into the Uniform Guidance as a requirement for awards above a certain dollar amount were rebuffed at the end of the Biden administration.

POLICY APPROACHES

Policymakers looking to address gaps in critical infrastructure cybersecurity should consider leveraging the federal government’s spending power, whether through grant-making or acquisition requirements. In doing so, they should be cognizant of the limitations that constrain existing efforts, and they should also ensure that approaches reflect the recurring nature of  cybersecurity expenses.

Agency-Specific Plans: The Section 40126 Approach

One bright spot in the funding bills considered above is Section 40126 of the BIL, which sets out a framework for the Secretary of Energy to require cybersecurity plans for all of the Department’s programs included in the BIL. Importantly, the law requires the Department to consider both the cybersecurity maturity of the grant recipient and the solutions funded by the Department of Energy.

There are several advantages with this approach. Setting a blanket requirement at the agency level consolidates cybersecurity expertise (in the case of 40126, the Office of Cybersecurity, Energy Security, and Emergency Response, or CESER, is tasked with reviewing the cybersecurity plans) and also allows for sector-specific requirements (e.g., protection of information related to the bulk power system) that may not fit within a government-wide mandate. The review by CESER also ensures that independent cybersecurity experts are evaluating plans for adequacy, rather than program officers who might have other objectives they are trying to achieve.

However, there are real challenges with the 40126 approach. First and foremost, the framework itself is not mandatory. While the Department of Energy continues to require 40126 cybersecurity plans today, this requirement is reliant on the Secretary’s discretion. Framing it as “the Secretary may require” [emphasis added] is inadequate in light of the current risk environment. The plans are also not self-executing. CESER’s templates help identify different areas of risk that a project should account for, but they stop at “high-level descriptions” and do not require any details that would facilitate holding grantees accountable for their plans. Lastly, while the templates do mention resourcing, they fail to include specifics, which may result in inadequate funding being set aside for cybersecurity purposes.

Addressing issues on an agency-by-agency basis may prove more tractable than other approaches, as it requires less inter-committee or interagency coordination. Section 40126 provides a starting point for policymakers, but it also offers lessons learned: policymakers should consider making plans mandatory and incorporating the ability to audit and hold grantees accountable after funding is awarded.

A Broad Baseline: Applying the Playbook

Another approach for policymakers could be to use the ONCD Playbook as a starting point for setting universal cybersecurity risk mitigation requirements as part of federal awards. Updates to the Uniform Guidance could then require that all agencies include cybersecurity terms and conditions that, at minimum, cover the elements of the ONCD Playbook. In instances like transportation or healthcare funding, which require non-federal entities to go through their own contractual processes, these terms and conditions would also be passed down to those sub-awardees. Changes to the Uniform Guidance could be effectuated within OMB, through the Office of Federal Financial Management, or through statutory requirements advanced by Congress.

A uniform requirement has several advantages. Lack of regulatory harmonization continues to plague policymakers, and differing agency requirements relating to the protection of federal information impose a major cost on states. A government-wide approach avoids the proliferation of confusing or conflicting guidance and simplifies training for federal program officers and potential awardees. Uniformity also helps build a shared culture recognizing the importance of cybersecurity, rather than relegating it to only being the concern of specific agencies, such as those with national security mandates.

There are drawbacks with this approach. Centralization can increase efficiency, but it also may mean teams offering technical assistance lack domain knowledge (e.g., with respect to power systems). Given recent cuts to CISA, there might not be capacity to offer assistance to other agencies for some time. Given the large number of agency equities potentially impacted, advancing a whole-of-government approach may also prove challenging without a strong push from the White House or Congressional leadership.

Create a Cyber Set-Aside

Rather than addressing programs directly in statute or regulations, policymakers might consider allocating a set proportion of federal program funds used for ICTS to meet cybersecurity needs. While estimates vary, surveys of chief information security officers in industry reflect that approximately 10 percent of IT spending is used for security. Congress could consider a similar target and leave it up to agencies to design both policies to implement a set-aside and evaluation metrics to ensure they reach the target.

By ensuring that the funding for cybersecurity is available without prescribing how it should be used, this approach provides maximal flexibility to evolve over time. A flat set-aside addresses a core concern with other approaches: namely, the interests of program officers and grantees are not always aligned with those of policymakers seeking to improve cybersecurity. Without a set-aside, spending less on cybersecurity now frees up funding for other projects, potentially incentivizing under-investment in cybersecurity. The risk of that underinvestment falls not on the program officers and grantees making those spending decisions, but on the public, whose critical infrastructure could be made vulnerable for years (or decades) to come. A set-aside removes this misalignment by ensuring that cybersecurity receives adequate funding, regardless of any perverse incentives to under-spend relative to risk.

The challenge with this approach is that it is not risk-based. Using a heuristic means that some proportion of projects will end up with more cybersecurity funding than they actually need to match their risk profile. Policymakers will have to weigh that inefficiency against the significant effort it takes to produce cybersecurity risk management plans that are attempting to capture something that is inherently difficult to measure. Under a set-aside regime, more dollars could be devoted to implementing cybersecurity improvements rather than attempting to justify them. Policymakers should also consider whether the flexibility afforded by over-investing in some cases is actually a net benefit, as rapid changes in the threat landscape can quickly invalidate earlier risk assessments.