The president's proposed budget for the Department of Homeland Security includes $8.5 million to operate the so-called voluntary program intended to help companies use the framework of cybersecurity standards released in February by the National Institute of Standards and Technology.
Industry observers say it remains to be seen exactly how DHS will spend that money, which is part of a proposed $1.25 billion fiscal year 2015 budget for cybersecurity, according to a DHS document released on Tuesday.
Whether that funding will go to contractors, new employees, overhead or some other expense is an open question, one industry source said. Another asked whether the department would put some of it toward establishing metrics to determine what is and isn't working within the voluntary program, now known as C-Cubed.
"Without baseline data and cost effectiveness metrics we really can't assess how much we are succeeding and thus what we need to change going forward," the second source said.
"With the President's release of the 2015 budget, it is not yet clear what is actually targeted funding for Cybersecurity Framework-related efforts such as the C3 voluntary program," said Kent Landfield, McAfee's director of standards and technology policy. "We're looking forward to learning the details in the days to come."
DHS said in a release that the request "includes $1.25 billion for cybersecurity activities including resources to detect malicious traffic targeting civilian Federal government networks and resources to support cyber and cyber-enabled investigations . . . to areas such as cyber economic crime, identity theft, theft of export controlled data, and child exploitation, as well as for managing computer forensics programs."
The overall figure includes the $8.5 million for C-Cubed and other activities in support of President Obama's Executive Order 13636, which mandated the NIST framework and DHS voluntary program.
The adequacy of that figure is difficult to assess, industry sources agreed.
By comparison, a program to "audit, assess, and monitor critical infrastructure and/or key resources at protective sites which directly or indirectly support a Presidential visit" gets almost half as much -- $3.9 million -- as is allocated to support the voluntary program.
In other cybersecurity accounts, a DHS budget document explains that over $143 million is set aside to implement the government's continuous diagnostics and mitigation program, and another $28 million would go toward improved sharing of classified information with DHS' federal, state and local partners.
The budget includes $67.5 million for cybersecurity research, development, testing and evaluation.
The House Homeland Security Committee scheduled a hearing for March 13 to examine the budget request.