On December 23, the House and Senate Appropriations Committee agreed to a $1.7 trillion omnibus spending bill that funds government operations through the fiscal year 2023. On December 29, President Biden signed it. The 4,155-page bill reflects an already agreed-upon $858 billion for defense spending and an additional $800 billion for non-defense spending, including several prominent cybersecurity items.

US Senator Chris Murphy (D-CT), chair of the Subcommittee on Homeland Security, said, “This bill is a reasonable compromise, and I’m proud of the investments it would make in the responsible management of our border, the protection of our nation from cyber threats, and the protection of our coastlines and airports.”

On the House side, Homeland Security Subcommittee Chairwoman Lucille Roybal-Allard (D-CA) said, “This year’s appropriations bill for the Department of Homeland Security makes historic investments in America’s domestic, maritime, and border security while also protecting critical cyber and physical infrastructure and supporting disaster relief.”

Key cybersecurity provisions in the bill

Cybersecurity is referenced dozens of times in the bill, highlighting how routine cybersecurity spending has become in the federal government. The following cybersecurity provisions in the spending bill are noteworthy for their prominence, the dollar amounts involved, their first-time appearance in the annual appropriations process, or the emphasis lawmakers place upon them.

CISA Funding: The bill allocates $2.9 billion for the Cybersecurity and Infrastructure Security Agency (CISA), $313.5 million or 12% above the fiscal year 2022 levels and $396.4 million above the President’s budget request.
Among some of the specific CISA funding flagged by lawmakers are:

More than $1.7 billion for cybersecurity efforts that include “the protection of civilian federal networks that also benefit state, local, tribal and territorial (SLTT) government networks”
$214.2 million to further advance CISA’s Cybersecurity Operations, encompassing, among other things, a $17 million increase for the Joint Cyber Defense Collaborative (JCDC)
A $16 million increase for the Multi-State Information and Analysis Center, for a total of $43 million for the center
$46 million for “threat hunting and response capabilities” across federal, SLTT, and critical infrastructure networks
$17 million for “emergency communications preparedness”
An additional $32 million for “increasing regional operations capabilities”

Additional Ukraine Supplemental Appropriations Act, 2023. This bill, included as part of the omnibus spending package, allocates $50 million to address cybersecurity threats from Russia and other malicious actors.

Office of Personnel Management: The spending package gives $422 million for the Office of Personnel Management to “address cybersecurity and hiring initiatives,” representing an increase of $49.2 million.

National Science Foundation: The legislation provides $69 million for the National Science Foundation’s CyberCorps program, a $6 million increase from last year.
The program provides students with scholarships if they agree to work for the government in cybersecurity after graduation.

Treasury Department: The bill allocates $100 million in supplemental funds for salaries and expenses for enhanced cybersecurity for systems operated by the department.

Office of the National Cyber Director: The bill provides $21,926,000 in funding for the Office of the National Cyber Director.

Secret Service funding: The bill allocates $23 million for and reauthorizes the Secret Service to continue operating the National Computer Forensics Institute, which serves as a national training center for law enforcement officials to learn methods for investigating and combating cyber and electronic crimes.

Commerce Department funding: The legislation allocates $35 million specifically for technology modernization and cybersecurity risk mitigation for the department.

Department of Homeland Security (DHS) funding: The bill allocates $3 million for the DHS Intelligence and Cybersecurity Diversity Fellowship Program.

TikTok banned on executive branch phones

Despite ongoing efforts by China’s ByteDance to forge a compromise agreement with the Committee on Foreign Investment in the US (CFIUS) to assuage the national security concerns surrounding its popular TikTok video app, the spending bill prohibits the use of TikTok on executive agency phones. The legislation requires the Office of Management and Budget (OMB), in consultation with the administrator of general services, the director of CISA, the director of national intelligence, and the secretary of defense, to develop within two months standards and guidelines for executive agencies requiring the app’s removal.

Following the bill’s enactment, the chief administrative officer of the US House of Representatives banned TikTok from the phones of House members and staff effective immediately.
A TikTok spokesperson said, “We’re disappointed that Congress has moved to ban TikTok on government devices — a political gesture that will do nothing to advance national security interests — rather than encouraging the administration to conclude its national security review. The agreement under review by CFIUS will meaningfully address any security concerns that have been raised at both the federal and state level.”

Limitations on Chinese, North Korean, and Iranian procurement

The bill stipulates that no government agency may use their funds to buy telecom equipment from Chinese tech giants Huawei or ZTE for “high or moderate impact information systems,” as determined by the National Institute of Standards and Technology (NIST).

It further states that agencies cannot use any of their funds for technology, including biotechnology, digital, telecommunications, and cyber, developed by the People’s Republic of China unless the secretary of state, in consultation with the USAID administrator and the heads of other federal agencies, as appropriate, determines that such use does not adversely impact the national security of the United States.

Moreover, no agency can spend funds on entities owned, directed, or subsidized by China, Iran, North Korea, or Russia unless the FBI or other appropriate federal entity has assessed any risk of cyber espionage or sabotage associated with acquisitions from these entities.

Report on ransomware and other cyber-related attacks by foreign parties

The bill incorporates the Ransomware Act, which requires the Federal Trade Commission (FTC) to deliver to Congress in 2025 and 2027 a report that spells out the number and types of ransomware incidents or other cyberattacks from China, North Korea, Iran, or Russia.
It also invites the FTC to share information on litigation related to these incidents and recommend new laws and business practices to strengthen the resilience of US organizations against digital threat actors.

Ensuring medical device cybersecurity

Finally, the bill amends the Federal Food, Drug, and Cosmetic Act to make medical device makers meet specific cybersecurity standards. Among the requirements is submitting a plan to the secretary of the Food and Drug Administration to monitor, identify, and address post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.

The manufacturers must also ensure their devices and associated systems are secure and release post-market software and firmware updates and patches. The device makers are further required to provide a software bill of materials (SBOM) to the secretary of the FDA that includes all off-the-shelf, open-source, and critical components used by the devices.

The bill further requires the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office (GAO) is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities and how federal agencies can strengthen coordination to improve the cybersecurity of devices.