Congressional Budget Office, CBO Cost Estimate HR 3101 Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017 , October 6, 2017. Unclassified.
National Security Archive
The CBO’s 2017 estimate puts a $38 million price tag on the first federal push to institutionalize cyber‑information sharing across America’s ports.
Source: Congressional Budget Office, CBO Cost Estimate HR 3101 Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017 , October 6, 2017. Unclassified. Date: Oct 6, 2017 Archive: Congressional Budget Office Collection: Cyber Vault: Delegation of Authority Oct 25, 2017
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Budget Lens on Port Cybersecurity
The CBO’s October 6 2017 cost estimate for H.R. 3101 was produced just weeks after the House Committee on Homeland Security reported the bill. The estimate is a routine part of the congressional budget process: the nonpartisan agency translates legislative language into dollar terms so lawmakers can weigh fiscal impact against policy goals. In this case the CBO was asked to price a narrowly‑focused effort to shore up the cyber defenses of America’s maritime gateways—a response to a wave of high‑profile cyber‑intrusions that, by 2017, had begun to spill over into critical infrastructure.
The bill emerged from a broader post‑2015 security push that linked physical and digital threats to the nation’s supply chain. After the 2015 U.S. government shutdown, the Department of Homeland Security (DHS) and the Coast Guard intensified their focus on cyber‑risk assessments for ports, recognizing that a successful breach could cripple the flow of goods and fuel the economy. H.R. 3101 formalized that concern, directing DHS to develop a risk‑assessment model and to compel port‑area maritime security advisory committees to share threat intelligence. The CBO’s estimate—$38 million in outlays over five years—places a modest price tag on a program that, while small in the federal budget, signals a shift toward institutionalizing cyber‑information sharing in a sector long dominated by physical security protocols.
Who’s Speaking, and What Their Numbers Reveal
The document lists three CBO analysts—Megan Carroll, Jon Sperl, and Paige Piper/Bach—who respectively handled federal costs, state‑local‑tribal impacts, and private‑sector implications. Their division of labor underscores the bill’s multi‑layered reach: federal agencies would fund staff and data‑sharing platforms; state and local governments would be drawn into advisory committees; private port operators would be mandated to embed cyber considerations into vulnerability assessments. The estimate’s reliance on “historical spending patterns for similar activities” hints at a nascent but growing portfolio of cyber‑related expenditures within DHS and the Coast Guard, suggesting that the agency already had a baseline of cyber work that could be expanded rather than built from scratch.
Notably, the CBO concludes that the bill would not trigger pay‑as‑you‑go (PAYGO) rules and would stay below the Unfunded Mandates Reform Act (UMRA) thresholds for both intergovernmental and private‑sector mandates. By framing the mandates as financially modest, the analysis implicitly reassures legislators that the bill’s requirements would not impose a heavy burden on ports—a sector already sensitive to regulatory costs. The language “most for additional staff required to design and implement data‑sharing systems” reveals where the CBO sees the primary expense: human capital, not new hardware or large‑scale infrastructure.
Why This Estimate Still Matters
Although the bill itself never became law, the CBO’s cost estimate provides a rare snapshot of how Congress evaluated cyber‑security policy in the late 2010s. It marks one of the first instances where a federal budget office quantified the fiscal impact of a cyber‑information‑sharing mandate aimed at a specific industry. The figure—$38 million—has been cited in subsequent hearings on maritime cyber‑risk, serving as a reference point for later proposals that sought larger, more comprehensive funding.
The estimate also illustrates the incremental approach the federal government took toward cyber‑resilience: rather than a sweeping overhaul, it opted for targeted coordination mechanisms, leveraging existing advisory committees. This strategy foreshadowed later initiatives, such as the 2020 Maritime Cybersecurity Act, which built upon the same information‑sharing framework but with a broader funding envelope.
In the archival record, the CBO estimate stands out because it translates abstract security concerns into concrete budgetary language, making the intangible threat of a cyber‑attack visible in fiscal terms. For scholars of cyber‑policy, it offers a measurable benchmark to assess how the perceived cost of securing the nation’s ports has evolved—a useful counterpoint to the often‑inflated rhetoric surrounding cyber‑threats. For policymakers, the document reminds us that even modest investments in coordination and staffing can lay the groundwork for a more resilient maritime supply chain, a lesson that remains relevant as the U.S. confronts ever‑more sophisticated cyber adversaries.
CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
October 6, 2017
H.R. 3101 Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017
As ordered reported by the House Committee on Homeland Security on September 7, 2017
SUMMARY
H.R. 3101 would require the Department of Homeland Security (DHS) to expand efforts to enhance the cybersecurity of U.S. ports. The bill also would clarify that the Coast Guard, the agency within DHS primarily responsible for activities related to maritime security, is authorized to pursue efforts related to cybersecurity. Based on information from DHS, CBO estimates that implementing H.R. 3101 would cost $38 million over the 2018-2022 period, assuming appropriation of the necessary amounts.
Enacting the bill would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 3101 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.
H.R. 3101 would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), on owners and operators of port facilities and vessels. Based on an analysis of information from the Coast Guard about current practices related to cybersecurity among maritime facilities and vessels, CBO estimates that the cost of complying with the mandates for public and private entities would fall below the annual thresholds established in UMRA for intergovernmental and private-sector mandates ($78 million and $156 million in 2017, respectively, adjusted annually for inflation).
ESTIMATED COST TO THE FEDERAL GOVERNMENT
The estimated budgetary effect of H.R. 3101 is shown in the following table. The costs of this legislation fall primarily within budget functions 050 (defense), 400 (transportation), and 450 (community and regional development).
By Fiscal Year, in Millions of Dollars
| | 2018 | 2019 | 2020 | 2021 | 2022 | 2018-2022 |
| :--- | :---: | :---: | :---: | :---: | :---: | :---: |
| **INCREASES IN SPENDING SUBJECT TO APPROPRIATION** | | | | | | |
| Estimated Authorization Level | 8 | 8 | 8 | 9 | 9 | 42 |
| Estimated Outlays | 5 | 8 | 8 | 8 | 9 | 38 |
**BASIS OF ESTIMATE**
For this estimate CBO assumes the bill will be enacted near the end of 2017 and that the estimated amounts will be appropriated each year. Estimated outlays are based on historical spending patterns for similar activities.
H.R. 3101 would direct DHS to pursue a variety of activities to enhance cybersecurity, particularly by increasing the capacity for information sharing among maritime stakeholders in the federal, state, local, and private sectors. Under the bill, DHS would need to develop a model for assessing maritime-related cybersecurity risks and require area maritime security advisory committees—stakeholder groups formed to address security-related issues at specific U.S. ports—to share information related to cybersecurity threats and develop plans to address port-specific vulnerabilities.
According to DHS, many of the activities required under the bill are consistent with current administrative policy, but implementing some efforts—particularly those aimed at increasing the capacity for information sharing among maritime stakeholders—would require additional spending. Based on an analysis of information from DHS, CBO estimates that fully funding such efforts would cost $38 million over the 2018-2022 period, mostly for additional staff required to design and implement data-sharing systems and provide analytical support related to risk assessment.
**PAY-AS-YOU-GO CONSIDERATIONS:** None.
**INCREASE IN LONG TERM DIRECT SPENDING AND DEFICITS:**
CBO estimates that enacting H.R. 3101 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.
2
INTERGOVERNMENTAL AND PRIVATE-SECTOR IMPACT
H.R. 3101 would impose intergovernmental and private-sector mandates, as defined in UMRA, on owners and operators of port facilities and vessels by requiring them to incorporate cybersecurity information into their vulnerability assessments. The bill also would require facilities to address cybersecurity risks and develop a mitigation plan if they submit security plans for approval after DHS has developed a model for assessing maritime-related cybersecurity risk. Based on an analysis of information from the Coast Guard about current practices among maritime facilities and vessels, CBO estimates that the incremental cost of complying with the mandates for public and private entities would fall below the annual thresholds established in UMRA for intergovernmental and private-sector mandates ($78 million and $156 million in 2017, respectively, adjusted annually for inflation).
ESTIMATE PREPARED BY:
Federal Costs: Megan Carroll
Impact on State, Local, and Tribal Governments: Jon Sperl
Impact on the Private Sector: Paige Piper/Bach
ESTIMATE APPROVED BY:
H. Samuel Papenfuss
Deputy Assistant Director for Budget Analysis
3
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu