OMB’s Cybersecurity Priorities for Agency FY 2024 Budgets

Published: July 29, 2022

New FY 2024 budget preparation guidance from OMB directs federal civilian agencies to sustain their focus on cross-agency cybersecurity priorities.

The Office of Management and Budget (OMB) recently issued a memorandum to Federal Civilian Executive Branch (FCEB) agencies outlining the Biden Administration’s cross-agency cyber investment priorities, to which agencies should align in formulating fiscal year (FY) 2024 budget submissions to OMB.

OMB is directing FCEB agencies to focus their FY 2024 cyber-related budgets in three main priority areas, each containing specific sub-areas for funding.

Improving the Defense and Resilience of Government Networks

  • Zero Trust Implementation: The Federal Zero Trust Strategy (and OMB Memo M-22-09) requires agencies to achieve specific zero trust security goals by the end of FY 2024, grounded in principles of least privilege, minimized attack surfaces, and an assumption that agency perimeters are compromised. FY 2024 budget submissions should ensure these goals are met.  
  • IT Modernization for Cybersecurity by Design: Agencies should prioritize IT modernization efforts that integrate security during the design phase, as well as throughout the system lifecycle. In addition, agencies should leverage shared solutions that enhance inherent secure development and operations. Agency FY 2024 budget submissions should prioritize accelerated use of secure cloud infrastructure and services; secure customer experience solutions; modern security technologies, leveraging the Continuous Diagnostics and Mitigation (CDM) program; shared awareness/operations among security and IT operations; agile development practices; and National Institute of Standards and Technology (NIST) security standards for agency software procurement and development practices. Funding requests must not be duplicative of current agency or Technology Modernization Fund (TMF) projects.

Deepening Cross-Sector Collaboration in Defense of Critical Infrastructure

  • Sector Risk Management Agencies (SRMA): Agencies with sector risk management agency (SRMA) responsibilities must adequately fund these activities and prioritize building the mechanisms to collaborate with critical infrastructure owners and operators to identify, understand, and mitigate threats, vulnerabilities, and risks to respective sectors. FY 2024 budget submissions should enable collaboration and information sharing among SRMAs, CISA and industry on cyber threat intelligence and defensive measures; and improve understanding of national security risks within each sector and the cyber tactics of threat actors, including nation-states.

Strengthening the Foundations of our Digitally-Enabled Future

  • Securing Infrastructure Investments: Agencies should support efforts to secure all types of infrastructure from cyber threats. Where the Infrastructure Investment and Jobs Act (IIJA) funding does not cover costs associated with providing technical support to address cybersecurity threats, agency FY 2024 budgets should prioritize funding to support project reviews and assessments; developing/improving cybersecurity performance standards for infrastructure investments; and implementing joint-agency technical support throughout the project design and build phases.
  • Human Capital: Agencies should continue to invest in a capable IT and cyber workforce, including executive leadership training and cross-discipline training in cyber and law, executive management, procurement, human capital, records management, and other intersecting fields. FY 2024 agency budgets should prioritize funding to hire, train and retain IT and cyber professionals; explore alternative skills-based hiring and pay incentive practices; and ensure technology-focused staff are skilled in modern, secure approaches to system architecture and platform and application development.
  • Technology Ecosystems and Supply Chain Risk: Agencies should sustain funding in their FY 2024 budget submissions for their mandated supply chain risk management (SCRM) programs to ensure certain covered IT and communications items and sources are removed or excluded from agency information systems and related procurements. In addition, agencies should target additional funding for training and tracking supply chain investments to support overall federal SCRM efforts. Finally, in their FY 2024 budget submissions, agencies should highlight funding that supports a national effort to mitigate undue or unacceptable levels of risk to economic security and national security associated with information and communications technology and services (ICTS) supply chain risk.

For those who have been watching the evolution of the federal cybersecurity landscape for the last several years, the latest OMB guidance does not introduce any new priorities or major initiatives. Rather, it serves as a reminder to agencies to stay the course on current government-wide efforts by allocating budget dollars to the cause.

This OMB memo also mentioned a forthcoming memorandum on Multi-Agency Research and Development Priorities for the FY 2024 Budget, which will provide guidance to agencies on cybersecurity research and development priorities. Stay tuned.