OMB’s Cybersecurity Priorities for Agency FY 2025 Budgets

Published: June 30, 2023


A new OMB memo directs federal agencies to align their FY 2025 budgets with the latest National Cybersecurity Strategy.

The Office of Management and Budget (OMB) recently issued a memorandum to federal Executive Branch departments and agencies outlining the Biden Administration’s current cross-agency cybersecurity investment priorities, to which agencies should align in formulating fiscal year (FY) 2025 budget submissions.

OMB is directing agencies to focus their FY 2025 cyber-related budgets to align with the five pillars of the administration’s National Cybersecurity Strategy (NCS), which was released in March. Below is a summary of the requirements, with emphasis added on key elements.

Defend Critical Infrastructure - NCS Pillar 1

  • Modernize Defenses: Agencies are to prioritize progress in zero trust deployments by making clear how their IT investments meet OMB's zero trust (ZT) goals, as set out in OMB's directives and the federal ZT strategy. Agencies are to prioritize modernizing systems that are reaching end of life/service, that are struggling to meet Federal Information Security Modernization Act (FISMA) requirements, or that are High Value Asset (HVA) systems unable to meet zero trust requirements.
  • Improve Baseline Cybersecurity Requirements: Agency budget submissions should demonstrate how their cybersecurity requirements and requested resources will leverage existing cybersecurity frameworks and standards to support and meet relevant performance-based regulations and ensure effective regulatory enforcement. The NCS emphasizes rebalancing the responsibility for cybersecurity toward technology producers and service providers to encourage them to follow “secure by design” principles.
  • Scale Public-Private Collaboration: Agency budgets are to prioritize building the capacity and mechanisms to collaborate with critical infrastructure owners and operators to mitigate cyber threats and vulnerabilities. Budgets should demonstrate how agencies will build on their existing experience with collaborative information-sharing organizations to define sector-by-sector needs and capability gaps. Each Sector Risk Management Agency (SRMA) is to develop a plan to mature its capabilities, improve processes, make use of technology solutions, and consider additional capacity for specialized cyber analysts to provide proactive information to critical infrastructure owners and operators.

Disrupt and Dismantle Threat Actors - NCS Pillar 2

  • Counter Cybercrime, Defeat Ransomware: Agencies are to prioritize staff to investigate ransomware crimes and disrupt ransomware infrastructure and actors as well as participate in interagency task forces focused on cybercrime.

Shape Market Forces to Drive Security and Resilience - NCS Pillar 3

  • Secure Software and Leverage Federal Procurement to Improve Accountability: Agency budgets should demonstrate how they will meet secure software and services requirements mandated by OMB, which require agencies to ensure software producers attest to conformity with federal secure software development practices. Agencies are also asked to identify novel procurement practices or approaches that might help them implement cybersecurity requirements for consideration in federal efforts to strengthen and standardize government-wide contract requirements.
  • Leverage Federal Grants and Other Incentives to Build in Security: Departments and agencies should ensure that cybersecurity resilience is addressed within federally funded infrastructure programs and their supporting digital elements. Agency budgets are to demonstrate how they will support infrastructure cyber-resilience through project reviews and assessments and through the development and refinement of cybersecurity performance standards for infrastructure investments. Joint agency efforts to provide technical support to projects are encouraged.

Invest in a Resilient Future - NCS Pillar 4

  • Strengthen Cyber Workforce: Agency budgets should demonstrate how they will successfully recruit, hire, develop and retain their cyber workforce through the various federal workforce development provisions available to them. Agencies with a mission requirement to bolster the national cyber workforce capacity are to include any technical assistance, grant programs, and cross-sectional cybersecurity workforce capacity efforts needed.
  • Prepare for the Post-Quantum Future: Agency budgets should demonstrate how they meet current federal mandates and requirements around quantum information science, quantum computers and encryption. Agencies are to identify any services and software needed to inventory their cryptographic systems and to begin transitioning critical and sensitive networks and systems to post-quantum cryptography.

Forge International Partnerships to Pursue Shared Goals - NCS Pillar 5

  • Strengthen International Partner Capacity and U.S. Ability to Assist: Budgets for agencies with overseas cybersecurity missions should demonstrate how they pursue, support and achieve effective international cyber capacity building and strengthen international partners’ cyber capacity. Agencies with a mission requirement to support international operational coordination should show how they enhance collaboration with foreign partners and allies.
  • Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services: Agency budgets should clearly show how they evaluate and monitor supply chain risks and how they support required agency Supply Chain Risk Management (SCRM) programs. Agencies are also to demonstrate how they address threats and vulnerabilities related to foreign adversaries and technology acquisitions.

Implications

Those who have been watching the evolution of federal cybersecurity policies and programs over the last several years will recognize many of these themes, several of which were addressed in OMB's FY 2024 budget guidance to agencies, including zero trust modernization, infrastructure security, SCRM and cyber workforce development.

What this memo underscores from the NCS is the effort to place the onus of, and liability for, cybersecurity vulnerabilities onto technology producers, particularly software producers. Further, federal cyber leaders are signaling their intent to use federal procurement as a means of driving industry compliance with federal secure software development requirements.

Federal cyber and acquisition leaders are seeking input from industry stakeholders and others to help them shape any changes to federal regulations and contract requirements, so interested parties need to engage and express their perspectives to ensure a constructive outcome.