OMB’s Cybersecurity Priorities for Agency FY 2026 Budgets

Published: July 23, 2024


A new OMB memo directs federal agencies to fund White House cybersecurity priorities within their FY 2026 budgets.

The Office of Management and Budget (OMB) recently issued a memorandum to federal Executive Branch departments and agencies outlining the Biden Administration’s cross-agency cybersecurity investment priorities, to which agencies should align in formulating fiscal year (FY) 2026 budget submissions. OMB continues to direct agencies to focus their FY 2026 cyber-related budgets to align with the five pillars of the administration’s 2023 National Cybersecurity Strategy (NCS).

Below is a summary of the requirements, with emphasis added on key elements.

Defend Critical Infrastructure – NCS Pillar 1

  • Modernize Defenses: Agencies are to continue moving toward fully mature zero trust architectures, prioritize modernizing systems that cannot yet deploy modern security controls and leverage government-managed cybersecurity shared services to fill cybersecurity gaps. Agencies should prioritize investing in department-wide, enterprise solutions to align efforts, ensure consistency and enable information sharing. Agencies must submit an updated zero trust implementation plan to OMB and the Office of the National Cyber Director (ONCD) by early November 2024, documenting current maturity levels in each NCS pillar for all high value assets and high impact systems as well as the agency target maturity levels to be achieved by the end of FY26.
  • Improve Baseline Cybersecurity Requirements: Agency budget submissions should demonstrate sufficient funding for cybersecurity capabilities and capacity to fulfill their roles across regulated critical infrastructure sectors, including inspectors and auditors, to ensure effective enforcement and harmonization of regulatory regimes. OMB strongly encouraged regulatory agencies to consult with regulated entities to establish baseline cybersecurity requirements that can be applied across sectors and are agile enough to meet changing threats.
  • Scale Public-Private Collaboration: Agency budgets are to demonstrate how each Sector Risk Management Agency (SRMA) prioritizes building the capacity and mechanisms to manage risks to respective critical infrastructure sectors and ensure that each SRMA is sufficiently resourced to fulfill their designated responsibilities and requirements. Capacities and mechanisms include defending critical infrastructure against threats, developing and strengthening collaboration, and enabling automated exchange of data, information and knowledge.
  • Improve Open Source Software Security and Sustainability: Agency budgets should ensure the secure use and maintenance of open source software at their agencies, including making security-related contributions to open source software components; monitoring changes to code; tracking and correcting potential errors and flaws in code; and other related activities. Agencies should integrate open source software considerations into their IT and cybersecurity governance structures, modeled after private sector open source programs.

Disrupt and Dismantle Threat Actors - NCS Pillar 2

  • Counter Cybercrime, Defeat Adversaries: Agencies with designated roles in the disruption of threat actors should prioritize budget resources to investigate cybercrimes and cyber-enabled crimes, disrupt threat actors, dismantle ransomware infrastructure, ensure participation in interagency task forces focused on cybercrime, and combat the abuse of virtual currency.

Shape Market Forces to Drive Security and Resilience - NCS Pillar 3

  • Secure Software and Leverage Federal Procurement to Improve Accountability: Agency budgets should ensure that they have the capacity to meet OMB’s secure software development requirements. OMB requires agencies to only use software from producers who can attest to their compliance with federal secure software development practices.
  • Leverage Federal Grants and Other Incentives to Build in Security: Departments and agencies are directed to leverage federal grant, loan, and other government funding mechanisms “to ensure minimum security and resilience requirements and effective accountability mechanisms” are built into critical infrastructure-related projects that receive such government funding. Agency budgets are to ensure sufficient resources to fulfill these requirements and to implement joint agency efforts to provide technical support for projects throughout the design and build phases.

Invest in a Resilient Future - NCS Pillar 4

  • Strengthen Cyber Workforce: Agency budgets should demonstrate how they will successfully recruit, hire, develop and retain their cyber workforce. Agencies should demonstrate how they support flexible hiring and compensation initiatives; how they are adopting skills-based best practices to remove hiring barriers; and how they support initiatives that meet the federal cyber workforce demand.
  • Prepare for the Post-Quantum Future: Agency budgets should continue to refine the cost estimates they submitted to comply with the National Security Memorandum on Promoting U.S. Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (NSM-10) to ensure that they are sufficiently resourced to transition their most critical and sensitive networks and systems to quantum-resistant cryptography.
  • Secure the Technical Foundation of the Internet: To ensure that the hardware and software of their enterprise networks are secure by design, agency budgets should consider measures such as the use of memory-safe programming languages, memory-safe hardware, and other measures, as well as support the use of enhancements to the Border Gateway Protocol to increase Internet routing security. Agencies should use their procurement processes to enforce federal secure software development policies.

Forge International Partnerships to Pursue Shared Goals - NCS Pillar 5

  • Strengthen International Partner Capacity and U.S. Ability to Assist: Agency budgets should show that they prioritize expanding global cyber capacity building efforts under Executive Order 14034 to protect U.S. public and private data from foreign adversaries and demonstrate how they increase operational collaboration with international law enforcement partners.
  • Secure Global Supply Chains for Information, Communications, and Operational Technology Products and Services: Agency budgets should demonstrate efforts to improve the transparency, security, and resilience of global supply chains for industrial control systems and operational technologies, advance cybersecurity supply chain risk management programs, and support strategic public and private sector collaboration around these supply chains.

Final Thoughts

Several elements in the latest OMB budget directive remain consistent with, and build upon, major elements in OMB’s FY 2025 cyber budget guidance, and in the FY 2024 budget guidance as well. These include making progress on zero trust implementation, IT and cybersecurity modernization, infrastructure security, cyber information sharing and collaboration, supply chain risk management, cyber workforce development and combating cybercrime.

The latest guidance also continues to drive home the fact that federal cybersecurity policy will maintain pressure on the federal IT supply chain – software and hardware producers, service providers and integrators – to meet increasingly stringent product development, operational cybersecurity practices and acquisition requirements to have access to the federal contracting market going forward.