The Office of Management and Budget (OMB) and the White House’s Office of the National Cyber Director (ONCD) are giving Federal agencies their marching orders on cybersecurity priorities as they work on fiscal year (FY) 2025 budgets, with an emphasis on tying in the five pillars of the National Cybersecurity Strategy (NCS) released by ONCD in March.
The cyber strategy features multiple focus points including continuing efforts to improve security in already-regulated critical infrastructure sectors, a high-level goal of shifting more security responsibility onto providers of tech products and services, and a robust focus on using “all tools of national power” to go after attackers.
Implementation plans for the cyber strategy are expected from the ONCD sometime this summer.
The June 27 memo to Federal agency heads from OMB Director Shalanda Young and Acting NCD Kemba Walden lists out “cross-agency cybersecurity investment priorities for formulating fiscal year (FY) 2025 Budget submissions to the Office of Management and Budget (OMB), consistent with spring guidance.”
The document notes that OMB guidance on cybersecurity “research and development priorities” will be released separately.
“Consistent with the five pillars of the National Cybersecurity Strategy (NCS), departments and agencies should prioritize five cybersecurity effort areas: 1) Defend Critical Infrastructure; 2) Disrupt and Dismantle Threat Actors; 3) Shape Market Forces to Drive Security and Resilience; 4) Invest in a Resilient Future; and 5) Forge International Partnerships to Pursue Shared Goals,” the memo reads.
“These priorities should be addressed within the FY 2025 Budget guidance levels provided by OMB,” it continues.
“OMB and the Office of the National Cyber Director (ONCD) will jointly review agency responses to these priorities in the FY 2025 Budget submissions, identify potential gaps, and identify potential solutions to those gaps,” the memo says.
“OMB, in coordination with ONCD, will provide feedback to agencies on whether their submissions are adequately addressed and are consistent with overall cybersecurity strategy and policy, aiding agencies’ multiyear planning through the regular budget process,” the memo states.
Policy highlights from the document are drawn from the executive orders and other actions taken by the Biden administration since 2021 and are matched to the five pillars of the national cybersecurity strategy. They include:
- Strengthening and modernizing IT systems;
- Achieving progress in zero trust security and explaining remaining gaps;
- Prioritizing modernization of systems that are reaching end of life and where high-value systems are unable to meet zero trust requirements;
- Securing national security systems;
- Leveraging shared cybersecurity services;
- Rebalancing the responsibility to defend cyberspace;
- Further performance-based regulations including baseline cyber standards for critical infrastructure;
- Countering cybercrime and ransomware;
- Shaping market forces to improve security and resilience, including conformity with secure software development practices;
- Strengthening cyber workforces in the government and private sector;
- Preparing for the post-quantum computing future; and
- Securing global supply chains for information, communications, and operational technology products and services.