US administration releases memorandum focusing on fiscal 2024 cyber priorities for FCEB agencies


The White House has issued a memorandum that outlines cross-agency cyber investment priorities of U.S. President Joe Biden’s administration. It calls upon federal civilian executive branch (FCEB) agencies to make investments across three cyber priorities, including improving the defense and resilience of government networks, deepening cross-sector collaboration in defense of critical infrastructure, and boosting the foundations of a digitally-enabled future.

The memorandum said that the guidance on cybersecurity research and development priorities can be found in the forthcoming memorandum Multi-Agency Research and Development Priorities for the FY 2024 Budget. “These priorities should be addressed within the FY 2024 Budget guidance levels provided by OMB.” 

The Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) will review agency responses to these cyber priorities while identifying potential gaps and likely solutions to close those gaps. In addition, the two agencies will coordinate to provide feedback to agencies on whether the cyber priorities are adequately addressed and consistent with the overall cybersecurity strategy and policy. 

In his May 2021 Executive Order, President Biden called on the U.S. government to “make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life” to strengthen and modernize its information technology (IT) systems and networks. The FCEB agencies are set to lead by example by prioritizing zero trust implementation and IT modernization in FY 2024 budget submissions. 

In a January memorandum, the U.S. administration directed agencies to the highest-value starting points on their path to zero trust. That strategy also describes several shared services, which should be prioritized to support a long-term government-wide effort.

“This strategy is a starting point, not a comprehensive guide to a fully mature zero trust architecture,” the memorandum said. The Federal Zero Trust Strategy laid down in that memorandum also requires agencies to achieve specific zero trust security goals by the end of FY 2024, with budget submissions expected to prioritize ensuring this work is completed. 

“Agencies have submitted zero trust implementation plans to OMB, and a cross-government team of cybersecurity experts from OMB, ONCD, and Cybersecurity and Infrastructure Security Agency (CISA) is engaging with agencies to refine these plans and define ambitious, achievable goals,” the latest memorandum said. “The Federal Zero Trust Strategy defines priority goals for agencies to achieve a consistent enterprise-wide baseline for cybersecurity grounded in principles of least privilege, minimizing attack surface, and designing protections around an assumption that agency perimeters should be considered compromised.” 

“This is a significant shift in FCEB operations, and agencies should demonstrate a commitment in their budget submission to making this shift and achieving a new and more resilient foundational state,” the White House memorandum added.

U.S. critical infrastructure increasingly interfaces with and is defined by cyberspace, so ensuring that infrastructure’s defense and resilience against cyberthreats calls for an ‘unprecedented level of collaboration between the public and private sectors.’ It also necessitates deepening cross-sector collaboration in securing critical infrastructure agencies.

Agencies will build this collaboration in FY 2024 by prioritizing their sector risk management agency (SRMA) responsibilities and ensuring adequate information sharing through designated cybersecurity centers.

FY 2024 budget submissions should prioritize specific proposals that ensure SRMAs have adequate resources to fulfill their section 9002 responsibilities. The proposals should enable SRMAs to collaborate more closely with CISA and other SRMAs to improve the trajectory of collective (government and industry) defense, response, and resilience within respective sectors. They should also enable information exchange among government and industry, including through the U.S. Federal Cyber Centers and Information Sharing and Analysis Organizations and Information Sharing and Analysis Centers, to develop actionable operational intelligence. The measures would also offer meaningful threat mitigation advice.

The submissions must also improve the detailed understanding of national security risks associated with each sector that are or could be exploited by adversaries, including nation-states. They should also achieve a deeper understanding of threat actors’ cyber tactics, techniques, and procedures and the risk posed to each sector. Lastly, the proposals must facilitate increased sharing and collaboration between industry and government on cyber threat intelligence, indicators, and defensive measures, including incidents in secure, physical, or virtual settings.

As the U.S. transforms from a digitally complemented economy to a digitally suffused one, the decisions agencies make on shaping, directing, and securing that transition will reverberate for decades into the future. FCEB agencies prioritize physical infrastructure, human capital, and supply chain risk management. 

With the Biden administration engaging in a ‘once-in-a-generation’ investment in infrastructure through the Infrastructure Investment and Jobs Act (IIJA), the budgets of FCEB agencies should support efforts to secure this infrastructure from cyber threats. 

The memorandum said that where the IIJA funding does not cover costs associated with providing technical support, FY 2024 investments should prioritize funding for supporting project review and assessment to address cybersecurity threats and developing cybersecurity performance standards for infrastructure investments where existing standards are insufficient. They must also provide for implementing joint efforts across agencies to provide technical support to projects throughout the design and build phases.

Addressing supply chain risk management (SCRM), the Federal Acquisition Security Council was established to manage cybersecurity risk, partly to make recommendations concerning how to remove certain covered articles from executive agency information systems, or to exclude certain sources of those articles from executive agency procurement actions. 

“Federal agencies are required to establish formal SCRM programs for their own acquisitions, particularly around information and communications technology and services (ICTS),” the memorandum said. “While these requirements currently sunset at the end of 2023, legislation is pending to extend the requirement through 2026. The FY 2023 President’s Budget made critical investments in SCRM programs at agencies. Agencies should sustain these investments in their FY 2024 submissions. In addition, agencies should target additional resources for training and appropriately tracking supply chain investments to support improvements to the Federal government’s overall SCRM efforts,” it added.
