US defines cybersecurity priorities for FY 2025 budget submissions in latest OMB memo

A memorandum has been issued to department and agency heads, outlining the Biden administration’s cross-agency cybersecurity investment priorities for the formulation of the fiscal year (FY) 2025 Budget submissions to the U.S. Office of Management and Budget (OMB), consistent with spring guidance. Additionally, guidance on cybersecurity research and development priorities will be released in a separate memorandum.

“OMB and the Office of the National Cyber Director (ONCD) will jointly review agency responses to these priorities in the FY 2025 Budget submissions, identify potential gaps, and identify potential solutions to those gaps,” Shalanda Young, OMB director, and Kemba Walden, acting National Cyber Director, wrote in the memorandum issued this week. “OMB, in coordination with ONCD, will provide feedback to agencies on whether their submissions are adequately addressed and are consistent with overall cybersecurity strategy and policy, aiding agencies’ multiyear planning through the regular budget process.” 

The document added that consistent with the five pillars of the National Cybersecurity Strategy (NCS), departments and agencies should prioritize five cybersecurity effort areas – Defend Critical Infrastructure, Disrupt and Dismantle Threat Actors, Shape Market Forces to Drive Security and Resilience, Invest in a Resilient Future, and Forge International Partnerships to Pursue Shared Goals. These priorities should be addressed within the FY 2025 Budget guidance levels provided by OMB.  

The memorandum further added that, in accordance with the President's direction in the NCS, Executive Order 14028, and National Security Memorandum 8, the U.S. Government must continue to strengthen and modernize its information technology systems. Agency investments should lead to durable, long-term solutions that are secure by design.

Budget submissions should demonstrate how they achieve progress in zero trust deployments as outlined in OMB Memorandum M-22-09, and explain efforts to close any gaps in those requirements. They must also meet the goals set forth in the Federal Zero Trust Strategy and make clear how agency investments support people, processes, and technology that advance agency capabilities along the Zero Trust Maturity Model.

The memorandum also called upon the submissions to prioritize technology modernization where agency systems are reaching 'end of life' or 'end of service', and where Federal Information Security Modernization Act (FISMA) High and High Value Asset systems are unable to meet zero trust requirements, so that these systems meet security standards and customer experience requirements.

Submissions must also secure National Security Systems, including those that are owned or operated by Federal Civilian Executive Branch (FCEB) agencies, and continue to leverage shared cybersecurity services when appropriate and where capability gaps persist, in order to build Federal cohesion and defend federal systems.

The NCS emphasizes rebalancing cyberspace defense to ensure the most capable actors are effective stewards of the ecosystem. Regulators should consult with regulated entities when setting cybersecurity requirements and considering resources. Budget submissions should demonstrate performance-based regulations, agile baseline standards, and prioritizing cybersecurity capabilities and capacity, including personnel, for effective enforcement of regulatory regimes.

To defend critical infrastructure against adversarial activity and threats, collaboration through clearly structured roles and responsibilities is crucial, and automated data and knowledge exchange between government and industry increases the speed and reach of that collaboration. Budget submissions should prioritize building capacity and mechanisms to collaborate with critical infrastructure owners and operators, develop resource-informed plans, collaborate with information sharing and analysis organizations, and consider additional capacity for specialized cyber analysts.

The memorandum outlined that ransomware is a threat to national security, public safety, and economic prosperity. “The Administration is committed to mounting disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable.”

Budget submissions for departments and agencies should prioritize investigating ransomware crimes, disrupting infrastructure, combating virtual currency abuse, and ensuring participation in interagency task forces focused on cybercrime.

Earlier this month, the OMB published an update to a September 2022 memorandum (M-22-18) that focuses on enhancing the security of the software supply chain through secure software development practices. The latest document, M-23-16, extends the timeline for the collection of attestations for critical software and non-critical software; clarifies the scope of the earlier memorandum; provides guidance on the use of plans of action and milestones submitted to federal agencies by software producers; and outlines future updates to the guidance.

The OMB document called upon budget submissions to demonstrate how agencies ensure capacity exists to meet secure software and services requirements, including costs associated with contracts and appropriate training. They must also identify where agency implementation of cybersecurity requirements may benefit from novel procurement practices and/or approaches that could be piloted within the agency, or among select agencies, for evaluation for broader federal enterprise use.

It also called upon the budget submissions to demonstrate how the agency supports efforts to secure federally funded infrastructure investments from cyber threats. This can be done through support for project review, fiscal compliance, and assessment to address cybersecurity threats, and through the development of cybersecurity performance standards for infrastructure investments where existing standards require refinement. Submissions must also encourage joint efforts across agencies to provide technical support to projects throughout the design and build phases.

The OMB document identified that employers in the federal and national cyber workforce face challenges in recruiting, hiring, and retaining professionals to fill vacancies in the workforce, which negatively impacts America’s collective cybersecurity. 

Budget submissions should use 'Good Jobs Principles' and best practices for effective workforce investments. Budget proposals should support initiatives that meet federal cyber workforce demand by developing, attracting, and retaining cyber talent, leveraging skills-based hiring best practices, and attracting underrepresented groups. Additionally, agencies should include technical assistance, grant programs, and cross-sector cybersecurity workforce efforts to build technical and foundational skills and needed capacity.

The OMB document also called for preparation for a post-quantum future, to promote U.S. leadership in quantum information science and to address the threat that cryptographically relevant quantum computers may pose to encrypted data and systems.

Budget proposals should transparently account for the requirements under NSM-10, M-23-02, and NMM-2022-09, including the services and software needed to accurately inventory cryptographic systems and to transition agencies' critical networks to post-quantum cryptography.

The document also looks at strengthening international partner capacity and the U.S. ability to assist partners. This rests on the nation showing leadership through cooperation in identifying, disrupting, or otherwise addressing malicious cyber activity, using a whole-of-government approach that mitigates threats to America's networks and critical infrastructure.

Budget submissions for federal agencies with overseas cybersecurity missions should focus on maximizing expertise, enhancing collaboration with foreign partners and allies, and strengthening international partners’ cyber capacity. These efforts should involve collaboration with the private sector, non-governmental organizations, and other stakeholders to ensure security within the digital ecosystem.

Agencies have been required to establish formal Supply Chain Risk Management (SCRM) programs for acquisitions of information and communications technology and services, the OMB document said. 

Budget proposals should transparently evaluate and monitor supply chain risks, support agency SCRM programs, and assess threats and vulnerabilities from transactions involving information and communications technology.
