Agencies should prioritize investments that lead to “secure by design” technologies, the White House says in new budget guidance that hews to the new national cybersecurity strategy, also prioritizing “performance-based” regulations and potentially funding a new cadre of “specialized cyber analysts.”
The guidance released this week lays out the Biden administration’s cyber priorities for the fiscal 2025 budget. The document is signed by OMB Director Shalanda Young and acting National Cyber Director Kemba Walden.
It follows the five pillars of President Joe Biden’s national cyber strategy released in March, starting with efforts to “defend critical infrastructure.” And for federal agencies focused on modernizing their cyber defenses, the guidance doubles down on efforts stemming from the May 2021 cybersecurity executive order (Executive Order 14028).
“Agency investments should lead to durable, long-term solutions that are secure by design,” the guidance states.
As with last year’s guidance, the White House tells agencies to show in their budget submissions how their funding supports “progress in zero trust deployments.” The 2022 zero trust strategy directed agencies to meet specific goals for establishing a zero trust architecture by the end of fiscal 2024.
Budget submissions should “explain efforts to close any gaps in those requirements” and “make clear how agency investments support people, processes, and technology that advance agency capabilities along the Zero Trust Maturity Model.”
Mike Hettinger, a former House Oversight and Reform Committee staff member and now president of Hettinger Strategy Group, applauded the White House’s continued efforts to put zero trust principles at the center of federal cyber defense plans.
“Full implementation of zero trust principles and architectures across the government is key to ensuring agencies can defend against ongoing cyber attacks,” Hettinger said. “From a congressional funding standpoint, it is imperative that zero trust cybersecurity remain at the very top of the priority list. It is just too critical to be underfunded now, into FY-25 and beyond.”
The guidance also tells agencies to prioritize the modernization of legacy systems, a significant concern for agencies attempting to apply zero trust practices like phishing-resistant multifactor authentication, which older applications and protocols often cannot support.
The guidance directs agencies to “prioritize technology modernization where agency systems are reaching end of life or end of service,” as well as “Federal Information Security Modernization Act High and High Value Asset systems that are unable to meet zero trust requirements, ensuring that these systems meet standards for security and customer experience requirements.”
OMB’s latest report on federal cybersecurity detailed several challenges agencies continue to face in mitigating security vulnerabilities in High Value Assets, with “patch management” being the top finding for those systems.
Ross Nodurft, former chief of OMB’s cyber team and executive director of the Alliance for Digital Innovation, also highlighted how the guidance “helpfully” focuses on “building modern, secure enterprise environments.”
“Agency investments in zero trust security solutions and migration to more modern cloud-based environments are essential for building more robust, extensible environments,” Nodurft said.
Shaping market forces
The budget guidance also emphasizes the national cyber strategy’s push to use government purchasing power to “shape market forces to drive security and resilience.” It highlights forthcoming cybersecurity requirements, including those that will require federal software vendors to sign self-attestation forms stating that their products meet the secure software development practices outlined by the National Institute of Standards and Technology in its Secure Software Development Framework.
Agencies in their budget submissions should “ensure capacity exists to meet secure software and services requirements, including costs associated with contracts and appropriate training,” the guidance states.
And they should also “identify where agency implementation of cybersecurity requirements may benefit from novel procurement practices and/or approaches that could be piloted within the agency or among select agencies for evaluation for broader federal enterprise use.”
Meanwhile, in a separate section of the guidance, the White House also directs agencies to ensure they’re budgeting “to begin transitioning agencies’ most critical and sensitive networks and systems to post quantum cryptography,” in line with OMB guidance released last year.
Nodurft said ADI appreciates the “recognition that there are both public and private sector costs associated with the implementation of administration cybersecurity requirements such as modernizing to post-quantum cryptography and producing secure software development self-attestation forms.”
Budgeting for critical infrastructure requirements
The guidance also directs agencies, particularly those with cyber regulatory authorities, to “improve baseline cybersecurity requirements” as part of their budget submissions.
“The NCS emphasizes rebalancing the responsibility to defend cyberspace to ensure that the most capable and best-positioned actors in cyberspace serve as effective stewards of the cyber ecosystem,” the guidance states, referring to the national cybersecurity strategy. “In setting cybersecurity requirements and considering needed resources, regulators are strongly encouraged to consult with regulated entities.”
Budgets should “further performance-based regulations,” the guidance continues, by ensuring “current and future requirements leverage existing cybersecurity frameworks and voluntary consensus standards.”
Agencies should also be planning to establish cyber standards that “can be applied across critical infrastructure sectors but are agile enough to adapt as adversaries increase capabilities and change tactics,” the guidance continues.
Agencies should also be budgeting for the “cybersecurity capabilities and capacity, including personnel, to ensure effective enforcement of regulatory regimes.”
Despite the focus on regulatory approaches, the guidance calls for sector risk management agencies to also “scale public private partnerships,” including by potentially adding capacity in their budgets for “specialized cyber analysts capable of working with critical infrastructure and providing proactive information to owners and operators.”
“Such analysts would evaluate sector needs, improve government processes for intelligence and informational analysis, and partner with private sector, state, local, tribal and territorial entities,” the guidance continues. “Such considerations should be discussed in accordance with a long-term vision to meet a defined mission and avoid duplication.”