New Presidential memorandum sets cybersecurity priorities for FY 2026, tasking OMB and ONCD to evaluate submissions – IndustrialCyber


In a memorandum addressing administration cybersecurity priorities for the FY 2026 budget, the Executive Office of the President said that the OMB (Office of Management and Budget) and the ONCD (Office of the National Cyber Director) will jointly review agency responses to these priorities in the FY 2026 Budget submissions, identify potential gaps, and identify potential solutions to those gaps. The two offices will provide feedback to agencies on whether their submissions adequately address and are consistent with overall cybersecurity strategy and policy, aiding agencies’ multi-year planning through the regular budget process.

“Guidance on cybersecurity research and development priorities is included in the forthcoming joint memo from OMB and the Office of Science and Technology Policy on Multi-Agency Research and Development Priorities for the FY 2026 Budget,” Shalanda D. Young, OMB director, and Harry Coker Jr., National Cyber Director, wrote in the memorandum, addressed to the heads of executive departments and agencies.

The National Cybersecurity Strategy (NCS) highlights five pillars to enhance the Nation’s cybersecurity posture: Defend Critical Infrastructure; Disrupt and Dismantle Threat Actors; Shape Market Forces to Drive Security and Resilience; Invest in a Resilient Future; and Forge International Partnerships to Pursue Shared Goals.

Classified as ‘M-24-14,’ the memorandum identified that sustained investments across these five pillars are critical to mitigate cybersecurity risks and should be addressed within the FY 2026 Budget guidance levels provided by OMB. “The Administration is committed to data-driven decision-making and departments and agencies are expected to incorporate performance measurement strategies into resource requests in order to build visibility in requested activities and allow effective measurement of investments.”

The document also outlined that the administration is working to maintain an open, free, global, interoperable, reliable, and secure cyberspace alongside partners and in opposition to those who provide safe haven to bad actors. Departments and agencies should ensure that they are sufficiently resourced to expand global cyber capacity-building efforts and demonstrate how they increase operational collaboration with international law enforcement partners. 

“Additionally, budget submissions should demonstrate efforts to improve the transparency, security, and resilience of global supply chain activity for industrial control systems and operational technologies as well as to mature and implement cybersecurity supply chain risk management programs, strategies, and policies,” according to the memorandum. “Moreover, budget submissions should support the creation of long-term, strategic collaboration between public and private sector partners domestically and abroad to rebalance and improve the transparency, security, and resilience of global supply chains for industrial control systems and operational technologies.” 

In line with the President’s direction in the NCS and Executive Order 14028 Improving the Nation’s Cybersecurity, the U.S. government needs to continue to strengthen and modernize its information technology systems by executing the transition towards fully mature zero trust architectures, prioritizing technology modernization of federal systems that cannot deploy modern security controls such as encryption and multifactor authentication, and leveraging government-managed cybersecurity shared services where capability gaps persist. 

The memorandum noted that agency investments should lead to demonstrable improvements reflected by agency FISMA reporting or similar metrics. “Agencies with federated networks should prioritize investments in department-wide, enterprise solutions to the greatest extent practicable in order to further align cybersecurity efforts, ensure consistency across mission areas, and enable information sharing.” 

Agency budget submissions should demonstrate how agencies are reducing risk by increasing the maturity of information systems across the pillars outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. Within 120 days of the date of this memorandum, agencies must submit an updated zero trust implementation plan to the OMB and ONCD. 

Additionally, to cover the implementation of zero trust on information systems, these plans must document current and target maturity levels in each pillar for all high-value assets and high-impact systems as well as the agency target maturity level for those systems to be achieved by the end of FY26. OMB, ONCD, and CISA will review submitted plans with agencies.

The memorandum said that as identified in the NCS and National Security Memorandum 22 on Critical Infrastructure Security and Resilience (NSM-22), defending critical infrastructure against adversarial activity and other threats depends upon developing and strengthening collaboration through structured roles and responsibilities. In addition, increased connectivity is enabled by the automated exchange of data, information, and knowledge. 

It added that budget submissions should demonstrate how each Sector Risk Management Agency (SRMA) prioritizes building the capacity and mechanisms to manage risks to respective sectors and ensure that each SRMA is sufficiently resourced to fulfill their one-time and recurring responsibilities and requirements as identified in NSM-22.

The NCS and NSM-22 commit federal departments and agencies to developing minimum requirements for each sector for security and resilience. In setting cybersecurity requirements and considering needed resources, regulatory agencies are encouraged to consult with regulated entities to establish baseline cybersecurity requirements that can be applied across critical infrastructure sectors but are agile enough to adapt as adversaries increase capabilities and change tactics.

Recognizing the benefits of open source software, departments and agencies should ensure the secure use of open source software and contribute to maintaining open source code to help sustain components depended on by the agency. Agencies should integrate open source software considerations, including processes to review, approve, inventory, and centralize open source consumption, into agency IT and cybersecurity governance structures. Agencies are encouraged to study the benefits that can be gained through the establishment of a governance function modeled after private sector open source program offices that define roles, responsibilities, and methods of engagement.

The memorandum noted that the administration is committed to mounting disruption campaigns and supporting other sustained, coordinated, and targeted efforts that disrupt the tools and infrastructure used by threat actors. Budget submissions for departments and agencies with existing, designated roles in the disruption of threat actors should demonstrate how they prioritize resources to investigate cybercrimes and cyber-enabled crimes, disrupt threat actors, dismantle ransomware infrastructure, ensure participation in interagency task forces focused on cybercrime, and combat the abuse of virtual currency. 

Through a host of programs, the administration is making ‘once-in-a-generation’ investments in America’s infrastructure and supporting the digital ecosystem. Consistent with the NCS, NSM-22 directs departments and agencies to utilize grant, loan, and other Federal government funding mechanisms to ensure minimum security and resilience requirements and effective accountability mechanisms are incorporated into critical infrastructure-related projects that receive Federal funding. Departments and agencies should ensure that they are resourced to fulfill these requirements and implement joint efforts across agencies to provide technical support for projects throughout the design and build phases.

The memorandum said that to address issues in recruiting, hiring, and retaining professionals to fill vacancies in the federal and non-federal government cyber workforce, budget submissions should demonstrate how they support the implementation of the National Cyber Workforce and Education Strategy (NCWES). In particular, budget submissions should demonstrate how agencies support flexible hiring and compensation initiatives through internal assessment and/or requests for cyber positions/roles.

Additionally, budget submissions should demonstrate how agencies invest in adopting skills-based best practices including skills-based and competency-based assessments and the removal of four-year college degrees as minimum requirements when appropriate to remove barriers to joining the federal cyber workforce. Also, these submissions should support initiatives that meet the federal cyber workforce demand by developing, attracting, and retaining diverse cyber talent in the federal government such as work-based learning, shared hiring actions, and multiple on-ramp approaches. 

The administration is also preparing to promote U.S. leadership in quantum information science and address potential threats that quantum computers may pose to encrypted data and systems. Departments and agencies should continue to refine the cost estimates they submitted as part of the NSM-10 requirement to ensure that they are sufficiently resourced to transition their most critical and sensitive networks and systems to quantum-resistant cryptography. 
