Agencies should be prioritizing investments that lead to “secure by design” technologies, the White House says in new budget guidance that hews to the new national cybersecurity strategy by also prioritizing “performance-based” regulations and potentially funding a new cadre of “specialized cyber analysts.”
The guidance released this week lays out the Biden administration’s cyber priorities for the fiscal 2025 budget. The document is signed by OMB Director Shalanda Young and acting National Cyber Director Kemba Walden.
It follows the five pillars of President Joe Biden’s national cyber strategy released in March, starting with efforts to “defend critical infrastructure.” And for federal agencies focused on modernizing their cyber defenses, the guidance doubles down on efforts stemming from the May 2021 cybersecurity executive order.
“Agency investments should lead to durable, long-term solutions that are secure by design,” the guidance states.
As with last year's guidance, the White House tells agencies to budget funds that "achieve progress in zero trust deployments" as outlined by the 2022 federal zero trust strategy, which set specific goals agencies must meet toward a zero trust architecture by the end of FY-24.
Budget submissions should “explain efforts to close any gaps in those requirements” and “make clear how agency investments support people, processes, and technology that advance agency capabilities along the Zero Trust Maturity Model.”
Mike Hettinger, a former House Oversight and Reform Committee staff member and now president of Hettinger Strategy Group, applauded the White House’s continued efforts to put zero trust principles at the center of federal cyber defense plans.
“Full implementation of zero trust principles and architectures across the government is key to ensuring agencies can defend against ongoing cyber attacks,” Hettinger said. “From a congressional funding standpoint, it is imperative that zero trust cybersecurity remain at the very top of the priority list. It is just too critical to be underfunded now, into FY-25 and beyond.”
The guidance also tells agencies to prioritize the modernization of legacy systems, a significant concern for agencies attempting to apply zero trust practices such as phishing-resistant multifactor authentication, which many older systems cannot support.
The guidance directs agencies to “prioritize technology modernization where agency systems are reaching end of life or end of service,” as well as “Federal Information Security Modernization Act High and High Value Asset systems that are unable to meet zero trust requirements, ensuring that these systems meet standards for security and customer experience requirements.”
OMB's latest report on federal cybersecurity detailed several challenges agencies continue to face in mitigating security vulnerabilities in High Value Assets, with "patch management" the most common finding for those systems.
Ross Nodurft, former chief of OMB’s cyber team and executive director of the Alliance for Digital Innovation, also highlighted how the guidance “helpfully” focuses on “building modern, secure enterprise environments.”
“Agency investments in zero trust security solutions and migration to more modern cloud based environments are essential for building more robust, extensible environments,” Nodurft said.
Budgeting for critical infrastructure requirements
Meanwhile, the fiscal 2025 guidance directs agencies, particularly those with cyber regulatory authorities, to “improve baseline cybersecurity requirements” as part of their budget submissions.
The direction comes after Biden’s cyber strategy called for moving beyond voluntary collaboration and toward establishing requirements for key parts of critical infrastructure sectors.
“The NCS emphasizes rebalancing the responsibility to defend cyberspace to ensure that the most capable and best-positioned actors in cyberspace serve as effective stewards of the cyber ecosystem,” the guidance states. “In setting cybersecurity requirements and considering needed resources, regulators are strongly encouraged to consult with regulated entities.”
Budgets should “further performance-based regulations,” the guidance continues, by ensuring “current and future requirements leverage existing cybersecurity frameworks and voluntary consensus standards.”
Agencies should also be planning to establish cyber standards that “can be applied across critical infrastructure sectors but are agile enough to adapt as adversaries increase capabilities and change tactics,” the guidance continues.
Agencies should also weigh the "cybersecurity capabilities and capacity, including personnel, to ensure effective enforcement of regulatory regimes."
Despite the focus on regulatory approaches, the guidance calls for sector risk management agencies to also “scale public private partnerships,” including by potentially adding capacity in their budgets for “specialized cyber analysts capable of working with critical infrastructure and providing proactive information to owners and operators.”
“Such analysts would evaluate sector needs, improve government processes for intelligence and informational analysis, and partner with private sector, state, local, tribal and territorial entities,” the guidance continues. “Such considerations should be discussed in accordance with a long-term vision to meet a defined mission and avoid duplication.”