White House uses budget hammer to spur better cybersecurity in 2025 and beyond

[06/30/2023: This story has been updated to include additional context around the Transportation Security Administration's regulatory approach to the pipeline sector.]

As the 2025 budget season starts to heat up, the White House wants to ensure government agencies adopt plans aligned with a raft of cybersecurity policies, standards and directives the federal government has put in place over the past decade.

The guidance, included in a memo signed by Office of Management and Budget Director Shalanda Young and acting National Cyber Director Kemba Walden, was developed to work in tandem with the five “pillars” of action outlined in the National Cybersecurity Strategy issued earlier this year. The OMB and ONCD intend to review responses from agencies to ensure their spending plans focus on aligned issues.

"OMB, in coordination with ONCD, will provide feedback to agencies on whether their submissions are adequately addressed and are consistent with overall cybersecurity strategy and policy, aiding agencies’ multiyear planning through the regular budget process," Young and Walden wrote.

Making agencies budget accountable

Internally, the White House is expecting agencies to explain how their budget plans will tie into larger security initiatives across government, like the administration's push around implementing Zero Trust security architecture, technology modernization, shared services and protecting “high value assets,” or systems and the devices that have been prioritized by agencies as critical to carrying out their mission.

After years of waiting, agencies will also be expected to outline clear plans to migrate their devices and systems to new forms of encryption that can (theoretically) defend against (also theoretical) cyberattacks leveraging quantum computers. To that end, OMB wants to ensure that each agency’s 2025 budget includes plans to acquire the software and services needed to inventory cryptographic systems and start moving sensitive networks and systems to NIST-approved algorithms.

This should include the services and software needed to accurately, and where possible automatically, inventory cryptographic systems and to begin transitioning agencies’ most critical and sensitive networks and systems to post-quantum cryptography, as directed by OMB.

Future-proofing Federal cyberdefenses

U.S. officials such as Walden, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, and Chris Inglis, former National Cyber Director, have consistently called for the federal government to leverage its massive purchasing power to set higher standards around secure software, devices and cloud applications, standards that can eventually percolate down to the commercial level.

In line with those sentiments and the National Cyber Strategy, the memo calls for federal grants, procurement and other initiatives to be crafted to incentivize the development of more secure technology throughout broader industry.

Finally, OMB wants proposed budgets to support larger workforce development initiatives in the federal government, such as skills-and-competency-based assessments, shared hiring actions and multiple on-ramp approaches to identify, hire and retain candidates from groups that have long been underrepresented in cybersecurity.

“These initiatives will strengthen the cyber workforce by attracting members of underrepresented groups, such as women, people of color, rural populations, and those with disabilities; and for agencies that have a mission requirement to bolster cyber capacity throughout the national workforce, include technical assistance, grant programs, and cross-sectional cybersecurity workforce efforts to build technical, foundational cyber skills, and needed capacity,” the memo states.

Chris Cummiskey, a former senior leader at the Department of Homeland Security and now a consultant, told SC Media in an interview that as other entities like CISA, ONCD and the White House National Security Council have taken more active roles setting cyber policy throughout the government in recent years, OMB is leaning into its leading budgetary role to exert its own influence on agency cybersecurity operations.

“I think it’s a clear message to agencies that in FY 2025 if you’re asking for money, if you want to have a smoother path with us here at OMB, you’ll follow not only the national cyber strategy but also…synchronizing what the resourcing profile will look like as they move through decisions at departments and submit budgets [later this year],” Cummiskey said.

Protect our gas and hot dogs

Not surprisingly, funneling government dollars into better methods to protect critical infrastructure is a major focus for OMB, in line with the Biden administration’s intense focus on protecting U.S. supply chains and other essential services from digital disruption following ransomware attacks in 2021 against Colonial Pipeline and foodmaker JBS that temporarily impacted their supply lines.

Agency budget proposals should detail the personnel they have or need for monitoring supply chain risks in their designated sectors, as well as for assessing any links in those chains that may be owned by a foreign individual, entity or government that might leverage them for disruption.

Imposing new regulations was a key part of ONCD’s strategy and is viewed as one of the clearest pathways to improving cybersecurity protections in critical infrastructure, where federal authorities tend to be strongest.

But the administration has seen blowback in the water and pipeline sectors when implementing new or enhanced rules over the past two years, with critics saying the Transportation Security Administration and Environmental Protection Agency did not do enough to consult with industry or understand the ground-level realities of operating and defending critical infrastructure.

OMB’s guidance explicitly encourages other agencies not to repeat those mistakes.

“In setting cybersecurity requirements and considering needed resources, regulators are strongly encouraged to consult with regulated entities,” Young and Walden wrote.

The TSA has since revised its pipeline regulations in response to industry feedback, increasing the amount of time owners and operators have to report hacks to the government from 12 hours to 24 hours and building in additional flexibility for owners and operators to meet some of the objectives without needing to follow the government’s specific prescriptions.

Similarly, the memo asks agencies to explain how their budget submissions will further the administration’s goals around implementing performance-based regulations, fit in with existing cybersecurity frameworks and voluntary standards, and ensure that any new regulations are standardized enough to apply to different sectors of critical infrastructure while still retaining enough flexibility to customize them for each industry’s individual needs.

Sector Risk Management Agencies – or agencies designated as the lead coordinator and regulator for certain industries – should also prioritize investments and spending that can build up capabilities for the government to interact with industry, identify malicious cyber activity and coordinate on things like threat information sharing, incident response and remediation.

Interestingly, OMB suggests agencies make room in their budgets for “specialized cyber analysts” who focus on critical infrastructure and act as a facilitator between government and industry to provide more “proactive” information around cyber threats to owners and operators.

OMB said it will craft a separate memorandum to guide cybersecurity research and development priorities for the 2025 budget cycle.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.