Cybersecurity will remain a high priority for the White House in the near future, particularly at critical U.S. infrastructure facilities, according to a memorandum issued to heads of executive departments and agencies by the Office of Management and Budget (OMB) on Tuesday.
The memo is intended to guide agency heads planning cybersecurity investments as they create their fiscal 2025 budget submissions. In it, OMB Director Shalanda Young and acting National Cyber Director Kemba Walden identified five priority areas, consistent with the five pillars of the National Cybersecurity Strategy the White House issued in March. (See “Zero-trust, Cybersecurity’s New Focus,” Texas RE Board/MRC Briefs: May 17, 2023.)
OMB and the Office of the National Cyber Director (ONCD) plan to review the agencies’ budget submissions for gaps in addressing these priorities and provide potential solutions, in addition to suggestions for the agencies’ future-year budget planning. A separate memo will address cybersecurity research and development priorities.
Public-Private Collaboration Emphasized
Defending critical infrastructure against cyberattacks is the first priority identified by OMB and ONCD. This section includes guidance related to strengthening and modernizing federal defenses, enhancing the security stance of private-sector infrastructure operators, and improving “baseline cybersecurity requirements” by ensuring that “the most capable and best-positioned actors in cyberspace serve as effective stewards of the cyber ecosystem.”
As part of the latter guidance, federal regulators are “strongly encouraged to consult with regulated entities” about the most effective cybersecurity requirements and resources to accomplish security goals. The budget submissions should ensure that requirements use current cybersecurity frameworks and consensus standards whenever possible and that baseline cyber standards are flexible enough to be applied across infrastructure sectors and adapt to malicious actors’ changing tactics and capabilities.
Scaling public-private collaboration is another component of this initial section, with emphasis on the role of sector risk management agencies (SRMAs) in leading the response across various sectors. SRMAs were established in the 2021 National Defense Authorization Act to support sector risk management, assess sector risk, manage sector coordination, facilitate information sharing, support incident management and contribute to emergency preparedness efforts. The Department of Energy is the SRMA for the electricity sector.
The memo tasks SRMAs with developing plans to “mature [their] capabilities” and improve their processes for collaborating with critical infrastructure owners and operators on risk identification and mitigation. The organizations are also asked to consider their capacity for adding specialized cyber analysts to evaluate sector needs and improve government processes for intelligence and information analysis.
Cybercrime
Other priorities identified in the memo include countering cybercrime and ransomware actors by organizing staff to investigate and disrupt criminal activity before it affects critical infrastructure, as in the Colonial Pipeline ransomware attack of 2021. (See “Colonial CEO Welcomes Federal Cyber Assistance.”) Agency heads are encouraged to ensure their organizations participate in interagency cybercrime task forces.
The memo’s third priority asks agency heads to show their ability to ensure accountability and security through the procurement process. Priority four urges agencies and departments to highlight their planned cyber workforce investments, considering the ongoing challenges in both the public and private sectors with “recruiting, hiring and retaining [cybersecurity] professionals.”
The fourth priority also requests information on organizations’ preparations for the coming generation of quantum computing devices, which are expected to pose significant threats to existing data encryption practices.
Finally, agencies whose mandates include overseas cybersecurity activities should explain how they work with foreign partners to prepare for cyberattacks, including strengthening public- and private-sector capabilities, and to ensure global supply chains for information, communication, and operational technology products and services remain secure.