US Federal Government Continues Cybersecurity Leadership With New OMB Memo
A recently released Office of Management and Budget (OMB) memo, M-22-16, outlines, and further aligns, Federal Civilian Executive Branch (FCEB) agencies’ fiscal year 2024 budgetary considerations for cross-agency cybersecurity investments. The guidance that M-22-16 provides enables federal civilian agencies to properly assign cyber-initiative funding toward the most critical areas of cybersecurity.
The OMB, along with the Office of the National Cyber Director (ONCD), will assess agencies’ funding submissions to determine if an affected agency’s approach is in alignment with the overall strategy and policy as stated in the Executive Order on Improving the Nation’s Cybersecurity. This memo prioritizes 2024 budgetary considerations within three focus areas:
1. Improving the Defense and Resilience of Government Networks. Zero Trust remains at the forefront of government security initiatives, as expected. The government’s position remains that Zero Trust is the future of cybersecurity and should be funded as such.
The memo pushes IT modernization initiatives ranging from a push to cloud adoption to the sunsetting of unnecessary and antiquated systems. There is a focus on IT consolidation, cross functionality, and shared resources, as well as software procurement and development practices.
2. Deepening Cross-Sector Collaboration in Defense of Critical Infrastructure. The memo stresses compliance with the National Defense Authorization Act of 2021 moving forward. Agencies are encouraged to work with the Cybersecurity and Infrastructure Security Agency (CISA), Sector Risk Management Agencies (SRMA), and industry leaders to help identify and defend against modern emerging threats. The sharing of information is paramount to eliminating blind spots in an agency’s defensive posture.
3. Strengthening the Foundations of Our Digitally-Enabled Future. Agencies should utilize funding provided by the Infrastructure Investment and Jobs Act (IIJA). It is important to note that the IIJA may not cover technical support costs in all areas. With that in mind, the OMB suggests joint cross-agency efforts during the design and build phase as a method for reducing overhead.
This memo also reinforces the harsh reality of an understaffed or underskilled workforce by focusing hiring practices on people who may have been passed by previously due to a lack of expertise in a focus area. Relaxing these standards will open doors to entry-level personnel while allowing for cross-functional training opportunities, leading to higher pay and a better employee experience. There is a renewed focus on supply chain risk management initiatives, with pending legislation to extend these requirements into fiscal year 2026. Agencies should take note of Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain, for further guidance on this initiative.
The US federal government is going to great lengths to establish itself as a security leader instead of a laggard. Security and risk leaders should focus their energies on working toward the shared goal of creating a robust, highly secured operational environment through process, design, and talent retention, with Zero Trust adoption as a primary initiative.
Highly regulated industries would be wise to keep a sharp eye on what the US government is doing and follow a similar path to success.
Forrester clients with questions about Zero Trust and the involved federal requirements should schedule a guidance session with one of our Zero Trust-focused analysts — Heath Mullins, Carlos Rivera, or David Holmes. Also, keep an eye out for additional research and tools focused on Zero Trust adoption.