July 19, 2024 By Josh Nadeau

On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026.

Key highlights from the FY26 memorandum

The latest annual version of the budget memo takes a more strategic direction, focusing on zero trust principles in organizations and improved collaboration between the public and private sectors.

Some of the key highlights of this newest memo include:

A focus on NCS pillars

The memo reinforces President Biden’s proposed five pillars of the National Cybersecurity Strategy (NCS), which are:

  • Defend critical infrastructure
  • Disrupt and dismantle threat actors
  • Shape market forces
  • Invest in a resilient future
  • Forge international partnerships

Updated zero trust requirements

Agencies are now required to submit their zero trust implementation strategies within 120 days. This includes documentation of their current and targeted maturity levels for high-value systems.

Enhanced public-private sector integrations

Before budgets are submitted, Sector Risk Management Agencies (SRMAs) need to demonstrate how they prioritize the various risk management elements outlined in National Security Memorandum 22 (NSM-22).

Cyber workforce development

Renewed emphasis is being placed on addressing the recruiting, hiring and retention challenges in the federal cyber workforce. This includes introducing more flexible hiring requirements and removing specific degree requirements when appropriate.

Post-quantum cryptography preparation

The FY26 memo directs federal agencies to allocate resources for transitioning critical and sensitive networks and systems to quantum-resistant cryptography. This includes developing and implementing new cryptographic algorithms resistant to quantum attacks.

The evolution of the NCSIP and the ONCD

Over the past few years, the Biden administration has introduced a radical approach to cybersecurity resilience, painting federal cybersecurity priorities and strategies in a much more serious tone than before.

The establishment of the ONCD back in February 2021 marked an important step forward in the country’s response to the escalating dangers of modern cybersecurity threats.

Since then, all eyes have been on the ONCD to help strengthen the nation’s cyber defenses, using the introduction of the NCSIP as a way to lead this effort. When reviewing the suggested updates and amendments between the first and third iterations of this policy, it’s clear that Coker is making some progressive improvements.

In just a couple of years, the NCSIP has expanded its scope to be much more actionable, listing clearer directives toward improving the nation’s cybersecurity infrastructure, increasing collaboration between public and private sectors, and improving the government’s ability to respond to cyber threats.

The expanding role of federal cyber regulation

The ONCD is starting to take on the role of a proactive influencer in federal cybersecurity policy-making. With its move away from the broad categorization of cybersecurity initiatives toward more specific deadlines for agency zero trust implementation planning and explicit mandates for quantum-resistant cryptography readiness, it’s clear that the ONCD is becoming more confident in what it can ask of the federal government.

As we move forward, it’s fair to say we’ll continue to see more refinements of the NCSIP with increasingly detailed guidance and requirements for agencies to follow.
