FY25 Federal Cyber Priorities
The best, and some would argue, only way to truly tell the US Governments priorities is to understand the budget. If initiatives are funded then they are a priority, if not then it is just talk, suggestions, or nice to have's.
The US Government is signaling its future cyber priorities with a recently released OMB Memo M-23-18 "The Administrations Cyber Priorities for FY 25" M-23-18 (whitehouse.gov). The memo instructs Federal Agencies to prioritize budgeting/funding around key the key initiatives specifically outlined within the memo. In reading the memo, one will notice that several of the priorities are a continuation of funded initiatives that are currently going through the budget approval process as part of the FY24 budget.
The foundation for these priorities are the 5 pillars of the National Cybersecurity Strategy (NCS): FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy | The White House which was released in March of this year.
Key highlights of the cyber priorities for FY25 include:
Zero Trust: The memo specifically states that agencies should: "Meet the goals set forth in the Federal Zero Trust Strategy and make clear how agency investments support people, processes, and technology that advance agency capabilities along the Zero Trust Maturity Model" Zero Trust investments to date appear to be focused on education, gap analysis, and consulting, in the coming years larger deployments of technology appear to be on the horizon.
Ransomware: agencies involved in investigation should prioritize staff and technology to combat ransomware actors and their infrastructure.
Software Supply Chain: identify where agency implementation of cybersecurity requirements may benefit from novel procurement practices and/or approaches that could be piloted within the agency or among select agencies for evaluation for broader Federal enterprise use
Post Quantum Cryptography: ensure that requirements under NSM-10, M-23-02, and NMM-2022-09 are made transparent in Budget submissions. This should include necessary services and software needed to accurately, and where possible, automatically inventory cryptographic systems and to begin transitioning agencies’ most critical and sensitive networks and systems to post quantum cryptography as directed to do so by OMB.
Organizations may think it is a bit to early to begin sales campaigns for FY25, however, when you consider that agencies will begin their FY24 budget processes in early Jan 2024, now is the time to begin getting your technology in front of agencies to build relationships and drive requirements.