White House Memo Pushes Federal Agencies on Cybersecurity
2024-8-6 21:0:0 Author: securityboulevard.com

On July 10th, the White House released Memorandum M24-14, giving administrative agencies guidance on cybersecurity priorities when building FY26 budgets. The memorandum covered several topics, organized around the five NCS (National Cybersecurity Strategy) pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

While there are many great topics of discussion among those pillars and the memorandum, this writeup will focus primarily on the following three NCS subsections:

  • Pillar 1, subsection entitled “Modernize Federal Defenses”
  • Pillar 3, subsection entitled “Secure Software Development and Leverage Federal Procurement to Improve Accountability”
  • Pillar 4, subsection entitled “Prepare for the Post-Quantum Future”

Modernize Federal Defenses

In this part of the memorandum, the Biden administration begins by guiding Federal Agencies to continue embracing two core initiatives in the Federal Agency domain: the May 2021 Executive Order 14028 and its subsequent detailed memorandums (e.g. M21-31, M22-01, M22-09, M22-18, M23-01, et al.), as well as the CISA Zero Trust Maturity Model, now on its second revision. Beyond that continuity, two parts of this directive are new.

  1. The memorandum explicitly directs agencies to “prioritize investments in department-wide, enterprise solutions to the greatest extent practicable in order to further align cybersecurity efforts, ensure consistency across mission areas, and enable information sharing.” This new language, especially the part about “department-wide, enterprise solutions,” is a call to do more than just invest in cybersecurity solutions that meet directives; it asks agencies to overhaul the entire enterprise design of their systems. The significance here is that true Zero Trust adherence requires a ground-up IT philosophy, an “all of organization” effort, not a cybersecurity department operating independently from IT, or a single mission trying to deploy security on its own. It is clear the Biden administration understands that to truly secure Federal agencies through Zero Trust, agencies’ IT must change significantly if it hasn’t already.
  2. There is a directive to make budgets submitted for FY26 reflect this change of philosophy and ask for budget investments to overhaul Federal agency IT from the ground up. Immediately following the budget language is a directive to submit an updated Zero Trust implementation plan to the administration within 120 days of the memo issuance.

This is a significant memorandum, and agencies that have not already begun a complete, ground-up overhaul of their IT based on Zero Trust philosophies need to capture what the administration has stated and is requesting. No longer can an agency “add” cybersecurity to its current IT stack and expect to pass muster. The memo states that “OMB, ONCD, and CISA will review submitted plans with agencies.” Agencies will likely have to defend their Zero Trust maturity implementation plan in front of these regulatory agencies, or face budget pressures.

It appears that CISA is taking the approach DoD CIO Sherman has used for the last two years. The CIO has been requiring DoD agency budgets to reflect the DoD ZT strategy issued by the PfMO or face rejection of their budget requests.

Agencies should consider:

  • An external or internal cross-discipline team assessment of their ZT technology stack, infrastructure and ZT strategy to align with the CISA maturity level guidelines. More specifically, they should adhere to the “department-wide, enterprise solutions” push emphasized in the memo. If the assessment is internal, it should include stakeholders from across the IT spectrum.
  • An external or internal review of the IT budget to assess where Zero Trust philosophies could or should be applied in the planned FY26 submission.

Secure Software Development and Leverage Federal Procurement to Improve Accountability

This is a short section that cites OMB M22-18 and M23-16, which require agencies to maintain secure software development practices for both externally written and internally written software. The original memo, M22-18, requires agencies to obtain attestation letters from the OEMs that provide software to their agency. M23-16 extends the deadlines and adds some clarifications to M22-18. The attestation requirements do not put the burden on the agency; instead, the provider must follow secure software practices and then attest to the agency that it did. However, of specific interest is Section B, part 3 of M23-16, which clarifies that software written by a contractor for specific agency use can be considered agency-written and, therefore, the burden falls on the agency as though it had written the software itself.

This means that the ability to identify and confirm secure software practices and Software Bill of Materials (SBOM) creation falls on the agency. Hence, agencies need to work towards an application development lifecycle that ensures secure code development and a confirmed SBOM of the software end product.

Agencies should review all potential software development contracts and future RFPs to ensure that secure software development practices are clearly defined and required. If current contracts have gaps, agencies should work with contract holders to amend the contract to gain visibility into the software development lifecycle and identify potential gaps. Additionally, federal organizations should assess whether the contract can be amended to close those gaps and, for contracts that cannot be changed, develop a remediation plan as the contract matures.

Prepare for the Post-Quantum Future

This is also a short section, but it reinforces that agencies are mandated by NSM-10 to ensure their encryption infrastructure is ready for the Post-Quantum Cryptography (PQC) future. In short, legacy ciphers are expected to be cracked soon by quantum computing power, requiring new, stronger cryptographic standards. NIST and a host of industry partners are working feverishly to find and confirm new cryptographic standards that can withstand attacks by quantum computers. They have yet to publish one, but once it is published, Federal agencies are required to replace the legacy ciphers with the new PQC ciphers.

To do this, agencies will need encryption infrastructure that can host and run those ciphers. Unfortunately, legacy infrastructure was designed specifically for traditional ciphers and often cannot be upgraded without a hardware replacement. Here, the White House is pushing agencies to prepare for this change now, before it happens and they have to scramble. Encryption hardware is rarely refreshed, so accelerating those timelines with modern, PQC-capable infrastructure is the push in this part of the memo.

Agencies should assess their current encryption infrastructure for PQC readiness. If gaps are identified where the new ciphers will not be supported, create a remediation plan to accelerate the technology refresh of hardware and software in preparation for the cryptographic change. A tangential recommendation would be to assess the consolidation of encryption technologies into one platform for cost and use efficiencies.

In summary, there are many parts of this memo to consider, but the three highlighted here fall squarely in the CISO and cybersecurity realm. This memo requires that agency CIOs and CISOs address them in the new FY26 budget submissions to Congress and the White House expected in the coming months.

Our team has been providing Zero Trust cybersecurity consultation and program creation services to Federal Civilian agencies and DoD agencies that have already been through this kind of exercise in FY 2025 under CIO Sherman’s directive.

These Zero Trust service offerings range from external consultation to internal temporary augmentation and, finally, long-term internal Zero Trust initiative leadership. Agencies can see some of GuidePoint Security’s capabilities through our Zero Trust integration lab, which currently combines more than 13 cybersecurity OEMs to demonstrate Zero Trust philosophies implemented in more than a dozen scenarios of user and system activity. Contact us to learn more.

*** This is a Security Bloggers Network syndicated blog from The Guiding Point | GuidePoint Security authored by Jean-Paul Bergeaux. Read the original post at: https://www.guidepointsecurity.com/blog/white-house-memo-pushes-federal-agencies-on-cybersecurity/


Article source: https://securityboulevard.com/2024/08/white-house-memo-pushes-federal-agencies-on-cybersecurity/