Administration Continues to Shift Software Security Responsibilities to Developers
The White House has outlined its strategic priorities for future cross-agency cybersecurity investments, emphasizing five key areas: defending critical infrastructure, dismantling threat actors, shaping market forces, investing in resilience and forging international partnerships.
The Office of Management and Budget memorandum issued Wednesday outlines the administration’s fiscal year 2026 cybersecurity priorities and largely reflects the pillars included in the national cybersecurity strategy (see: White House Unveils Biden’s National Cybersecurity Strategy). OMB said it will jointly review agency budget requests to identify potential gaps in cyber investments and ensure departments are incorporating performance measurement strategies into their funding proposals.
The national cybersecurity strategy issued last year requires organizations in critical infrastructure sectors to meet certain basic cyber requirements and calls for a shift in the bulk of security responsibilities from end users to software developers. Under the new memo, agencies have four months to provide OMB and the Office of the National Cyber Director with updated zero trust implementation plans that document the current and target maturity levels for all federal information systems.
OMB Director Shalanda Young and ONCD Director Harry Coker said in the joint memo that agencies must prioritize “technology modernization of federal systems that cannot deploy modern security controls” such as encryption and multifactor authentication. Federal agencies also are required to prioritize departmentwide enterprise solutions that “ensure consistency across mission areas” and “enable information sharing.”
The memo encourages federal agencies “to consult with regulated entities to establish baseline cybersecurity requirements that can be applied across critical infrastructures” while maintaining agility and adaptability to mature with the evolving cyberthreat landscape. ONCD and OMB also urged agencies and federal departments to study open-source software initiatives and the benefits that can be gained by establishing a governance function for open-source projects modeled after the private sector.
Budget submissions should identify existing departments and roles designed to investigate, disrupt and dismantle cybercrimes, according to the memo, including interagency task forces focused on combating ransomware infrastructure and the abuse of virtual currency. Meanwhile, the administration is continuing its push for agencies to only use software provided by developers who can attest their compliance with minimum secure software development practices.
The national cyber strategy – as well as the joint memo – directs agencies to “utilize grant, loan and other federal government funding mechanisms to ensure minimum security and resilience requirements” are incorporated into critical infrastructure projects. Agencies are also tasked with refining previously submitted cost estimates related to quantum information science research and addressing potential threats that quantum computers could pose to federal encrypted data and systems.
Coker said in February the White House was exploring potential “liability regimes” to force commercial software developers into adopting safe coding practices, urging Congress to pass legislation that prevents the industry from disclaiming all liability for cyberattacks and mitigating critical vulnerabilities.
“All software is going to have some level of vulnerabilities,” Chris Wysopal, co-founder and chief technology officer of Veracode, previously told Information Security Media Group about the administration’s software supply chain security efforts. “That said, we do know how to make software that has significantly fewer vulnerabilities by following proven secure development processes” (see: White House Targets Software Provider Accountability).
OMB typically sets a September deadline 13 months before the start of the next fiscal year for federal agencies to submit budgetary proposals for review.