Breaking Down Memorandum M-24-14: Administration Cybersecurity Priorities for the FY 2026 Budget

On July 10, the Executive Office of the President in partnership with the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) released Memorandum M-24-14: Administration Cybersecurity Priorities for the FY 2026 Budget, outlining its cybersecurity investment priorities for the fiscal year 2026 budget submissions. 

This guidance aligns with the National Cybersecurity Strategy (NCS) and is built upon five key pillars:

•  Defend Critical Infrastructure

•  Disrupt and Dismantle Threat Actors

•  Shape Market Forces to Drive Security and Resilience

•  Invest in a Resilient Future

•  Forge International Partnerships to Pursue Shared Goals

Many might gloss over a memo addressing budgetary proposal guidance in favor of more buzzworthy cybersecurity topics, especially with hacker summer camp (BlackHat, DefCon, TDI, and LV B-Sides) right around the corner, but delving into this memo affords us remarkable insights. M-21-14 doesn’t exactly contain any “gotchas” or surprises, but it offers some clear and targeted guidance for federal agencies, and the industries that support them, on prioritizing the future of U.S. cybersecurity strategy and mission.

Pillar 1: Defend Critical Infrastructure

Pillar 1 is the most robustly outlined and impactful. It stresses the importance of federal agencies updating and retrofitting their infrastructures to be more resilient. What does resilience mean? Agencies looking to be resilient need to be ready to “adapt to changing conditions and withstand and recover rapidly from disruption…including the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. (NIST SP 800-39)" Resilience implementations look to be a primary target for agencies to enhance their cybersecurity budgets in fiscal year 2026. Zero trust, accelerated technology collaborations with the private sector, and open-source innovation lead the charge for these enhancements.

Modernizing Federal Defenses

The memo states, “Agency budget submissions should demonstrate how agencies are reducing risk by increasing maturity of information systems across the pillars outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model.” To bolster federal cybersecurity, the memo emphasizes the transition to zero trust architectures. Federal agencies looking to enhance their FY 2026 budgets need to get a ticket for the zero trust train.

Zero trust involves modernizing technology, particularly by prioritizing systems currently unable to deploy modern security controls, and by leveraging government-managed cybersecurity services along with private sector innovation. Agencies are being called on to demonstrate improvements through metrics like FISMA reporting — aligning investments across enterprise solutions to enhance information sharing and reduce risks. The memo stresses that while the CISA model is more flexible and adaptable for civilian agencies, this call for modernization and prioritization of critical and legacy systems echoes Department of Defense (DoD) communications that we saw earlier this year at the Adapt 2024 conference in April, and in their recently released Zero Trust Overlays.

At Aquia we’re proud to have guided the adoption of zero trust best practices for our federal partners — enabling our customers to secure their systems in a way that’s mission-driven and tailored to their needs. We couple a vendor-neutral approach with the foundational tenets of the zero trust model to translate them into clear, practical steps and quantifiable metrics. Our zero trust architects have contributed to blogs outlining topics like zero trust certifications and frameworks, agency-led zero trust guidance, public-private partnerships for zero trust acceleration, criticality analysis, and even what zero trust isn’t. 

Scaling Public-Private Collaboration

During the Department of Defense keynote at Adapt 2024, Gurpreet Bhatia, the DoD’s Principal Director for Cybersecurity and Deputy Chief Information Security Officer, called for robust collaboration between the public and private sectors to accelerate zero trust adoption and that same emphasis is found in memo M-24-14. Acknowledging the critical role of collaboration, the memo stresses the importance of strong partnerships and “defending critical infrastructure against adversarial activity and other threats.'' by emphasizing “collaboration through structured roles and responsibilities.” Sector risk management agencies (SRMAs) must prioritize building capacity to manage sector-specific risks, ensuring adequate resourcing for both one-time and recurring responsibilities as outlined in National Security Memorandum 22 (NSM-22): Memorandum on Critical Infrastructure Security and Resilience. 

Improving Baseline Cybersecurity Requirements

Building off the calls for zero trust adoption and collaboration, federal agencies are tasked with developing minimum security and resilience requirements for each sector. Per the memo, “In setting cybersecurity requirements and considering needed resources, regulatory agencies are strongly encouraged to consult with regulated entities to establish baseline cybersecurity requirements that can be applied across critical infrastructure sectors.” The memo goes a step further and advises that baselines should be “applied across critical infrastructure sectors but (be) agile enough to adapt as adversaries increase capabilities and change tactics.” This guidance includes allocating sufficient funding for inspectors and auditors to enforce and harmonize regulatory regimes and encourage that consistency and agility. 

Enhancing Open-Source Software Security

The memo also aligns with prevailing trends by embracing the benefits of open-source software, urging agencies to ensure its secure use and contribute to its maintenance. Per the memo, this willingness to work with the open-source community exemplifies the federal government's willingness to embrace cutting-edge open-source code to “help sustain components depended on by the agency.” Agencies looking to build their budgets should develop processes to monitor, review, and manage open-source software, integrating these considerations into their IT and cybersecurity governance structures. In general, this shift towards embracing the open-source community is a welcomed evolution, and one that’s long overdue.

Pillar 2: Disrupt and Dismantle Threat Actors

Pillar 2 keeps it short and sweet.  It drills down into this administration's commitment to disrupt cyber threat actors through coordinated efforts across federal agencies. Agencies with roles in disrupting threat actors are encouraged to prioritize resources for investigating cybercrimes, dismantling ransomware infrastructure, and participating in interagency task forces focused on cybercrime and virtual currency abuse.

Countering Cybercrime and Defeating Adversaries

Looking to the future, this memo states that departments and agencies looking for funding should “demonstrate how they prioritize resources to investigate cybercrimes and cyber-enabled crimes, disrupt threat actors, dismantle ransomware infrastructure, ensure participation in interagency task forces focused on cybercrime, and combat the abuse of virtual currency.” tl;dr: If you want to keep your hands in the federal coffer, be ready to show us how you are addressing DevSecOps, advanced threat detection and response, and purple teaming.

Pillar 3: Shape Market Forces to Drive Security and Resilience

Pillar 3 is all about the administration’s willingness to put their money where their mouth is. Regardless of if we’re considering secure software bills of materials (SBOMS) or software-supply chain risk management (S-SCRM), or leveraging grants for fueling secure design and build phases that take advantage of both, it’s clear that budget planning for FY 2026 is going to need to address spending money on secure investments.

Securing Software Development and Federal Procurement

We’ve been hearing about SBOMS and S-SCRM for a while now, but this memo incentivizes agencies to commit to these important security measures. By requiring agencies to defend their budgets by committing to the use of software that complies with secure development practices, the OMB ensures that federal procurement improves accountability and security within the software supply chain. 

Leveraging Federal Grants for Security

One common theme in this memo is an emphasis on minimum security standards and baselines as a means to provide consistent protection and security. As agencies look to FY 2026, the memo makes a point to link this concept of minimum security standards with federally funded infrastructure projects, like the Infrastructure Investment and Jobs Act, the Inflation Reduction Act, and the CHIPS and Science Act. To take advantage of these funding opportunities, agencies should ensure that they are “sufficiently resourced to fulfill these requirements and to implement joint efforts across agencies to provide technical support for projects throughout the design and build phases.” The name of the game moving forward is meeting those minimum security standards, and federal leadership at least suggests here that doing so will enable agencies to defend, if not improve, their budgets.

Pillar 4: Invest in a Resilient Future

Strengthening the Cyber Workforce

There has been a lot of conversation in 2024 centered around addressing the challenges of hiring cyber professionals. This memorandum highlights the importance of the National Cyber Workforce and Education Strategy (NCWES), and programs like the Department of Labor’s Apprenticeship USA programs.  These programs focus  on bringing the most skilled cyber operators into the scope of federal employment, regardless of their education backgrounds. The memo stresses that agencies should support flexible hiring practices and “demonstrate how agencies invest in adopting skills-based best practices including skills-based and competency-based assessments and the removal of 4-year college degrees as minimum requirements when appropriate to remove barriers for joining the federal cyber workforce.” We as an industry need to reevaluate how we train and qualify our skilled workforce. M-24-14 makes it clear that as our global adversaries continue to build robust cybersecurity talent pools, this shift toward skills over degrees is the federal government's path forward.

Preparing for a Post-Quantum Future

No future-looking memo on cybersecurity is complete without a reference to quantum security. M-24-14 calls for agencies to mitigate risks posed by quantum computing by refining cost estimates for transitioning critical systems to quantum-resistant cryptography, as directed by National Security Memorandum 10 (NSM-10): Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. The goal is “to ensure that they (agencies) are sufficiently resourced to transition their most critical and sensitive networks and systems to quantum resistant cryptography.” The advance of quantum computing will make all current iterations of encryption obsolete, necessitating a paradigm-shift in how defenders protect sensitive data. The Administration is driving federal agencies to be ready for that inevitable change.

Securing the Technical Foundation of the Internet

It's all about “secure-by-design” as we look to FY 2026. Agencies are urged to ensure hardware and software have security baked-in (as opposed to ‘bolted on’).  A key way to accomplish this is by using memory-safe programming languages and hardware. Agencies looking to maximize their budgets should include measures to advance secure software development policies and enhance Internet routing security through “the use of memory safe programming languages, memory safe hardware, formal methods, and advancement of software understanding and measurability.” As we look to the future, it's clear that the administration wants to see agencies go beyond just responding to vulnerabilities and incidents, and focus on building systems that can be resilient from the onset. 

Pillar 5: Forge International Partnerships to Pursue Shared Goals

Pillar 5 feels a little like a gimme. Of course we want to foster collaborative security efforts with our allies abroad, but in reality, as so many global governments begin to isolate themselves, this emphasis could prove to be impactful for agencies looking to secure funding to realize the requirements of Executive Order 14034: Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries. 

Expanding Global Cyber Capacity

M-24-14 stresses the significance of efforts which improve the transparency, security, and resilience of global supply chains for industrial control systems and operational technologies. Federal agencies are encouraged to support the creation of long-term, strategic partnerships between public and private sectors, both domestically and internationally.  Such partnerships will enhance cybersecurity supply chain risk management (particularly for industrial control systems and operational technologies), expand global cyber capacity building efforts, and enhance support for global law-enforcement responses to cyber attacks. Ultimately, securing Americans’ data is all about coordinating with our partners overseas.

So, What’s All This Mean to Us?

Aquia is a Service-Disabled Veteran-Owned Small Business (SDVOSB) with its heart tied to the mission of the federal government.  We support federal agencies in their work on SaaS governance, zero trust, DevOps, purple teaming, FedRAMP, and many other flavors of compliance, as well as GRC innovation.  We are strategically aligned with the established priorities outlined in M-24-14.  We all share the same goal, protecting American citizens' privacy and security, and creating a safer and more resilient global cybersecurity landscape.

If you’d like to learn more about how we can help you advance your cloud and cybersecurity initiatives, give us a shout. We’d love to speak with you.