From: The Hill
By Ross Nodurft, opinion contributor
When I first started at the Office of Management and Budget (OMB), my colleague and I were given the task of working with the budget examiners to develop an agency-by-agency view of cybersecurity spending to submit to Congress as part of the president’s budget submission. Agencies had, for the last few years, reported cybersecurity numbers that seemed to be disaggregated from the larger IT budget submission, and we were tasked with reconciling those submissions. This led to a three-year project that has taken agencies from requesting cybersecurity dollars in reaction to events to a proactive, risk-based approach to budgeting for cybersecurity.
Finally, agencies are using threat intelligence to identify the most important capabilities. For example, if an agency sees increased threat activity focused on stealing credentials, an agency can focus on investments in multifactor authentication. While this mapping of threats to investments might seem like common sense, this is the first time that agencies have a common taxonomy of threats, capabilities, and metrics to build their budgets. Through this new process, outlined in OMB Memo M-17-25, agencies are able to build their cybersecurity budgets based on risk and justify their spending requests in ways that Congress is more likely to fully fund. The partnership that OMB has developed with DHS and the intelligence community to access and share targeted threat information with agencies will allow for higher levels of security across the Federal government while potentially saving taxpayer money on what might have been unnecessary investments.