The White House on Wednesday released a memo for the heads of all Federal agencies laying out its “cross-agency cybersecurity investment priorities” for fiscal year (FY) 2026.
The memo – signed by Office of Management and Budget (OMB) Director Shalanda Young and National Cyber Director (NCD) Harry Coker on July 10 – mirrors the five pillars of the Biden administration’s National Cybersecurity Strategy (NCS).
Agencies’ FY26 cyber budgets should reflect the five pillars of the NCS: defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships to pursue shared goals.
“Sustained investments across these five pillars are critical to mitigate cybersecurity risks and should be addressed within the FY 2026 Budget,” Young and Coker wrote in the joint memo.
The annual memo, now in its third iteration, provides agencies with guidance on what to prioritize within each of the NCS’s five pillars.
Pillar one has the most directives from OMB and ONCD on how agencies should allocate their resources to defend critical infrastructure.
The White House is calling on agencies to prioritize modernizing IT systems in their FY26 cybersecurity budget, and specifically, wants them to continue transitioning towards fully mature zero trust architectures.
The memo calls on agencies to submit an updated zero trust implementation plan within 120 days that documents current and target maturity levels for high impact systems in line with the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. Agencies must specifically list the target maturity level they plan for those systems to achieve by the end of FY26.
OMB, ONCD, and CISA will review submitted plans with agencies.
Within the first pillar, the White House is also requesting agencies to prioritize scaling public-private collaboration; improve baseline cybersecurity requirements; and improve open source software security and sustainability.
In the second pillar, ONCD and OMB want agencies to prioritize countering cybercrime and defeating adversaries.
“Budget submissions for departments and agencies with existing, designated roles in the disruption of threat actors should demonstrate how they prioritize resources to investigate cybercrimes and cyber enabled crimes, disrupt threat actors, dismantle ransomware infrastructure, ensure participation in interagency task forces focused on cybercrime, and combat the abuse of virtual currency,” the memo says.
In line with the third pillar – shape market forces to drive security and resilience – the administration wants agencies to ensure their FY26 budget requests have resources to meet secure software development requirements. The memo also states that agencies should leverage Federal grants – like the CHIPS and Science Act – to build in security.
To invest in a resilient future, the administration wants agencies’ FY26 cyber budgets to revolve around strengthening the cyber workforce; preparing for the post-quantum future; and securing the technical foundation of the internet.
OMB and ONCD said budget requests should demonstrate how agencies support flexible hiring – like investing in skills-based hiring with the removal of four-year college degrees as minimum requirements. The memo calls for agencies to ensure they are resourced “to transition their most critical and sensitive networks and systems to quantum resistant cryptography.” It also wants agencies’ budgets to consider the use of memory safe programming languages.
Finally, the administration wants agencies’ FY26 cyber budgets to reflect the need to support the “long-term, strategic collaboration between public and private sector partners domestically and abroad to rebalance and improve the transparency, security, and resilience of global supply chains for industrial control systems and operational technologies.”
Young and Coker wrote that OMB and ONCD will jointly review agency responses to these priorities in the FY 2026 budget submissions, identify potential gaps, and identify potential solutions to those gaps. They noted that they plan to provide feedback to agencies on whether their submissions adequately address and are consistent with overall cybersecurity strategy and policy.
“With this Memo, the Administration is ensuring a through line – from the Strategy, to budget guidance, to the President’s Budget Request – in order to provide clear guidance and ultimately increase our Nation’s security,” ONCD said.