Breaking down the numbers in Trump’s proposed cyber budget

When I first started at the Office of Management and Budget (OMB), my colleague and I were given the task of working with the budget examiners to develop an agency by agency view of cybersecurity spending to submit to Congress as part of the president’s budget submission. Agencies had, for the last few years, reported cybersecurity numbers that seemed to be disaggregated from the larger IT budget submission, and we were tasked with reconciling those submissions. This led to a three year project that has taken agencies from requesting cybersecurity dollars in reaction to events to a proactive, risk-based approach to budgeting for cybersecurity.

This year, the president’s budget calls for $15 billion in cyber spending. The Department of Defense (DOD) represents well over half of that total, at $8.5 billion. According to the office of management and budget, the $15 billion request is $583.4 million higher than the estimated cybersecurity spend in FY 2018.  

But what do these numbers actually represent?

{mosads}First, the total number comes from a combination of federal civilian agency investments in cybersecurity tools and services, as well as selected agency investments in “mission cyber.” The mission cyber spending includes spending on DOD cyber command activities, programs at the Department of Homeland Security (DHS) that protect the federal government and critical infrastructure, and law enforcement investments in cybersecurity investigations. These mission cyber investments represent well over half, and likely closer to two-thirds, of the total spending requested by the President. The rest of the investments are split between agency specific investments in tools, capabilities, processes, and managed services.

Second, in years past, agencies divided their spending into categories like “Preventing Malicious Cyber Activity” and “Shaping the Cybersecurity Environment.” Over the last three years, agencies have shifted their spending allocations to focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions, categories, and subcategories.

In addition, agencies are diving even deeper by investing in specific capabilities that roll up into those framework functions. Examples of specific investments would include patch management tools, security operations center infrastructure and personnel, identity and access management applications, and intrusion detection and prevention systems which are mapped to Federal Information Security Modernization Act (FISMA) metrics that agencies are mandated to report to OMB on a regular basis.

Finally, agencies are using threat intelligence to identify the most important capabilities. For example, if an agency sees increased threat activity focused on stealing credentials, an agency can focus on investments in multifactor authentication. While this mapping of threats to investments might seem like common sense, this is the first time that agencies have a common taxonomy of threats, capabilities, and metrics to build their budgets. Through this new process, outlined in OMB Memo M-17-25, agencies are able to build their cybersecurity budgets based on risk and justify their spending requests in ways that congress is more likely to fully fund. The partnership that OMB has developed with DHS and the intelligence community to access and share targeted threat information with agencies will allow for higher levels of security across the Federal government while potentially saving taxpayer money on what might have been unnecessary investments. 

While the risk based budgeting policies and processes have been rolled out, agencies have just started the heavy lifting required to drive down their risk. OMB and DHS, along with their partners in the intelligence community, must continue to elevate the conversation to the deputy secretary and secretary levels. Agency CFOs and CIOs must use these new budgeting tools to emphasize the importance of cybersecurity spending with their leadership.

This is no different than walking an industry CEO through a corporate risk decision. These new tools will allow the CFOs and CIOs to translate the technical side of cybersecurity into business decisions that any agency leader or corporate board member can understand. As agencies continue to develop these new budgeting tools, I look forward to seeing how this new process will reinforce the trust and safety of our federal IT infrastructure.

Ross Nodurft served as an Office of Management and Budget cyber lead at the White House and is the current vice president of Risk Management at One World Identity.