The Office of Management and Budget (OMB) is pressing federal agencies to better justify cybersecurity spending by tying budget requests to program performance, embracing risk-based investment decisions, and eliminating duplicative security tools.
Speaking on July 14 at MeriTalk’s Shift Happens event in Washington, D.C., Nick Polk, branch director for federal cybersecurity at OMB, said the office is evaluating agency cyber budgets against the effectiveness of their security programs, rather than assuming additional funding automatically translates to stronger defenses.
“We … align what the agencies are requesting every year for their budget against what their … performance or cyber program is,” Polk said.
He explained that this budget shift is due to cybersecurity leaders historically defaulting to asking for more funding instead of “determining how much investment is actually needed to achieve an acceptable level of defense.”
Rather than spreading cybersecurity dollars evenly across every system, Polk said agencies should make risk-based investment decisions under a zero trust architecture, recognizing that not every asset requires the same level of protection.
“We can’t defend everything to 100%,” Polk said. “There are some systems that don’t need a multi-billion-dollar defense plan … we really need to make those risk-based decisions within the framework of a zero trust architecture.”
Polk also pointed to opportunities to reduce costs by consolidating overlapping cybersecurity tools.
Felipe Fernandez, chief technology officer at Fortinet Federal, echoed Polk’s comments for more disciplined cybersecurity spending, saying tighter budgets can force agencies to rethink long-standing investments and determine which capabilities deliver the greatest value.
“You get to challenge the notion that certain things actually warrant your budget or spend,” Fernandez said. “So, it’s a learning opportunity, a growth opportunity for every agency when budget gets constrained.”
At the same time, Fernandez cautioned against cutting investments that directly support cyber resilience, including renewing critical security subscriptions, replacing end-of-life equipment, and securing artificial intelligence (AI) systems already in production.
“If your agency has already deployed AI capabilities … you have no excuse but to continue to spend on the security required to keep that enabler,” Fernandez said. “We’ve changed that conversation from security being a cost to being a value enabler.”
A shift in cybersecurity accountability
Additionally, Polk said OMB’s budget strategy reflects a broader shift in how the federal government measures cybersecurity success.
While compliance reporting remains part of the federal cybersecurity process, Polk said it is no longer sufficient on its own.
“You can check all the boxes … and you have a paperwork tower the size of … the Empire State Building,” Polk said. “But you can’t really wave one of those at an advanced persistent threat … and stop them from breaking in.”
Rather than relying primarily on compliance checklists, OMB is increasingly looking at operational metrics such as mission enablement and mean time to detect, which measures how quickly an organization identifies a security incident.
Polk said advances in AI-enabled penetration testing and red teaming are making those metrics easier to measure in real time.
He added that compliance efforts that are not tied to mission outcomes can create unnecessary burdens for IT teams instead of improving agencies’ security posture.