The guidance also reminded agencies of requirements set out in two earlier memos on how to include security into the funding for IT.
Agencies are required to fund and integrate security into the lifecycle of each system undergoing development, modernization, or enhancement, OMB said.
It said that steady-state system operations must meet existing security requirements before new funds are spent on system development, modernization or enhancement.
OMB also requested that agencies provide detail on how they are allocated resources between correcting existing security weaknesses in steady-state investments and proposing funds for system development, modernization or enhancement.
Further, OMB called on agencies with significant weaknesses identified by the Government Accountability Office of agency inspectors general to identify specific funds they are requesting for proposed development, modernization or enhancements to correct those weaknesses.
