Stop Building Security Debt: What the 2026 National Cyber Strategy Reveals About Your Budget

If you are a CISO, you have likely spent years explaining to the board that cybersecurity is not just a cost center but a foundation for growth. In a recent article published late January 2026, Michael Duffy, the Acting Federal CISO for the United States, gave a masterclass in how to win that argument.

For those outside the U.S., it is easy to dismiss “federal” news as local politics. However, Duffy is not just a government official. He is the Chief Cyber Strategist for the world’s largest and most targeted enterprise. His role at the Office of Management and Budget (OMB) involves setting the security standards that thousands of agencies must follow to receive funding. When the U.S. government shifts its strategy, the global supply chain, international insurance markets, and software vendors move with it.

Duffy is signaling a major shift: the upcoming National Cyber Strategy is not just a vision document. It is a funding filter. If your 2026 roadmap is not aligned with these shifts, you are not just falling behind on security. You are accumulating “technical debt” that will eventually be paid back with massive interest.

The “Quantum Mortgage”: Why Your 2026 Procurement is Already Outdated

One of the most jarring insights from Duffy’s recent briefings involves the looming shadow of Post-Quantum Cryptography (PQC). The U.S. government is no longer treating “Quantum-Ready” as a futuristic concept. They are making it a procurement mandate today.

Duffy explains a simple truth: every system you modernize today that fails to account for PQC is a “mortgage” you are taking out against your future budget.

Why This Matters for Your Board

When you present your next hardware or cloud migration plan, the question should no longer be “is it secure?” It must be “is it quantum-compliant?” By adopting this government-backed stance, you can frame PQC not as an academic worry but as a fiduciary responsibility. It allows you to avoid the inevitable and expensive “rip-and-replace” cycles that will hit organizations just a few years from now.

DNS: The Foundation of Your Zero Trust Architecture

While most CISOs are preoccupied with Identity and Access Management (IAM), the Office of Management and Budget is pointing toward a much older protocol as the new frontline: DNS. With the finalization of NIST SP 800-81 Rev. 3, the federal government is re-classifying Secure DNS from a networking utility to a core Zero Trust Pillar.

The Tactical Shift: Protective DNS

The strategy highlights a hard reality: if you do not control your DNS traffic, you do not actually have a perimeter. By operationalizing Protective DNS, a move heavily pushed by the Cybersecurity and Infrastructure Security Agency (CISA), organizations can neutralize a vast majority of malware at the source before it ever touches an endpoint. It is arguably the highest-ROI move available to a security leader in 2026.
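To make the Protective DNS claim concrete, here is an added example (not code from the article, CISA, or any agency) of the policy check a protective resolver applies before it answers: names on a deny list, and all their subdomains, are sinkholed and logged, while a more specific allow-list entry can carve out an exception. The deny and allow entries, the sinkhole address, and the query-log lines are all constructed placeholders under the reserved `.test` TLD.

```python
# Added example, not code from the article or any agency: a minimal
# Protective DNS policy check that a resolver would apply before answering.
# Deny-list entries are constructed placeholders under the reserved .test TLD.
from typing import Optional, Tuple

SINKHOLE = "0.0.0.0"  # constructed sinkhole answer returned for blocked names

DENY = {"malware-c2.test", "phish.test"}       # constructed deny list
ALLOW = {"cdn.malware-c2.test"}                # constructed exception

def normalize(qname: str) -> str:
    """Lowercase and strip the trailing dot: 'Phish.TEST.' -> 'phish.test'."""
    return qname.strip().lower().rstrip(".")

def decide(qname: str, deny=DENY, allow=ALLOW) -> Tuple[str, Optional[str]]:
    """Most-specific matching rule wins; a rule covers the name and all
    its subdomains. Returns ('allow'|'block', matched_rule_or_None)."""
    parts = normalize(qname).split(".")
    for i in range(len(parts)):                # www.phish.test, phish.test, test
        candidate = ".".join(parts[i:])
        if candidate in allow:
            return "allow", candidate
        if candidate in deny:
            return "block", candidate
    return "allow", None

def filter_log(lines):
    """Apply the policy to constructed query-log lines of the form
    '<timestamp> <client_ip> <qtype> <qname>' and return per-line verdicts."""
    out = []
    for line in lines:
        ts, client, qtype, qname = line.split()
        verdict, rule = decide(qname)
        answer = SINKHOLE if verdict == "block" else "resolve"
        out.append({"ts": ts, "client": client, "qtype": qtype,
                    "qname": normalize(qname), "verdict": verdict,
                    "rule": rule, "answer": answer})
    return out

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2026-01-27T09:00:01Z 10.0.0.5 A www.example.test",
    "2026-01-27T09:00:02Z 10.0.0.5 A beacon.Malware-C2.test.",
    "2026-01-27T09:00:03Z 10.0.0.7 A cdn.malware-c2.test",
    "2026-01-27T09:00:04Z 10.0.0.9 AAAA phish.test",
]

if __name__ == "__main__":
    for record in filter_log(SAMPLE_LOG):
        print(record)
```

The blocked records are what a SOC would forward to its SIEM: the client that asked, the name it asked for, and the rule that fired, all captured before any connection to the destination was attempted.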

Aligning People, Process, and Tech Through Tabletop Realism

It is easy to buy a tool, but it is hard to build a response culture. Duffy recently shared insights from a Federal CISO Council tabletop exercise that focused on the friction between different government bodies during a crisis.

Moving Beyond the “Tool” Mentality

The federal approach is now focused on how the “People” and “Process” sides of the house interact when the “Tech” fails. For the private sector, this means your 2026 strategy must move beyond “detect and defend” and into coordinated orchestration.

Duffy’s “framing” document provides a clear template for this:

  • NIST provides the “what” (The Standards).
  • OMB provides the “how much” (The Resources).
  • CISA provides the “make it real” (The Operations).

If your internal security team does not have these three distinct functions clearly defined, your response will stutter when it matters most.

The Bottom Line: Use the Global Standard as Your Shield

The 2026 National Cyber Strategy gives you a clear target to aim for. When you align your internal priorities with these standards, you are not just following a trend. You are adopting a battle-tested framework for managing risk at scale.

As Michael Duffy emphasizes, a unified strategy allows an organization to confidently state: “We are coordinated, we are resourced, and we are reducing risk in a way that is meaningful.”

For Further Reading

This blog post is based on the insights and analysis presented in the article:

Friedman, Sara. “Federal CISO Duffy highlights upcoming national cyber strategy as ‘framing’ document for future efforts.” Inside Cybersecurity (Jan 27, 2026).