Adding additional cyber requirements from the OMB / DHS without allocating funds implies that existing funds have to be spread ever thinner , or monies have to be diverted from the Department Agency mission.
Perhaps an alternative is providing prioritization for allocation of existing funds (This mandate is #1, then this exec order etc etc).
With the "public" availability of such a list, audit should become more effective, as well as enabling a maturity scorecard. Agency x has completed the top 2, Agency y has completed the top 5 etc.
Finally with a prioritized list of requirements, it should be more straight forward to hold D/A leaders accountable for progress AND make it obvious to those in Congress / OMB etc that to add something new means something else has to give