Federal Chief Information Security Officer Chris DeRusha gave a relatively upbeat assessment today on strides that Federal IT leadership and agencies have been making on implementing the Cybersecurity Executive Order that the Biden administration issued ten months ago.
“There’s been a lot that we’ve accomplished – a lot of work that [has been done by] the entire Federal ecosystem, both Federal agencies, employees of the agencies, [and] vendor partners,” DeRusha said at an event organized by FCW.
“Everyone has really been driving hard to make some really concrete progress that we’re starting to see … it’s exciting,” he said.
Speaking about the EO’s mandate that Federal agencies move toward zero trust security architectures, the Federal CISO reiterated that it will take agencies a period of several years to execute on that task. But he also emphasized that just making progress toward the larger goal will help to improve agency security.
“We do believe – and this is drawn from the experience of others who are further on the journey – that even incremental progress in some of the goals we’ve laid out in the strategy is going to dramatically reduce the risk of successful attacks on Federal systems,” he said.
“That’s what we are trying to do here, we are driving towards a cure … but we’re going to make a lot of incremental progress along the way that is going to have meaningful impact,” he said.
Zero Trust Strategy
Commenting on the Office of Management and Budget’s Federal Zero Trust Strategy issued in January, DeRusha said that “agencies are midstream in their first major task” under the strategy, which is to submit to OMB by late March zero trust implementation and budget plans for the next few years.
He said that the strategy comes with many deadlines, but added that the overall effort “is too big and complicated to say that we know, or to put out a specific date, for all of those initiatives and actions that we put into the plan.” DeRusha added, “Agencies are simply at different phases of this journey, and it is not our intention or desire in any way, shape, or form to disrupt that.”
“Agencies are already making good progress in some of the key … capabilities around identity around data management,” the Federal CISO said.
He explained that OMB wants to “just learn deeply where they’re at and how they view the whole plan kind of coming together in their most optimal state, which may just be different for most of the big agencies and that is fine.”
“What we do need is to ensure that those are good solid plans, and that our resource management side of house, the budget side of where I work at the Office of Management and Budget, is really kind of seeing that journey unfold early, and understanding what we are trying to accomplish so that everybody’s on the same page over the next couple of budget cycles,” he emphasized.
DeRusha called the process a “little bit of a new way of doing business for us, but we’re excited about it and we think that it makes a lot of sense. We’re kind of right in the middle of that iteration that we’ll have with agencies on that.”
He also echoed recent statements by Federal IT leadership on the value of having awarded Technology Modernization Fund (TMF) money to several agencies last year to get started on their zero trust work, and to be able to gain lessons for the rest of the government from those early efforts.
DeRusha said the TMF Board – of which he is a member – gets to monitor the zero trust progress of those TMF funding winners, including identifying technical resources, and then is able to “take back some of those lessons … and challenges of implementation so that we iterate on our own plans.”