Federal CISO Considers Including Technology Modernization in Cybersecurity Metrics

Examining use of a recently bolstered modernization fund to implement cybersecurity measures could be one way the federal chief information security officer assesses the government’s risk posture going forward.

“I want to see tons of [Technology Modernization Fund] projects being implemented that are drawing down security [risks],” Chris De Rusha said, noting that is “another metric that I'll look at for judging how well we're doing.” 

The TMF—a central loan fund for agency IT upgrades—received a $1 billion boost as part of the American Rescue Plan and a mandate to relax the repayment requirements for critical cybersecurity and pandemic-related projects.

The federal CISO spoke during the annual Billington Cybersecurity Summit Thursday where he also highlighted the importance of penetration testing and vulnerability management programs, two activities stressed in a massive bill senators have proposed for updating the Federal Information Security Modernization Act of 2014. FISMA 2021 cleared the Senate Homeland Security and Governmental Affairs Committee Wednesday and, among other things, instructs the director of the Office of Management and Budget to issue new guidance to agencies for evaluating their information security practices. 

De Rusha said he is working to “shift from the model we've been in where we're looking at all these controls and saying ‘you know, we believe we're doing this well’ to measuring progress through the tested activities I just talked about. That's a new challenge and we're, you know, we're taking it on. We're looking at making some of these changes in our FISMA guidance.” He also said he’s sympathetic to the amount of reporting agencies have to do on points that are not always in alignment. 

“I want to spend our time smarter, you know, and that means freeing up a little space too, which is something that we're going to try to figure out how to do,” he said. “I think if we keep saying do that and then this and then this and then this, well, then you have 100 things and they’re incongruent. … We need to help agencies with that problem.”

The senators’ FISMA update would also codify parts of a May executive order centered on implementing the concept of zero trust, something De Rusha on Thursday described as the government’s “cornerstone cyber program.” Noting that federal agencies are at various levels of maturity toward achieving zero trust, he also floated the idea of using the TMF to create a shared services program specifically for helping them get to the desired end-state.

“That is a place where we got a billion dollars in the emergency appropriation earlier this year, and we're really focusing on security projects and so for example, it could be an avenue where we seek out and create a project like this to fill any new gaps that we discover,” he said, also pointing to shared services programs at the Department of Homeland Security, the General Services Administration and other agencies.

And some agencies have already turned to the fund to address their cybersecurity issues. Last week OMB announced six agency projects—three of which focused on zero trust efforts—will receive about $311 million from TMF.

The FISMA bill also proposes additional instructions for the evaluation of TMF proposals, which agencies submit to a review board where De Rusha is an alternate member. It says the OMB director should consider the protection of high value assets and the inclusion of appropriate cybersecurity measures, including supply chain risk management plans, in awarding funds.