National Cyber Director Explains Appointment of Federal CISO to His Office


The move comes amid confusion about the roles and responsibilities of various federal cybersecurity leaders.

National Cyber Director Chris Inglis said the appointment of Federal Chief Information Security Officer Chris DeRusha as a deputy within his office is not a statement on their respective power to make decisions about cyber budgeting.

“That is not a subjugation of his authorities to the National Cyber Director,” Inglis said Thursday during an event hosted by the Center for Strategic and International Studies.

The move was first reported by The Washington Post early Thursday and was followed hours later by a tweet from Inglis describing the appointment as a dual designation. DeRusha will continue to serve as federal CISO and welcomes Iglis’ entrance into the federal cyber policy space despite confusion from lawmakers about who’s supposed to be doing what. He and Inglis both say they simply need more people on their closely related jobs.   

Inglis said his office will likely have 75 to 80 people—a number too small for the mission. “That's not a dodge-the-bullet moment, that means that if we're to actually make a contribution we have to work with and through others, which is why yesterday we announced that, Chris DeRusha, the Federal CISO has been appointed as the Deputy Director for National Cyber for the purposes of federal cybersecurity," he said.

Inglis acknowledges the importance of clear roles and responsibilities for the purpose of accountability, a big selling point in the push for Congress to create his office. On Thursday his office published a statement of strategic intent to lay out the official duties of his office.

“It's an alignment and harmonization such that we'll make sure that what we do, we do together,” Inglis said of DeRusha’s new appointment, “so that if you're a CISO in the federal enterprise, and you hear us each speak, we're finishing each other sentences. We're not going to give conflicting guidance. It will always be complementary.”

During a recent hearing on the issue, Inglis told Sen. Rob Portman, R-Ohio, he is accountable for cybersecurity of federally owned and leased estates, but that he is also responsible for assigning that accountability to others.

“Yes sir, I am ultimately the accountable person. Now, my job is to make sure that that accountability has been allocated properly to agency and department heads, to [the Cybersecurity and Infrastructure Security Agency] for being the operational entity coordinating the defense, to [the Office of Management and Budget] for issuing the right directives,” he said. “As the coach, I need to make sure those roles are properly assigned, properly executed.”