The Federal CISO's Approach to Cybersecurity in a Post–SolarWinds World   


The federal chief information security officer is moving ahead with congressional priorities for the .gov enterprise, as lawmakers fail to pass bipartisan incident reporting legislation and other changes to the Federal Information Security Modernization Act.

After a year of large-scale incidents that jolted policy makers into action, Federal Chief Information Security Officer Chris DeRusha is trying to make it easier for agencies to focus on what really matters, in part by reducing their reporting burden.

Attacks targeting federal software suppliers like Microsoft and the IT management firm SolarWinds spurred a May 2021 executive order that aims to increase visibility across agencies and could lead to changes in federal acquisition regulations.

And the fact that the resulting breach of several federal agencies came to light not through internal reports but from the voluntary disclosure of a prominent cybersecurity firm, which was also a victim of the attacks, had Congress scrambling to update the incident reporting obligations of public and private entities. 

Lawmakers across the political divide eventually reached a consensus on how to move forward, including through changes to the Federal Information Security Modernization Act of 2014, but failed to attach their legislation to the annual “must-pass” defense authorization bill.  

Enter DeRusha. The following interview was adapted from Nextgov’s Critical Update with the federal CISO in 2021 and has been edited for length and clarity.

NG: How do you plan to measure effectiveness and progress in cybersecurity?

DeRusha: It's a great question, and it is one of the greater challenges that everyone has in corporations or governments globally. 

One of the things you can do is you can leverage capability, maturity models, and I’m a big believer in that. If you look at what we're doing in the draft zero trust strategy that we put out for public comment, that's what we're trying to do there. We're setting a baseline of targets for specific investments and activities that we'd like agencies to complete over a three-year time horizon. And we're doing that on top of a capability maturity model, where we're saying how we can achieve a sense of benchmarking and how agencies are doing against each other as we move forward. 

So, a year or two years from now, we should have some pretty good data on how well agencies are doing and implementing this strategy and be able to sort of measure progress, at least on the plan. And if we do this right—which we think we are on the path toward doing with all of the great input that we received from industry and academia—this is the plan and this is the security modernization strategy. 

It is not the whole answer. To measure progress in your entire cyber risk management program is challenging, but this is a core set of capabilities, and you're also going to see us in the FISMA ’22 metrics and guidance take a similar approach.

NG: How do your plans line up with what lawmakers are hoping to do?

DeRusha: We want to improve transparency and specificity in reporting incidents to Congress. That's a key priority of theirs and it’s a shared priority, improving information sharing about incidents within the executive branch. That's something you see that we've covered also in the executive order. 

A big [priority] is moving agencies toward rigorously tested security, continuous monitoring. It’s something that we've been working on for years, but we're putting a lot of attention on that and sort of moving away from these periodic point in time assessments. With the pace that our adversaries are evolving capabilities, that's just not effective. So we're really trying to ramp up and move faster and focus on understanding our security posture on a continuous basis. 

Again, that’s been the goal for a while, but we're doubling down from that in making sure that we're giving agencies some space to be able to focus on it. And that's going to mean maybe asking them less often about all of their control implementations. 

In other words, we won't necessarily review all controls every year; we're going to focus on a subset. The point is, you need to give and take some, you know, to allow agencies to have the space and time to focus on some of these operational imperatives.

NG: How can the federal government help improve the security of technology agencies are purchasing given budget restraints?

DeRusha: Well, I actually think that agencies do a pretty good job of using [the General Service Administration’s] contract vehicles. And then you also have the [Homeland Security Department’s Continuous Diagnostics and Mitigation] program where agencies can leverage tools that have been vetted by [the Cybersecurity and Infrastructure Security Agency], by their experts, and [agencies] can trust and rely on those as best in grade technology. 

So, you know, I think that agencies are working to do that, and where they're not I'm sure there's always opportunities for improvement there, but we definitely do always reinforce and support an enterprise approach. 

NG: You chair the multi-agency Federal Acquisition Security Council which has the power to recommend bans on overly risky technology for use by the federal government, and some have suggested that body shape federal supply chain policy going forward. How do you see the role of the FASC in the age of supply-chain attacks like SolarWinds?

DeRusha: I don't think that the FASC was stood up to address an incident like what occurred in SolarWinds. There's plenty of lessons learned there for that company, about their cyber hygiene, that they needed to address and do differently. And companies should be paying attention to that and other supply chain attacks that we've seen.

That said, when you look at the FASC’s remit, what we're talking about varies really considering a number of risk factors to determine, for example, if there’s foreign government influence, if there’s a high threat presence that we can observe and have evidence on, if there is vulnerability present, and if there’s a high impact. We're looking at a rigorous set of criteria to say, you know, “hey, a lot of these factors are met and this is presenting unacceptable risk to the federal government.” And I think that's when one can expect us to be making a recommendation for exclusion or removal to one of the agencies that will exercise those authorities.

The risks are real. What you're describing is very real and we're working as a federal government to address them. But I'm not sure that I see the FASC as the group that needs to solve all problems because when you bring that many agencies together it's a lot of coordination, it's a lot of new process that you have to run, and I think at times we should be more agile and lean than that.
