The Federal CISO's Approach to Cybersecurity in a Post–SolarWinds World


The federal chief information security officer is moving ahead with congressional priorities for the .gov enterprise, as lawmakers fail to pass bipartisan incident reporting legislation and other changes to the Federal Information Security Modernization Act.

After a year of large–scale incidents that jolted policy makers into action, Federal Chief Information Security Officer Chris DeRusha is trying to make it easier for agencies to focus on what really matters, in part by reducing their reporting burden.

Attacks targeting federal software suppliers like Microsoft and the IT management firm SolarWinds spurred a May 2021 executive order that aims to increase visibility across agencies and could lead to changes in federal acquisition regulations.

And the fact that the resulting breach of several federal agencies came to light not through internal reports but from the voluntary disclosure of a prominent cybersecurity firm, which was also a victim of the attacks, had Congress scrambling to update the incident reporting obligations of public and private entities. 

Lawmakers across the political divide eventually reached a consensus on how to move forward, including through changes to the Federal Information Security Modernization Act of 2014, but failed to attach their legislation to the annual “must-pass” defense authorization bill.  

Enter DeRusha. The following interview was adapted from Nextgov’s Critical Update with the federal CISO in 2021 and has been edited for length and clarity.

NG: How do you plan to measure effectiveness and progress in cybersecurity?

DeRusha: It's a great question, and it is one of the greater challenges that everyone has in corporations or governments globally. 

One of the things you can do is you can leverage capability, maturity models, and I’m a big believer in that. If you look at what we're doing in the draft zero trust strategy that we put out for public comment, that's what we're trying to do there. We're setting a baseline of targets for specific investments and activities that we'd like agencies to complete over a three-year time horizon. And we're doing that on top of a capability maturity model, where we're saying how we can achieve a sense of benchmarking and how agencies are doing against each other as we move forward. 

So, a year or two years from now, we should have some pretty good data on how well agencies are doing and implementing this strategy and be able to sort of measure progress, at least on the plan. And if we do this right—which we think we are on the path toward doing with all of the great input that we received from industry and academia—this is the plan and this is the security modernization strategy. 

It is not the whole answer. To measure progress in your entire cyber risk management program is challenging, but this is a core set of capabilities, and you're also going to see us in the FISMA ‘22 metrics and guidance take a similar approach. 

NG: How do your plans line up with what lawmakers are hoping to do?

DeRusha: We want to improve transparency and specificity in reporting incidents to Congress. That's a key priority of theirs and it’s a shared priority, improving information sharing about incidents within the executive branch. That's something you see that we've covered also in the executive order. 

A big [priority] is moving agencies toward rigorously tested security, continuous monitoring. It’s something that we've been working on for years, but we're putting a lot of attention on that and sort of moving away from these periodic point in time assessments. With the pace that our adversaries are evolving capabilities, that's just not effective. So we're really trying to ramp up and move faster and focus on understanding our security posture on a continuous basis. 

Again, that’s been the goal for a while, but we're doubling down from that in making sure that we're giving agencies some space to be able to focus on it. And that's going to mean maybe asking them less often about all of their control implementations. 

In other words, we won't necessarily review all controls every year; we're going to focus on a subset. The point is, you need to give and take some, you know, to allow agencies to have the space and time to focus on some of these operational imperatives.

NG: How can the federal government help improve the security of technology agencies are purchasing given budget restraints?

DeRusha: Well, I actually think that agencies do a pretty good job of using [the General Service Administration’s] contract vehicles. And then you also have the [Homeland Security Department’s Continuous Diagnostics and Mitigation] program where agencies can leverage tools that have been vetted by [the Cybersecurity and Infrastructure Security Agency], by their experts, and [agencies] can trust and rely on those as best in grade technology. 

So, you know, I think that agencies are working to do that, and where they're not I'm sure there's always opportunities for improvement there, but we definitely do always reinforce and support an enterprise approach. 

NG: You chair the multi-agency Federal Acquisition Security Council which has the power to recommend bans on overly risky technology for use by the federal government, and some have suggested that body shape federal supply chain policy going forward. How do you see the role of the FASC in the age of supply-chain attacks like SolarWinds?

DeRusha: I don't think that the FASC was stood up to address an incident like occurred in SolarWinds. There's plenty of lessons learned there for that company, about their cyber hygiene, that they needed to address and do differently. And companies should be paying attention to that and other supply chain attacks that we've seen.

That said, when you look at the FASC’s remit, what we're talking about varies really considering a number of risk factors to determine, for example, if there’s foreign government influence, if there’s a high threat presence that we can observe and have evidence on, if there is vulnerability present, and if there’s a high impact. We're looking at a rigorous set of criteria to say, you know, “hey, a lot of these factors are met and this is presenting unacceptable risk to the federal government.” And I think that's when one can expect us to be making a recommendation for exclusion or removal to one of the agencies that will exercise those authorities.

The risks are real. What you're describing is very real and we're working as a federal government to address them. But I'm not sure that I see the FASC as the group that needs to solve all problems because when you bring that many agencies together it's a lot of coordination, it's a lot of new process that you have to run, and I think at times we should be more agile and lean than that.