Critical Update: The Federal CISO Is Prioritizing Flexibility for Agencies
In a new age of cyberattacks, Chris DeRusha says agencies must have more room to implement practices that enable constant vigilance.

It’s almost that time again. Every fall agencies wait for the Office of Management and Budget to release instructions on how they should shape annual reports they have to make on the state of their information security. But this time the process is happening after two massive intrusions compromised several government agencies and there will be some important changes.

Federal Chief Information Security Officer Chris DeRusha told Nextgov’s Critical Update the biggest thing agencies can expect going forward is an understanding of how demanding the current reporting process is and an appropriate narrowing of the scope of things they have to focus on at any given time.

Agencies are required to report to OMB on their information security under the Federal Information Security Modernization Act. They review their posture against hundreds of controls described for various functions in the National Institute of Standards and Technology’s cybersecurity framework.

DeRusha believes paring down the list of things agencies are reviewing to the most essential functions satisfied by practices like continuous monitoring will yield better results than previous years’ efforts on that front.

“It's been a goal for a while, but we're doubling down on that and making sure that we're giving agencies some space to be able to focus on that,” he said. “And that's going to mean maybe asking them less often about all of their control implementations … We won't necessarily review all controls every year. We're going to focus on a subset.” 

Along with continuous monitoring, the FISMA 2022 guidance will cover things like penetration testing—part of a class of operations referred to as “red teaming.” 

“We call this ground truth testing or tested security, whatever you want to call it,” he said. “We're looking at red teaming, pen-testing, vulnerability disclosure programs, smart patching based on threat intel. … These are high-impact activities.”

And mindful of the various levels of resources available to individual agencies, DeRusha said the FISMA guidance will continue to reflect the approach OMB took in developing guidance on the implementation of zero trust programs, as required by a major executive order issued in May. 

To address the fact that agencies are in very different places along the road to implementing modern cybersecurity practices, DeRusha said, “One of the things you can do is you can leverage capability maturity models. I’m a big believer in that.”

“You're … going to see us in the FISMA 22 metrics and guidance take a similar approach where we're going to really try to assess the maturity level of some key capabilities, the controls and the security activities, that are getting outcomes,” he said. 

The conversation with DeRusha also touches on his transition from other CISO jobs and why he doesn’t see the new Federal Acquisition Security Council as the be-all and end-all for supply chain security, especially after the attacks on IT management firm SolarWinds and on-premises Microsoft Exchange servers tied to Office 365.

Listen to the full episode below or download it from Apple Podcasts, Google Podcasts or your favorite platform.