Zero Trust Cyber Exchange: Federal CISO Chris DeRusha on state of zero trust efforts


With every new federal cybersecurity initiative, agencies tend to follow up with a simple, and fair, question: “How do we pay for it?”

Agencies already are spending more than $10 billion annually on cybersecurity-specific programs and projects. Adding more to their proverbial to-do lists therefore can provoke a feeling of adding more weight to the already over-burdened shoulders of federal chief information security officers.

For the Biden administration’s move toward zero trust, the Office of Management and Budget not only thought of the funding question ahead of the memos and strategies, but it also seems to have a plan to address the “unfunded mandate” moniker that new initiatives usually receive.

Chris DeRusha, federal chief information security officer and deputy national cyber director for federal, said funding the 19 requirements agencies must address by the end of fiscal 2024 deserves the attention it’s getting.

“We really need to put a premium on investing more in the space. But that’s not the only thing. We also need to ensure that procurement systems are moving fast and that we’re staying focused on hiring and removing barriers to get the talent that we need,” DeRusha said during Federal News Network’s Zero Trust Cyber Exchange.

“In fiscal 2022, agencies were able to reprioritize some funding and also the SolarWinds reserve money that we set aside bolstered at least those nine agencies’ cybersecurity opportunities, and those are aligned completely with zero trust implementation and the EO priority.”

For 2023, OMB asked that cyber submissions be aligned completely with the government’s zero trust strategy, he said. “We did data calls around the zero trust strategy capabilities and said, ‘These are the ones you need to prioritize.’ ” By doing that, DeRusha believes that agencies will be able to be granular in their 2024 budget requests and have even more success implementing program goals.

While obtaining 2023 and 2024 funding still has a long road ahead, Congress has shown its support for increasing funds for cyber projects.

Zero trust popular for TMF funding

Additionally, OMB still has more than $700 million in the Technology Modernization Fund (TMF) from the American Rescue Plan Act windfall. Of the last nine projects for which the TMF Board made awards, five were for zero trust projects or efforts related to improving agency cybersecurity.

“We know from our interactions with the board that [agencies are] making meaningful progress in implementing these tools,” DeRusha said. The projects include:

  • Building out endpoint detection and response capabilities.
  • Improving security operations center (SOC) maturity through security orchestration, automation and response (SOAR) tools.
  • Getting better visibility with secure access service edge (SASE) tools.
  • Establishing a core project management office.
  • Hiring Tier 3 technical support staff to augment skills agencies historically have had trouble acquiring.

Even so, DeRusha said funding from Congress and through TMF will not solve all the issues. The TMF-funded projects are providing lessons learned about tools, processes and what is needed to successfully implement zero trust capabilities, he said.

“We have quarterly check-ins with those agencies, and we’re getting to know the project managers that they’re hiring and getting to really pressure-test specific investments. Where are they in their procurement cycle? What challenges are they facing?” DeRusha said. “It’s really helpful because every agency is going to have the same supply chain disruption problem on a certain type of software or hardware. So knowing that is really helpful because then it allows us to make better policy and oversight governance decisions across the board.”

The agencies using TMF funding to accelerate their move to zero trust capabilities also are giving OMB more insight into what should have been in the strategies that each agency sent in late March, he added.

Trends in agency zero trust plans

A couple of key trends emerged from the agency-level plans, DeRusha said: enterprise identity, network architecture, and improving how to manage and secure data.

Additionally, agencies have put governance processes in place to manage the transition to zero trust. “You need a clear, strong lead in the agency to really start to make progress in implementing that many tasks across big federated agencies,” he said. “We’ve certainly seen that, but agencies have also broken ground on a number of initiatives.”

For instance, many agencies have begun work on enterprise identities. “That makes sense,” DeRusha said, since identity is the core starting point for zero trust and, wherever possible, OMB wants to see the most investments around that.

Another investment focus has been around planning for and improving network architectures — moving toward microsegmentation. That’s followed up by managing and securing data.

Projects include discovering where agency data is located, using tools to auto-label data to ensure it’s accurate, and adjusting how agencies ingest and share cyber data, DeRusha said.

“That’s relatively new technology in the field that needs to be integrated across the full culture all the way sometimes down to touching the end user and how they work with documents differently and/or transmit them in email, for example. I’ve implemented these capabilities in the past, and they are culture changes,” he said. “We’re excited to see that agencies are taking these things on in their plans.”

Interagency data effort underway

OMB, the Federal CISO Council and the Federal Chief Data Officers Council also are providing some help for agencies in how they manage data through a new working group focused on data classification schemas.

“The goal is to have a good systemized way of doing this and to give sanity to the workforce,” DeRusha said, adding, “You can’t just be a CISO and implement something like this. It just impacts the organization too broadly.”

The working group is still in its formative stage. Right now, it has about 10 members — volunteers from the CDO and CISO councils who have begun meeting, he said. Over the long term, the working group will give the large councils data schemas for review, help develop a best-practice approach and ensure broad buy-in.

Meanwhile, OMB also is focused on establishing a secure software development framework. It has been talking to agencies, industry and other experts to develop the new model and policy.

“Our policy guidance will be successful if we build out the right rollout plan,” DeRusha said. It needs to be more than just a compliance framework. The government must incentivize vendors to build secure development practices into the fabric of their organizations, he said.

“That is the goal,” DeRusha said. “We want to really just make sure we’re reinforcing that.”

The policy is in the formal clearance process at OMB and close to release.

More information from the Cyber Safety Review Board as well as from the Federal Acquisition Security Council (FASC) around proposed cyber contract clauses also is coming soon.

DeRusha was quick to caution that while there may be a desire to market tools as zero trust, industry must be “cautious around not overselling what each tool can do. All of these tools are crucial components of a zero trust strategy in achieving zero trust principles.”

It can be confusing when agencies are told that a specific tool is going to complete zero trust for them, he said. Despite that, DeRusha said the partnership with industry has been fantastic so far, and “we really look forward to continuing it.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.

Featured speaker

  • Chris DeRusha

    Federal Chief Information Security Officer and Deputy National Cyber Director for Federal, OMB