Federal CISO DeRusha leaving

Mike Duffy, the associate director for capacity building in the cyber division at CISA, will take over for DeRusha on an acting basis.

Chris DeRusha, the federal chief information security officer, is leaving after more than three years in the role.

The Office of Management and Budget confirmed DeRusha is leaving. Federal News Network also has learned that Mike Duffy, the associate director for capacity building in the cyber division at the Cybersecurity and Infrastructure Security Agency at the Homeland Security Department, will take over on an acting basis.

“Since day one of the Biden administration, Chris has been instrumental in strengthening our nation’s cybersecurity, protecting America’s critical infrastructure, and improving the digital defenses of the federal government,” said Clare Martorana, the federal chief information officer, in an email statement to Federal News Network. “I wish him the best, and know he will continue to serve as a leading voice within the cybersecurity community.”

Duffy will begin his detail next week, according to an internal email obtained by Federal News Network.

DeRusha joined OMB in January 2021, coming over from the Biden presidential campaign. He also worked as CISO for the state of Michigan and spent five years at DHS and two years as a senior cyber advisor for the White House.

OMB didn’t say when DeRusha’s last day would be or where he is heading next.

“From the beginning of the Biden-Harris administration, and even before, Chris DeRusha has been a steady, guiding leader. As Deputy National Cyber Director with ONCD – while continuing his excellent work as federal CISO – he has been a trusted and valued partner,” said National Cyber Director Harry Coker, Jr., in a statement to Federal News Network. “Chris’s keen insights, experience, and judgement have been integral to the work we’ve done and what we will continue to do to strengthen our nation’s cyber infrastructure. I’m grateful for his commitment to the American people and to the Biden-Harris Administration. All of us at ONCD wish him the very best in his next chapter.”

DeRusha has played a key role in advancing many of the White House’s cyber priorities, including writing and implementing the zero trust strategy and overseeing the federal agency responsibilities outlined in President Joe Biden’s cyber executive order, particularly around software security and applying phishing-resistant multi-factor authentication.

Ross Nodurft, a former OMB cyber chief and the executive director of the Alliance for Digital Innovation (ADI), an industry association, said DeRusha’s impact across the government has been significant.

“Chris DeRusha, his teams at OMB and ONCD, and his partners at CISA and across the CISO community have made significant strides in making our federal government more secure and resilient. In many cases, Chris has guided federal agencies into security postures and architectures that are ahead of many commercial companies,” Nodurft said. “He has driven governance processes that prioritize risk management and helped make cybersecurity a consideration in the beginning of technology decisions as opposed to a bolted-on afterthought. The government will miss his leadership, energy and vision. ADI is thankful that Mike Duffy will be stepping in to keep up the drumbeat of cybersecurity and zero trust implementation and modernization.”

Over at CISA, Duffy said Shelly Hartsook, the deputy associate director, would be taking over for him on an acting basis. During his tenure at CISA, Duffy took on several large priorities, including modernizing the continuous diagnostics and mitigation (CDM) program, helping agencies implement the zero trust maturity model and helping to stand up and advance several cyber shared services for agencies.

Duffy said in his email to staff that it was an “honor to answer the call” to be acting federal CISO and advance the administration’s cyber priorities during this time of change.

“Mike Duffy will do an outstanding job as the acting federal chief information security officer. As associate director here at CISA, he has spearheaded efforts to evolve and operationalize our Continuous Diagnostics and Mitigation program, unveiled a new enterprise-wide approach to operational cybersecurity alignment, and led the expansion of CISA’s cybersecurity shared services to critical infrastructure,” said CISA Director Jen Easterly in a statement. “Mike’s vast experience, strong partnership acumen, and strategic approach to federal cybersecurity will make for a seamless transition and continue to drive sustained progress across the federal government.”

A former government official, who didn’t get permission to speak to the press, said Duffy is an excellent choice to be the acting federal CISO.

“I can only think of a few people who can hit the ground running as quickly and efficiently as Mike will in his role as acting federal CISO,” the former official said. “From continuing the modernization of the federal enterprise to collaborating with both domestic and international, private and public partnerships, increasing the focus on critical infrastructure and securing elections, Mike is well-positioned to lead the office.”

This story will be updated as more details emerge.

Copyright © 2024 Federal News Network. All rights reserved.
