Federal Chief Information Security Officer (CISO) Chris DeRusha said this week that the Federal civilian government has made considerable progress on both the tactical and cultural fronts in its efforts to implement zero trust security architectures at Federal agencies, efforts that stem from the Biden administration’s 2021 cybersecurity executive order.
Speaking during a Federal News Network event on Sept. 12, the Federal CISO said that tactical progress on implementing the M-22-09 Federal Zero Trust Strategy issued in January 2022 is evident across a large number of areas including agency planning, budgeting, and top management engagement.
“We’re down the road,” on implementing the policy, DeRusha said. “What we did early on was we actually spent a lot of time developing specific implementation plans with all the agencies … There’s a bunch of actions that they needed to complete within sort of some specific timeframes, and some, over a three-year period.”
“We’ve just been tracking the progress of all that,” he continued. “We’ve been using that strategy to drive our budget priorities and drive our budget processes and data calls around that, so that’s been a really exciting opportunity.”
In addition to those tactical gains, DeRusha pointed to the necessary security culture changes that the zero trust strategy is also driving across the government.
“We’re just starting to kind of see the culture change, and … the pickup for different agencies,” he said.
“My favorite thing to hear sometimes from a CIO [chief information officer] or a CISO is … ‘I’m doing this because it’s the right thing, and I want to do it … not because you told me.’”
“That’s great … because it means that we are on the right path, and we got it right,” DeRusha said. “I think we got it right because we did engage the community before we wrote it,” and then solicited comment on the preliminary version of the zero trust strategy, he said.
The strategy, the Federal CISO said, is “getting traction because it is what agencies want to be focusing on … and know that we need to be.”
“It’s put structure around that, it’s put timelines, puts pressure, it’s gotten us more money than I think we would have gotten,” he said. “The word that I’ve been using is momentum – it’s really moving us.”
“All of our data, all of our metrics to FISMA, are aligned around measuring the progress of work [and] we’re seeing movements … [on] tactical things, but really important things like MFA [multifactor authentication] and encryption,” DeRusha said. “After two years of steering at that, and putting a lot of high level of accountability and agency on that, we’re seeing serious movement.”
“Overall, I would say lots of progress tactically, but you know, culturally is the most important thing here,” DeRusha said. “We’re on a road that I think we’re just tackling the left to right after that three-year period concludes. But I predict we’re going to stay on this path, because it’s one that everybody sees is the right path.”