Federal Chief Information Security Officer (CISO) Chris DeRusha today offered an expansive set of ideas for how Congress may undertake reform of the Federal Information Security Modernization Act (FISMA) of 2014 to bring the existing law up to speed with the fast-moving security improvement work underway throughout the Federal government following the release of President Biden’s cybersecurity executive order in May.
DeRusha – whose office is taking a large role in implementing the executive order – has been on the record for possible changes to FISMA, but his discussion of the issue on July 21 at CrowdStrike’s Fal.Con for Public Sector 2021 event offered a more detailed picture of what the Federal CISO would like to see.
Speaking in May at MeriTalk’s CDM Central – the Age of Cyber Defenders event, DeRusha said he was looking forward to working with Congress on a possible FISMA update this year, but did not provide much detail on priorities for that process.
In his remarks today, DeRusha recapped his recent remarks about progress on the executive order, but said that “another big priority for me and our office is taking a hard look” at FISMA and “answer the question, what’s working well and what’s not, in how FISMA is driving us to manage enterprise risk for civilian government.”
“I think that’s really important, given the moment we’re in right now,” he said. “You’re looking at all these matrices, trying to unpack what we need to do differently, and I think we also need to go back – not just in our different implementations to trust others – but in how we’re using policy to drive into programs and priorities … this is something extremely important for us to do.”
DeRusha made no hard-and-fast recommendations for reform but talked about two areas he’d like to see Congress focus on.
The first of those, he said, involves testing and validating security arrangements, rather than relying on “self-attestation” by agencies. That would involve agencies moving “in a path toward more rigorous application of security testing” through red and blue-team exercises and penetration testing, and building out vulnerability disclosure programs, he said.
“Agencies did a great job of building and putting those programs in place, but we need to ensure that they’re being used,” DeRusha said. He added that “having security researchers on our team, working with us to identify tough-to-spot vulnerabilities” in agency security is “really important.”
Taking that approach, he said, will “help us look at the risk surface from the lens of our adversaries and the ways that they are looking at our risk, [and] help us prioritize and address those risks first.”
The second area he suggested was increasing security automation.
“This is a continual push that we’ve been on a path for over a decade of using continuous monitoring tools, and using that standardized data to improve awareness, reduce costs,” and boost the quality of security reporting, he said.
“There are a lot of benefits to increasing your automation and improving risk management,” and to the government’s ability to prioritize security issues, he continued.
“What do I mean by that? … We want to help agencies better understand their risks and help explain those risks to executives in the most effective way possible,” DeRusha said. “The goal of course is to ensure that they’re getting all the resources and access to capital that they need” for security, he added.
DeRusha pointed out that while expected funding awards to Federal agencies via the recent $1 billion into the Technology Modernization Fund (TMF) are “great,” the government also needs to “focus inside agencies and ensure that TMF as a supplement is not replacing” regular funding flows for security within agency budgets.
Elsewhere in his remarks, DeRusha touched on the executive order’s directive for Federal agencies to move to cloud services.
“Another key pillar to our success in the security modernization journey is going to be embracing the cloud,” he said, particularly as agencies try to improve citizen service delivery with digital-only transactions. “It’s critical for the Federal government to continue to make progress in this direction, and expand market access to these commercially available solutions,” he said.
