Chris DeRusha, who wears the dual hats of Federal Chief Information Security Officer (CISO) and Deputy National Cyber Director for Federal Cybersecurity in the Office of the National Cyber Director, charted some near-term policy goals on the security front during a keynote address on May 19 at MeriTalk’s Cyber Central May 2022 – Mission: Cyber Resilience in-person conference.
Among other goals, the Federal CISO pointed to coming developments on Federal government contract rules that don’t currently allow for sufficient sharing of cyber incident data, and secure software development rules teed up in President Biden’s May 2021 cybersecurity executive order.
He also hinted at further possible steps on workforce development, and making public some details from Cyber Safety Review Board findings.
On the contracting front, DeRusha talked about an upcoming Federal Acquisition Regulation rule that will be put out for public comment to allow for cyber incident sharing with government entities where such sharing may not be permitted under current rules.
“Some people want to share, but they can’t,” he said. “So if that’s a problem, we can fix that.”
“There is a FAR (Federal Acquisition Regulation) rule that will come up for public comment, you will all get a chance to take a look at the contract clauses that we propose, and it will be a conversation, and then we’ll move forward,” he said.
DeRusha called secure software development “a huge focus” of the cybersecurity executive order, and said “we’re going to be very careful in how we roll that out.”
The National Institute of Standards and Technology (NIST), he said, “has come up with a fantastic secure software development framework, a great collection of best practices. What we want to do is ensure that companies adopt and follow them.”
“We don’t want a new compliance framework, we don’t want people checking the box and saying ‘to work with government, I have to do this and so we’re going to find a way to say that.’ No, we really want adoption here,” he said.
“We’ve been listening and trying to work together so that we can come up with a way to move forward that works for everyone, and roll this out in a consistent way across programs,” he said. The forthcoming policy, he pledged, “very much takes into account all the feedback that we’ve received.”
“That will be coming out in the coming months,” DeRusha said.
The Federal CISO said the move to seek industry comment follows a strong response to the zero trust policy that the Office of Management and Budget proposed following the release of the cybersecurity executive order.
“We wrote that with you all, and I think we got something like 120 to 130 independent submissions in our public comment period,” he said. “For those keeping track on government documents receiving public comments, it got more interest than we tend to see, and it was really good feedback … we really tried to take that and build it into the policy,” DeRusha said.