Federal Chief Information Security Officer (CISO) Chris DeRusha explained today how the National Cybersecurity Strategy (NCS) and implementation plan released by the Office of the National Cyber Director (ONCD) earlier this year lines up nicely with the goals of improving Federal government cybersecurity, but also warned that the prevalence of legacy IT systems still being used by many Federal agencies continues to stand in the way of security improvements.
During a NextGov/FCW webinar, DeRusha talked about one of the big themes of the NCS, which he described as “work on increasing incentives to favor longer term investments in cybersecurity.”
That major goal “dovetails nicely,” he said, into what the Biden administration is trying to do to improve Federal government cybersecurity. He said that alignment is “pretty cool because it doesn’t always happen with these large strategies – a detailed implementation” plan with milestones attached, and “roles for all of the Federal agencies that are going to be working on that.”
“So when you look at that and you come back to the Federal side … there’s a big role for us to continue to play a leading role in securing Federal systems – that’s why that was in the first chapter of the National Cyber strategy,” he said.
DeRusha said he views the NCS as “building off of” the Biden administration’s 2021 cybersecurity executive order, and the “huge focus on Federal cybersecurity since the beginning of the administration.”
“What we’re talking about there is let’s keep going,” he said. However, as part of that broad effort to improve Federal cybersecurity, he said the government needs a ten-year modernization plan for legacy IT.
“Since I’ve been doing Federal government work back early in the Obama administration, we’ve been talking about … legacy IT modernization as the number one biggest rock that needs to get moved first to be able to secure our systems,” he said. “I think that’s still true.”
“We’ve made a lot of progress with the Technology Modernization Fund – just the lots of investment that’s been made,” he said. “But yeah, the continued investment that we need to make there is evident and obvious as we continue on our efforts to implement encryption” and multifactor authentication.
“Then also we’re taking everything that we’ve been doing and studying it a little bit and then building off of it,” he said, citing a shared security service model that the Cybersecurity and Infrastructure Security Agency (CISA) has been doing the Department of Justice and other agencies. “What are the characteristics of success … and what are the next services down the road that are needed – we’re studying that and we’re going to be building off of that.”
Looking to next steps on other issues, DeRusha also mentioned enterprise license agreements “and how we get more bang for the buck there,” along with “operationalization of how we work as a Federal CISO and security community.”
“CISA is getting a huge, expanding role – very, very mature now,” he said. “What else do we do – because we’re never going to be done with that … What else can we do to kind of integrate the CISOs and the shops in with CISA?”
“So we’ve tasked ourselves with an operational plan there that will kind of take us to the next level,” he said. The Federal CISO added, there is a “a lot more work and a focus on national security systems information. There’s a lot of swim lanes in the next round of things that we need to do.”
DeRusha also spoke about the benefits of his dual-hat status as Federal CISO and Deputy National Cyber Director, saying “it was something that made a lot of sense to us,” when he was appointed Deputy NCD in late 2021, “and still does.”
“The nice thing about that is we have operational fabric now, and I manage a couple of teams on each side, as one team working on Federal government oversight governance,” he said. “That’s really helped because you’ve been sitting in all the ONCD meetings [and] you understand what’s going on internationally, nationally – they have a huge mission inside that organization – and can really reinforce and feed everything we’re doing federal side and vice versa.”
“We’re running stuff on the Federal side that sort of feels like things we should be translating up as we’re developing a national strategy, so it’s worked really well to date,” he said.