Federal Chief Information Security Officer Chris DeRusha said today that working to update the Federal Information Security Management Act (FISMA) – and generate more useful Federal agency cybersecurity metrics as a result – are among his top priorities currently.
DeRusha has voiced support for FISMA reform in recent public remarks, and he expanded on that thinking during an August 4 address at an event organized by FCW.
The Federal CISO said today that his three top priorities are working to implement President Biden’s cybersecurity executive order and its directive for Federal agencies to move to zero trust security architectures, helping to leverage the Technology Modernization Fund (TMF) to address security risks posed by legacy IT systems, and taking a “hard look” at FISMA and the cybersecurity requirements that it puts on Federal agencies.
On the FISMA front, DeRusha explained that one of the hoped-for outcomes of changes to the law would be in requirements to measure agency cybersecurity performance.
“That’s something that Congress is also very interested in,” said DeRusha. He said draft legislation has been produced, and that “we’re very excited to work together” with lawmakers on that effort.
The current FISMA statute dates to 2014, he noted. “It was the last time we codified those responsibilities across Federal government, and you know what’s changed since then, so that would be a great opportunity to dig into cybersecurity a little bit deeper,” he said.
Expanding on the FISMA-related goals, DeRusha said that “our goal is to shift from untested security to tested security … It won’t be easy, and it will be a bit of a transition.”
“We’ll be starting to this year incrementally move the way that we measure performance and agencies towards risk-based models, to form risk-based cyber budgeting, and really just be focused on reducing the attack surface, and focusing on controls, and in more detailed ways, that are really getting the highest bang for the buck outcomes,” DeRusha said. “We’ve got to align those strategic goals with FISMA,” he said.
“In the President’s Management Agenda, something we’re working on new [is] to streamline the requirements for existing qualitative performance reporting,” DeRusha said. Security assessments, he said, are due to be augmented with independent testing and red-team penetration testing exercises.
As for coming administration FISMA guidance to Federal agencies, DeRusha said, “I think you’ll start to see some changes” for 2022.
That guidance, he said, will take into account the priorities in the cybersecurity executive order, and then include requirements for metrics to measure success. Some of those, he said, will need to be “data collection exercises,” but the broader push will be for data about the sufficiency of security subjected to penetration and red-team testing.
That data, in turn, will inform the conversation on “how are you addressing what you’re finding, what is it leading towards [regarding] new investments that you need to make, and how do we support those investments or barriers to success that you’re facing,” he said.
Enterprise View, TMF Funding
DeRusha emphasized how the administration is trying to address cybersecurity threats and risks at the governmentwide enterprise level, and how the government can “lift all ships” on the security front.
“As the Federal CISO, I need to view the Federal government through an enterprise lens, and across government, we’re working hard to solve a lot of the same problems,” he said. “That means we really need to be thinking about the strategies to improve cybersecurity as a whole and have an enterprise mindset to be successful.”
On the cybersecurity executive order writ large, DeRusha said that the Office of Management and Budget (OMB) is due to issue policy guidance to Federal agencies beginning later this month. “That’s something that we’re working very hard on right now,” he said.
With developing Federal policy aiming to create a roadmap for agencies to improve security, part of agencies’ subsequent work with OMB, he said, will be to develop “sound, multi-year” plans to invest in implementation efforts.
“One of the things that we’ve struggled with for many years” is “the sufficiency of funding for cybersecurity,” DeRusha said.
“If we can get to a point where we agree that the strategy is adopting the right framework, emphasizing the right capabilities, describing the right outcomes at each maturity level, and then choosing the right starting points for agencies to go onto this road, we will have something that we can start assessing,” he said.
“There will be opportunities to fund these through agency budgets by baking them into their budgets,” he said, adding that “the Technology Modernization Fund is a really good vehicle to start investing.”
“But to achieve success here, it’s really going to be a journey throughout an entire organization, requiring senior leadership sponsorship at the agency head level, governance, tight alignment with the CFO within the agency and with OMB on the budget side, [and] a skilled workforce to implement,” he said. “There’s a lot of core variables in the pieces here that need to come together,” DeRusha said.
Speaking of funding activity, he said the TMF has been “chugging really hard in ensuring that projects … moving forward to the final phase have the highest probability of success, the highest value to the public,” and measurable security outcomes.
He said the TMF board was continuing to accept proposals to distribute its more than $1 billion in available funding and encouraged agencies to make funding proposals.
Some agencies, he said, “may be waiting to see some of our zero trust guidance come out, which I think is reasonable, but it is also reasonable given the state of affairs … to form your plan now and then work with the board to adjust and add flexibilities as OMB guidance starts to come out. So I don’t think agencies need to wait.”