As both Federal chief information security officer and the deputy National Cyber Director, Chris DeRusha has a lot of visibility into Federal efforts to boost cybersecurity. At the AWS Summit in Washington, D.C., today, DeRusha expressed pride in the Office of Management and Budget’s (OMB) Zero Trust strategy, while also acknowledging that the policy represents only the beginning of zero trust implementation across Federal civilian agencies.
DeRusha said that while the plan is just a starting point, the input he has received from industry – along with the interest he’s seen across the Federal government – has made him hopeful for the future of zero trust architecture implementation at the Federal level.
“The way that I think about strategy is it’s a few things,” DeRusha said. “It’s not the full plan; it’s the beginning. It’s one of the readiness activities where we act as the Federal government and [say] what we need to do to get to that first baseline level of maturity in all the services and capabilities.”
DeRusha said that the Federal Zero Trust Strategy elicited a lot of industry feedback, including what he estimated were 130-140 independent submissions during the public comment period.
“One of the things that I think our office is most proud of is we put a lot of policy in this zero trust strategy, in large part because we built it together with industry,” DeRusha said. “People generally aren’t that interested in government policy.” He said the policy benefited from corporate and security research input, and that OMB “listened to whatever we could.”
With all the feedback and the strategy in place, OMB is now able to build out the policy across all agencies and, once all agencies hit a benchmark metric, will be able to review and analyze the lessons learned from the first phase of implementation, he said.
Between the zero trust strategy memo and President Biden’s executive order on cybersecurity, DeRusha said everybody in the Federal government is generally headed towards zero trust architectures. He called that mass shift towards understanding what the strategy means one of the “key benefits” of the memo.
Learning With Help From CISA and TMF
While DeRusha said the strategy – along with the COVID-19 pandemic – is pushing zero trust adoption forward, challenges and barriers to adoption remain. In order to overcome some of those, DeRusha said the Federal government is “leaning on” the Cybersecurity and Infrastructure Security Agency (CISA) for help.
The Federal CISO said that with help from CISA, his office has repurposed a CISA cybersecurity training program to completely revolve around issues included in the cyber EO.
“We just refabricated that whole program to be all about [cyber] EO support,” he said. “The highest level [of attendance] we’ve ever had was with the zero trust workshops and like 700, 800 people.”
He said that marked more than double the most interest he had ever seen in a CISA-led workshop.
DeRusha – who in addition to his dual roles at OMB and NCD also sits on the board of the Technology Modernization Fund – said that the early implementers of zero trust work funded by the TMF are also helping him learn how agencies are doing with implementation.
“We have regular oversight meetings [for those TMF zero trust projects] … and we’re learning,” he said. “And that’s really helpful because you don’t always get that granular when you’ve got 100-plus agencies. I want to know how that’s going, how it’s working because everybody needs the exact same thing.”
“We’re building out to implementation, and if we can have some higher level policy prescriptions, do things maybe centrally, or we can have more orders that can be centralized, or – once we determine where all the common requirements are for the journey – where agencies are struggling and don’t have enough skill sets, then maybe we have some new approaches to giving those orders,” he said. “We don’t have to have every agency learn on its own.”
“It’s going to be a journey,” DeRusha concluded. “It’ll be challenging, and I think the first thing is just being humble about it. You’ll never get one of us to walk here and say, ‘We’re going to have zero trust in two years.’ That’s a ridiculous statement. But we’re going to make some real progress.”