Federal Chief Information Security Officer Chris DeRusha said today that the core capabilities of the Continuous Diagnostics and Mitigation (CDM) program are foundational to moving Federal government network security toward zero trust concepts, and that implementing the program only becomes more important as cyber threats increase.
Delivering a keynote address at MeriTalk’s CDM Central: the Age of Cyber Defenders virtual conference on May 12, DeRusha recapped the CDM program’s four core capabilities – asset management, user and access management, network security management, and data protection management – and said that “focusing on these fundamentals is absolutely critical.”
Running through the list of high-profile cyber assaults that have come to light in recent months, DeRusha said, “we can talk all about the latest attacks … but we’ve got to get the fundamentals right.”
“As we move toward concepts like zero trust, I would say that getting precise implementation of these core capabilities that we’re talking about in CDM has only grown in importance when we realize what we’re going to need to do, and really get granular about that with zero trust architecture and principles,” the Federal CISO said. “A lot of those capabilities … we’ve been working on, and making great progress on, so I’m excited about that,” he said.
“Zero trust is a road to travel, and it’s a goal, but it’s really important, and something that we’re going to be talking a lot about,” DeRusha said.
DeRusha also explained that he was involved with the inception of the CDM program in 2012, and acknowledged that while the program is challenging for agencies to implement, the fruits of that labor are well worth the effort. “It’s definitely a big challenge [and] is becoming more and more important that we get this right together,” he said.
The Federal CISO also said he was looking forward to full deployment of the latest generation of CDM dashboard technology, at both the agency and the Federal levels.
“I don’t know about you, but I’ll tell you the past few years learning how I can manage security problems using business intelligence tools and using data visualization and being able to take the top-line picture and drill down to the specific area where my problem lies … and then be able to ask smart questions … has been game-changing,” he said.
The upgraded dashboard ecosystem, he said, “really will help shape the direction that I’d like to move … dashboards are critical to that.”
Speaking of the Federal-level dashboard, DeRusha said, “that is of great interest to … ensuring that we’re getting this regularly updated view of the cybersecurity posture across the Federal government.” He added, “When you look at the events that we’ve faced over the past four months, it’s just crucial. We have to figure this out, we need to do it fast.”
DeRusha said that the Office of Management and Budget (OMB) is working with the Cybersecurity and Infrastructure Security Agency (CISA) on “what may need to be adjusted” regarding the dashboards. He also applauded an ongoing data quality management program focused on generating standardized data from agencies to the Federal dashboard. “Obviously that’s something that together we need to build with agency feedback and input, and get it right,” he said.
“Getting the Federal dashboard vision fully implemented, it’s going to take effort by all of us here,” he said. “We need to figure it out because we’ve got to quickly correlate these threats across the Federal enterprise.”
“This is, in my view, the best way that we can do that through the CDM program, and through these dashboards, [and] is I think the best shot we’ve got of realizing that that vision of enterprise risk management, which in my job is really what I’m after,” he said.
Cloud Security Outlook
DeRusha also talked about the continuing migration of Federal systems to cloud services, and the security implications of that shift. For the Federal government, he said, “we can move in that direction, and we can get some of those benefits, but we’ve got to do it securely and we’ve got to make sure people are deploying security configuration baselines [and] they understand what those are.”
Making sure “that we’ve got the whole security model in place for cloud is something that’s a focus area,” he said.
“What I love about the CDM model, overall, is that we can continue to learn … we can make adjustments to the program, we can make adjustments to the delivery model, and we can do all this to keep pace with advances in the technology that’s coming,” he said. “We can continue to bring the new technology in and keep it updated. And we can also add new priority capability areas … as we can and will continue to learn lessons.”
Being able to adjust quickly, he said, improves the government’s ability to meet changing tactics employed by attackers. “We’re going to need to do that, it’s pretty obvious now I think after the events of the past few months,” he said.
The Federal CISO also endorsed possible changes to the Federal Information Security Modernization Act (FISMA) of 2014 but did not get into much detail about what changes may be needed. Describing the law as the vehicle that orders Federal agencies to implement cybersecurity strategies and programs, DeRusha noted that a lot has changed since 2014.
“We do agree with our congressional colleagues who are looking to kind of open that up and take a look at it and make some potential updates,” DeRusha said. “We’re looking forward to working with Congress on that this year.”
Earlier this week, the chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee called for FISMA changes in areas including the degree to which Congress should be notified about major cybersecurity incidents.
Commenting generally on the pace of security tasks, DeRusha said, “I think it means right now a lot of sleepless hours and a pretty never-ending to-do list if your experience is anything like mine.” Referring to recent high-profile attacks, he said, “there’s a lot of new work put into place for the Federal teams that are managing networks.”
“Whether you’re a Federal employee or a contractor or one of the vendors … that supports the Federal ecosystem, I really appreciate everything you’ve been doing,” he said. “It takes this fully committed group of people that are joining here today, working together to make sure that we as a Federal government and our critical infrastructure partners are able to deliver the services to the American public that are needed.”