Cyber Leaders Exchange 2023: OMB’s Chris DeRusha on tactical zero trust progress, culture change

The government’s federal chief information security officer shares progress update on where agencies stand on implementing phishing-resistant multifactor auth...

The Biden administration’s zero trust strategy and implementation plan is filled with objectives and deadlines. The 19 actions help outline the North Star that agencies must strive for over the next year.

“The real change that the Office of Management and Budget is driving through this new approach to cybersecurity has little to do with technology or even new capabilities. It has more to do with cultural changes taking hold,” said Chris DeRusha, the federal chief information security officer, during Federal News Network’s Cyber Leaders Exchange 2023.

“My favorite thing to hear sometimes from a chief information officer or a chief information security officer is, ‘I’m doing this because it’s the right thing, and I want to do it — and not because you told me.’ That’s great actually because it means that we are on the right path, and we got it right,” DeRusha said.

“I think we got it right because we did engage the community before we wrote it, before we issued it, and we did public comment. By and large, it’s getting traction because it is what agencies want to be focusing on. It put structure around their effort. It put timelines and put pressure, and it’s gotten us more money than I think we would have gotten without it.”

The culture change isn’t just happening among CIOs and CISOs, he added. Agency deputy secretaries and other leaders have bought into the importance of zero trust too.

DeRusha said OMB is holding agencies accountable at senior levels through the CISO Council and through the President’s Management Council, which is made up of deputy secretaries and other deputies.

“We have at least a couple opportunities a year to get in there and talk to the PMC. We’re looking at risk management type of stuff there and that covers a pretty broad gamut,” he said.

DeRusha has found the council’s candid feedback useful in creating guidance that’s clearer and more helpful.

Zero trust focus extends beyond CISO teams

The attention around the implementation of zero trust isn’t just limited to agencies. Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology on the National Security Council, also is talking to deputy secretaries and other leaders about the changes and why they are so important.

“What happens is those deputies start getting regularly briefed because they’re going to be ready for the next meeting. It gets into their standard briefing process,” DeRusha said. “We definitely hear that from the CIOs and CISOs when we ask. We hear, in most cases, that they’ve got at least a monthly or sometimes quarterly, but usually monthly meeting where they’re briefing their deputy and showing their dashboards and talking about the barriers.”

These discussions and attention have led to agencies requesting more money for zero trust activities.

By OMB’s calculation, agencies requested about $5.5 billion in total for cybersecurity in the fiscal 2024 budget, DeRusha said.

“What’s important about that is what’s behind that number, and what’s behind that number is a system of data collection. Not only do we have the strategy, we have agency implementation plans, and we have budget data calls that go out to the agencies, or they’re required to map their cyber investment requests around those different categories,” he said.

The budget requests from agencies detail specific spending plans against roughly 40 cyber capabilities that the federal CISO team clearly defined and aligned to the zero trust pillars, DeRusha said. “We’re able to actually visualize what we’re talking about, and year-over-year not just have the business intelligence aggregated top view of it, but we’re able to drill down in each agency to that layer.”

Cyber budgets face tough path for 2025

DeRusha said that budget breakdown lets OMB ask smarter questions about investments and where agencies need the most help.

Work is just beginning on fiscal 2025 budget requests, and DeRusha said the cyber data is helping identify priorities. But the administration also knows that agencies will have to make some trade-offs in the 2025 request that they didn’t have to make the past few years.

“We’re eyes wide open to that, and I think the good thing for us is because we’ve been working on the data for a couple years now, we’re fairly well positioned to have good judgments on where do you just need a little bit more to get over the hump on ‘X.’ I’m just hoping that as we get into this, that’s going to be what guides us through this cycle,” he said.

“I don’t want to get ahead of the budget request, but none of us responsibly are predicting that we’re going to get what we did the last two years,” he said, noting that the government pumped $1.5 billion and then another $2.7 billion into cybersecurity for a 27% increase in federal cyber requests over two years.

“That’s pretty fantastic,” he said, adding that even with a tighter budget forecast, he predicts the government will continue to make the investments necessary to maintain its cyber posture.

All of this discussion about culture change and senior leadership attention is critical for the success of zero trust. But DeRusha said OMB isn’t losing sight of the tactical progress taking place, particularly around technologies like multifactor authentication, encryption and single sign-on.

DeRusha said OMB found most agencies have overwhelmingly implemented multifactor authentication at the network layer and are moving toward implementing phishing-resistant MFA as well.

Pushing federal zero trust protections to the app layer

But he said the challenge now will be to move these technologies down to the application layer and to continue the shift away from the traditional perimeter security.

“A big principle of the zero trust strategy is we’ve got to have this as you authenticate into all these critical resources individually — to have that segmented approach of protection,” DeRusha said. “We are making a lot of progress, but also there are some hard use cases where there are some laggards or maybe there’s old contracts in place that need to be updated and maybe the vendors are requiring new funds to implement it. We’ve put money toward this, but still, in certain cases, projects need to be planned.”

A key goal is for agencies to do more to stop bad actors in their tracks. That is why the zero trust implementation strategy emphasizes data encryption at rest and in transit along with the phishing-resistant MFA.

“We’ve also been measuring and tracking the progress of logging and endpoint detection and response capabilities. So there are quite a number of things that we’ve been tracking progress on,” DeRusha said. “We know our adversaries are going to keep innovating, and you’ve got generative artificial intelligence — and new trends will continue to come.”

There’s no finish line, he pointed out. But the government is on a good path and moving in the right direction, he said. “We are in a far better position than we were.”

Agencies still have a year before the initial set of deadlines comes due. OMB intends to continue to help agencies push through and advance their cyber postures.

“In the end, where there’s still challenges, those are at least known now to the agencies so that they can manage that risk, accept it or make new investments around addressing it,” DeRusha said. “Overall, we are making a lot of progress tactically, but culturally, is the most important thing here. But I predict we’re going to stay on this path because it’s one that everybody sees is the right path.”

For more on cyber tips and tactics, visit the Federal News Network Cyber Leaders Exchange 2023 event page.
