Critical Update: The Federal CISO Is Prioritizing Flexibility for Agencies

In a new age of cyberattacks, Chris DeRusha says agencies must have more room to implement practices that enable constant vigilance.

It’s almost that time again. Every fall agencies wait for the Office of Management and Budget to release instructions on how they should shape annual reports they have to make on the state of their information security. But this time the process is happening after two massive intrusions compromised several government agencies and there will be some important changes.

Federal Chief Information Security Officer Chris DeRusha told Nextgov’s Critical Update the biggest thing agencies can expect going forward is an understanding of how demanding the current reporting process is and an appropriate narrowing of the scope of things they have to focus on at any given time.

Agencies are required to report to OMB on their information security under the Federal Information Modernization Act. They review their posture against hundreds of controls described for various functions in the National Institute of Standards and Technology’s cybersecurity framework.

DeRusha believes paring down the list of things agencies are reviewing to the most essential functions satisfied by practices like continuous monitoring will yield better results than previous years’ efforts on that front.

“It’s been a goal for a while, but we’re doubling down on that and making sure that we’re giving agencies some space to be able to focus on that,” he said. “And that’s going to mean maybe asking them less often about all of their control implementations … We won’t necessarily review all controls every year. We’re going to focus on a subset.”

Along with continuous monitoring, the FISMA 2022 guidance will cover things like penetration testing—part of a class of operations referred to as “red teaming.”

“We call this ground truth testing or tested security, whatever you want to call it,” he said. “We’re looking at red teaming, pen-testing, vulnerability disclosure programs, smart patching based on threat intel. … These are high-impact activities.”

And mindful of the various levels of resources available to individual agencies, DeRusha said the FISMA guidance will continue to reflect the approach OMB took in developing guidance on the implementation of zero trust programs, as required by a major executive order issued in May.

To address the fact that agencies are in very different places along the road to implementing modern cybersecurity practices, DeRusha said, “One of the things you can do is you can leverage capability, maturity models. I’m a big believer in that.”

“You’re … going to see us in the FISMA 22 metrics and guidance take a similar approach where we’re going to really try to assess the maturity level of some key capabilities, the controls and the security activities, that are getting outcomes,” he said.

The conversation with DeRusha also hits on his transition from other CISO jobs and why he doesn’t see a new Federal Acquisition Security Council as the be-all-end-all for supply chain security, especially after the attacks on IT management firm SolarWinds and Microsoft Office 365’s on-premises servers.

Listen to the full episode below or download from Apple Podcasts, Google Podcasts or your favorite platform.

Source: https://www.nextgov.com/podcasts/2021/10/critical-update-federal-ciso-prioritizing-flexibility-agencies/186364/