Agencies have seen a deluge of new guidance and standards released since President Joe Biden’s May cybersecurity executive order, and a top White House cyber official says the government is now shifting into the execution phase of the sprawling directive.
Since the order was issued six months ago, the National Institute of Standards and Technology has released a definition of “critical software,” and the White House has directed agencies to identify all such software on their networks.
The White House Office of Management and Budget also released a draft zero trust strategy, outlining the security architecture that underpins the executive order’s push to overhaul federal cybersecurity practices.
Agency zero trust implementation plans were due earlier this month. OMB has also issued separate directives on endpoint detection and logging requirements.
Those are just a few of the policy documents released since the EO was signed. Chris DeRusha, federal chief information security officer at the White House Office of Management and Budget, said it’s time to start executing on those plans.
“We’ve got a lot of the policy direction set, implementation plans in place, and now it’s just execution,” DeRusha said during a Nov. 18 conference hosted by Palo Alto Networks. “And so we’re really shifting into that phase of, how do we ensure that agencies are resourced to achieve these ambitious goals? And how do we help them along the way, you know, using all of our tools here in the White House.”
DeRusha said identification of assets and detection of vulnerabilities are crucial components of the administration’s zero trust strategy, as well as forthcoming Federal Information Security Modernization Act guidance for 2022.
Earlier this month, the Cybersecurity and Infrastructure Security Agency also released a binding operational directive requiring agencies to patch a catalog of known exploited vulnerabilities. Agencies had two weeks to patch vulnerabilities assigned CVE identifiers this year, and six months to remediate those identified between 2017 and 2020.
OMB is focused on ensuring agencies aren’t just aware of the vulnerabilities that are on their networks, but also have the resources to remediate them, DeRusha said.
“I don’t think it’s fair to continue to have a model where security teams discover things, dump them on the laps and say, ‘Now my job is done, and I’m going to track your progress,’” DeRusha said. “We really have to think about the creation of these programs in aggregate, and all the way through to, how do we get the successful outcome. And that means oftentimes, ensuring a plan is in place to at least give that remediation assistance along the way.”
US cyber service?
DeRusha also said he’s “actively exploring” whether to establish a cybersecurity service akin to the U.S. Digital Service. The USDS was established during the Obama administration and brings in technology talent from the private sector to do short tours of duty working on technology modernization issues.
“I don’t think it needs to be exactly the same as what we see on the USDS side, but they’ve learned a lot and they’ve got a really good model in place where they get lots of high skilled technical talent to come do a tour of duty into our service,” DeRusha said. “I think that’s the thing that we want to tap into, is what model should we create on this side to get that same spirit of interest in serving?”
DeRusha said he also wants to ensure the program is deployed in a way that’s “needed and useful.” He said it would be tailored to agency requirements.
“It really needs to be organic, with the agencies explaining to us what they need, and then us building a solution for that,” he said.
A new dual-hat
The federal CISO was also recently given a second title as deputy national cyber director for federal cybersecurity within Chris Inglis’ new office at the White House. As the national cyber director, Inglis serves as “a principal advisor to the president on cybersecurity policy and strategy, and cybersecurity engagement with industry and international stakeholders,” according to the White House.
Inglis has said his new office is looking to bring “unity of effort” to U.S. cybersecurity efforts. DeRusha said his new dual-hatted position brings benefits to both the new cyber office and OMB.
“OMB gets the benefit of the resources and the platform that is being built within the NCD, and NCD has the benefit and direct conduit now into OMB’s budgetary management decision making process,” he said. “So it’s a really good partnership.”