Federal CISO Chris DeRusha said today that the ongoing solicitation of Federal agency bids for money from the Technology Modernization Fund (TMF) is drawing a lot of interest in security-related projects – one of the four primary areas that the TMF Board identified earlier this year as ones it would prioritize as it works to deploy up to $1 billion of new funding capacity from the American Rescue Plan Act.
In May, the TMF Board asked Federal agencies to submit project proposals by June 2. The board said it would give the highest priority consideration to proposals that modernize “high-priority” systems, improve cybersecurity, boost public-facing digital systems, and create cross-government services and infrastructure.
Speaking on July 20 at Google Cloud’s Government Security Summit, DeRusha said “we’ve seen a lot of really interesting agency projects coming in as proposals” for TMF funding, with “a huge focus on security.”
“The [TMF] board is prioritizing these projects … particularly the ones that have security outcomes, cut across agencies, [and] improve the public’s ability to access government services,” he said. “There are a lot of good themes here.”
“But the really exciting thing is that the [new] funds are giving us an opportunity to drive our strategic focus out of the gate, and illustrate the tone for the types of investments that we’d like to see,” he said. DeRusha added that the effort is also helping Federal officials learn “some valuable lessons by doing what we can to integrate those lessons learned into the entire Federal IT portfolio.”
Cybersecurity Order Updates
Speaking about President Biden’s cybersecurity executive order issued in May, DeRusha explained that the order’s push for Federal agencies to move to zero trust security concepts is crucial as the government works to “protect ourselves from all types of attacks because unfortunately, the vectors are going to continue to shift and the types of incidents are going to continue to shift.”
“What that means is we need a paradigm shift ourselves in how we approach cybersecurity across the board,” he said of the order’s focus on zero trust.
Zero trust security concepts, he said, embody the philosophy of “assuming everyone and everything is untrustworthy, until proven otherwise, by verifying every user, validating every device, and limiting access to knowledge.” He added, “there are a lot of other capabilities in play, but I do find boiling it down to these privileged principles is a helpful starting point.”
DeRusha ticked off several important initial milestones of the executive order, including setting a 60-day deadline for agencies “to really develop their own maturity assessment capability, and talk about where they’re moving on their own strategy.”
“We also tasked ourselves and the Office of Management and Budget (OMB) with drawing up a cloud security strategy with a strong focus on implementing zero trust,” the Federal CISO said. “Finally,” he said, the Cybersecurity and Infrastructure Security Agency (CISA) “is helping them truly model reference architecture so all of these things together.”
Those steps, he said, “really are going to help us define the path for agencies, which is something that I do believe we can really add value on this moment.”
The Federal government, he said, has been working “for years” on moving toward zero trust concepts and continuous monitoring of networks. “Our goal in the executive order is to really sort of tie all of this together and help agencies bring these capabilities into a final roadmap” to drive further planning and investments.
DeRusha also talked about putting in place advances in how the effectiveness and progress of Federal civilian cybersecurity efforts are measured.
“There are a couple of things that we’re looking at for concepts of tested security, which is simply validating that systems are secure and relying less on self-attestation, so that means looking at the risk surface from the lens of our adversaries to prioritize and addressing those risks first,” DeRusha said. He added that security automation is also high on the list.