Federal CISO Archives | FedScoop
https://fedscoop.com/tag/federal-ciso/

DeRusha stepping down from federal CISO role
https://fedscoop.com/chris-derusha-leaving-federal-ciso-omb-oncd/
Tue, 14 May 2024 19:48:50 +0000

He’s also leaving ONCD, where he’s served as deputy national cyber director.

The post DeRusha stepping down from federal CISO role appeared first on FedScoop.

Chris DeRusha is exiting his role as federal chief information security officer after more than three years on the job, the Office of Management and Budget confirmed Tuesday.

DeRusha, who was appointed to the federal CISO position in January 2021, played a critical role in the development of the White House’s artificial intelligence executive order, in addition to the Biden administration’s 2021 executive order on cybersecurity and the corresponding national cybersecurity strategy and implementation plan.

“Since day one of the Biden Administration, Chris has been instrumental in strengthening our nation’s cybersecurity, protecting America’s critical infrastructure, and improving the digital defenses of the Federal government,” Clare Martorana, federal chief information officer, said in a statement. “I wish him the best, and know he will continue to serve as a leading voice within the cybersecurity community.”  

As the federal CISO, DeRusha oversaw the 25-member council of his chief information security officer peers and spearheaded the protection of federal networks, while also managing agencywide implementation of multifactor authentication and supporting the coordination of the nation’s broader cybersecurity as the deputy national cyber director. 

DeRusha will also leave behind that role, the Office of the National Cyber Director confirmed.

“From the beginning of the Biden-Harris Administration, and even before, Chris DeRusha has been a steady, guiding leader,” National Cyber Director Harry Coker Jr. said in a statement. “As Deputy National Cyber Director with ONCD — while continuing his excellent work as Federal CISO — he has been a trusted and valued partner. 

“Chris’s keen insights, experience, and judgement have been integral to the work we’ve done and what we will continue to do to strengthen our Nation’s cyber infrastructure. I’m grateful for his commitment to the American people and to the Biden-Harris Administration. All of us at ONCD wish him the very best in his next chapter,” Coker added.

Speaking during Scoop News Group’s CyberTalks event last November, DeRusha touted the White House’s coalition-building efforts and “meaningful cooperation” as a means to reaching its overarching cybersecurity goals.  

“We cannot achieve any meaningful progress on managing cyber risk as one nation,” DeRusha said. “And this administration is definitely committed to working with our like-minded partners on shared goals.”

A month earlier, during the Google Public Sector Forum, DeRusha said that after “decades of investments in addressing legacy modernization challenges,” the Biden administration was poised to address “massive” long-term challenges on everything from AI strategy to combating ransomware. 

“We’ve taken on pretty much every big challenge that we’ve been talking about for a couple of decades,” DeRusha said. “And we’re taking a swing and making” progress.

Prior to his current stint with the federal government, DeRusha served as CISO for the Biden presidential campaign and stayed on with the transition team’s technology strategy and delivery unit. DeRusha had previously worked as the CISO for the state of Michigan.

OMB did not reveal DeRusha’s last day or where he is headed next. 

Federal News Network first reported the news of DeRusha’s departure.

Federal agencies take ‘most important’ first step with inventorying cryptography ahead of quantum migration, OMB official says
https://fedscoop.com/federal-agencies-take-most-important-first-step-with-inventorying-cryptography-ahead-of-quantum-migration-omb-official-says/
Wed, 06 Dec 2023 17:47:26 +0000

"For the first time in history, the civilian government, we have a comprehensive inventory of our asymmetric cryptography across all the agencies and their critical systems," said Nick Polk, senior adviser to the federal CISO.

The post Federal agencies take ‘most important’ first step with inventorying cryptography ahead of quantum migration, OMB official says appeared first on FedScoop.

Federal agencies, on a journey over the next decade-plus to shore up their systems before the arrival of quantum computers, have made progress in starting to understand the scope of their legacy cryptographic encryption that will need to be replaced, according to a senior Biden administration cybersecurity official.

“For the first time in history, the civilian government, we have a comprehensive inventory of our asymmetric cryptography across all the agencies and their critical systems,” Nick Polk, senior adviser to the federal CISO, said Tuesday at GDIT’s Emerge Quantum event, produced by FedScoop.

Scientists and researchers have predicted that as cryptanalytically relevant quantum computers come into existence, they will be capable of breaking the public-key cryptography used in encryption across much of the world today. As such, the Biden administration in 2022 issued National Security Memorandum-10 acknowledging the threat and setting a course of action to protect against it by migrating to post-quantum cryptography. Subsequently, the Office of Management and Budget issued guidance last fall setting requirements for federal agencies to complete that migration by 2035.

Looking back on the time since those policies were issued, Polk pointed to inventorying as the “biggest area of progress we’ve seen and the most important.”

“So, this inventory that, you know, sounds like … we have a spreadsheet of cryptography, is really critical because now the agencies have a baseline for understanding where that cryptography is in all their systems,” Polk said.

Earlier this year, FedScoop reported on agencies’ progress in meeting an early deadline to inventory their encryption systems — a process that will happen every year through 2035 as required by the guidance — and found mixed results.

Acknowledging that, Polk said: “We didn’t get it perfect the first time.” But that’s why it’s an “iterative process” that will improve each year.

“What it has given us is, you know, essentially, the foundation for the roadmap that agencies are going to be creating once [the National Institute of Standards and Technology] does release their post-quantum cryptography standards to actually program out and plan out their migration to PQC,” he said, referencing NIST’s forthcoming quantum-resistant cryptographic algorithms — three of which should be officially released next year.

Beyond working with agencies on inventorying, OMB is also working to figure out how much money agencies will need to complete this migration, and Polk claimed there’s been some iterative progress there as well.

“This is going to be a costly endeavor. And so we need to figure out, you know, how we can actually effectively represent that cost requirement in the president’s budget request over the next 10-12 years,” he said.

A major part of this, Polk explained, is exploring “how we can use the purchasing power and the kind of tech ecosystem stewardship of the federal government to work with different private sector partners to actually … make sure that cost is accurately represented in contracts or different services the government uses.”

FISMA reform bill advances in Senate
https://fedscoop.com/fisma-reform-bill-advances-in-senate/
Wed, 26 Jul 2023 20:53:54 +0000

The long-awaited bill seeks to improve cybersecurity coordination between agencies and codify the role of the federal CISO.

The post FISMA reform bill advances in Senate appeared first on FedScoop.

Bipartisan legislation to improve cybersecurity measures across the federal government has moved forward in the United States Senate.

The Federal Information Security Modernization Act of 2023 on Wednesday passed mark-up by the Senate Homeland Security and Governmental Affairs Committee, and will now be debated by lawmakers on the floor of the upper chamber.

The long-awaited reform bill seeks to improve coordination between the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director, as well as other federal agencies and contractors.

If enacted, it will also codify the role of the federal chief information security officer, who would work within the Office of the Federal CIO.

The legislation provides additional authorities to CISA for responding to cyber breaches on federal civilian networks and also codifies aspects of President Biden’s Executive Order on Improving the Nation’s Cybersecurity.

HSGAC Chair Gary Peters, D-Mich., and Sen. Josh Hawley, R-Mo., are sponsoring the Senate bill. Companion legislation is being led through the House by Reps. James Comer, R-Ky., and Jamie Raskin, D-Md., chairman and ranking member of the Committee on Oversight and Accountability, and Reps. Nancy Mace, R-S.C., and Gerry Connolly, D-Va.

Commenting on the bill, Sen. Peters said: “This bipartisan, bicameral bill will modernize federal cybersecurity standards and ensure that government systems – and the information they store – are safe and secure.”

Sen. Hawley said: “I am encouraged Congress is taking bipartisan action to improve and modernize the cybersecurity of the federal government. As cyberattacks continue to expose federal technology vulnerabilities, particularly from foreign adversaries like the CCP, it is imperative we bolster our cybersecurity networks and defend our national security.”

Christopher Adams to join Treasury as CISO of Departmental Offices bureau
https://fedscoop.com/christopher-adams-to-join-treasury-as-ciso-of-departmental-offices-bureau/
Mon, 12 Sep 2022 20:07:06 +0000

A spokesperson confirmed the appointment and said the IT leader will start work on Oct. 10.

The post Christopher Adams to join Treasury as CISO of Departmental Offices bureau appeared first on FedScoop.

The Treasury Department will next month install Christopher Adams as Departmental Offices bureau CISO, as it works to strengthen its cybersecurity program.

A department spokesperson confirmed the appointment to FedScoop and said the IT leader would start work in the new role on Oct. 10.

The Departmental Offices bureau at Treasury provides leadership in economic and financial policy, terrorism and financial intelligence, financial crimes, as well as general management.

Adams will bring over 15 years of IT experience to the role. According to LinkedIn, he spent more than a decade within the U.S. Air Force, including a stint as the chief information officer of the National Space Defense Center. He also spent more than a year in the private sector as a senior cybersecurity specialist at telecom giant AT&T.

The mission of the cybersecurity program at the Treasury Department is to develop and implement security policies to secure the federal government’s financial infrastructure. These include the production of coin and currency, the disbursement of payments to the American public, revenue collection and the borrowing of funds necessary to run the federal government.

The Treasury Department has an $829 million cyber budget in 2022 and Congress is expected to increase this to approximately $970 million for 2023 based on the Treasury’s budget request.

Adams has received multiple master of science degrees in IT and digital forensics from Trident University International, according to his LinkedIn, and a bachelor’s degree in psychology from Chapman University.

Latest FISMA reform proposals would codify federal CISO role
https://fedscoop.com/latest-fisma-reforms-proposals-would-codify-federal-ciso-as-statutory-role/
Tue, 11 Jan 2022 21:10:47 +0000

The role is currently politically appointed but does not have statutory authority.

The post Latest FISMA reform proposals would codify federal CISO role appeared first on FedScoop.

New draft legislation to revamp the Federal Information Security Management Act includes language that would codify the federal chief information security officer as a statutory role.

Language included in new proposals would enshrine the presidentially appointed role in law and reaffirm the reporting line of the cybersecurity leader to the federal chief information officer.

The Office of the Federal CISO was created in September 2016 within the Office of Management and Budget. Since the start of the Biden administration, the role has been carried out by senior cybersecurity official Chris DeRusha, who has since also been named deputy national cyber director for federal cybersecurity.

The proposal comes as part of a discussion draft of new FISMA reform legislation released Tuesday by Reps. Carolyn Maloney, D-N.Y., the chairwoman of the House Committee on Oversight and Reform, and committee ranking member James Comer, R-Ky.

“There is established in the Office of the Federal Chief Information Officer of the Office of Management and Budget a Federal Chief Information Security Officer, who shall be appointed by the President,” the draft bill says. It specifies that the Federal CISO will work with the Federal CIO on a range of issues including cybersecurity strategy, information security and privacy.

The new legislation would also redouble agencies’ focus on the implementation of zero-trust security principles and also assign the responsibility for operational coordination in the aftermath of a cyberattack to the Cybersecurity and Infrastructure Security Agency. In addition, it would replace point-in-time risk management assessments with monitoring under the Continuous Diagnostics and Mitigation (CDM) program. The bill includes language intended to promote security principles like endpoint detection and response and vulnerability disclosure programs as well.

Lawmakers have repeatedly sought to reform FISMA since it was established in 2014 and in October last year proposed a bill that would update the legislation to require agencies to notify Congress of cyber breaches within five days.

The latest draft bill was discussed Tuesday at a hearing held by the Committee on Oversight and Reform. Testifying at the hearing, former Federal CISO Grant Schneider supported proposals included in the new draft bill that would clarify cybersecurity responsibilities across agencies.

“Since the last update to FISMA, Congress has established the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security as well as the National Cyber Director within the Executive Office of the President,” Schneider said. “These have been important additions to the federal cybersecurity ecosystem and require clarification of roles and responsibilities with respect to federal cybersecurity. I recommend Congress clarify the roles and responsibilities at a high level and direct the President to clarify them in more detail.”

During the hearing, Ross Nodurft, representing the Alliance for Digital Innovation, called for cybersecurity roles and authorities among federal agencies to be updated, along with cyber incident reporting protocols.

“As agencies modernize technology, move to cloud-based environments, take steps to enhance security, and migrate to zero trust architectures, oversight offices must also modernize the measurements used to track agency progress and measure security,” Nodurft said.

The Government Accountability Office conducted a recent audit of FISMA across government and found uneven implementation of cybersecurity policies and practices among federal agencies. Jennifer Franks, GAO’s director for IT and cybersecurity, shared the findings from that report as a backdrop for Tuesday’s hearing.

“For fiscal year 2020 reporting, IGs determined that seven of the 23 civilian Chief Financial Officers Act of 1990 (CFO) agencies had effective agency-wide information security programs. The results from the IG reports for fiscal year 2017 to fiscal year 2020 were similar with a slight increase in effective programs for 2020,” Franks said.

Federal CISO teases idea of a USDS-like program to attract cyber talent
https://fedscoop.com/federal-ciso-teases-idea-of-a-usds-like-model-to-attract-cyber-talent/
Thu, 18 Nov 2021 19:25:13 +0000

Chris DeRusha says he is toying with the idea of a tour-of-duty model to attract cybersecurity talent to government.

The post Federal CISO teases idea of a USDS-like program to attract cyber talent appeared first on FedScoop.

The federal government needs cybersecurity talent embedded at agencies to help stand up the administration’s vision for a zero-trust architecture, and Federal CISO Chris DeRusha said he’s considering a tour-of-duty model akin to what the U.S. Digital Service employs to attract that talent for short stints.

DeRusha said during Palo Alto Networks’ Ignite ’21 event that he and his team at the Office of Management and Budget are “actively spending time trying to find new models” to attract cybersecurity talent to join the government and he pointed to USDS’s “tour-of-duty” model as an example of how the federal government can attract tech specialists to work with the federal government for short terms, typically less than two years.

The idea is that such a team would deploy “on-the-ground support … similar to what you see with U.S. Digital Service model, what they do for delivery,” DeRusha said. “Not fully the same model, but can you come up with something that looks like that for the cyber security side is something that we’re actively exploring.”

DeRusha credited USDS as a “really good model” because it not only attracts top technical talent to the federal government but also because it takes a user-centered approach when working with agencies.

“They get lots of highly skilled technical talent to come do tours of duty and tours of service. I think that’s the thing that we want to tap into is what model should we create on this side to get that same spirit of interest in serving?” he said. “And then how do we effectively deploy it in a way that is needed and useful, that we don’t make assumptions? And we don’t want to say you need ‘x’ and then find out that we were wrong. It really needs to be organic, with the agencies explaining to us what they need, and then also building a solution for that.”

As DeRusha — now dual-hatted as deputy national cyber director — leads the administration’s work to modernize cybersecurity under the recent cybersecurity executive order, he said building a strong cyber workforce is an integral part of a “three-legged stool,” along with strategy and funding, needed to implement cyber reforms.

“And if you don’t have any one of those three working symbiotically, it’s going to be really hard to make progress,” he said.

DeRusha is far from the only one in government exploring ways to narrow the cybersecurity skills gap in government. Earlier this week, the Department of Homeland Security launched a new system of its own to enable more effective recruitment, development and retention of cybersecurity talent.

Technology Modernization Fund support awarded to 7 new agency IT projects
https://fedscoop.com/technology-modernization-fund-support-awarded-to-7-new-agency-it-projects/
Thu, 30 Sep 2021 12:30:00 +0000

GSA, OPM and the Department of Education are among the recipients of a $311M distribution from the central fund.

The post Technology Modernization Fund support awarded to 7 new agency IT projects appeared first on FedScoop.

The Technology Modernization Fund Board on Thursday announced seven new projects in its first round of awards for agency IT modernization since the fund received a $1 billion infusion as part of the American Rescue Plan.

The Office of Personnel Management, General Services Administration and the departments of Homeland Security and Education will receive support for new proposals through the distribution, which in total hands out $311 million to agencies for projects largely focused on addressing cybersecurity, data privacy concerns and the move to zero trust. The board did not reveal the repayment terms for each project.

It is the seventh funding round since the TMF was established and responds directly to the Biden administration’s cybersecurity executive order, which mandated federal agencies to make rapid improvements in digital security.

OPM will receive $9.9 million in support for a zero-trust networking project, which is focused on protecting the privacy of two million civilian federal employees whose data is housed at the agency.

GSA has received a total of $231.4 million for three separate projects. The agency has been given $29.8 million to improve its zero-trust architecture, and $187.1 million to improve digital security at federal government authentication service Login.gov. It will also receive $14.5 million to support the rollout of interagency collaboration site Max.gov.

DHS will receive $50 million in support for a technology integration program intended to “more efficiently, effectively, and humanely process noncitizens encountered at our Southwest Border.”

The Department of Education has been awarded $20 million to assist with the adoption of zero-trust architecture, which the department says will help to protect the data of over 100 million students and borrowers that it supports.

The TMF board has also selected one classified project, for which no further funding details were available.

Commenting on the awards, Federal CIO Clare Martorana said: “The $1 billion for the Technology Modernization Fund was provided in the American Rescue Plan for essential emergency relief, and is a vital part of the administration’s response to the COVID-19 pandemic and the significant cybersecurity incidents impacting federal operations.”

“The administration is maximizing the flexibility of the TMF to modernize high-priority systems, elevate the foundational security of federal agencies, accelerate the growth of public-facing digital services, and scale cross-government collaboration and shared services. These first ARP awards represent a set of strategic investments to improve technology at scale across all of these areas,” she added.

The TMF in March received $1 billion through the American Rescue Act — the largest injection of funds since it was established in 2017. The additional infusion was intended to boost support for projects where service upgrades could be shared across agencies, that address immediate security gaps, or would improve the public’s ability to access government services.

After receiving the additional $1 billion, the TMF board introduced a prioritization process for funding certain projects and introduced a new degree of repayment flexibility.

The TMF has historically operated under a full repayment model, meaning that agencies are expected to adhere to a repayment plan, where projects are expected to yield financial savings that the agencies pay back within five years. However, the TMF board is now able to consider projects where partial repayment or minimal repayment is likely, based on assessments of the scope of projects.

Funding for the latest project awards will be distributed incrementally and will be tied to performance targets and delivery milestones. The selected projects will be reviewed quarterly by the TMF board to ensure they are on schedule and milestones are met.

Federal Chief Information Security Officer Chris DeRusha noted that the Board and GSA, which operates the TMF program management office, would capture lessons learned from the latest project awards and make adjustments along the way to ensure their success.

TMF projects are proposed in a two-phase process, and agencies in the second step – the full project proposal – are expected to provide detailed financial information, and if necessary, make the argument why repayment flexibility should be extended.

In a Senate hearing earlier this week, Martorana revealed that since the $1 billion emergency funding in March, the TMF board has received proposals from 48 different agencies or agency components, totaling more than $2.3 billion in requests.

Prior to the additional $1 billion injection earlier this year, the TMF in total had received $175 million in funding. The fund was created by the Modernizing Government Technology Act, signed by then-President Donald Trump.

Editor’s note: This story was updated to include a per-project breakdown of new funding awards.

ATARC intends to merge agency and vendor zero trust working groups
https://fedscoop.com/atarc-zero-trust-working-groups/
Fri, 12 Mar 2021 15:26:42 +0000

The Continuous Diagnostics and Mitigation program director and federal chief information security officer intend to participate in the Zero Trust Working Group.

The post ATARC intends to merge agency and vendor zero trust working groups appeared first on FedScoop.

The Advanced Technology Academic Research Center’s parallel zero trust working groups for federal agencies and vendors intend to merge once the government side establishes use cases.

A merger will allow the more than 15 agencies and 15 vendors participating to begin zero trust logistics and to build and showcase proofs of concept, said Gerald Caron, director of enterprise network management in the State Department’s Bureau of Information Resources.

Caron co-chairs the agency working group and developed a zero-trust architecture that subgroups are using to define use cases.

“While the government is doing their deliveries and getting level set on requirements and architectures and definitions and concepts and use cases … we are feeding that to the vendors, so they can get started,” Caron said during an ATARC event Thursday.

Caron helped stand up ATARC’s Trusted Internet Connection 3.0 Demonstration Center, a physical test environment allowing federal agencies to try out cloud and infrastructure solutions for securing their networks.

With ATARC’s TIC 3.0 Working Group deemed a success, its members were grandfathered into the Zero Trust Working Group “because we believe TIC fits into the overall architecture of zero trust,” Caron said.

Continuous Diagnostics and Mitigation (CDM) Program Manager Kevin Cox has further agreed to join the working group and work with its members as his program transitions toward a zero-trust concept. That way the CDM program will get direct feedback from government officials and vendor representatives.

And Federal Chief Information Security Officer Chris DeRusha will have someone from his office participate in the working group as well.

“Having those two entities, I think, makes this working group pretty powerful — for lack of a better term,” Caron said. “It’s great participation, and we’re really influencing the government at this point.”

The working group will demystify zero trust by providing technical requirements agencies can use, said Trafenia Salzman, security architect at the Small Business Administration.

“It’s really helpful as an architect or an engineer or an analyst to be able to implement that in your environment,” said Salzman, who co-chairs the Zero Trust Working Group.

Salzman’s team at SBA is currently inventorying security tools and gathering information on processes before it implements a zero trust plan for the agency.

Meanwhile, Caron is helping implement zero-trust infrastructure at the State Department and also serving as acting chief information officer for the Department of Health and Human Services Office of Inspector General.

HHS OIG is also inventorying security tools with plans for a multi-year, multiple project zero trust program.

“I’d rather be effective than compliant, so I think zero trust really focuses on effectiveness because you focus on what you want to protect,” Caron said. “I really believe in that, and compliance can fall into place as you go.”

Camilo Sandoval takes over as Federal CISO
https://fedscoop.com/camilo-sandoval-federal-ciso/
Wed, 04 Nov 2020 17:41:51 +0000

Sandoval appears to have taken over the vacant federal CISO role, bringing with him a controversial past serving the Trump administration.

The post Camilo Sandoval takes over as Federal CISO appeared first on FedScoop.

It’s been rumored for more than a month that Camilo Sandoval was slated to be the next federal chief information security officer — but now it appears he’s officially been appointed by the Trump administration as one of its top cybersecurity officials.

Sandoval posted to the Federal CIO Council website’s blog late last week wrapping up National Cybersecurity Month and detailing the administration’s recent efforts to bolster cybersecurity. He is now listed as the Federal CISO on the council’s membership page, and his own LinkedIn suggests he joined the role in October. A source close to his hire confirmed he started last month.

The most recent Federal CISO, Grant Schneider, vacated the role in August when he took a job as senior director of cybersecurity services for Venable.

Rumors began to swirl in early September when sources close to the role claimed that Sandoval — the controversial former Trump campaign staffer and adviser who also served a stint as acting CIO of the Department of Veterans Affairs — was positioned as the likely next federal CISO.

“This year has brought cybersecurity to the forefront of everyone’s mind. As a community, we had to come together and found ourselves thrust into an environment facing challenges which not only affected our agencies, but our community as a whole,” says the post authored by Sandoval.

He goes on to tout the administration’s “substantial progress” around things like developing coordinated vulnerability disclosure policy, further adopting cloud and artificial intelligence, increasing focus on supply chain security and more.

Sandoval has been a rising star in the Trump administration since starting as the head of data operations for the president’s 2016 campaign. He then served as a White House adviser on the transition team embedded with the Treasury Department, where he reportedly clashed with career officials and was placed in the department’s basement, according to Politico.

His time at the VA was filled with reports of scandal, too. He was alleged to have spent time strong-arming VA officials to pledge their allegiance to Trump and his political leadership. ProPublica described him in 2018 as one of the VA’s “shadow rulers,” taking orders from Trump associates based out of his Mar-a-Lago Club in Florida.

When members of Congress caught wind of Sandoval’s appointment as acting CIO at the VA, they sent a letter to department leadership expressing their alarm at the development and raising concerns over “serious character concerns that should disqualify Mr. Sandoval for this position.” The letter references that Sandoval is the subject of a lawsuit alleging he “slandered, harassed and sexually discriminated against” a fellow Trump campaign staffer. That lawsuit is ongoing, according to lawyers of the plaintiff.

The Office of Management and Budget made no official announcement on Sandoval’s hire.

Correction: Nov. 11, 2020. The story originally referred to the lawsuit against Sandoval as a closed matter. The lawsuit is still ongoing and hasn’t been resolved, according to the plaintiff’s lawyers.

Plan to elevate Federal CIO passes in House https://fedscoop.com/federal-cio-bill-will-hurd-house-passes/ https://fedscoop.com/federal-cio-bill-will-hurd-house-passes/#respond Fri, 30 Nov 2018 17:10:02 +0000 https://fedscoop.com/?p=30530 The CIO would become a presidentially appointed position that reports directly to the Office of Management and Budget director, instead of the deputy director.

The post Plan to elevate Federal CIO passes in House appeared first on FedScoop.

A proposal to codify and elevate the authority of the White House’s top IT officer passed in the House on Friday.

The Federal CIO Authorization Act of 2018 — sponsored by Reps. Will Hurd, R-Texas, and Robin Kelly, D-Ill. – aims to make the Federal CIO a presidentially appointed position that reports directly to the Office of Management and Budget director, instead of the deputy director, as it currently does. Suzette Kent is the current Federal CIO.

The bill, which passed 391-41, also proposes codifying the Federal CISO role as a presidential appointee position, providing a clear line of accountability and leadership for the federal IT infrastructure at a time when cybersecurity has become a pivotal issue for the government. The CISO would continue to report to the CIO under the legislation. Grant Schneider is currently the Federal CISO.

“Americans should be able to trust their government to keep their information safe,” Hurd said in a statement. “This bill helps keep the vast information stored by the federal government secure from hackers by making clear that the Federal CIO is in charge of the security of our data across the government.”

Kelly said the bill modernizes the government’s approach to IT by reauthorizing and renaming the Office of E-Government as the Office of the Federal Chief Information Officer and calling on the CIO to deliver a report to Congress on how to consolidate IT operations across the federal enterprise.

“By codifying and reauthorizing the federal CIO and CISO roles, we will continue streamlining government IT processes. This effort is part of our larger push to finally bring government into the 21st century,” she said in a statement.

Hurd and Kelly unveiled the bill in September as another proposal to empower the top federal IT official to take the reins of the government’s approach to technology.

Both Congress and the White House have been actively trying to give both the Federal and agency CIOs more authority to determine the path of IT modernization with legislation like the 2015 Federal IT Acquisition Reform Act (FITARA) and an executive order signed in May.

The Senate does not have a companion bill. The bipartisan support for Hurd and Kelly’s measure suggests that even if the Senate doesn’t act this year, the bill will return in 2019 in the Democrat-controlled House.

 
