Federal CISO Council Archives | FedScoop
https://fedscoop.com/tag/federal-ciso-council/

DeRusha stepping down from federal CISO role
https://fedscoop.com/chris-derusha-leaving-federal-ciso-omb-oncd/
Tue, 14 May 2024 19:48:50 +0000

He’s also leaving ONCD, where he’s served as deputy national cyber director.

The post DeRusha stepping down from federal CISO role appeared first on FedScoop.

Chris DeRusha is exiting his role as federal chief information security officer after more than three years on the job, the Office of Management and Budget confirmed Tuesday.

DeRusha, who was appointed to the federal CISO position in January 2021, played a critical role in the development of the White House’s artificial intelligence executive order, in addition to the Biden administration’s 2021 executive order on cybersecurity and the corresponding national cybersecurity strategy and implementation plan.

“Since day one of the Biden Administration, Chris has been instrumental in strengthening our nation’s cybersecurity, protecting America’s critical infrastructure, and improving the digital defenses of the Federal government,” Clare Martorana, federal chief information officer, said in a statement. “I wish him the best, and know he will continue to serve as a leading voice within the cybersecurity community.”  

As the federal CISO, DeRusha oversaw the 25-member council of his chief information security officer peers and spearheaded the protection of federal networks, while also managing agencywide implementation of multifactor authentication and supporting the coordination of the nation’s broader cybersecurity as the deputy national cyber director. 

DeRusha will also leave behind that role, the Office of the National Cyber Director confirmed.

“From the beginning of the Biden-Harris Administration, and even before, Chris DeRusha has been a steady, guiding leader,” National Cyber Director Harry Coker Jr. said in a statement. “As Deputy National Cyber Director with ONCD — while continuing his excellent work as Federal CISO — he has been a trusted and valued partner. 

“Chris’s keen insights, experience, and judgement have been integral to the work we’ve done and what we will continue to do to strengthen our Nation’s cyber infrastructure. I’m grateful for his commitment to the American people and to the Biden-Harris Administration. All of us at ONCD wish him the very best in his next chapter,” Coker added.

Speaking during Scoop News Group’s CyberTalks event last November, DeRusha touted the White House’s coalition-building efforts and “meaningful cooperation” as a means to reaching its overarching cybersecurity goals.  

“We cannot achieve any meaningful progress on managing cyber risk as one nation,” DeRusha said. “And this administration is definitely committed to working with our like-minded partners on shared goals.”

A month earlier, during the Google Public Sector Forum, DeRusha said that after “decades of investments in addressing legacy modernization challenges,” the Biden administration was poised to address “massive” long-term challenges on everything from AI strategy to combating ransomware. 

“We’ve taken on pretty much every big challenge that we’ve been talking about for a couple of decades,” DeRusha said. “And we’re taking a swing and making” progress.

Prior to his current stint with the federal government, DeRusha served as CISO for the Biden presidential campaign and stayed on with the transition team’s technology strategy and delivery unit. DeRusha had previously worked as the CISO for the state of Michigan.

OMB did not reveal DeRusha’s last day or where he is headed next. 

Federal News Network first reported the news of DeRusha’s departure.

OMB guidance asks agencies to provide inventory of IoT assets
https://fedscoop.com/omb-internet-of-things-iot-guidance-federal-agencies/
Wed, 06 Dec 2023 18:05:09 +0000

The memo also calls on the CISO Council to create a working group charged with compiling sector-specific best practices playbooks that cover IoT and operational technology.

The Office of Management and Budget is stepping up its oversight of Internet of Things usage throughout the federal government, calling on agencies to deliver an inventory of their “covered IoT assets” by the end of fiscal year 2024.

In its FY2024 Federal Information Security and Privacy Management Requirements guidance, released Monday, OMB noted that the ubiquity and breadth of agency-used IoT devices underscores the federal government’s vulnerabilities to “new and more complex” cyber threats, a fact that necessitates the “strengthening of cybersecurity posture” of such devices. 

“Agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations,” the guidance states. “This includes the interconnected devices that interact with the physical world — from building maintenance systems, to environmental sensors, to specialized equipment in hospitals and laboratories.”

The guidance — which defines “covered IoT assets” as devices embedded with “programmable controllers, integrated circuits, sensors, and other technologies for the purpose of collecting and exchanging data with other devices and/or systems over a network in order to facilitate enhanced connectivity, automation, and data-driven insights across devices and systems” — comes on the heels of The Internet of Things Cybersecurity Improvement Act of 2020.

The IoT Act required the National Institute of Standards and Technology to issue IoT-related guidelines and standards, while also calling on the OMB director to review agency security policies and principles regarding the technology to ensure compliance.

OMB said it has “actively engaged with agencies over the past two years to learn about the diversity of IoT devices prevalent throughout the federal government,” setting the stage for the fresh instructions.

In addition to the IoT inventory deadline facing agencies, the guidance mandates the Chief Information Security Officer Council to stand up, within four months, a working group charged with creating IoT and operational technology playbooks that include sector-specific best practices. Those playbooks would then be distributed to agencies.  

“These efforts should leverage existing cybersecurity regimes and industry practices wherever feasible,” the guidance states, “so that IoT technology is appropriately integrated into the security frameworks and programs governing other forms of information technology.”

Presidential advisory committee finds zero-trust push an ‘incomplete experiment’
https://fedscoop.com/zero-trust-incomplete-experiment/
Fri, 25 Feb 2022 18:10:01 +0000

NSTAC says the strategy's principles have yet to be fully integrated into federal governance policies and programs.

The National Security Telecommunications Advisory Committee found the government risks zero trust becoming an “incomplete experiment” unless its principles are integrated into federal governance structures, policies and programs, in a draft report released Thursday.

NSTAC makes 24 recommendations, nine of them key, in the report with the goal of fostering a culture of zero trust in government that will ensure it becomes an enduring cybersecurity strategy and a “national imperative,” rather than just “a collection of disjointed technical security projects.”

NSTAC is a committee that provides industry-based analysis and policy recommendations to the Office of the President on how the government can improve national security and emergency preparedness telecommunications.

President Biden tasked NSTAC with conducting a three-part study into enhancing internet resilience at the same time he issued the Cybersecurity Executive Order in May 2021, requiring agencies to begin adopting zero-trust security architectures. NSTAC’s assessment of zero trust is but one part.

“Effective, lasting transformation can only be achieved through a sustained whole-of-government commitment to promoting strategic coherence, employing effective management and oversight, ensuring sustained financial investment, and fostering strong alignment of the fundamental principles of zero trust in existing federal cybersecurity programs, procedures and policies,” reads the report. “The U.S. government can, and must, act now by implementing this report’s recommendations to institutionalize zero trust and lay the foundation for a cybersecurity transformation ultimately measured in decades, not years.”

NSTAC’s key recommendations include the federal chief information security officer (CISO) and national cyber director establishing progress metrics for agencies to implement the Federal Zero Trust Strategy released in January, metrics that agency CISOs or their superiors would be required to report. One such metric, which the Office of Management and Budget should oversee, is agencies publishing one zero-trust use case with lessons learned annually and reviewing them as part of a working group convened with the National Institute of Standards and Technology, prior to updating federal policy.

OMB should have the Federal CISO Council identify governmentwide infrastructure services expected to be ubiquitous for at least five years and establish a working group to develop zero-trust maturity models protecting them, according to the report.

NSTAC also recommends OMB issue a memo clarifying how the Federal Zero Trust Strategy aligns with Federal Information Security Management Act requirements and task NIST with releasing a special publication mapping zero trust to security controls.

For its part, the Cybersecurity and Infrastructure Security Agency should establish a Zero Trust Program Office for issuing guidance, reference architectures, capability catalogs and training modules, in coordination with the Department of Defense’s new Zero Trust Program Office when possible, according to the report.

NSTAC further recommends CISA create a shared security service for internet-accessible asset discovery, a new offering for agencies just beginning their zero-trust journeys, in addition to clarifying existing offerings.

NIST’s National Cybersecurity Center of Excellence should assess zero-trust technologies based on their interoperability in a special publication promoting efficient adoption. The agency should also develop and mature standards and guidelines internationally, per the report.

The last key recommendation is that CISA incentivize state and local zero-trust adoption with federal grants for IT security modernization.

CISA releases finalized IPv6 security considerations for TIC 3.0 implementation
https://fedscoop.com/cisa-final-ipv6-tic-considerations/
Fri, 21 Jan 2022 21:54:38 +0000

The new guidance explains how the transition will affect network management operations.

The Cybersecurity and Infrastructure Security Agency incorporated updates reflecting industry best practices in finalized guidance on IPv6 security considerations for Trusted Internet Connections 3.0 implementation, released Thursday.

TIC 3.0 accounts for shifts to cloud computing and other architectures in consolidating agencies’ network connections to limit cyberthreat vectors. CISA’s guidance explains how the transition of federal networks to Internet Protocol Version 6 (IPv6) will affect network management operations and thereby TIC 3.0 adoption.

CISA released a draft of “IPv6 Consideration for TIC 3.0” in September for public comment on the first piece of guidance addressing the expanded cyberthreat landscape the protocol presents.

“To keep pace with fast-moving technology, the federal government is expanding and enhancing its strategic commitment to IPv6,” said Eric Goldstein, executive assistant director of cybersecurity at CISA, in the announcement. “With our federal partners, we thoroughly reviewed and assessed public comment to ensure this finalized guidance informs and prepares federal agencies on how to properly implement the IPv6.”

The public comment period ended in October, after which CISA adjudicated feedback with the Office of Management and Budget, General Services Administration, and Federal Chief Information Security Officers Council TIC Subcommittee.

Commenters additionally requested federal standards for implementing facets of IPv6 like stateless address auto-configuration, Dynamic Host Configuration Protocol Version 6 and asset management, which CISA plans to address with the Federal IPv6 Task Force in future guidance.

CISA may consider dual-stack environments, implementing IPv6 in the cloud and other use cases in future guidance, based on commenters’ requests.

Agencies moving away from VPNs as they implement TIC 3.0
https://fedscoop.com/agencies-move-away-from-vpns/
Fri, 30 Apr 2021 19:41:04 +0000

TIC 3.0 lets agencies plan remote user access while shrinking trust zones around high-value assets to reduce their attack surface.

Agencies are moving from virtual private networks (VPNs) to more robust identity management solutions as they implement Trusted Internet Connections 3.0 architectures, said TIC Program Manager Sean Connelly.

VPNs allow inherited trust to be embedded in architectures, but agencies are migrating to a zero-trust security model that takes inherited trust out of the digital system.

For instance, primes on the $50 billion Enterprise Infrastructure Solutions network modernization contract all offer software-defined wide area network (SD-WAN), multiprotocol label switching (MPLS), and broadband or another form of internet access. And all are leveraging TIC’s recently finalized Branch Office Use Case.

“When we talk TIC 3.0, [VPNs are] really not even being discussed as a modern solution for a lot of those architectures,” Connelly said during the IT Modernization Summit presented by FedScoop on Thursday. “So you’re scaling away from the VPN, itself.”

Instead, TIC 3.0 lets agencies plan remote user access while shrinking trust zones around high-value assets to reduce their attack surface.

Agencies should include Managed Trusted Internet Protocol Services (MTIPS) and TIC Access Provider (TICAP) costs when comparing an existing VPN with a fully secure, remote user solution, said Zain Ahmed, regional vice president of Lumen Technologies.

“Agencies need to be aware because VPN doesn’t inherently provide security,” Ahmed said. “To get apples-to-apples comparison, agencies should look to VPN plus the TIC costs versus remote users as they’re examining what the new solution will look like.”

The TIC program is currently working with the General Services Administration and Office of Management and Budget to adjudicate public comments on the draft version of its Remote User Use Case. A finalized version will “ideally” be released before the end of the year, with work beginning on Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and email-as-a-service use cases, Connelly said.

Agencies are working with the TIC program to build out pilots in those areas, and there’s interest in zero trust, Internet of Things (IoT) and unified communications use cases as well, Connelly said.

A number of Cybersecurity and Infrastructure Security Agency programs besides TIC are running pilots, including the Continuous Diagnostics and Mitigation (CDM) program and the National Cybersecurity Protection System (NCPS) Cloud Log Aggregation Warehouse (CLAW). Telework accelerated such pilots, some of which are now going through the full acquisition life cycle while others merely tested proofs of concept.

Agencies submit pilot proposals to the Federal Chief Information Security Officer Council for approval, with smaller ones tending to see more success.

“We want to have an agency that has a good technical acumen, understanding of what they’re trying to do,” Connelly said. “That’s important.”

TIC program in ‘final stage’ before releasing remaining initial 3.0 guidance
https://fedscoop.com/tic-3-guidance-final-stage/
Thu, 22 Oct 2020 19:02:27 +0000

The Overlay Handbook and Traditional TIC and Branch Office use cases are coming, with a draft of the remote user use case expected by the end of 2020.

The Trusted Internet Connections program is in the “final stage” of its work with the Office of Management and Budget and other stakeholders to release remaining initial TIC 3.0 guidance, said Director Sean Connelly on Thursday.

The U.S. Digital Service, Federal CISO Council and General Services Administration are coordinating with the program on releasing finalized Traditional TIC and Branch Office use case documents within the next two months, although the November election could delay things. TIC policy covers the security of external connections to federal networks.

The program released core TIC 3.0 guidance in July, and the remaining initial documents will round out the government’s effort to support multiple architectures for securing agency networks, as they increasingly move their data to the cloud and their users off premise during the coronavirus pandemic. Such use cases were first outlined in an OMB memo finalized in September 2019.

“Even when those are released, we know we’re still on the hook for a number of other use cases,” Connelly said, during the TIC 3.0 SNG Live event by Scoop News Group. “The OMB memo also has in place a remote user use case, infrastructure as a service, software as a service, [platform as a service], email.”

First out of the gate will be the Remote User Use Case, which the program is looking to have a draft of by year’s end that will replace the TIC 3.0 Interim Telework Guidance released in April, Connelly said.

The interim guidance was issued in response to vendor requests for anything tangible they could use to help agencies with the March-April surge in telework when the pandemic hit, Connelly said. The Department of Housing and Urban Development, State Department and GSA were among the agencies that had more than 90% of their workforce teleworking.

“There was that massive, immediate shift, so I think that’s important in terms of looking at how not only to secure those environments: secure the client side, secure the remote user,” Connelly said. “Then also how is this represented on the service side with agency users going to the cloud provider? They’re going to infrastructure as a service; they’re going to a SaaS or PaaS environment.”

The program will likely be positioned for a TIC 3.0 Zero Trust Use Case pretty soon, Connelly added. That could come next year along with a Partner, Research and Development Use Case.

A Program Guidebook, Reference Architecture and Security Capabilities Catalog were included in the program’s first release of finalized guidance. The first two documents will be fairly static, but the latter will be a living document that adds new capabilities and controls into use cases as they’re announced.

The forthcoming Traditional TIC Use Case details the “castle-and-moat” security strategy that’s existed at most major agencies for about a decade, Connelly said. And the Branch Office Use Case will allow agencies to network directly to the cloud or an external trust zone, rather than going through the headache of directing traffic through their TIC access point or headquarters first.

There was no word on when the Overlay Handbook might be released, but ongoing TIC pilots will feed into the IaaS, SaaS, PaaS Use Case.

From early pilots, the program learned to engage stakeholders like an agency’s security team or risk officer sooner than later to get on the same page about what’s being piloted and what it means for the agency, its authority to operate and its general support system, Connelly said.

Agencies conducting pilots also need to think of the technical acumen required when, say, a shift to a zero-trust architecture impacts its security operations center, he said.

Lastly, while some pilots last six months, others run longer, and agency or contractor personnel may see turnover during that time. Agencies must ensure some personnel can support the pilot the entire time, Connelly said.

CISA finalizes trio of TIC 3.0 documents
https://fedscoop.com/cisa-finalizes-tic-3-0-guidance/
Fri, 31 Jul 2020 19:49:54 +0000

The Program Guidebook, Reference Architecture and renamed Security Capabilities Catalog were updated with new architecture concepts.

The Cybersecurity and Infrastructure Security Agency introduced finalized Trusted Internet Connections 3.0 security architecture concepts supporting the latest technologies and various agencies adopting the guidance in three documents released Friday.

CISA also increased the number of TIC 3.0 security capabilities in response to agencies’ expedited adoption of cloud services, which introduce new cybersecurity vulnerabilities, during the coronavirus pandemic.

The agency published final versions of the Program Guidebook, Reference Architecture and renamed Security Capabilities Catalog, updating the drafts released in December based on nearly 500 federal, industry and public comments received through January.

“CISA anticipates the final core TIC 3.0 guidance will better address stakeholder needs and concerns,” reads the agency’s response to the comments. “The guidance is expected to evolve to reflect technological advancements, changes in threats, and the lessons learned from TIC pilots to help ensure its usefulness to federal agencies.”

Five themes emerged within the comments that CISA clarified:

  • How TIC aligns with other CISA and federal programs like the National Cybersecurity Protection System and its Cloud Interface Reference Architecture;
  • Plans for templates, working groups, webinars and roadshows explaining TIC guidance, in addition to its webpage;
  • Terms and diagrams in the Program Guidebook and Reference Architecture;
  • Where to find current use cases;
  • Plans for consideration of proposed use cases with the Office of Management and Budget, General Services Administration, and Federal Chief Information Security Officer Council.

CISA has concluded its comment adjudication period and plans to release the remaining finalized TIC 3.0 documents — the Use Case Handbook, renamed Overlay Handbook, Traditional TIC Use Case, and Branch Office Use Case — later this summer.
