DeRusha, who was appointed to the federal CISO position in January 2021, played a critical role in the development of the White House’s artificial intelligence executive order, in addition to the Biden administration’s 2021 executive order on cybersecurity and the corresponding national cybersecurity strategy and implementation plan. 

“Since day one of the Biden Administration, Chris has been instrumental in strengthening our nation’s cybersecurity, protecting America’s critical infrastructure, and improving the digital defenses of the Federal government,” Clare Martorana, federal chief information officer, said in a statement. “I wish him the best, and know he will continue to serve as a leading voice within the cybersecurity community.”  

As the federal CISO, DeRusha oversaw the 25-member council of his chief information security officer peers and spearheaded the protection of federal networks, while also managing agencywide implementation of multifactor authentication and supporting the coordination of the nation’s broader cybersecurity as the deputy national cyber director. 

DeRusha will also leave behind that role, the Office of the National Cyber Director confirmed.

“From the beginning of the Biden-Harris Administration, and even before, Chris DeRusha has been a steady, guiding leader,” National Cyber Director Harry Coker Jr. said in a statement. “As Deputy National Cyber Director with ONCD — while continuing his excellent work as Federal CISO — he has been a trusted and valued partner. 

“Chris’s keen insights, experience, and judgement have been integral to the work we’ve done and what we will continue to do to strengthen our Nation’s cyber infrastructure. I’m grateful for his commitment to the American people and to the Biden-Harris Administration. All of us at ONCD wish him the very best in his next chapter,” Coker added.

Speaking during Scoop News Group’s CyberTalks event last November, DeRusha touted the White House’s coalition-building efforts and “meaningful cooperation” as a means to reaching its overarching cybersecurity goals.  

“We cannot achieve any meaningful progress on managing cyber risk as one nation,” DeRusha said. “And this administration is definitely committed to working with our like-minded partners on shared goals.”

A month earlier, during the Google Public Sector Forum, DeRusha said that after “decades of investments in addressing legacy modernization challenges,” the Biden administration was poised to address “massive” long-term challenges on everything from AI strategy to combating ransomware. 

“We’ve taken on pretty much every big challenge that we’ve been talking about for a couple of decades,” DeRusha said. “And we’re taking a swing and making” progress.

Prior to his current stint with the federal government, DeRusha served as CISO for the Biden presidential campaign and stayed on with the transition team’s technology strategy and delivery unit. DeRusha had previously worked as the CISO for the state of Michigan.

OMB did not reveal DeRusha’s last day or where he is headed next. 

Federal News Network first reported the news of DeRusha’s departure.

The post DeRusha stepping down from federal CISO role appeared first on FedScoop.

Between the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology and the Office of Management and Budget, 49 of the 55 requirements in President Joe Biden’s order aimed at safeguarding federal IT systems from cyberattacks have been fully completed. Another five have been partially finished and one was deemed to be “not applicable” because of “its timing with respect to other requirements,” per the GAO.

“Completing these requirements would provide the federal government with greater assurance that its systems and data are adequately protected,” the GAO stated. 

Under the order’s section on “removing barriers to threat information,” OMB only partially incorporated into its annual budget process a required cost analysis.

“OMB could not demonstrate that its communications with pertinent federal agencies included a cost analysis for implementation of recommendations made by CISA related to the sharing of cyber threat information,” the GAO said. “Documenting the results of communications between federal agencies and OMB would increase the likelihood that agency budgets are sufficient to implement these recommendations.”

OMB also was unable to demonstrate to GAO that it had “worked with agencies to ensure they had adequate resources to implement” approaches for the deployment of endpoint detection and response, an initiative to proactively detect cyber incidents within federal infrastructure. 

“An OMB staff member stated that, due to the large number of and decentralized nature of the conversations involved, it would not have been feasible for OMB to document the results of all EDR-related communications with agencies,” the GAO said.

OMB still has work to do on logging as well. The agency shared guidance with other agencies on how best to improve log retention, log management practices and logging capabilities but did not demonstrate to the GAO that agencies had proper resources for implementation. 

CISA, meanwhile, has fallen a bit short on identifying and making available to agencies a list of “critical software” in use or in the acquisition process. OMB and NIST fully completed that requirement, but a CISA official told the GAO that the agency “was concerned about how agencies and private industry would interpret the list and planned to review existing criteria needed to validate categories of software.” A new version of the category list and a companion document with clearer explanations is forthcoming, the official added. 

CISA also has some work to do concerning the Cyber Safety Review Board. The multi-agency board, made up of representatives from the public and private sectors, has felt the heat from members of Congress and industry leaders over what they say is a lack of authority and independence. According to the GAO, CISA hasn’t fully taken steps to implement recommendations on how to improve the board’s operations. 

“CISA officials stated that it has made progress in implementing the board’s recommendations and is planning further steps to improve the board’s operational policies and procedures,” the GAO wrote. “However, CISA has not provided evidence that it is implementing these recommendations. Without CISA’s implementation of the board’s recommendations, the board may be at risk of not effectively conducting its future incident reviews.”

Federal agencies have, however, checked off the vast majority of boxes in the EO’s list. “For example, they have developed procedures for improving the sharing of cyber threat information, guidance on security measures for critical software, and a playbook for conducting incident response,” the GAO wrote. Additionally, the Office of the National Cyber Director, “in its role as overall coordinator of the order, collaborated with agencies regarding specific implementations and tracked implementation of the order.”

The GAO issued two recommendations to the Department of Homeland Security, CISA’s parent agency, and three to OMB on full implementation of the EO’s requirements. OMB did not respond with comments, while DHS agreed with GAO recommendations on defining critical software and improving the Cyber Safety Review Board’s operations.

The post Cybersecurity executive order requirements are nearly complete, GAO says appeared first on FedScoop.

Previously, members of the cybersecurity community including regulated entities, academics and nonprofits had until Sept. 15 to submit their comments. They now have until Oct. 31.

The White House earlier this month issued a request for information as it seeks views on how to harmonize and streamline new proposed cybersecurity regulations across all sectors of the U.S. economy.

In particular, the White House wants to understand how updated requirements for the critical infrastructure sector could be harmonized with requirements for other industries.

In an updated note in the Federal Register, ONCD said it “seeks input from stakeholders to understand existing challenges with regulatory overlap, and explore a framework for reciprocity in regulator acceptance of other regulators’ recognition of compliance with baseline requirements.”

“‘Harmonization’ as used in this RFI refers to a common set of updated baseline regulatory requirements that would apply across sectors. Sector regulators could go beyond the harmonized baseline to address cybersecurity risks specific to their sectors,” it added.

In March, the Biden administration issued a new national cybersecurity strategy, which included measures to impose minimum security standards for critical infrastructure and to shift the responsibility for maintaining the security of computer systems away from consumers and small businesses onto larger software makers. 

That document represented a shift from the White House’s more recent approach to cybersecurity, veering from its long-standing emphasis on information sharing and collaboration toward a more strictly regulated approach.

The post ONCD extends deadline for comments on new sector cybersecurity requirements appeared first on FedScoop.

Ragsdale moves into the role Aug. 14 from technology company Two Six Technologies, where most recently he was vice president for Department of Defense strategy.

Prior to working at Two Six Technologies, he held senior cybersecurity and cyber operations roles at the Department of Defense, including as acting director of defense research and engineering for modernization, where he was responsible for driving DOD-wide innovation.

In the new post, he will focus on leading work to strengthen the cyber workforce across the United States, including through measures announced as part of the White House’s National Cyber and Workforce Strategy, which was announced on July 31.

That document called for collaboration across government, industry and civil society groups to work together to increase the number of cybersecurity workers and urged an overhaul of the U.S. immigration system. The strategy also petitioned Congress to introduce new legislative measures to ensure foreign-born cyber workers that have been trained in America are able to stay in the country.

Commenting on Ragsdale’s appointment, former ONCD Director Chris Inglis said: “Dan is a national treasure whose innumerable contributions to the cybersecurity profession over the course of three decades have inspired my work and thousands of others fortunate to have been mentored by him. His skills, experience, and leadership abilities will be an invaluable resource for the ONCD mission, in particular for the Technology and Ecosystem Line of Effort.”

According to the Department of Commerce-backed cybersecurity labor market tracking website CyberSeek, there are currently more than 663,000 cybersecurity jobs open across the country. 

The post ONCD names Daniel Ragsdale as cyber workforce and education leader appeared first on FedScoop.

In a Nov. 18 memo, the White House set out the deadline and said government departments would be expected to subsequently provide an annual vulnerability report until 2035.

The fresh guidance comes amid fears that significant leaps in quantum technology being made by countries hostile to the United States, including China, could allow existing forms of secure encryption to be cracked much more quickly.

In September, the National Security Agency issued guidance in which it set out requirements for owners and operators of national security systems to start using post-quantum algorithms by 2035.

In the Nov. 18 memo, OMB said agencies should focus their efforts first on producing an inventory for their most sensitive systems.

The White House said also that within 30 days, federal agencies should designate a cryptographic inventory and migration lead for their organization, and within 90 days of the memo publication, the Office of the National Cyber Director in coordination with OMB, CISA and the FedRAMP Program Management Office would produce instructions for the collection and transmission of inventory of crypto-vulnerable systems.

OMB said also in its memo that agencies would be required to submit to both the ONCD and the White House an assessment of extra funding needed for the adoption of post-quantum cryptography within 30 days.

It added that a working group for post-quantum cryptographic systems will be established, which will be chaired by the federal chief information security officer. 

In a statement, Federal CISO Chris DeRusha said: “The Biden-Harris Administration is working to ensure U.S. leadership in the emerging field of quantum computing.”

“This global technology race holds both great promise and threats,” he added. “We are prioritizing our efforts to secure the Federal Government’s sensitive data against potential future compromise by quantum computers; this action signifies the start of a major undertaking to prepare our Nation for the risks presented by this new technology.”

The post White House gives federal agencies May 2023 deadline to provide list of quantum-vulnerable cryptographic systems appeared first on FedScoop.

Rajan joined the executive branch on Oct. 24, after previously working as an entrepreneur-in-residence at Cornell University’s New York City-based technology, business, law and design campus, Cornell Tech.

Prior to this, she was chief technology officer at The Polaris Project, according to her LinkedIn, and before that was a tech policy fellow at the Aspen Institute.

Earlier in her career, Rajan was chief technology officer of the nonprofit Callisto, which is a social enterprise that develops software used to fight sexual assault and sexual coercion in the workplace.  

She has also worked on government projects as a deployment strategist for Palantir, and before that worked as a technologist at Johnson and Johnson’s Janssen Healthcare Innovation business.

Commenting on her appointment, Office of the National Cyber Director Deputy Principal Director Kemba Walden said: “We are excited to welcome Anjana to the Office of the National Cyber Director. Her wealth of experience is already a great asset to our team and an important voice in our work.”

The National Cyber Director serves as a principal adviser to the president on cybersecurity policy and strategy and plays a key role in leading cybersecurity engagement with industry and international stakeholders.   

The Office of the National Cyber Director was established by the National Defense Authorization Act for fiscal 2021.

Earlier this week, an ONCD official underscored that the administration is seeking “bold and ambitious” ideas from a recent request for information on how best to augment the United States’ cyber workforce.

Speaking Monday at a webinar hosted by the POPVOX Foundation, ONCD Director for Cyber Workforce and Education Strategy Suzanne Nielsen said the government will review even some of the most out-of-the-box ideas because of the volume of fresh talent needed to fill currently vacant cyber positions.

The post White House appoints Anjana Rajan as assistant national cyber director for technology security appeared first on FedScoop.

Speaking Monday at a webinar hosted by the POPVOX Foundation, ONCD Director for Cyber Workforce and Education Strategy Suzanne Nielsen said the government will review even some of the most out-of-the-box ideas because of the volume of fresh talent needed to fill currently vacant cyber positions.

She said: “The scale of the challenge, the speed at which it’s in our benefit as a country to address it are all on a grand scale … [S]o please be bold and ambitious, and we really appreciate those ideas.”

In particular, the Office of the National Cyber Director (ONCD) in its request for information (RFI) included an option to submit “Gordian knot” suggestions, which is intended to elicit possibly highly unusual solutions.

Early this month, the White House launched the RFI, which was issued with the intention of collecting wide-ranging evidence on how the government might bring new talent to the public sector and all areas of industry. Unlike many RFIs that solely seek feedback from vendors, this one asks for input from cyber students and practitioners as well.

The RFI responses will be reviewed once the submission deadline closes at 11:59 a.m. EDT on Nov. 3, 2022, and according to the White House will guide the ONCD’s development of the National Cyber Workforce and Education Strategy.

ONCD plans to group responses to the Cyber Workforce, Training and Education Request for Information RFI into broad categories like digital awareness, as well as specific bins like election training for cyber specialists. But there’s a hope some will be never-before-seen ideas.

Response reviews will run into December, and ONCD wants to get through presentations for any respondent who requests one by early February.

Speaking alongside Nielsen at the webinar, Deputy National Cyber Director for Technology and Ecosystem Security Camille Stewart Gloster said the government recognizes it cannot develop a national strategy alone.

She said: “That’s why it’s a whole-of-nation strategy; that’s why we’re engaging all of you … [M]uch of this will be a charge to industry, a charge to the education sector, a charge to a bunch of discrete stakeholder groups to take their piece and run with it.”

Alongside industry and other respondents, nonprofit cyber workforce champions such as Craig Newmark Philanthropies are also prepping responses.

“I’m really encouraged by the national cyber director in the White House making cyber workforce and related cybersecurity education a big priority,” said Craig Newmark, who previously founded Craigslist. “This RFI is a real, big, important part of that because we need to move forward together as a country.”

The post Biden administration seeking ‘bold and ambitious’ ideas from cyber workforce RFI says WH official appeared first on FedScoop.

The FBI is looped in more quickly when cyber incidents are reported, Walden said, during CrowdStrike’s Fal.Con 2022 cybersecurity conference in Las Vegas. And while the information may be used in investigations, it’s also shared among operational agencies including the Cybersecurity and Infrastructure Security Agency to identify and attribute the criminal actor responsible, and where possible help the victim rebuild critical infrastructure and recover assets.

Information sharing really started to improve with the signing of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in March and subsequent convening of the Cyber Incident Reporting Council in July, Walden said.

“My hope — and I think I’m seeing this happen in a better way — is that the victim company contacts the FBI right away, and if not the FBI, then CISA or the police,” Walden said. “But contacting the FBI, we’re seeing more federal cohesion on the back end.”

Funds for the Office of the National Cyber Director were only appropriated in November, but the policy and strategy entity is responsible for connecting all the operational cyber agencies governmentwide. That means improving agencies’ cohesion and working with the Office of Management and Budget to ensure they’re adequately funded to achieve cyber aspirations.

When the Biden administration was preparing to sanction Russia over its invasion of Ukraine, ONCD helped ensure classified cyber information was downgraded, so it could be provided to the financial sector so companies could protect their networks.

“We need to scale that,” Walden said.

“Ultimately we’re focused on shifting the burden of risk, providing more responsibility — both in the federal government and those enterprises in the private sector that can bear that risk — but also focused on future resilience,” she said.

Tech companies can assist ONCD in that regard by adopting a resilience-by-design approach with their products to protect against basic supply chain vulnerabilities, allowing agencies to focus on bigger challenges, Walden said. 

President Biden’s executive order on securing the supply chain issued in February 2021 further included a review of the federal procurement process and cyber incentives.

“Those are the types of concepts that we are trying to infect everyone with,” Walden said.

The post ONCD senior leader says FBI and operational cyber agencies have improved incident info sharing appeared first on FedScoop.

In fiscal 2024, executive agencies will be held to investing in a trio of cyber priorities: improving the defense and resilience of government networks by focusing on zero trust implementation and IT modernization; deepening cross-sector collaboration to defend critical infrastructure; and “strengthening the foundations of our digitally-enabled future.”

In addition to seeking adequate funding to support this work, OMB and ONCD will jointly “review agency responses to these priorities, identify potential gaps, and potential solutions to those gaps,” says the memo, signed by OMB Director Shalanda Young and National Cyber Director Chris Inglis.

“OMB, in coordination with ONCD, will provide feedback to agencies on whether the priorities are adequately addressed and consistent with the overall cybersecurity strategy and policy—aiding agencies’ multiyear planning through the regular budget process,” the memo says.

Much of the memo, however, is a rehash from earlier strategy documents and executive orders this administration or others have issued previously — such as pushing for the “accelerated adoption and use of secure cloud infrastructure and services, leveraging zero trust architecture,” and “exploring, as appropriate and within the bounds of their statutory authorities, alternative skills-based hiring and pay incentive practices to ensure skilled talent has access to opportunities in the IT and cyber workforce.”

The post OMB sets cyber priorities for fiscal 2024 ahead of agency budget submissions appeared first on FedScoop.

Together with the White House Office of the National Cyber Director, Department of Commerce and other agencies, DOL will recruit employers, industry sector associations, labor unions, educational providers, and community-based organizations to join or launch registered apprenticeships through National Apprenticeship Week running Nov. 12-20, 2022.

Registered apprenticeships are career pathways, often for underserved communities, where employers offer future workers pay, mentorships, classroom instruction and a nationally recognized credential, and the Biden administration is championing them to fill nearly 700,000 open cyber jobs nationwide. The Cybersecurity Apprenticeship Sprint was announced at the White House’s National Cyber Workforce and Education Summit, one month after President Biden signed into law a bill creating a federal rotational cyber workforce program.

“These newly trained workers will help protect our critical infrastructure, advance our digital way of life, strengthen our economy and improve access to cybersecurity career paths for underrepresented communities — especially women, people of color, veterans and people with disabilities,” said Labor Secretary Marty Walsh.

DOL’s Office of Apprenticeship will work with employers to launch apprenticeship programs within 48 hours using vetted standards, and the National Institute of Standards and Technology‘s National Initiative for Cybersecurity Education (NICE) is also looking to partner. NICE offers an apprenticeship locator.

About 42,260 cybersecurity apprentices are a part of 714 programs currently with 199, a 28% increase, created since Jan. 20, 2021.

“The Cybersecurity Apprenticeship Sprint is a creative initiative, which will encourage a swath of new talent into the cybersecurity workforce by bootstrapping highly visible and valuable work experience and by focusing on inclusivity and diversity as a primary objective,” said Casey Ellis, founder of Bugcrowd, which offers its vulnerability disclosure platform to agencies, in a statement.

The post Labor Department announces 120-day cybersecurity apprenticeship sprint appeared first on FedScoop.