Top US Gov’t CISO Details Zero-Trust Strategy Race

After an executive order mandated that US federal agencies adopt a zero-trust security strategy by 2024, security leaders had to spring to action quickly.

Shane Snider, Senior Writer, InformationWeek

November 16, 2023

Chris DeRusha, federal CISO in the US Office of Budget and Management (OMB), speaks at Forrester's Nov. 15 Security & Risk event. Photo by Shane Snider

At a Glance

  • Government technology security leaders are racing to meet zero-trust requirements by 2024.
  • Federal CISO says his team had to establish a solid starting point and stay flexible to accommodate a diverse set of organizations’ needs.
  • He says a critical eye is helpful and welcomes input from top industry experts.

If an enterprise wants a lesson in quickly forming a zero-trust strategy for a sprawling organization, it should look to the US federal government’s effort to make all agencies compliant by 2024. That’s what Chris DeRusha, who was appointed federal CISO in the Office of Budget and Management (OMB) in 2021, had to figure out quickly.

He used his keynote talk on Wednesday during Forrester’s Security & Risk event in Washington, D.C., to give an overview of the government’s daunting cybersecurity efforts and how that strategy could be used in other organizations.

DeRusha estimates there are just over 100 agencies involved with the zero-trust strategy, including Transportation Security Administration (TSA), Federal Emergency Management Agency (FEMA), the Secret Service, the Coast Guard, and many other sensitive and high-profile civilian government bodies.

“But honestly, if you really broke it down into the independent operating units, there are hundreds, and they’re all across the spectrum of capability and resources,” he said.

So how does a manager wrangle the security needs of that many organizations when there’s a need to move quickly and decisively?

A Starting Point

“It felt like, ‘This is it,’” DeRusha said. “The things we’ve been talking about for the past decade and working about … it’s all happening to us right now. We needed to figure out how we’re going to galvanize and try to insert energy and focus into federal agencies to really drive forward on the things that we’d been working on for well over a decade. But we were struggling to make meaningful progress.”


The team had a starting point: a 170-page document that laid out the fundamental goals. But such a Herculean task -- streamlining a zero-trust plan to be shared by diverse organizations -- would require more than words on a page. “I remember reading it, and saying, ‘This is really interesting, and useful and feels right.’ But no one was going to interact with that,” he said. “So, this was a foundation. We needed a focused action plan.”

An action plan and hard deadlines helped get some organizations on the right path, but others without resources in place needed extra attention. “We decided, let’s go and meet each agency where they’re at … let’s work with each of them to have their own tailored implementation plans,” DeRusha said. Large organizations with smaller departments and groups can take a similar hands-on approach, encouraging each unit to develop its own plan that works.

Getting Outside Input

After a public comment period produced 120 independent responses from academics, industry leaders and other experts across the country, giving guidance on best zero-trust practices, the team had intellectual capital to back up the lofty plan. Those responses helped organizations with different needs custom tailor their own plans to become compliant. All the while, budget constraints had to be considered.


“For us [budget] was super important,” DeRusha said. “Some governments and I think in big companies, you need to do this planning as well. And you need to justify that the resource spend is tied to some strategy that is probably going to get some good outcomes. That’s the formula for a budget officer signing off.”

An important step for any organization, no matter the size, is to define what zero-trust means to that organization. “We took the whole big government apparatus, and we just focused it and made this big bet on what we call ‘zero trust,’” he said. “I can tell you what that means for us, and that’s not what it means for everybody. It was a lot of work to be able to see that. But you’ve got to build something that takes away the noise. And you do have to take that feedback and those criticisms seriously and build something that’s defensible to install.”


DeRusha said OMB is on track to see that the zero-trust requirements are met by the 2024 deadline.

“We’re pushing through,” he said.

About the Author(s)

Shane Snider

Senior Writer, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.
