Acting federal cyber chief outlines his three priorities for the next year

The U.S. government’s acting chief information security officer outlined his three priorities for federal cyber officials over the next year at a cybersecurity event in Washington on Tuesday, emphasizing the need for collaboration across the government.
During a fireside chat at the Billington Cybersecurity Summit, acting cyber chief Michael Duffy said focusing enterprise cyber defense, increasing operational resilience, and securing a modern U.S. government are the areas he’s outlined as priorities for the next year in conversations with the federal cyber leaders on the CISO Council.
He also previewed an upcoming tabletop exercise the CISO Council will be doing in the next month to address operational resilience.
That exercise will be a “frank conversation” among the CISOs about readiness and is intended to extend beyond just technology and to processes as well. For example, they’ll assess whether agencies have the right people on call for an incident that needs interagency collaboration and if those leaders know what collaboration should look like if an incident occurs within the agency.
“That’ll help me better understand where we need to shape the policy perspectives — the changes in the mechanisms that we have as an interagency — for the foreseeable future,” Duffy said of the exercise.
Priorities breakdown
Duffy’s priorities, when taken together, point to a desire for a whole-of-government approach to cybersecurity, ensuring that gaps aren’t exploited by bad actors.
On the enterprise cyber defense priority, specifically, Duffy described it as a matter of leaders thinking about things like vulnerability management, supply chain or incident response not just for their own agency, but across the enterprise as well.
“How can we take aspects of the enterprise cyber defense mission and identify the expectations of individual agencies to actually fit into that interagency ecosystem?” Duffy said.
That priority aligns directly with the second one on increased operational resilience, Duffy said. For that mission, he said it’s incumbent upon agencies to act now rather than waiting for the next cyber crisis to shape the next 10 years.
Much of the past decade was influenced by incidents, such as the 2015 breach of sensitive data at the Office of Personnel Management or the 2019 SolarWinds cyberattack that impacted the public and private sectors, Duffy said.
“The challenge right now is we can’t wait to see what’s next. We have to start acting now,” Duffy said.
He emphasized interagency collaboration as a means to achieve that goal and said that cyber leaders must ensure they’re harnessing all of the capabilities across government and sharing best practices.
“Adversaries don’t see agency lines,” he said. “This is why that enterprise approach is so important, because those gaps, those gray zones, between agencies, are exactly what adversaries are looking to take advantage of, and we’ve seen that happen.”
Finally, on his third priority, securing a modern U.S. government, Duffy said the focus is how agencies are looking at data and how the American people interact with the government. Those topics, he said, are important as the government looks to use AI and implement post-quantum cryptography, among other areas.
While he didn’t go into as much detail about that priority, Duffy pointed to previous work on that front in the Federal Zero Trust Security Guide, which was a collaboration between the federal CISO and CDO councils published in October 2024.