OMB opts for zero trust goals in lieu of impossible deadline

The Office of Management and Budget didn’t mandate that agencies have zero-trust architectures within a few years of its draft strategy because that’s not possible, according to the federal chief information security officer.

Instead the Federal Zero Trust Strategy sets goals and requires actions of agencies that will help them achieve a degree of maturity in a few years, after which new goals and actions will be established, said Chris DeRusha.

The public comment period for the draft strategy ended Sept. 21, and finalizing and executing the strategy over the next three to six months is DeRusha’s top priority.

“It’s really our security modernization strategy when you read it,” DeRusha said, during the ACT-IAC Cybersecurity Summit on Wednesday.

The strategy covers a lot of capabilities the federal government has been trying to get agencies to implement for years, including asset inventories and identity and access management, he added.

Going hand-in-hand with the strategy is reform of the Federal Information Security Modernization Act, last updated in 2014. Lawmakers proposed a reform bill Monday, and part of the federal CISA’s job is to provide FISMA guidance to agencies.

The focus with FISMA reform is to get agencies to implement testing security measures, from DevSecOps to penetration testing to vulnerability disclosure programs, DeRusha said.

“The challenge is we largely do know what we need to do, but there are scarce skill sets to implement the latest and greatest technology solutions,” he added.

Agencies transition slowly as a result.

Compliance-based models also present a problem because, while they allow agencies to gauge their performance, they’re not sustainable given the dump of new federal directives like the cyber executive order or the zero trust strategy and logging memo out of OMB, DeRusha said.

“We have to help them balance those,” he said.

DeRusha’s office is helping implement a new model where the Cybersecurity and Infrastructure Security Agency and agency inspectors general assess cyber sufficiency and performance.

That model will take time to implement however, and public-private partnership is critical to its success.

“This is no time for status quo,” DeRusha said.