Federal Chief Information Security Officer Chris DeRusha said the Technology Modernization Fund (TMF) board – on which he sits – is looking to agencies that won awards from the fund earlier this year to pursue zero trust security projects to act as a group of pathfinders who can inform the zero trust transition work of other Federal agencies going forward.
DeRusha shed light on the board’s thinking during remarks on November 18 at the Palo Alto Networks Public Sector Ignite online conference.
He said that zero trust project bids from agencies were high on the list of the TMF board’s priorities as it looked at the initial wave of proposals competing for $1 billion of funding that TMF received from Congress under the American Rescue Plan Act. The board told agencies in May that it would prioritize proposals involving high-priority system modernization, cybersecurity, public-facing digital systems, and cross-government services and infrastructure.
In the first round of awards announced on September 30, three agencies – Office of Personnel Management, Education Department, and General Services Administration – scooped up $60 million of funding for projects to hasten their transition to zero trust security architectures.
“A billion dollars is a fantastic opportunity and we are using it strategically,” DeRusha said in explaining the awards process. “A key focus, but not the only focus, is security-driven projects,” he said.
“Understanding, all of us, that the zero trust journey is so new, we really tried to prioritize projects that came in,” he said. “Our first reviews and awards, many of the ones we did prioritize, were zero trust project proposals from agencies.”
In explaining the awards process to agencies looking for zero trust funding, DeRusha said, “the great thing here for you is you get your funds to do this in FY2022, while most folks are having to make the requests for the FY2023 budget cycles, and then re-justify after a year.”
“In the TMF model, we’re saying you can come justify to the board, and as long as you’re staying on task throughout and showing that you are doing good project management, you will get the three or four years’ worth of funds that you need to be able to rely on to have a successful implementation,” he said.
“What we said also is … we want you to help provide your own books and help the rest of your colleagues across government learn from what you’re learning,” he said. “And we’d like you to accept the systems from us if we see that it would be useful.”
“It was just a very good organic experience, frankly, being on the board, just to share a desire to move out now, be humble about what we don’t know” but “confident that we do know where we’re headed, and in our ability to sort of be agile along the way and help one another,” he said.
“I think that’s how you can be successful in something that’s big,” DeRusha said. “The TMF is a good chunk of our strategic approach here to make sure that we are learning how you do this well in practice and testing all those assumptions.”
New NCD Role Benefits
Elsewhere during his remarks, DeRusha talked about the benefits to the Federal cybersecurity effort of his recently announced dual-hat role as deputy national cyber director for Federal cybersecurity, in addition to Federal CISO.
“Every time I’m out speaking with my industry counterparts, I’m reminded of their imperative to reimagine themselves every few years just to stay competitive,” DeRusha said. “Although that’s not the standard model for government, I think that it’s important for us to acknowledge that those same forces driving industry change are affecting us in the 100-plus Federal civilian agencies that I am chartered to protect.”
“So, when I look at and think about the creation of the National Cyber Directorate, it’s an acknowledgment, I think, that we need to continue to evolve, and in trying new things in government here as well,” DeRusha said.
“When we look at the dual-hat role, where I’ll be where I’m now both the Federal chief information security officer and deputy director for Federal cybersecurity, we’re trying something new and we’ll learn from it and make appropriate adjustments along the path,” he said.
“It’s a really good beneficial relationship with both sides,” DeRusha explained. “OMB gets the benefit of the resources and the platform that is being built within the NCD,” and NCD will benefit from the “direct conduit now into OMB’s budgetary management decision-making process, so it’s a really good partnership and we’re just excited to be doing it,” he said.