Federal CIOs and CISOs from every agency will be involved in creating new governmentwide cybersecurity guidelines set to be issued as part of President Biden’s recent cybersecurity executive order, according to Federal CISO Chris DeRusha.
DeRusha said Tuesday his office is working with the Federal CIO and CISO councils to ensure information security leaders from across government are involved in drafting the new guidelines.
“Obviously this is a pretty big executive order … it really is an all-of-government exercise,” he said at CyberTalks 2021, hosted by CyberScoop. “CIOs and CISOs will be included in the drafting of every aspect of the guidance. They are going to need to implement them, so they are more than welcome to help us develop them and to make them successful.”
The cyber executive order, issued last month by the Biden administration, requires the Office of Management and Budget to issue a slew of new cybersecurity rules for agencies. It includes a mandate that the OMB should work with the Department of Homeland Security and the General Services Administration over the next 90 days to develop a federal cloud-security strategy and guidance.
Commenting more broadly on the government’s response to last year’s SolarWinds hack, DeRusha said there remains a way to go until basic security measures such as multi-factor authentication and endpoint detection are implemented uniformly across government agencies.
He also noted the importance of senior agency leaders having appropriate emergency plans in place that can be followed in the event of another major cyberattack.
“Agencies need a consistent playbook for senior leaders to work through when an incident like SolarWinds occurs,” he said.
Modernizing federal cybersecurity is just one element of the larger cybersecurity EO. It also calls for increased sharing of threat information between the government and private sector, and for the development of baseline software supply chain security standards for any software sold to the federal government.
Additionally, the order calls for the creation of a national Cybersecurity Safety Review Board, akin to the National Transportation Safety Board.