The Biden administration didn’t waste any time naming the new federal chief information security officer. They just didn’t tell anyone Chris DeRusha started on Jan. 25.
Former Office of Management and Budget officials “broke the news” of DeRusha’s appointment and DeRusha confirmed it by changing his LinkedIn page.
Federal News Network further confirmed DeRusha’s new role with government sources. He replaces Camilo Sandoval, who was federal CISO for the last month or so of the Trump administration.
An OMB spokesperson confirmed DeRusha’s appointment later on Tuesday.
“The Biden-Harris administration has made cybersecurity a top priority, and Chris is well prepared to elevate it as an imperative across the government,” the spokesperson said. “A seasoned cybersecurity expert with strong public and private experience, Chris will manage and recruit a talented team of civil servants to launch the most ambitious effort ever to modernize and secure federal information technology and networks, and help put the U.S. government back on the path towards leading 21st century cybersecurity.”
Grant Schneider, the former federal CISO and now senior director of cybersecurity services at Venable, said DeRusha is smart, capable, and most importantly, has the trust of the administration, which will be critical for his success.
Schneider and other former and current federal cyber officials praised the Biden administration’s choice for federal CISO.
“Chris has the right experience for the job with his time at OMB working with the federal chief information officer and CISO as well as spending a number of years at the Homeland Security Department,” said Joe Stuntz, director of federal and platform for Virtru and a former OMB chief of the cybersecurity and national security unit. “A strong partnership between OMB and DHS is critical in tackling the challenging issues across agencies such as supply chain risk, moving from network-based to identity and data-focused security and being a good partner with CIOs to meet the needs of a very different working environment.”
Ross Nodurft, another former chief of OMB’s cyber branch and now a senior director for cybersecurity services at Venable, called DeRusha the right man at the right time for this role.
“He’s got the policy chops, operational understanding and leadership experience to make an impact as federal CISO,” Nodurft said. “He is also well positioned to partner with Eric Goldstein and Rob Silvers at CISA [potentially the picks to lead the Cybersecurity and Infrastructure Security Agency’s cybersecurity division and to be the director of CISA], given his previous experience at NPPD working with them. He understands the cost and impact of setting policies and he’s not afraid to roll up his sleeves and focus on implementation. He also has the ear of the right people in the West Wing, given his deft leadership and management on the Biden campaign.”
DeRusha comes into the role with a huge to-do list.
Schneider said he sees three big challenges and opportunities for DeRusha.
“First is establishing the cybersecurity roles and responsibilities of OMB, National Security Council, the National Cyber Director, CISA and the agency CISOs; second is driving supply chain risk management policies and assessments as the likely chairman of the Federal Acquisition Security Council in the midst of the SolarWinds Orion incident; and third to strengthen the partnership between OMB, CISA and agency CISOs,” he said. “My advice to Chris is to create a set of shared federal cybersecurity objectives with the NCD, NSC, CISA and agency CISOs and then maintain a vigilant focus on achieving them. Don’t let the urgent get in the way of the important.”
A current federal cyber official, who requested anonymity because they didn’t get permission to talk to the press, said DeRusha’s background in cyber and particularly with federal networks will be important as he puts his own mark on the federal CISO role.
“Chris knows the challenges, both in terms of what the adversary presents and what is needed to move the federal government forward. The key for Chris will be how he is supported from above, if he is given a strong mission,” the official said.
Stuntz said one important focus area for DeRusha is for him is to work with agency budget experts to help prioritize the right type of cybersecurity funding and projects. He said the current challenges are not just technical or agency-specific but will require new ways of operating and managing people, processes and technology.
Nodurft added DeRusha’s initial challenge will be to help agencies continue to recover from the SolarWinds incident. But the supply chain challenges remain.
“I think one of his biggest challenges will be getting his arms around the ICT supply chain issues. At the end of the last administration, there were several disparate efforts in flight focused on various aspects of managing the federal government’s cybersecurity supply chain risk,” he said. “He has a big task ahead of him to pull together those efforts and get the Federal Acquisition Security Council (FASC) running in the way Congress intended.”
Nodurft also said DeRusha must use his position to help drive “congruent policies in both the Federal Civilian agencies and DoD. I hope that he can pull together the right leaders across those spaces to make sure the security compliance efforts and the approaches to secure software development are compatible and – where possible – complementary.”
Before joining the Biden campaign as its CISO, DeRusha was CISO for the state of Michigan and spent five years at DHS and two years as a senior cyber advisor for the White House.
“I am delighted to see the Biden administration choose such a qualified CISO who brings deep government and industry cyber expertise back into the White House. In light of SolarWinds and CMMC struggles, this is the right time for an all of government approach,” said John Weiler, the executive director of the IT Acquisition Advisory Council (IT-AAC).