In early 2024, when the federal government got wind of certain Ivanti vulnerabilities, it immediately advised civilian executive branch agencies to disconnect these solutions to prevent potential compromise and credential theft. Thanks to recent federal directives, agencies were able to quickly shift to a zero trust solution and resume operations with minimal effort and downtime.
Chris DeRusha, Federal Chief Information Security Officer (CISO) at the Office of Management and Budget (OMB), shared illuminating insights at a fireside chat I hosted during Zscaler’s recent public sector summit in Washington, D.C. DeRusha and I spoke about the implementation of the OMB’s 2022 zero trust executive order and the transformative changes sweeping through technology and culture in the federal government.
A strategic mandate for the federal government
DeRusha's tenure has coincided with a pivotal moment in federal cybersecurity that led to a strategic reassessment of security frameworks across hundreds of diverse federal agencies. The reassessment led to the realization that zero trust is more than just a security protocol: it’s a fundamental shift in cybersecurity strategy. Zero trust requires both modernizing security practices and standardizing security approaches across all federal agencies. To achieve this, the OMB set out to transform both technologies and mindsets.
Realigning performance metrics
After the SolarWinds attack impacted both commercial businesses and government agencies, the White House issued its May 2021 Executive Order on Improving the Nation's Cybersecurity. The order and its subsequent follow-up served as catalysts for the adoption of zero trust principles by federal agencies. These directives mandate that agencies achieve specific goals by the end of the 2024 fiscal year, with a clear imperative: new methodologies are necessary to proactively mitigate risks. DeRusha responded by crafting a three-year action plan with well-defined milestones and measurable outcomes. His plan leveraged new frameworks and maturity models.
“We completely refactored the way that we measure progress. We used our existing FISMA frameworks and made our M-22-09 goals the core metrics for the past couple of years. So we now can look at several years’ worth of data to see how we are progressing with all the actions we have directed—and we're able to get super specific,” said DeRusha.
These outcome-based metrics became the cornerstone of the federal zero trust initiative. The new reporting approach provided not only greater breadth but also more depth.
Metrics drill down into granular details, including phishing-resistant defenses and multi-factor authentication (MFA) implementations, as well as system- and user-level security outcomes. Hardware tracking improved, too. Anti-phishing technologies, MFA encryption, encryption for data at rest, and endpoint detection and response (EDR) are all tracked in critical systems.
Of course, no major change is easy. DeRusha admitted that there were challenges managing stakeholder expectations during the transition to outcome reporting. But confidence grew over time as both qualitative measures and outcome trend lines steadily climbed.
Zero trust for successful outcomes
For DeRusha, pivoting to zero trust solutions was critical to the success of the new strategy. New reporting demonstrated significant gains in speed and throughput, along with significantly lower latency. Agencies realized these benefits by switching to a cloud-based zero trust service that combines network and security-as-a-service functions. As a result, when federal agencies were alerted to the Ivanti vulnerabilities, there was no hesitation in transitioning hundreds of thousands of employees from VPN to a zero trust solution in a matter of days. The speed of this technology shift demonstrated the maneuverability made possible by the simplicity of its underlying architecture.
Transforming the federal government culture: aligning budgeting, resources, and frameworks
Apart from positive security outcomes resulting from zero trust, DeRusha also noted that federal agency culture is moving toward a zero trust mindset, where cybersecurity is prioritized because it’s recognized as beneficial to the organization. Cybersecurity budgeting has become more strategic.
He explained that CFOs at federal agencies and OMB's resource management offices have come to rely on the new outcome-based metrics reporting to quantify the value of the agency investment. These metrics support the Administration’s cybersecurity appropriations requests for civilian agencies, which have increased by 30% in two years to $13 billion.
While these advances at the federal level are encouraging, DeRusha acknowledged that there is room for growth in terms of orchestration and funding across the regional, state, and local landscape. Prior to his most recent roles at the federal level, he served as the CISO for the State of Michigan, so he understands the concerns faced by state and local governments.
Over the past decade, cyberattacks—especially advanced persistent threats—have expanded to target regional, state, and local governments and under-funded utilities. DeRusha is working to address the funding issue by standardizing grant guidance for cybersecurity. While it’s challenging for under-resourced utilities to incorporate some requirements, he emphasized that progress is being made with the help of stakeholder input.
The Technology Modernization Fund provides a funding model that reimagines how the government uses IT to deliver a simple, seamless, and secure digital experience to the American public. The fund has supported investment in zero trust implementations and galvanized individuals to accelerate those implementations. Additionally, the fund helps agencies respond to unexpected cybersecurity events or technology modernization needs.
“I'm so excited about the progress I've seen every quarter, particularly with the zero trust investments we've made,” said DeRusha.
Looking toward a more resilient future
As the federal government continues its zero trust journey, DeRusha underscores the importance of harmonization and accountability. He points out that governments—in the U.S. and in other countries—can navigate the evolving threat landscape and strengthen their cybersecurity posture by leveraging existing frameworks and fostering collaboration with stakeholders. Moreover, prioritizing collaboration, innovation, and strategic alignment can catalyze federal agencies to embrace zero trust principles to enhance resilience. As DeRusha noted, proactive engagement and a forward-thinking mindset are equally important in shaping a secure future for federal agencies and stakeholders.
“We're hitting critical mass now. There’s a huge momentum around zero trust, and I think harmonization is going to really help us alleviate some of the duplication and create consistency and better outcomes if we all focus on contributing our ideas and standardizing our approach,” DeRusha said.