Exit interview: Mitch Herckis

Mitch Herckis, the former branch director for federal cybersecurity in White House Office of the Federal CIO, recently left his post to join cloud security firm Wiz as its global head of government affairs. 

“Mitch has been integral in the administration’s efforts to transform federal cybersecurity, playing a key leadership role in government-wide implementation of the president’s executive order on cybersecurity. We wish him the best on his next chapter, and know he will continue to serve as a thought leader and vocal advocate in the cybersecurity community,” Chris DeRusha, the federal CISO and deputy national cyber director for federal, told Nextgov/FCW in a statement.

In an exclusive exit interview, Herckis reflected on his time in government and where federal security posture is headed next.

The following has been edited for length and clarity.

Nextgov/FCW: Walk us through your time here. What were the biggest challenges you faced, and what were some surprise turnouts?

Herckis: I joined in 2021. Executive order 14028 was already out there and we were determining how we would implement that. And it was a very aggressive, broad executive order brought on by the [cyber] risks seen by the administration coming off the heels of Solar Winds and some of the other sophisticated attacks that the federal government was seeing. 

I was extremely proud of the work we were able to do in getting really substantive plans from every agency as far as putting together a broad vision for federal zero trust and what that federal zero trust strategy looks like. I think we made the right decision trying to build a foundation because zero trust is really a journey and we want to define what the baseline looks like for agencies. And I think that was achieved with [the order on zero trust]. 

I think engaging with the agencies early and often and building support, whether that’d be reviewing their implementation plans or how we engage with them as they reported quarterly through their FISMA reporting to ensure that they were on the right path — we ended up in a positive place where agencies have both technologically and culturally moved towards this zero trust posture and are on a pathway to long term success. 

When it comes to the challenges, the federal government does a thousand different things. One size doesn’t fit all. So as we get past more of these enterprise systems and move to these more complex systems, often with operational technology and unique use cases, we have to be thinking more about what zero trust looks like in these unique use cases. One of the challenges that exists as we continue down that path is ensuring we don’t leave those folks behind. And we’ve been doing that through things like our [internet of things] efforts and our IoT Working Group, which was just launched.

Nextgov/FCW: On zero trust framework efforts, September is a major zero trust deadline for federal agencies. You're leaving as they’re trying to finalize that. How is progress looking?

Herckis: We’re two years into a three-year process, give or take. I’m really proud of how much support we’ve been able to give to agencies over those first few years to thrive, learn and figure out where they need to pivot along the way. 

Now we’re getting down to areas where there will be challenges and we have to solve for unique use cases. So we’re getting literally system-level data through our quarterly FISMA reports that we are able to leverage to have those real conversations with agencies about what systems have not been able to implement unique zero trust use cases have not made that transition yet and triage those and work with them. 

Moving forward, I think we’ll continue to have conversations around what those elements are, whether we know them through things like the post-quantum cryptography inventory, or through our quarterly work with FISMA. What are those systems that are just not going to make this leap and need to be modernized to meet the challenges? That’s part of the national cyber strategy implementation plan. That’s part of the work we are doing over the next several months that would identify and create plans for those systems that will not meet those [zero trust] deadlines — that’s something we are prepared for. This is not a one-person job by any means. And I’m really proud of how far this team has pushed to this and I have full faith in their ability to continue to execute all this.

Nextgov/FCW: Some folks in the security community have pushed back on zero trust terminology, labeling it as a management structure that, for some, is impossible or too cumbersome to implement. What’s your message to those who say it isn’t feasible?

Herckis: Zero trust is always a journey, right? Defining what it looks like as a foundational tool for the federal government is something that we did with M-22-09 that I’m very proud of. I think CISA did a great job with their zero trust maturity model as well. And that gives agencies a kind of progression scale where they can move forward. This will continue. This will not be a dynamic where every agency will be fully protected if they checked every box by September. That is a step forward toward being in the right posture and being in the right security framework, and then they will need to continue on that journey. Unfortunately, we have to continue to adapt to the changing tactics of adversaries out there and we need to continuously adapt to changing technology as AI becomes more functional and ingrained in security culture and in service delivery.

Nextgov/FCW: Talk about identity pilot programs like changes to CAC cards usage. Where are we with that? What about other identity management systems helping to keep agencies and their employees more secure?

Herckis: I think our communities of action around MFA, phishing-resistant MFA and FIDO2 have been really helpful in helping agencies pilot other technologies, not just [Personal Identity Verification] and [Common Access Card], but also looking at where there are gaps, and how they move toward more phishing resistant options.

PIV is a great technology. I expect it to be around the government for a long time. But it can’t be the only option because it does take time to issue cards and maintain that kind of environment. So we have to realize just like I was talking about with zero trust in general, there will be systems that this will not fit on. How do we find other phishing resistant means, or other ways that will reduce the user drag? What if employees are in remote locations or they're on a unique system and will allow for that service delivery efficient use for everyone across government? 

I think there is a big shift in how agencies are thinking about this. They’re still thinking of PIV as a primary option, but also considering that if it's taking six to eight months to onboard someone, what do they do in the interim? How do they ensure that there are options that allow for a more diverse marketplace if there are systems and platforms where the PIV card may not be the first or best use?

Nextgov/FCW: I’d imagine recent hacking incidents over the past year that have targeted these federal agencies are a good motivator for these initiatives. 

Herckis: I can’t think of a better motivator. The federal government is a high-value target for a lot of adversaries and identity is so heavily emphasized in M-22-09 because it is an area where adversaries have historically focused as an interim point, so we have to recognize that, adapt to the threats that we see and reduce the risk surface as much as possible. Regular multifactor authentication is better than username and password, but we really need to recognize there is social engineering out there. And pushing towards a phishing resistant ideal is going to do a dramatic amount to reduce the [cyber] risks against the federal government. I expect leadership will continue to push forward on that and make sure that we're finding new and innovative ways to implement that wherever possible.

Nextgov/FCW: What are you hoping the White House can achieve with these initiatives that you laid the groundwork for?

Herckis: I think the aim is to continue. Another thing important to mention is the secure by design work that’s going on and recognizing that this current framework — the vulnerability and patch cycle, maintaining secure code, having better code from the beginning, being able to quickly identify risks within existing systems and quickly remediate those risks — has to get faster just because of the speed of exploits these days. 

The FedRAMP emerging tech framework that’s due March 11 focuses on where we put our best when it comes to expediting certain cloud services. That kind of effort is going to be critical.

Nextgov/FCW: Any closing remarks, and anyone in particular you want to thank? 

Herckis: I’ve loved having this opportunity to serve on the federal government level. I’ve worked with state and local governments, both within and outside of them working with the federal government for a long time on things like cyber security and cyber risk. I really loved having this opportunity to kind of get the perspective from working with the federal CISOs and federal CIOs on the frontlines of this day. I’m really impressed by their dedication to this and I'm really proud of the kinds of foundations we've built there.

Clare Martorana and Chris DeRusha’s leadership have been invaluable, especially their clear vision for driving security and risk reduction and recognizing that these two things go hand in hand. I’m really proud of the team I've been a part of over the last three years, and just very excited to see them continue to execute and succeed.