The Department of Veterans Affairs appointed Lynette Sherrill as the agency’s new CISO and deputy assistant secretary for information security Aug. 28. Sherrill, who has been serving in an acting position, succeeds Paul Cunningham who left the position in February.
"I am proud to announce that Lynette Sherrill is named the Deputy Assistant Secretary for Information Security and CISO for VA effective August 28," VA CIO Kurt DelBene said. "Ms. Sherrill will lead cybersecurity programs and risk management activities to protect Veterans and ensure secure and reliable operation of VA information systems."
As CISO, Sherrill will lead VA’s Office of Information Security (OIS), which establishes the vision, defines the strategy and leads the implementation of the agency's enterprise-wide cybersecurity program.
Sherrill is also driving efforts to implement continuous evaluation of systems and metrics, coordinating cybersecurity responses across the enterprise and provide cybersecurity architecture, monitoring and incident response across Veterans Health Administration, Veterans Benefits Administration and National Cemetery Administration.
Prior to her promotion, Sherrill served as acting CISO for seven months, where she was responsible for high-profile efforts, including the development of VA’s new Zero Trust First Cybersecurity Strategy. Before that, Sherrill served as the executive director of enterprise command operations at the VA, where she supervised the enterprise service desk, enterprise command center and major incident problem management teams.
"As she begins her role as the permanent CISO, I’m confident she will continue to lead with vision and passion in service of our nation’s Veterans,” DelBene added.
VA also appointed Faith Roy as deputy CISO and executive director for cybersecurity integrations, logistics and planning in OIS where she will provide information security multi-year programming, budget formulation and execution consistent with strategic goals and objectives. She will also help develop plans and strategies to optimize information security and privacy programs and develop IT initiatives in response to critical IT security and privacy concerns.
The permanent appointments follow a June 2022 House Committee on Veterans’ Affairs Subcommittee on Technology Modernization hearing where Michael Bowman, director of the IT and security audits division at the VA Office of Inspector General’s (OIG) Office of Audits and Evaluations, said that the VA’s fiscal year 2021 Federal Information Security Modernization Act (FISMA) audit showed “limited progress.”
To improve its cybersecurity posture, DelBene said VA is assessing its cyber readiness and bolstering its strategy through hiring cyber engineers, building out zero trust and allocating additional resources to secure critical assets.
"There's nothing more important than cybersecurity,” DelBene said during Digital Government Institute’s 930gov conference last month. “Just getting people to understand that even before that next feature, being secure is what's more important ... cybersecurity needs to be a single kind of dial tone that always works.”