DHS to Scan Agencies' IT for Vulnerabilities
Scans Seen as Hastening Response to Cyber-Incidents
Prompted by Heartbleed bug and other vulnerabilities, the White House is giving the Department of Homeland Security authority to conduct regular and proactive scans of federal civilian agency networks.
"The federal government's response to the Heartbleed security vulnerability highlighted the need to formalize this process, and ensure that federal agencies are proactively scanning networks for vulnerabilities," OMB Director Shaun Donovan says in a memorandum to heads of executive departments and agencies.
Annual cybersecurity guidance issued Oct. 3 by OMB establishes the scanning process that the administration contends will allow for faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents.
Need for Robust Procedures
"In a rapidly changing technological environment, we must have robust procedures, policies and systems in place to protect our nation's most sensitive information," Beth Cobert, OMB deputy director for management, says in a White House blog posted Oct. 3, announcing the initiative. "Growing cybersecurity threats make it ever more important for the federal government to maintain comprehensive information security controls to assess and mitigate emerging risks."
Because of the current law that governs federal government IT security, the Federal Information Security Management Act, DHS was delayed up to 10 days from helping agencies mitigate the Heartbleed vulnerability last spring, DHS Deputy Undersecretary for Cybersecurity Phyllis Schneck said in a September interview (see FISMA Reform Awaits Another Day).
In an interview with the Lawfare blog, Schneck explained that when DHS wanted to scan civilian agencies' systems for vulnerabilities, some agencies' lawyers balked, which Schneck said wasted valuable time. "To their credit, the lawyers were looking at the legal ways that we'd be getting on the network," Schneck says in the interview. "We lost a lot of time" - seven to 10 days - "and gave the bad guys an advantage with that. So, we're looking to mitigate that [moving] forward."
The new directive from OMB is meant to remove that barrier so that DHS can scan agencies' systems for vulnerabilities without waiting for Congress to pass FISMA reform legislation, which is stalled.
In conjunction with the announcement of the proactive scanning program, DHS published its fiscal year 2015 annual FISMA metrics for agencies' chief information officers. The FISMA metrics are the result of a yearlong inter-agency process to improve the quality of the metrics. "Ultimately, these metrics are more than just a compliance exercise - they will get us closer to determining whether our processes are actually making us safer," Cobert says.
DHS also updated the U.S. Computer Emergency Readiness Team incident notification guidelines, which Cobert says streamline the way agencies report cybersecurity incident information to US-CERT, while improving US-CERT's ability to quickly respond to emerging cybersecurity threats.
Instituting New Procedures
According to the new directive, DHS will:
- Continuously scan Internet-accessible addresses and public-facing segments of federal civilian agency systems for vulnerabilities, without prior agency authorization on an emergency basis, where not prohibited by law.
- Maintain a mechanism for reporting vulnerabilities in federal department and agency websites and systems. Contracted third parties and cloud service providers should report vulnerabilities to the relevant agencies, which should in turn report them to DHS.
- Continue to deploy consolidated intrusion detection and prevention capabilities to protect federal department and agency information and information systems.
The new guidance also requires agencies, by Nov. 14, to provide DHS with an authorization for scanning of Internet-accessible addresses and systems and to furnish a complete list of all Internet-accessible addresses and systems, including static IP addresses for external websites, servers and other access points, and domain name service names for dynamically provisioned systems.