It was announced in early October that the Department of Homeland Security has been granted the authority to regularly scan federal civilian agencies for network vulnerabilities.
When the Heartbleed vulnerability was discovered last spring, DHS officials were delayed for as long as 10 days before being able to help agencies mitigate the effects because of regulations within the Federal Information Security Management Act (FISMA), which governs federal government IT security. According to a statement made by Shaun Donovan, director of the Office of Management and Budget, the federal government’s response to Heartbleed and other cybersecurity vulnerabilities has proven the need for a more formalized process to identify and defend against cyberattacks.
Enhancing agency security with increased scanning
Donovan went on to say that the new authority afforded to DHS supplements the security operations already in place by most agencies to include network scans. The additional protections provide consistent scanning that is more adept at quickly identifying vulnerabilities and threats that may have government-wide implications. OMB’s new directive aims to tear down the barrier stopping DHS from performing checks of agency systems without having to wait for Congress to pass FISMA reform legislation.
“In a rapidly changing technological environment, we must have robust procedures, policies and systems in place to protect our nation’s most sensitive information,” Beth Cobert, OMB deputy director for management, wrote in a White House blog announcing the initiative. “Growing cybersecurity threats make it ever more important for the federal government to maintain comprehensive information security controls to assess and mitigate emerging risks.”
Cobert added that the new process will allow for DHS to respond faster and more effectively to cybersecurity vulnerabilities and incidents.
While DHS is being given greater authority to scan networks, there is still a requirement for agencies to give permission for their networks to be scanned. However, prior authorization only pertains to the ability to perform scans on an ongoing basis. Scans in response to a newly discovered threat performed on an urgent basis don’t require authorization ahead of time. The OMB’s new directive also requires agencies to report any cyber-related incidents that deal with a confirmed loss of integrity, confidentiality or availability to the DHS Computer Emergency Readiness Team. Such occurrences must be reported within one hour of the information reaching the agency’s top-level computer security team or IT department.