The Cybersecurity Framework's Role in the Heartbleed Saga

If you’re wondering who’s using the federal government’s Cybersecurity Framework and what impact it’s having, you don’t have to look far.

The framework guided the response to Heartbleed, the notorious security vulnerability in OpenSSL encryption software, White House Cybersecurity Coordinator Michael Daniel said during the Gartner Security & Risk Management Summit in Maryland last week. He called the Heartbleed response a real-world example of the framework in action.

“In responding to Heartbleed, the federal government worked through all of [the] steps outlined in the Framework (Identify, Detect, Protect, Respond, Recover) and [in] so doing validated its efficacy as an approach to cybersecurity,” Daniel’s prepared remarks state.

The Department of Homeland Security played a central role in coordinating a response to Heartbleed for the dot-gov domain. In April, Phyllis Schneck, deputy under secretary for cybersecurity for DHS’ National Protection and Programs Directorate, gave an overview of what that response entailed. DHS worked with agencies to ensure network defenses could detect “someone trying to use the exploit and in many cases to block those attempts,” Schneck wrote in a DHS blog post.

But even the best framework can’t protect what it doesn’t have access to. Following the government’s immediate response to Heartbleed, Schneck told senators at a May hearing that DHS’ efforts were delayed by a lack of explicit statutory authority to scan agencies’ networks, Federal News Radio reported.

"So as fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we could scan their systems. That cost us five to six precious days in some cases," Schneck said. "The whole world knew about this vulnerability and all the information they could capture, while we were lawyering. If we had the clarification in law that this was our role, we would have gotten started a lot faster."