In the absence of explicit statutory authority for DHS, the Office of Management and Budget released guidance last week that empowers the department to scan Internet-accessible, unclassified civilian federal systems and addresses for cyberthreats.
Ambiguity regarding the department's authority to scan civilian networks has hampered its detection and response efforts. DHS’ immediate efforts to combat Heartbleed were delayed due to a lack of explicit statutory authority to scan agencies’ networks, Phyllis Schneck, deputy under secretary for cybersecurity and communications for DHS’ National Protection and Programs Directorate, testified at a Senate Appropriations Committee hearing in May.
“So as fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we could scan their systems. That cost us five to six precious days in some cases,” Schneck said.
“The whole world knew about this vulnerability and all the information they could capture while we were lawyering,” she told lawmakers. “If we had the clarification in law that this was our role, we would have gotten started a lot faster.”
The OMB memo for the first time “establishes a new process for DHS to conduct regular and proactive scans of federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents,” according to Beth Cobert, OMB’s deputy director for management.
The guidance does not pertain to classified or national security systems and networks. In the memo, OMB director Shaun Donovan said the new requirement is “based on assessments of emerging threat activities.”
Among its points, the OMB memo authorizes DHS to:
• Scan civilian networks on a regular and urgent basis, “to include without prior agency authorization on an emergency basis where not prohibited by law”
• Continue deploying consolidated intrusion detection and prevention capabilities to protect federal information systems
• Provide agencies with their specific results of DHS scanning and reports
• Offer additional risk and vulnerability assessment services for agencies upon request
Federal agencies have been directed to provide DHS with an authorization for scanning their Internet-accessible IT assets. They also are to ensure that third-party vendors tasked with securing their external websites and servers provide the necessary authorization for DHS to scan those systems. Agencies must work collaboratively with OMB and DHS to address any security risks and vulnerabilities associated with those assets and promptly report incidents to the U.S. Computer Emergency Readiness Team (US-CERT).
“Agencies may consider providing the results of the DHS scans to their Office of Inspector General, as appropriate,” the memo states. DHS ultimately will have access to security vulnerability reports that cloud providers share with their agency customers and the Federal Risk and Authorization Management Program, or FedRAMP.
In addition to the DHS security scans, the government is pushing agencies to adopt automated software tools that continuously scan their own networks. These near-real-time security checks can inventory all hardware and software connected to an agency's network and verify whether that technology is properly configured, among other capabilities.