The Office of Management and Budget is attempting to solve one of the big holes in federal cybersecurity exposed by the Heartbleed vulnerability a few months ago.
The White House is giving the Homeland Security Department the authority to regularly conduct proactive scans of certain civilian agency networks.
Beth Cobert, OMB’s deputy director for management, said in a blog post scheduled to be published later this afternoon and obtained by Federal News Radio that this new process will “enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents.”
Agencies also have to provide DHS with the authorization to scan their Internet-accessible websites and systems.
“This mechanism should supplement existing agency information security operations to include network scans, and is intended to provide a consistent scanning methodology that can quickly identify threats and vulnerabilities that may have governmentwide implications,” OMB Director Shaun Donovan wrote in the guidance, which Federal News Radio also obtained.
This new mandate for DHS is one of a handful of changes to the annual Federal Information Security Management Act (FISMA) guidance OMB is issuing Oct. 3.
OMB added this new requirement for DHS to scan civilian agency networks in the aftermath of the Heartbleed vulnerability. During that time, DHS had to get permission from agencies to scan their networks, which delayed its mitigation strategy by a few days.
DHS made it clear in May during a House hearing that it needed Congress to give it more authorities to scan agency networks.
Andy Ozment, the assistant secretary of the Office of Cybersecurity and Communications in DHS, told Federal News Radio in an interview before OMB issued the FISMA guidance that when DHS doesn’t have the explicit authorities it needs and Congress wants it to have, everything becomes harder.
“When this Heartbleed vulnerability came out, a key question obviously was, is the federal government vulnerable to it, in how many places, and when have we fixed it? Departments and agencies did and should scan themselves to see where they were vulnerable,” Ozment said. “However, at the same time, if you are taking an enterprise approach, if you are the White House, say, and you want to say departments and agencies are scanning themselves and they are telling me they are vulnerable with eight computers, I want to be able to double check and make sure we can verify that. Second, I, as the White House, want to be able to stay on top of this and say, ‘This department isn’t moving fast enough and I need you to do it faster. So for both of those reasons, I need someone to scan the government and tell me where I stand.’ There’s an additional reason: smaller departments and agencies may not be able to, or may not have chosen to, scan themselves, so I need that belt and suspenders for that reason as well.”
Ozment said the White House asked DHS to scan civilian agency networks earlier this year, but it could only scan a handful. He said DHS had been asking agencies for more than a year to sign a memorandum of agreement (MOA) allowing its cyber experts to scan their networks, but only a few had signed the MOA.
“We spent a week, rather than scanning the government and understanding how vulnerable we were, knocking on doors, calling CIOs and asking them to sign the document,” he said. “They did and we are well postured for now. But at any time, a CIO could cancel the agreement. That’s why we need Congress to get involved.”
So, in the meantime, while Congress decides whether it will update FISMA and other cyber laws, OMB is putting in policy the requirement for agencies to give DHS the ability to scan their networks.
In the guidance, OMB says DHS shall scan Internet addresses and public-facing segments of federal civilian agency systems on an ongoing basis; on an urgent basis in response to newly discovered vulnerabilities; and, on an emergency basis, without necessarily having prior agency authorization.
DHS also will take six other steps, including developing a way to report website and system vulnerabilities, continuing to deploy intrusion detection and prevention capabilities, and providing agencies with the specific results of their scans.
OMB said agencies must take eight steps, including providing DHS with authorization to scan specific networks and systems by Nov. 14; providing DHS with a list of all Internet addresses and systems on a semiannual basis; entering into an MOA so DHS can deploy the Einstein program software; and providing DHS with the names of vendors who manage, host or provide security for these specific types of systems.
Along with the new scanning requirement, OMB also updated FISMA metrics and security incident-response requirements.
The improved FISMA metrics came out of OMB, the White House’s National Security Staff and DHS soliciting input from more than 100 federal cyber experts from the 24 largest agencies. Those experts made more than 200 recommendations to simplify reporting requirements and to focus on outcomes such as anti-phishing and malware defense measures.
“Ultimately, these metrics are more than just a compliance exercise. They will get us closer to determining whether our processes are actually making us safer,” Cobert wrote.
Agencies also must start reporting all cyber-related incidents with a confirmed loss of confidentiality, integrity or availability to DHS’ Computer Emergency Readiness Team (US-CERT) within one hour of the information reaching the agency’s top-level computer security incident response team, security operations center or IT department.
In July 2006, OMB required agencies to notify US-CERT if any personally identifiable information was lost or stolen. This new requirement expands that to include any potential attack, whether or not data was lost or exposed.
Donovan wrote in the memo that OMB plans to pilot these reporting changes to figure out how best to update the existing instructions for incident reporting.