News Feature | October 31, 2014

New OMB Guidance Empowers DHS To Scan Civilian Networks Regularly

By Christine Kern, contributing writer

Government IT News For VARs — December 10, 2014

The Office of Management and Budget (OMB) has released guidance that gives the Department of Homeland Security (DHS) the authority to scan unclassified civilian systems and addresses for cyber threats, in part because of the agency’s recent inability to respond quickly to vulnerabilities like Heartbleed and Shellshock, according to FedTech Magazine.

“The federal government's response to the ‘Heartbleed’ security vulnerability highlighted the need to formalize this process, and ensure that federal agencies are proactively scanning networks for vulnerabilities,” Office of Management and Budget Director Shaun Donovan said in an Oct. 3 memo to department heads. “This year's guidance clarifies what is required of DHS and federal agencies in this area.”

The new guidance on Improving Information Security and Privacy Management Practices is significant because, for the first time, it “establishes a new process for DHS to conduct regular and proactive scans of federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents,” according to Beth Cobert, OMB’s deputy director for management, in a blog post.

In the blog post, Cobert explained, “This new process complements existing agency information security operations, to include network scans, and will provide a consistent scanning methodology that quickly identifies risks and vulnerabilities that may have government-wide implications.”

DHS concurrently published the FY 2015 Chief Information Officer (CIO) Annual Federal Information Security Management Act (FISMA) Metrics and updated U.S. Computer Emergency Readiness Team (US-CERT) Incident Notification Guidelines. The FISMA Metrics are designed to move agencies closer to better security practices, while the US-CERT Incident Notification Guidelines are designed to streamline the way agencies report cybersecurity incidents and to improve the response to emerging threats.

But according to Nextgov reporter Aliya Sternstein, the new process unveiled last week by DHS does more than just ensure networks stay safe; it also gives DHS the unprecedented power to monitor these public-facing civilian agency networks.

DHS officials told Nextgov “in the past, the department would have to obtain essentially permission slips from agencies before using Einstein and scanning their systems,” Sternstein wrote, referring to the diagnostic hardware and software suite currently used to detect and prevent cyber-attacks. “Officials added that DHS now has 110 agreements from agencies to scan for vulnerabilities.”

The new guidance also means that if an agency detects any type of data interruption or data breach, it must now report the incident to DHS within one hour of the confirmed data loss. Previously, agencies only had to report incidents involving the compromise of personal information.