The White House issued new guidance last week that for the first time gives the Department of Homeland Security the authority to conduct “regular and proactive” scans of civilian agency networks for cybersecurity threats.
In a memorandum issued Oct. 3 on improving federal information security and privacy management practices, the Office of Management and Budget essentially gave DHS the authority to scan agency networks without first receiving permission from the agency being scanned.
“In a rapidly changing technological environment, we must have robust procedures, policies and systems in place to protect our nation’s most sensitive information,” Beth Cobert, OMB’s deputy director for management, said in a blog post. “Growing cybersecurity threats make it ever more important for the federal government to maintain comprehensive information security controls to assess and mitigate emerging risks.”
By Nov. 14, agencies will need to grant DHS the authority to scan their networks regularly and to develop a semiannual list of all public-facing, Internet-accessible addresses and systems. Agencies will also enter into a memorandum of agreement with DHS to use its intrusion detection and prevention system, Einstein.
Each agency will designate a person to communicate with DHS about scanning activities. The agency will also regularly provide DHS with the names of any vendors that manage or host security for its information systems. OMB also called on DHS to provide a blanket purchase agreement through which federal, state and local entities can procure cybersecurity tools to improve their monitoring and defense. These tools would provide near-real-time risk information to agencies, allowing them to detect and respond to incidents.
“These substantial improvements should not distract from the important work that lies ahead,” Cobert said in the blog post. “Evolving cybersecurity incidents underscore why agencies must remain ever vigilant to combat emerging threats.”
The memo also re-emphasizes questions that have been at the forefront of potential cybersecurity legislation since late 2013, namely how the government can improve cybersecurity information sharing and which agency should ultimately be responsible for leading federal efforts. In October 2013, a cybersecurity information sharing bill was reported to be in the works in the Senate Intelligence Committee; however, none of the cybersecurity bills introduced by the committee since then has made it to the Senate floor.
The Senate’s Homeland Security and Governmental Affairs Committee, however, has put forward several bills focused on cybersecurity — specifically, reforming the Federal Information Security Management Act of 2002. Most recently, the 2014 update to FISMA was pushed out of committee and onto the floor, where it still awaits action.
And although enabling DHS to regularly scan agency networks is a big step for OMB’s cybersecurity policies, work on the issue will continue, according to the memo. Cybersecurity will remain one of the Obama administration’s fiscal year 2015 cross-agency priorities.
“Ensuring the security of information on the federal government’s networks and systems will remain a core focus of the Administration as we move forward aggressively to implement new protections and respond quickly to new challenges as they arise,” Cobert said in the post.
“[The OMB memo’s] measures are consistent with the modernizations that Dr. [Sen.] Coburn, [R-Okla.] and I have been calling for in our FISMA reform bill,” Sen. Tom Carper, D-Del., told FedScoop in a statement. “Still, more needs to be done to further clarify the roles of the Office of Management and Budget and the Department of Homeland Security to move away from paperwork-heavy processes and better inform stakeholders of major cyber incidents at federal agencies.”