OMB Removes Hurdles that Added a Week to DHS’s Heartbleed Response
Published: October 08, 2014
When the Heartbleed security bug hit the news last spring, the existing government rules slowed the Department of Homeland Security’s (DHS) efforts to respond and protect civilian agency networks by a week. Now the Office of Management and Budget (OMB) has issued new policy intended to remove those hurdles.
At a recent industry event I attended, Roberta “Bobbie” Stempfley, Deputy Assistant Secretary for Cybersecurity Strategy and Emergency Communications at DHS, commented that when Heartbleed came to light, the rules on the books at the time required DHS to go to each civilian department to establish a memorandum of understanding (MOA) and receive permission to scan their network for the vulnerability. Those requirements added a week to DHS’s response to the threat.
In a blog post announcing the new policy, Beth Cobert, OMB’s Deputy Director for Management, said that the guidance “establishes a new process for DHS to conduct regular and proactive scans of Federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents” (emphasis added). The updated guidance applies only to civilian agency networks and does not affect classified or national security systems or networks.
DHS also released two related documents concurrent with the OMB release:
- FY 2015 CIO Annual Federal Information Security Management Act (FISMA) Metrics are the latest effort to improve the quality of the metrics to determine whether current processes are actually making agency networks and information more secure.
- Updated U.S. Computer Emergency Readiness Team (US-CERT) Incident Notification Guidelines streamline the way agencies report cybersecurity incident information to US-CERT while improving US-CERT’s ability to quickly respond to emerging cybersecurity threats.
In another account from the event, Stempfley noted that when OMB, DHS and the Federal CIO Council looked at the existing rules that impeded the Heartbleed response, "we found that to be a very easy thing to change."
As is so often the case, policies and procedures that stand in the way of rapid response do not get changed until an event raises awareness of the roadblocks in place. In the case of Heartbleed, it appears that DHS and the rest of the civilian agencies dodged the bullet and were minimally impacted. Let’s hope federal cybersecurity policy makers can stay on the proactive side of that equation from now on.