How should agencies prepare for federal security scanning?

What do agencies need to consider before going through the Department of Homeland Security's network security scanning? Expert Mike Chapple answers.

The U.S. Office of Management and Budget recently granted the Department of Homeland Security the authority to scan civilian agency networks for potential threats, and new regulations for compliance with the Federal Information Security Management Act (FISMA) require agencies to agree to this scanning. What do government agencies need to consider now that parts of their networks are essentially being scanned by a third party?

Beth Colbert, deputy director of the Office of Management and Budget, recently wrote a White House blog post outlining steps that the government is taking to enhance the security of federal information systems. Among those measures is a provision that allows the Department of Homeland Security (DHS) to conduct "regular and proactive scans of Federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents."

What does this mean for affected federal agencies? The bottom line is that someone is now looking over their shoulders to make sure they are living up to security standards. Overall, this move should improve the federal government's cybersecurity posture by ensuring every network is scanned using a consistent method and that the results are compiled and reported by a quasi-independent party. The scans will cover all public-facing segments of federal civilian agency systems and will run both on a scheduled basis and in response to urgent security vulnerabilities. All federal agencies must cooperate with the scans by taking seven steps:

  1. Provide DHS with written authorization to perform scans and renew that authorization twice each year
  2. Provide DHS with a list of all Internet accessible systems and IP addresses every six months and provide five-day advance notice of any IP range changes
  3. Sign a Memorandum of Agreement with DHS for the deployment of intrusion prevention systems
  4. Provide DHS with the names of any vendors involved in the management or security of Internet-accessible systems
  5. Provide DHS a point of contact for technical issues related to scans
  6. Work with OMB and DHS to mitigate any vulnerabilities identified by the scans
  7. Report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT)
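Step 2 means an agency must know at all times which address ranges it has declared to DHS and must notice, before a change goes live, when that declared footprint is about to shift. The Python script below is an added example, not code from the original article or from DHS: it diffs the last submitted inventory against a planned one, merging adjacent blocks so that restating a /24 as two /25s is not flagged as a change, reports newly exposed and withdrawn address space, and computes the latest date on which notice must be sent. The sample inventories use documentation prefixes and the NOTICE_DAYS constant and example dates are constructed for illustration.

```python
import ipaddress
from datetime import date, timedelta

# Advance notice the seven steps require for IP range changes (assumed constant).
NOTICE_DAYS = 5

# Constructed sample inventories (RFC 5737/3849 documentation prefixes, not real agency ranges).
SUBMITTED = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]
PLANNED = [
    "192.0.2.0/25", "192.0.2.128/25",   # same /24 restated as two /25s: not a change
    "198.51.100.0/24",                  # grows from /25 to /24: new space exposed
    "2001:db8::/32",                    # unchanged
    "203.0.113.8/32",                   # a new public host
]


def _merge(nets):
    """Collapse adjacent and overlapping networks, one IP version at a time
    (collapse_addresses raises TypeError on mixed v4/v6 input)."""
    nets = list(nets)
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return merged


def _parse(cidrs):
    """Parse CIDR strings into merged network objects; strict=False tolerates host bits."""
    return _merge(ipaddress.ip_network(c, strict=False) for c in cidrs)


def _subtract(minuend, subtrahend):
    """Return the address space in `minuend` that is not covered by `subtrahend`.
    Two CIDR blocks either nest or are disjoint, so overlap handling is just
    'drop the covered piece' or 'carve the smaller block out of the larger one'."""
    leftover = []
    for net in minuend:
        pieces = [net]
        for covered in subtrahend:
            if covered.version != net.version:
                continue
            next_pieces = []
            for piece in pieces:
                if covered.supernet_of(piece):
                    continue                                   # fully covered: drop
                if piece.supernet_of(covered):
                    next_pieces.extend(piece.address_exclude(covered))  # carve out
                else:
                    next_pieces.append(piece)                  # disjoint: keep
            pieces = next_pieces
        leftover.extend(pieces)
    return _merge(leftover)


def inventory_diff(submitted, planned):
    """Compare the inventory last sent to DHS with the planned one.
    'exposed' is address space that will become Internet-accessible but was never
    declared; 'withdrawn' is declared space that will no longer be in use."""
    old, new = _parse(submitted), _parse(planned)
    return {
        "exposed": sorted(str(n) for n in _subtract(new, old)),
        "withdrawn": sorted(str(n) for n in _subtract(old, new)),
    }


def needs_notice(diff):
    """True when the planned change alters the declared footprint at all."""
    return bool(diff["exposed"] or diff["withdrawn"])


def latest_notice_date(change_date_iso):
    """Latest date (ISO string) on which DHS must be told about a change
    scheduled for `change_date_iso`, given the NOTICE_DAYS advance-notice rule."""
    change_date = date.fromisoformat(change_date_iso)
    return (change_date - timedelta(days=NOTICE_DAYS)).isoformat()


if __name__ == "__main__":
    diff = inventory_diff(SUBMITTED, PLANNED)
    print("exposed:  ", diff["exposed"])
    print("withdrawn:", diff["withdrawn"])
    if needs_notice(diff):
        # Example change date, constructed for illustration.
        print("notify DHS no later than", latest_notice_date("2015-11-20"))
```

Run against the constructed inventories, the script flags 198.51.100.128/25 and 203.0.113.8/32 as newly exposed and nothing as withdrawn, because the split of 192.0.2.0/24 into two /25s leaves the declared space unchanged. Feeding it the real exported ranges from the agency's edge routers and the last list sent to DHS turns step 2 from a twice-yearly chore into a pre-change check.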

If an agency is facing these scans, the best thing it can do is make sure its systems are actually secure. It should already be conducting its own security scanning as part of its information security program. In fact, Colbert points out in her blog post that "this new process complements existing agency information security operations, to include network scans." If an agency runs its own scans and quickly remediates any vulnerabilities they find, it will be in good shape when DHS runs its scans. If vulnerabilities are not remediated in a timely fashion, the agency's own scans will at least give it advance warning of the report card it is about to receive.
