DHS’s Lessons Learned from Heartbleed


by Tomas O’Keefe, Senior Analyst

At a recent Washington Post event on cybersecurity recognizing National Cybersecurity Awareness Month, Deputy Secretary of Homeland Security Alejandro Mayorkas spoke of DHS’s “dire need” for cybersecurity legislation that better enables cyber threat information sharing and helps recruit top cybersecurity talent. While the sky isn’t falling in on Deputy Secretary Mayorkas and DHS, the failure of Congress to pass updated cybersecurity legislation has hindered the department’s ability to keep pace with the rapidly shifting landscape of cyber threats.

DHS’s response to Heartbleed is a perfect example of this. We’re all familiar with Heartbleed, the OpenSSL security vulnerability that was revealed in April of this year, and we know that DHS is tasked as the executive agent for ensuring the security of all federal civilian networks. A critical issue surfaced when the Heartbleed vulnerability was revealed: while DHS had the technical ability to scan other civilian .gov networks to see if they were affected by the vulnerability, it lacked the legal authority to do so without first obtaining a permission slip from each of the other federal departments and agencies. This lengthy process meant it took DHS days to scan all US government networks for the vulnerability, at a time when a patch was already available and could have been applied quickly. In an October 3rd memo, OMB finally addressed this challenge, but broad security concerns still remain.

The Federal Information Security Management Act (FISMA) remains an adequate blueprint for enabling security across the .gov domain, but it really isn’t enough in an ever-evolving threat landscape. DHS is going to need new legislation to fully address the challenges of securing federal networks, and while approaches like the department’s Continuous Diagnostics and Mitigation (CDM) effort are a step in the right direction, there’s still more work to be done to improve the government’s cyber posture.

DHS officials are cognizant of the challenges they face and are certainly going to be receptive to cybersecurity vendors who can function within the already defined cyber information-sharing ecosystem. You’ll find one of your best methods to help the government is through the CDM contracts. We’ll be addressing CDM opportunities in the session “CDM: Don’t Miss Out on Opportunity Waiting for the Big Bang” at the new Government IT Sales Summit. Find out which agencies have received a Delegation of Procurement Authority (DPA), how it can be used, and the impact it can have on your cybersecurity sales efforts. Register by 10/15 and get $200 off.*

*Rate applies to manufacturers only.

About Tomas O'Keefe
Tom O'Keefe has over 10 years of market research experience as an Analyst and Consultant in the federal space. He also earned an MA in Political Science from George Mason University. He has covered both civilian and defense agencies and has presented to clients ranging from junior-level associates to executives from some of the largest Systems Integrators and contractors in the federal marketplace.
