Democratic Sen. Mark Warner has written to federal officials asking for details about how agencies patched their systems to protect them against the fast-spreading WannaCry ransomware. White House homeland security adviser Thomas Bossert told reporters during the daily briefing Monday that no federal systems had been infected, but Warner noted in his letter that despite a National Institute of Standards and Technology recommendation that security-related software updates “be installed within a defined timeframe (in many cases seven to 30 days for critical patches),” the Government Accountability Office last year found “numerous instances where agencies failed to comply with those deadlines.”
In the letter, released Monday afternoon, the Virginia senator asks Homeland Security Secretary John Kelly and Office of Management and Budget Director Mick Mulvaney what steps they took to ensure that the patch Microsoft issued in March was promptly applied to computer networks of federal agencies and their contractors.
A DHS official told CyberScoop that some federal agencies were able to use new capabilities under the government-wide Continuous Diagnostic and Monitoring, or CDM, program to scan their systems and identify any potentially vulnerable machines on their networks.
The situation appears to be “a major, long-term economic problem when costly, critical systems with double-digit expected lifespans are supported by software only expected to be supported for four or five years,” Warner wrote.