White House looks to step up endpoint monitoring
The Biden administration is requiring agencies to provide visibility into their endpoint detection and response efforts as part of the cybersecurity executive order.
Federal agencies are going to have to open up to the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency about their endpoint detection and response efforts.
A memo released late Friday from acting OMB Director Shalanda Young instructs agency heads to assess the state of their endpoint detection and response capabilities in coordination with CISA. The memo requires agencies to "provide CISA with access to their current and future EDR solutions to enable proactive threat hunting activities and a coordinated response to advanced threats," while also giving CISA personnel and contractors access to agency networks to support implementation of EDR tools.
The memo, which represents the second phase of implementation of a key piece of the Biden administration's cybersecurity executive order, promotes the stated goal of "centrally managing the information needed to support host-level visibility, attribution, and response with respect to agency information systems."
The order requires agencies to deploy EDR capabilities "to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response."
EDR solutions are packaged within the Continuous Diagnostics and Mitigation program, administered by the Department of Homeland Security. The program provides agencies with sets of pre-approved cybersecurity solutions across a range of threats to facilitate acquisition of services. CDM is designed to give individual agencies and, at least notionally, OMB and CISA visibility into network and endpoint activity. The first three phases of CDM are supposed to be fully operational across government by September 2022. That program gets no mention in the EDR memo.
Implementing CDM has proved difficult for many large, federated agencies. Even DHS has faced headwinds getting visibility into its assets via CDM tools, according to a June, 2021 report of the agency's Office of Inspector General.
The memo puts agencies on a 90-day clock to share access to existing EDR tools with CISA, while CISA is tasked with producing recommendations on accelerating EDR adoption plus developing and publishing a "technical reference architecture and maturity model for agency consumption."
Additionally, agencies must within 120 days assess gaps in their EDR capabilities and make sure these efforts are funded and staffed and that data captured in EDR programs is usable by CISA for analysis.