The Office of Management and Budget (OMB) is giving Federal agencies a three-month deadline to make initial strides at identifying the current state of endpoint detection and response (EDR) capabilities on their networks and to begin working with the Cybersecurity and Infrastructure Security Agency (CISA) to speed the deployment of those capabilities.
OMB’s EDR directive stems from the Biden administration’s cybersecurity executive order issued in May. The order is driving forward a broad push by the Federal government to bolster network security through a variety of means including directives for further cloud service adoption, and a longer-term migration to zero trust security architectures. Also high on the order’s to-do list for Federal agencies are progress on EDR deployments, multi-factor authentication, and encryption.
Progress on EDR capabilities has been underway at Federal agencies for several years through the implementation of CISA’s Continuous Diagnostics and Mitigation (CDM) program, but Federal agency progress on that foundational aspect of the CDM program has been varied, in particular for agencies that are very large and that have numerous sub-agency components.
Broad EDR Goals
OMB explained in its October 8 directive to agencies that the EDR deployment push aims to:
- Improve “capabilities for early detection, response, and remediation of cybersecurity incidents on their networks, using advanced technologies and leading practices”;
- Create “agency enterprise-level visibility across components/bureaus/sub-agencies to better detect and understand threat activity”; and
- Create “government-wide visibility through a centrally located EDR initiative, implemented” by CISA “to support host-level visibility, attribution, and response across Federal information systems.”
Key Dates for Agencies
The OMB directive puts Federal agencies and CISA on the hook to meet several key deadlines over the coming months, and numerous operational goals after that. For agencies, the key dates and actions are:
- Within 90 days, agencies need to provide CISA with access to “current EDR deployments or engage with CISA to identify future state options”; and
- Within 120 days, conduct an analysis with CISA’s help to identify any gaps in EDR deployment.
After that – with compliance dates not specified in the OMB directive – agencies will need to:
- Coordinate with CISA for current and future EDR deployments “to confirm that the solution aligns with CISA’s technical reference architecture and appropriate data is gathered from the widest number of endpoints”;
- Coordinate with CISA on EDR access to allow “proactive threat hunting activities and a coordinated response to advanced threats”;
- Ensure that “EDR solutions are appropriately resourced and staffed by working with their Chief Financial Officer and OMB Resource Management Office to confirm that sufficient funding is programmed to maintain the EDR tool through its lifespan and account for any potential updates or licensing requirements”;
- Ensure that “endpoint data is consolidated, retained, and archived in a manner that supports analysis and insight, to be defined in the technical reference architecture developed by CISA”; and
- Ensure that EDR solutions are consistent with applicable privacy and statistical laws and policy.
Deadlines for CISA
Separate from the directives to Federal civilian agencies, CISA’s deadlines are:
- Within 90 days, “develop a process for continuous performance monitoring to help agencies ensure that EDR solutions are deployed and operate in a manner that will detect and respond to common threats”;
- Within 90 days, in coordination with the Chief Information Officer (CIO) Council, CISA will provide recommendations to OMB on ways to further accelerate government-wide EDR efforts;
- Within 90 days, in coordination with the CIO Council, CISA will develop and publish a technical reference architecture and maturity model for agency consumption; and
- Within 180 days, in coordination with the CIO Council, CISA will develop a playbook of best practices for EDR solution deployments to achieve government-wide operational visibility.