The Office of Budget and Management issued a memorandum to the heads of federal executive departments and agencies last week providing guidance on the implementation of Endpoint Detection and Response (EDR) solutions as required under Executive Order 14028.
The memorandum, written by Shalanda D. Young, OMB's acting director, details the specific milestones that agencies must meet and requires the Cybersecurity and Infrastructure Security Agency (CISA) to have access to agency EDR deployments within 90 days and it must develop a process to monitor the agencies to ensure the security software is deployed and operating correctly.
"The executive order is a step in the right direction," noted Bill Rucker, president of Trustwave Government Solutions. "The memorandum will get those people that were sitting on their hands to move."
The memorandum reminded Federal agencies of the requirement to implement EDR as a proactive cybersecurity measure under Executive Order 14028, which was signed by President Joe Biden in May. The executive order required federal agencies to meet set deadlines to accomplish specific tasks for implementing the security measures listed in the executive order.
Rucker pointed out that requiring EDR to be implemented is one thing but tracking the reams of data that an EDR solution will generate is not easy, and this is where Trustwave Government Solutions can fit into the equation.
"The expertise of Trustwave Government Solutions at Managed Detection and Response (MDR) can help. We can bring in threat intelligence, put the data together in such a way so decisions can be made, and inform them if we find something," he said.
The federal government believes EDR will improve agency capabilities for early detection, response, and the remediation of cybersecurity incidents on their networks. Additionally, EDR will provide enterprise-level visibility across components, bureaus, and sub-agencies to better detect and understand threat activity.
The Memorandum's Requirements
Young's note detailing the implementation of EDR, starting with CISA's responsibilities. CISA has 90 days to develop a process for continuous performance monitoring to ensure EDR solutions are properly deployed and operated. CISA must coordinate with the Chief Information Officer Council to provide recommendations to OMB to accelerate EDR efforts and develop and publish a technical reference architecture and maturity model. Within 180 days, CISA and the CIO Council must develop a playbook of best practices for EDR solution deployments.
The executive order also requires agencies to undertake specific tasks as they deploy and further develop their EDR solutions.
Other agency requirements:
- Within 120 days, conduct an analysis, in coordination with CISA, to assess the status of their EDR capabilities by identifying any gaps in existing EDR deployments.
- Coordinate with CISA for current and future EDR solution deployments to confirm that the solution aligns with CISA's technical reference architecture and appropriate data is gathered from the broadest number of endpoints.
- Agencies must provide CISA with access to their current and future EDR solutions to enable proactive threat hunting activities and a coordinated response to advanced threats and to facilitate, as appropriate, network access to CISA personnel and contractors supporting the implementation of the EDR initiative.
- Ensure that EDR solutions are appropriately resourced and staffed by working with their Chief Financial Officer and OMB Resource Management Office to confirm that sufficient funding is programmed to maintain the EDR tool through its lifespan and account for any potential updates or licensing requirements.
- Ensure that endpoint data is consolidated, retained, and archived in a manner that supports analysis and insight, to be defined in the technical reference architecture developed by CISA.
- Ensure that EDR solutions are consistent with applicable privacy and statistical laws and policy.
The Executive Order and EDR
Under section 7 of Executive Order 14028, it states: "Federal Civilian Executive Branch (FCEB) Agencies shall deploy an Endpoint Detection and Response initiative to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response."
"EDR combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities," Young said in her memorandum.
She noted that compared to traditional security, EDR is necessary as it provides the increased visibility necessary to respond to advanced forms of cybersecurity threats, such as polymorphic malware, advanced persistent threats, and phishing. In addition, EDR is a component needed for transitioning to a zero-trust architecture.