OMB Issues Guidance on EDR Implementation for Federal Agencies

The Office of Management and Budget (OMB) issued a memorandum to the heads of federal executive departments and agencies last week providing guidance on the implementation of Endpoint Detection and Response (EDR) solutions as required under Executive Order 14028.

The memorandum, written by Shalanda D. Young, OMB's acting director, details the specific milestones that agencies must meet and requires the Cybersecurity and Infrastructure Security Agency (CISA) to have access to agency EDR deployments within 90 days; CISA must also develop a process to monitor the agencies and ensure the security software is deployed and operating correctly.


"The executive order is a step in the right direction," noted Bill Rucker, president of Trustwave Government Solutions. "The memorandum will get those people that were sitting on their hands to move."


The memorandum reminded Federal agencies of the requirement to implement EDR as a proactive cybersecurity measure under Executive Order 14028, which was signed by President Joe Biden in May. The executive order required federal agencies to meet set deadlines to accomplish specific tasks for implementing the security measures listed in the executive order.

Rucker pointed out that requiring EDR to be implemented is one thing, but tracking the reams of data that an EDR solution will generate is not easy, and this is where Trustwave Government Solutions can fit into the equation.

"The expertise of Trustwave Government Solutions at Managed Detection and Response (MDR) can help. We can bring in threat intelligence, put the data together in such a way so decisions can be made, and inform them if we find something," he said.

The federal government believes EDR will improve agency capabilities for early detection, response, and the remediation of cybersecurity incidents on their networks. Additionally, EDR will provide enterprise-level visibility across components, bureaus, and sub-agencies to better detect and understand threat activity.

The Memorandum's Requirements

Young's memorandum details the implementation of EDR, starting with CISA's responsibilities. CISA has 90 days to develop a process for continuous performance monitoring to ensure EDR solutions are properly deployed and operated. CISA must also coordinate with the Chief Information Officer (CIO) Council to provide recommendations to OMB to accelerate EDR efforts and to develop and publish a technical reference architecture and maturity model. Within 180 days, CISA and the CIO Council must develop a playbook of best practices for EDR solution deployments.

The executive order also requires agencies to undertake specific tasks as they deploy and further develop their EDR solutions.

Other agency requirements:

  • Within 120 days, conduct an analysis, in coordination with CISA, to assess the status of their EDR capabilities by identifying any gaps in existing EDR deployments.
  • Coordinate with CISA on current and future EDR solution deployments to confirm that the solution aligns with CISA's technical reference architecture and that appropriate data is gathered from the broadest number of endpoints.
  • Provide CISA with access to their current and future EDR solutions to enable proactive threat hunting activities and a coordinated response to advanced threats, and facilitate, as appropriate, network access for CISA personnel and contractors supporting the implementation of the EDR initiative.
  • Ensure that EDR solutions are appropriately resourced and staffed by working with their Chief Financial Officer and OMB Resource Management Office to confirm that sufficient funding is programmed to maintain the EDR tool through its lifespan and to account for any potential updates or licensing requirements.
  • Ensure that endpoint data is consolidated, retained, and archived in a manner that supports analysis and insight, as defined in the technical reference architecture developed by CISA.
  • Ensure that EDR solutions are consistent with applicable privacy and statistical laws and policy.

The Executive Order and EDR

Section 7 of Executive Order 14028 states: "Federal Civilian Executive Branch (FCEB) Agencies shall deploy an Endpoint Detection and Response initiative to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response."

"EDR combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities," Young said in her memorandum.

She noted that, compared to traditional security tooling, EDR is necessary because it provides the increased visibility needed to respond to advanced forms of cybersecurity threats, such as polymorphic malware, advanced persistent threats, and phishing. In addition, EDR is a component needed for transitioning to a zero-trust architecture.
