CISA to Access Agencies' Endpoints, Help Enhance Security
OMB Memo: Agencies Have 90 Days to Allow CISA to Begin Reviewing EDR Status
In an effort to bolster endpoint protection within the U.S. government, the White House is ordering federal agencies to allow the Cybersecurity and Infrastructure Security Agency to access existing deployments. It is also setting timelines for improving the protection of these endpoints - from workstations to mobile phones and servers.
A new memorandum from the Office of Management and Budget sets a 90-day deadline for CISA to assess existing endpoint detection and response, or EDR, deployments. CISA and respective agencies will then adhere to specific deadlines on improving the endpoint controls.
The directive stems from President Joe Biden's executive order on cybersecurity, issued in May, which aims to holistically modernize federal cybersecurity (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
The executive order describes how government agencies should evaluate the software they buy and mandates that executive branch agencies deploy multifactor authentication, endpoint detection and response, and encryption.
The OMB memo partially addresses an area perceived as a weakness for the government in the wake of the SolarWinds supply chain attack, which was initially detected in late 2020.
In the SolarWinds attack, which is suspected to have been carried out by a Russian government-backed group, some 100 organizations were breached globally, including nine federal agencies. The attackers are believed to have persisted on the breached networks for months before detection (see: SolarWinds Attack Spurring Additional Federal Investigations).
'Reactive to Proactive'
The memo, authored by OMB acting Director Shalanda D. Young, notes that Biden's executive order directs the federal government to adopt a robust endpoint detection and response solution as part of a shift "from a reactive to a proactive posture."
"EDR provides the increased visibility necessary to respond to advanced forms of cybersecurity threats, such as polymorphic malware, advanced persistent threats, and phishing," the memo states. "Moreover, EDR is an essential component for transitioning to zero trust architecture, because every device that connects to a network is a potential attack vector for cyber threats."
Commenting on the memo, Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, tells ISMG: "This directive will ensure that departments and agencies are prepared for even the most advanced cyber criminality models that make it difficult to detect until it's too late. EDR … [investment] will be an essential step in keeping bad actors at bay."
Justin Fier, director of cyber intelligence and analytics at the firm Darktrace, who has supported the U.S. intelligence community, says, "The White House memorandum … demonstrates the further enforcement of best practices and basic cybersecurity measures by the Biden administration. … [But it also] means the federal government is largely behind the curve in adopting [EDR], and begs the question: Can the administration catch up in time before the landscape shifts yet again?"
The White House timelines include:
- Agencies to provide CISA access to current EDR deployments within 90 days;
- CISA to develop a performance monitoring process to help agencies within 90 days;
- Also within that span, CISA to coordinate with the Chief Information Officer Council to provide recommendations to OMB and publish a technical architecture and maturity model;
- At 180 days, CISA and the CIO Council to develop a playbook of best practices.
At 120 days, agencies will be responsible for:
- Conducting an analysis, alongside CISA, to assess EDR capabilities and coordinate on current and future solutions;
- Ensuring that solutions are resourced and staffed by coordinating with respective CFOs and OMB's Resource Management Office;
- Ensuring that endpoint data is used properly while adhering to CISA's guide and that solutions recognize privacy laws and policies.
Government Officials on Biden's Cyber Strategy
In recent months, federal officials have named endpoint protection one of the key pillars of the Biden executive order and called it paramount to the modernization of the U.S. government.
Speaking at the Mandiant Cyber Defense Summit last week, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger said, "The president signed … an executive order to rapidly roll technologies out across the federal government … in terms of five specific areas that we know dramatically reduce the risk of a cybersecurity attack, and if one happens, reduce the risk of it being broadly impactful.
"[This includes] things like multifactor authentication, encryption of your data, endpoint detection, having a fully managed security operation center, and logging, so that you can detect anomalous activity, find if something has occurred and recover."
Neuberger said that by prioritizing the technologies - including endpoint detection and response - Biden is putting "aggressive but achievable" timelines in place to "lead in this area."
Similarly, Roger Grimes, data-driven defense evangelist for the cybersecurity firm KnowBe4, echoed the White House's recent rhetoric, noting: "Voluntary compliance does not work. Letting each agency decide on its own what to do and when does not work. … Now, we just need to see more of [this] … requiring more and more cybersecurity mitigations with central, aggressive oversight."
Danny Lopez, former HM consul general for the U.K.'s Foreign and Commonwealth Office, adds, "Federal cyber leaders are pushing for a more secure future for the U.S." Lopez, currently the CEO of security firm Glasswall, says that endpoint protection and other technologies named by the administration, "are critical elements in an effective cybersecurity stack."
In March, CISA's acting director at the time, Brandon Wales, told the Senate Homeland Security and Governmental Affairs Committee that the government's Einstein program - a perimeter-based intrusion detection system that inspects traffic at agency network boundaries rather than activity on individual hosts - was not equipped to combat persistent cyberattacks such as SolarWinds. He also told the committee that CISA would explore new tools for endpoint detection to help combat supply chain attacks.
Other Releases From OMB and CISA
OMB has also partnered with CISA to release draft guidance on implementing zero trust policies across government networks. OMB and CISA recently reviewed public comments.
And last week, CISA released the first version of its Trusted Internet Connections 3.0 Remote User Use Case to outline security measures for agencies allowing remote users on their network.