OMB Pushes Broader Use of Endpoint Detection and Response Solutions

Published: October 13, 2021

Federal Market AnalysisCybersecurityPolicy and Legislation

The latest OMB guidance is aimed at improving the visibility and detection of cybersecurity vulnerabilities and threats on federal systems.

There is no shortage these days of federal cybersecurity policy flowing out of the various entities tasked with leading the charge. A White House Executive Order on Improving the Nation’s Cybersecurity back in May set in motion multiple lines of effort, and we are now seeing more details on how these efforts will be implemented. Recently, the Office of Management and Budget (OMB) released a draft strategy for moving federal agencies towards a Zero Trust Architecture (ZTA) and the Cybersecurity and Infrastructure Security Agency (CISA) followed up with a draft Zero Trust Maturity Model (ZTMM).

Federal Endpoint Detection and Response Initiative

Among several concurrent efforts, the May EO directed CISA and OMB to develop an Endpoint Detection and Response (EDR) initiative aimed at increasing the visibility into and early detection of cybersecurity vulnerabilities and threats to agency networks. This centralized EDR initiative is to support host-level visibility, attribution, and response and support proactive detection of cybersecurity incidents within federal infrastructure, active cyber hunting, containment and remediation, and incident response. The EO also requires agencies to adopt the defined federal government-wide EDR approaches, including a capability for CISA to engage in cyber hunt, detection, and response activities. 

In-line with the May EO directives, OMB has now released implementation guidance to accelerate agency adoption of EDR solutions to move the initiative forward.

EDR Initiative Activities Planned Between Now and Early 2022

By early January 2022, CISA is charged with completing several tasks to advance the government-wide EDR initiative, according to the timelines outlined in the memorandum. These include:

  • Publishing a technical reference architecture and maturity model for agencies to use
  • Developing a continuous performance monitoring process to track agency EDR deployments
  • Developing with the Federal CIO Council recommendations to OMB on ways to further accelerate federal EDR efforts.

For their part, by January agencies are directed to provide CISA with access to their current enterprise EDR deployments and their networks to enable CISA’s proactive threat hunting activities and a coordinated response to advanced threats. Then by early April, federal agencies are tasked with assessing any gaps in the current EDR capabilities and aligning their current and future EDR deployments with CISA’s new technical reference architecture.

Contractor Implications

The obvious implications for federal cybersecurity contractors is in the area of EDR solutions, as agencies will continue to look to solutions providers to provide both threat visibility and device protection tools and capabilities. Many of these products will already be deployed across the federal landscape, so it may not be an unreasonable assumption that CISA is taking into consideration these capabilities and limitations as they develop their forthcoming technical reference architecture.  

Another noteworthy element in the memo is that agencies are to “facilitate, as appropriate, network access to CISA personnel and contractors supporting implementation of the EDR initiative.” (emphasis added.) So it is likely that there will also be opportunities for contracted services in addition to those directly associated with an individual EDR solution.