Agencies have 90 days to provide Cybersecurity and Infrastructure Security Agency personnel and contractors access to existing endpoint detection and response (EDR) deployments or identify future state options, according to a Friday memo.
The Office of Management and Budget issued the memo to accelerate governmentwide adoption of EDR solutions, which combine real-time continuous monitoring with data collection from endpoints like workstations, cellphones and servers for rules-based automated response to and analysis of increasingly sophisticated cyberthreats.
EDR is an essential component of zero-trust architecture, which the Biden administration required agencies to begin implementing in its cybersecurity executive order issued in May.
Polymorphic malware, advanced persistent threats and phishing necessitate a centralized EDR initiative led by CISA, according to the memo. Granting CISA access to existing EDR solutions allows for proactive threat hunting.
CISA has 90 days to develop a continuous performance monitoring process and coordinate with the Chief Information Officer Council on both recommendations for accelerating EDR adoption and publishing a technical reference architecture and maturity model. CISA and the council have 180 days to release a playbook on best practices for EDR solution deployments.
Meanwhile agencies have 120 days to conduct an analysis with CISA of their EDR capabilities and any gaps, before coordinating on deployments in accordance with the technical reference architecture. The memo requires they work with their chief financial officers and the OMB Resource Management Office to ensure proper resources and staffing for EDR tools, licenses and updates.
Agencies must also ensure endpoint data is consolidated, retained and archived for analysis in accordance with the technical reference architecture and that their solutions comply with privacy and statistical laws.