CISA Seeking Answers for Implementation of Endpoint Detection and Response Tools


The agency has an idea of what it wants from the capability but is soliciting industry input on key aspects of an enduring investment plan.

A request for information from the Cybersecurity and Infrastructure Security Agency provides insight into what federal buyers will be looking for in technology central to the Biden administration’s visibility-focused cybersecurity plan, but looks to industry for input on crucial elements.

“What minimum sets (types) of critical [Endpoint Detection and Response] data should be collected by security analysts to identify advanced threats or evidence of an active breach?” reads the RFI, responses to which are due Nov. 8. “What is[sic] the recommended retention periods per dataset to balance operational effectiveness against costs?”

The question of how long logs containing information that could provide clues into cybersecurity incidents should be maintained emerged as a sticking point following breaches at federal contractors Microsoft and SolarWinds when CISA noted limited logging capabilities of Microsoft Azure’s cloud services except at premium levels. Microsoft has since offered federal agencies a one-year free trial of advanced logging for cybersecurity auditing.

The maintenance of logs is one element in a class of offerings referred to as EDR, which is specifically mentioned in a May 12 executive order responding to SolarWinds and other major breaches. The order directs the Office of Management and Budget and the Department of Homeland Security to “issue requirements for [Federal Civilian Executive Branch] Agencies to adopt federal government-wide EDR approaches.” 

OMB recently instructed agencies to cooperate with CISA by sharing their current EDR status and coming up with plans to optimize their deployment of the technology. 

“This process involves addressing gaps in both coverage of the EDR tools across the agency’s endpoints as well as in functionality for tools that may not be fully configured to leverage functions and features of the product in alignment with CISA’s requirements,” CISA wrote in the RFI posted Thursday. “As part of this approach, CISA has defined a common set of EDR requirements to ensure that agencies gain the necessary visibility and response functionality needed to effectively detect and respond to cyber intrusions. This strategy ensures that CISA invests in market leading EDR tooling, founded on standards-based validation processes, that are proven effective against known and novel Tactics, Techniques, and Procedures.”

Among other things, CISA asked about the extent to which vendors’ EDR tools worked with other products and their incorporation of other advanced technologies such as machine learning and robotic process automation.

The government stressed that the RFI does not commit them to issuing a solicitation based on the market research, but notes that CISA and the General Services Administration may invite industry respondents for one-on-one meetings based on their responses.

In a section on experience and capabilities, the RFI also asks respondents to state whether their EDR tool is on a list of products approved under DHS’ Continuous Diagnostics and Mitigation program. “In order for your product to be considered it needs to be on the CDM APL,” it says.