OMB Gives Agencies Three Months to Help CISA Monitor Networked Devices

Agencies face new deadlines to provide the Cybersecurity and Infrastructure Security Agency with access to any system they’ve implemented to track activity on devices that connect to federal networks or to get busy putting such a system in place, according to the Office of Management and Budget.

“Within 90 days, agencies should provide CISA access to current enterprise [Endpoint Detection and Response] deployments or engage with CISA to identify future state options,” reads a memo the Office of Management and Budget released Friday.

EDR tools are specifically referenced in President Joe Biden’s May 12 cybersecurity executive order in response to widespread compromises of U.S. entities, including at nine federal agencies, in connection with IT management firm SolarWinds. The executive order highlights the importance of improving visibility and instructs agencies to participate in CISA’s Continuous Diagnostics and Mitigation program. CISA has been promoting coming EDR capabilities through the CDM program but needs agencies to submit information on their endpoints in order to realize its effectiveness.

“Within 75 days of the date of this order, agencies shall establish or update Memoranda of Agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program to ensure object level data, as defined in the MOA, are available and accessible to CISA, consistent with applicable law,” according to the executive order.

Friday’s memo from OMB Acting Director Shalanda Young also gives CISA 90 days to develop a way to monitor the performance of EDR systems and, in collaboration with the Chief Information Cfficers Council, make recommendations for OMB to speed up their implementation across the government. It also calls on CISA and the CIO Council to publish a technical reference architecture with maturity benchmarks within that time.

The memo also spells out  that agencies, in conjunction with CISA, must analyze the effectiveness of their EDR systems and identify any gaps in deployment within 120 days. The agencies and CISA must also ensure alignment of agency plans and systems with the technical reference architecture CISA produces.

OMB also noted the role of EDR tools in enabling proactive threat hunting, which CISA now has the authority to conduct on federal agencies’ networks under the last National Defense Authorization Act.