White House looks to step up endpoint monitoring

security dashboard (KanawatVector/ 

Federal agencies are going to have to open up to the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency about their endpoint detection and response efforts.

A memo released late Friday from acting OMB Director Shalanda Young instructs agency heads to assess the state of their endpoint detection and response capabilities in coordination with CISA. The memo requires agencies to "provide CISA with access to their current and future EDR solutions to enable proactive threat hunting activities and a coordinated response to advanced threats," while also giving CISA personnel and contractors access to agency networks to support implementation of EDR tools.

The memo, which represents the second phase of implementation of a key piece of the Biden administration's cybersecurity executive order, promotes the stated goal of "centrally managing the information needed to support host-level visibility, attribution, and response with respect to agency information systems."

The order requires agencies to deploy EDR capabilities "to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response."

EDR solutions are packaged within the Continuous Diagnostics and Mitigation program, administered by the Department of Homeland Security. The program provides agencies with sets of pre-approved cybersecurity solutions across a range of threats to facilitate acquisition of services. CDM is designed to give individual agencies and, at least notionally, OMB and CISA visibility into network and endpoint activity. The first three phases of CDM are supposed to be fully operational across government by September 2022. That program gets no mention in the EDR memo.

Implementing CDM has proved difficult for many large, federated agencies. Even DHS has faced headwinds getting visibility into its assets via CDM tools, according to a June, 2021 report of the agency's Office of Inspector General.

The memo puts agencies on a 90-day clock to share access to existing EDR tools with CISA, while CISA is tasked with producing recommendations on accelerating EDR adoption plus developing and publishing a "technical reference architecture and maturity model for agency consumption."

Additionally, agencies must within 120 days assess gaps in their EDR capabilities and make sure these efforts are funded and staffed and that data captured in EDR programs is usable by CISA for analysis.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected