The White House is directing agencies to let the Cybersecurity and Infrastructure Security Agency work with them on their efforts to protect endpoints, such as computer workstations and servers — an area where officials have said the federal government fell short in the SolarWinds hack.
The Office of Management and Budget issued a memo on Friday that sets a 90-day deadline for CISA, the main cyber wing of the Department of Homeland Security, to access agencies’ current endpoint detection and response deployments. It then spells out timelines for other steps to improve their endpoint defenses.
OMB says the goal is to establish “improved agency capabilities for early detection, response, and remediation of cybersecurity incidents on their networks, using advanced technologies and leading practices.”
The memo is an outgrowth of President Joe Biden’s cybersecurity executive order from May. And the focus on endpoints reflects one of the main takeaways from a March Senate hearing where then-CISA Director Brandon Wales said the agency wasn’t equipped to catch today’s hackers, like the SolarWinds perpetrators who compromised nine federal agencies, hopping from server to server to avoid notice.
OMB’s memo directs agencies to take other actions within 90 days. CISA must develop a method for continuously evaluating the effectiveness of agencies’ endpoint detection capabilities. CISA will also work with the Chief Information Officer Council to recommend endpoint detection improvements to agencies.
Within 120 days, agencies must conduct an analysis with CISA of endpoint detection and response gaps, coordinate with CISA on future plans, make sure they have the right spending and staffing levels and ensure their endpoint plans are compatible with privacy. Within 180 days, CISA and the CIO Council have to publish a playbook of best approaches.
Biden officials have spoken frequently about the value of endpoint defenses. Last week, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger identified endpoint detection as one of the most important technologies for feds to adopt, along with multifactor authentication, encryption of data, a fully manned security operation center and logging.
“We call them ‘five,’ in terms of five specific areas that we know dramatically reduce the risk of a cybersecurity attack, and if one happens, reduce the risk of it being broadly impactful,” Neuberger said at an event hosted by cybersecurity firm Mandiant.