CISA issues RFI to identify EDR tools, capabilities for US government organizations

EDR tools

The Cybersecurity and Infrastructure Security Agency (CISA) has released a Request for Information (RFI) to assist the U.S. administration in conducting market research focused on gaining technical feedback from the industry on tools and services that would provide sophisticated endpoint detection and response (EDR) capabilities for U.S. government organizations. The RFI responses have to be submitted by Nov. 8.

CISA intends to galvanize agency security operations center (SOC) operations by getting as close to complete coverage as possible on the agency’s selected and validated EDR platforms through a ‘gap-fill’ strategy, the RFI said. A key objective of the EDR RFI is to solicit expertise from the industry to validate and/or inform the U.S. government on best practices in process or functionality that should be considered within the context of EDR activities being currently executed.

Following the ransomware attack on Colonial Pipeline, U.S. President Joe Biden signed Executive Order (EO) 14028, which emphasized the need to improve the nation’s cybersecurity and to protect critical infrastructure and federal government networks. CISA was to play a large role in several aspects of the EO, including early detection of cybersecurity incidents on federal government networks and improving investigative and remediation capabilities.

EO 14028 was intended to bring about decisive steps to modernize U.S. critical infrastructure and the government’s approach to cybersecurity by increasing visibility into threats, while employing appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on federal networks. At that time, the order called for the Federal Civilian Executive Branch (FCEB) agencies to deploy an EDR initiative to support proactive detection of cybersecurity incidents within the federal government infrastructure, active cyber hunting, containment and remediation, and incident response.

EDR combines real-time, continuous monitoring and collection of endpoint data from networked computing devices such as workstations, mobile phones, and servers with rules-based automated response and analysis capabilities. Compared to traditional security solutions, EDR provides the increased visibility necessary to respond to advanced forms of cybersecurity threats, including polymorphic malware, advanced persistent threats (APTs) and phishing. Moreover, EDR is an essential component for transitioning to a zero trust architecture, because every device that connects to a network is a potential attack vector for cyber threats.
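To make the "monitoring plus rules-based automated response" combination concrete, the following is an added illustration and not material from the RFI, the OMB memo, or any EDR product. It evaluates a handful of constructed process-creation events (the `Event` fields, rule names, and the `alert` / `isolate_host` response labels are all assumptions made for this example) against two detection rules and records which hosts the automated response would contain.

```python
"""Toy rules-based EDR detection over constructed endpoint telemetry.

Added example for illustration only; the event schema, rule names and
response actions are constructed and do not describe any real product.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    """One process-creation record as an EDR sensor might report it (constructed schema)."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Rule:
    """A detection rule paired with the automated response it triggers."""
    name: str
    predicate: Callable[[Event], bool]
    response: str  # constructed labels: "alert" or "isolate_host"


def office_spawns_shell(e: Event) -> bool:
    """Office document handler launching a command interpreter is rarely legitimate."""
    office = {"winword.exe", "excel.exe", "outlook.exe"}
    shells = {"powershell.exe", "cmd.exe", "wscript.exe"}
    return e.parent_image.lower() in office and e.image.lower() in shells


def encoded_powershell(e: Event) -> bool:
    """PowerShell started with an encoded command argument warrants analyst review."""
    cl = e.command_line.lower()
    return e.image.lower() == "powershell.exe" and ("-enc" in cl or "-encodedcommand" in cl)


# Rule set: a high-confidence rule contains the host, a lower-confidence rule only alerts.
RULES = (
    Rule("office_child_shell", office_spawns_shell, "isolate_host"),
    Rule("encoded_powershell", encoded_powershell, "alert"),
)


def evaluate(events: Iterable[Event], rules=RULES):
    """Run every rule over every event.

    Returns (detections, isolated_hosts): detections is a list of
    (host, rule name) pairs in the order they fired; isolated_hosts is the
    set of hosts on which the automated containment response was triggered.
    """
    detections = []
    isolated = set()
    for e in events:
        for r in rules:
            if r.predicate(e):
                detections.append((e.host, r.name))
                if r.response == "isolate_host":
                    isolated.add(e.host)
    return detections, isolated


# Constructed sample telemetry: one benign document open, one suspicious
# chain on ws01, and two benign administrative command lines elsewhere.
SAMPLE_EVENTS = [
    Event("ws01", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    Event("ws01", "winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc PLACEHOLDER"),
    Event("srv02", "services.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
    Event("ws03", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]


if __name__ == "__main__":
    found, contained = evaluate(SAMPLE_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("hosts isolated:", sorted(contained))
```

The split between "alert" and "isolate_host" is the design point: the same telemetry stream feeds both analyst-facing visibility and automated containment, and the rule set decides which findings are confident enough to act on without a human in the loop.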

The CISA is executing an approach where major investments in the validated EDR tools can be expanded at agencies. In this model, CISA would, in full collaboration with the agencies and their security operations staff, identify and validate specific EDR tools that are functionally capable and compatible with CISA’s mission to unify the FCEB enterprise in enabling coordinated threat detection and response.

In executing the approach, CISA is taking a risk-based path to advancing existing EDR capabilities and investments by providing additional tools to fill identified gaps in each agency’s EDR deployment. According to the RFI, the process addresses two kinds of gaps: gaps in the coverage of EDR tools across an agency’s endpoints, and gaps in functionality where tools are not fully configured to use the product’s functions and features in alignment with CISA’s requirements.

As part of the approach, CISA has defined a common set of EDR requirements to ensure that agencies gain the necessary visibility and response functionality needed to effectively detect and respond to cyber intrusions, according to CISA’s RFI. The strategy ensures that CISA invests in EDR tooling, founded on standards-based validation processes, that are proven effective against known and novel tactics, techniques, and procedures (TTPs).

Another key objective of this RFI is to inform a longer-term strategy as to how EDR tools should be maintained across federal networks over a longer-term horizon based on industry input regarding future capabilities under development, the evolution of the market based on customer requirements, and novel strategies being employed by advanced threat actors.

The information provided by industry may be used by CISA to continuously modernize the baseline requirements for CISA’s EDR capability, ensuring that the Government baseline for EDR platforms is set at a level commensurate with the evolving advanced threats that target federal networks and tailored to the unique requirements of the federal civilian enterprise, such as staffing and resource constraints, supply chain considerations, open standards and interoperability.

Earlier this month, the Office of Management and Budget (OMB) released a memorandum that provides implementation guidance to agencies as they accelerate the adoption of EDR tools and solutions, and work to improve visibility into and detection of cybersecurity vulnerabilities and threats to the government, as defined in EO 14028.

Through a collective effort, the federal government will achieve improved agency capabilities for early detection, response, and remediation of cybersecurity incidents on their networks, using advanced technologies and leading practices.

The OMB memo also said that the effort will secure agency enterprise-level visibility across components, bureaus, and sub-agencies to better detect and understand threat activity, as well as government-wide visibility through a centrally located EDR initiative, implemented by CISA, to support host-level visibility, attribution, and response across federal information systems.
