If the Biden administration’s cybersecurity effort was a movie, it would be “The Fast & the Furious” series.
Chapter one of the epic was the May executive order where we understood the premise of fast cars, and the cat-and-mouse game of cops and robbers. By the summer, we saw episodes two and three drop through memos around incident response and critical software. Seeing the reaction of the “fans” — or in this case the federal community — the White House doubled down with more action and more drama by releasing the draft zero trust strategy last month.
Just last week, the Office of Management and Budget came through with their latest series’ installment — consider this the “Fast Five” where the street racing crew must buy their freedom from a drug lord and a federal agent gone bad.
Insight by Leidos: In this exclusive executive briefing, executives will discuss their approach to whole-person health care.
But in the Biden administration’s version, agencies must find their freedom from cyber attackers through the improved use of end point detection and response tools. The new end point detection and response memo details a series of deadlines for agencies and the Cybersecurity and Infrastructure Security Agency (CISA) over the next 90-to-120 days.
Ok, I may be stretching it a bit here, but the fourth memo since August along with the final remote user use case under the Trusted Internet Connections (TIC) 3.0 initiative, probably makes agency chief information officers and chief information security officers feel like they are riding in Dominic Toretto’s (Vin Diesel) 1970 Dodge Charger, which is rumored to have a 900 horsepower engine. The administration hit the pedal and they are holding on, trying not to throw up.
“EDR will improve the federal government’s ability to detect and respond to increasingly sophisticated threat activity on federal networks,” stated the Oct. 8 memo from acting OMB Director Shalanda Young. “EDR combines real-time continuous monitoring and collection of endpoint data (for example, networked computing devices such as workstations, mobile phones, servers) with rules based automated response and analysis capabilities. Compared to traditional security solutions, EDR provides the increased visibility necessary to respond to advanced forms of cybersecurity threats, such as polymorphic malware, advanced persistent threats (APTs), and phishing. Moreover, EDR is an essential component for transitioning to zero trust architecture, because every device that connects to a network is a potential attack vector for cyber threats.”
Like each of the previous memos or strategies, the EDR policy lets OMB check off another item on its cybersecurity executive order to-do list.
OMB and agencies have 23 different mandates from the May order.
Steven McAndrews, the director of federal cybersecurity in OMB, said last week at an event sponsored by ACT-IAC and the U.S. Cyber Challenge that the EDR memo, like nearly everything come from the executive order is an attempt to drive the right conversations across the government.
“Guidance need teeth and must have strict deadlines so collaboration across the government is key,” McAndrews said on Oct. 6. “The President’s Management Council and through the budget side of OMB is how we are driving change and ensuring accountability. We are working with our budget colleagues to really articulate this cyber work is incredibly important. The SolarWinds incident kicked this into hyper drive with the budget side about how important cyber and IT modernization is.”
Each of these memos and strategies aren’t just about cybersecurity, just like each “Fast & Furious” movie isn’t just about fast cars and action scenes. OMB is emphasizing the long-term goal of IT modernization through these cyber efforts from EDR to zero trust to TIC 3.0.
Chris DeRusha, the federal chief information security officer, said at the same event that through these memos and other efforts, including updating the Federal Information Security Management Act (FISMA), OMB is driving a new way of looking at security as part of a modernization strategy.
“It’s a new way of looking at it for an organization. You have to do a lot of business process communication and planning inside an organization to be able to do these new security measures well,” DeRusha said. “I think it’s that maturation that you will see, us doing things to try to push on getting there as fast as we can to adopting the latest security measures. We will move away from very important stuff like adopting the NIST security controls, nothing has changed there, but where we will focus our main attention on and ask about is going to more about tested security measures.”
DeRusha said both the FISMA reform bill from Congress and OMB’s upcoming annual FISMA guidance will focus on tested security measures, whether in application security, pen testing or vulnerability disclosure platforms.
“We want to engage security researchers. We want the help with responsible security disclosures,” he said. “These are tricky to launch. I’ve built and launched these before and it’s a lot.”
OMB’s latest memo gives agencies 120 days to assess their current end point detection and response capabilities, identify gaps and then work with CISA to “enable proactive threat hunting activities and a coordinated response to advanced threats, and to facilitate, as appropriate, network access to CISA personnel and contractors supporting implementation of the EDR initiative.”
Meanwhile, CISA and the CIO Council have 90 days to develop an EDR technical reference model and develop recommendations to OMB to accelerate the use of these tools governmentwide. Additionally, CISA and the council have 120 days to develop a playbook to implement these tools.
Agencies also received more specifics from CISA about ensuring remote workers are securely connecting back to the agency network or to the cloud to access applications and data. The interim TIC 3.0 remote user use case came about in April 2020 right as the pandemic began. Over the last year, CISA received more than 70 comments on how to improve the guidance.
“[T]he finalized Remote User Use Case provides significantly more depth and detail. The new TIC use case considers additional security patterns that agencies may face with remote users and includes four new security capabilities: User awareness and training, domain name monitoring, application container and remote desktop access,” wrote Eric Goldstein, CISA’s executive assistant director for cybersecurity, in a Oct. 7 blog post. “The final TIC 3.0 Remote User Use Case is aligned to complement CISA’s ongoing efforts to modernize federal networks and support security initiatives driven by the president’s cyber executive order. Ensuring protected and resilient remote user connections to agency-sanctioned cloud services and internal agency services is paramount for CISA and we expect the security guidance will help agencies improve application performance and reduce costs through reduction of private links.”
Additionally, CISA released the TIC 3.0 capabilities catalog and, along with the CIO Council, the pilot process handbook for agencies to test out the remote use case and other use cases.
Each of these episodes continue to detail the action and adventure story around federal cybersecurity. And like the “Fast & Furious” saga, the tale will continue to get bigger, better and more expensive.