Zero trust, Asset Management, Security Program Controls/Technologies

Feds begin measuring EDR at Tennessee Valley Authority, but gaps cited in audit

A dam on the Tennessee River is seen.
Wilson Dam between Lauderdale County and Colbert County on the Tennessee River, Alabama, one of nine major dams managed by the Tennessee Valley Authority. Federal auditors have discovered gaps in the TVA's deployment of endpoint detection and response software for different network connections. (Archive Photos/Getty Images)

Last year, the Biden administration ordered federal agencies large and small to begin conforming with a series of zero trust cybersecurity mandates, including the deployment of endpoint detection and response (EDR) technologies that can monitor federal devices for any signs of compromise by malicious hackers and facilitate threat hunting and incident response.

“To achieve Government-wide EDR coverage, agencies must ensure that their EDR tools meet CISA’s technical requirements and are deployed and operated across their enterprise,” the Office of Management and Budget wrote in its zero-trust strategy.

The administration has given agencies until 2024 to put the new protections in in place, but federal watchdogs are already starting to measure against that benchmark. The Inspector General for the Tennessee Valley Authority, a federally owned electric utility that serves Tennessee and parts of Georgia, Alabama, Mississippi, Kentucky, North Carolina and Virginia, noted in a recent audit that while the entity has been “generally effective” deploying endpoint detection software for its desktop and laptop devices, it lacks the technical requirements to ensure that protection is being extended across all its network connections.

“This could allow unprotected desktops and laptops to connect to the network increasing the risk of propagating malware on TVA networks,” wrote David Wheeler, assistant inspector general.

The report implies that these gaps may be obscuring an unknown number of devices at TVA that are connecting to vulnerable networks. It intentionally leaves out many details around the weaknesses, but highlights two specific problems that led to the breakdown: the lack of an explicit policy to require endpoint protections across all network connections; and gaps in the agency’s policies, procedures and internal controls.

Oddly, at one point TVA did have a specific policy for deploying endpoint security protections across its enterprise, but a recent update removed those requirements and the agency now has no specific policy around the issue despite the recent executive order and zero-trust mandates. Its internal controls have also not been updated to account for the EDR software they have deployed.

TVA officials, including Vice President and Chief Information Officer Jeremy Fowler, were briefed on the specifics in May. Auditors recommended that TVA address the gaps in network connections and update internal policies and controls to account for endpoint protection strategies, both which Fowler agreed with in an attached reply.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.