Last year, the Biden administration ordered federal agencies large and small to begin conforming with a series of zero trust cybersecurity mandates, including the deployment of endpoint detection and response (EDR) technologies that can monitor federal devices for any signs of compromise by malicious hackers and facilitate threat hunting and incident response.
“To achieve Government-wide EDR coverage, agencies must ensure that their EDR tools meet CISA’s technical requirements and are deployed and operated across their enterprise,” the Office of Management and Budget wrote in its zero trust strategy.
The administration has given agencies until 2024 to put the new protections in place, but federal watchdogs are already starting to measure against that benchmark. The Inspector General for the Tennessee Valley Authority, a federally owned electric utility that serves Tennessee and parts of Georgia, Alabama, Mississippi, Kentucky, North Carolina and Virginia, noted in a recent audit that while the entity has been “generally effective” at deploying endpoint detection software on its desktop and laptop devices, it lacks the technical requirements to ensure that protection is extended across all of its network connections.
“This could allow unprotected desktops and laptops to connect to the network increasing the risk of propagating malware on TVA networks,” wrote David Wheeler, assistant inspector general.
The report implies that these gaps may be obscuring an unknown number of devices at TVA that are connecting to its networks without protection. It intentionally leaves out many details around the weaknesses, but highlights two specific problems that led to the breakdown: the lack of an explicit policy requiring endpoint protections across all network connections, and gaps in the agency’s policies, procedures and internal controls.
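The audit's core finding is a coverage gap: devices can reach the network without the EDR agent the policy assumes is present. A control that catches this reconciles what the network actually sees (DHCP leases, NAC sessions, switch port tables) against what the EDR console reports. The script below is an added example written for this article, not code from the TVA report or from any EDR product; the lease-log format, hostnames, timestamps and the shape of the EDR export are all constructed for illustration, and the seven-day silence threshold is an assumed tuning value.

```python
"""Reconcile hosts seen on the network against an EDR agent inventory.

Hypothetical example: the log format, hostnames and EDR export fields are
constructed for illustration and do not come from TVA or any real product.
"""
from datetime import datetime, timedelta

# Constructed DHCP-style lease log: timestamp, record type, MAC, hostname.
NETWORK_LOG = """\
2023-06-01T08:02:11Z lease 00:1a:2b:3c:4d:01 host=ENG-LAPTOP-017
2023-06-01T08:05:43Z lease 00:1a:2b:3c:4d:02 host=OPS-DESKTOP-204
2023-06-01T08:07:19Z lease 00:1a:2b:3c:4d:03 host=CONTRACTOR-NB-9
2023-06-01T08:09:55Z lease 00:1a:2b:3c:4d:04 host=FIN-DESKTOP-031
2023-06-01T08:12:02Z lease 00:1a:2b:3c:4d:01 host=eng-laptop-017
2023-06-01T08:13:00Z release 00:1a:2b:3c:4d:04 host=FIN-DESKTOP-031
"""

# Constructed EDR console export: hostname -> last agent check-in (UTC).
EDR_INVENTORY = {
    "ENG-LAPTOP-017": "2023-06-01T07:58:00Z",
    "OPS-DESKTOP-204": "2023-05-10T16:20:00Z",  # agent has been silent for weeks
    "FIN-DESKTOP-031": "2023-06-01T08:00:00Z",
}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_network_log(text):
    """Return {HOSTNAME: (mac, last_seen)} built from the lease records.

    Hostnames are upper-cased so that a host renamed or reported in a
    different case by DHCP still matches the EDR export. Non-lease
    records (releases, malformed lines) are ignored.
    """
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "lease" or not parts[3].startswith("host="):
            continue
        ts = datetime.strptime(parts[0], TS_FMT)
        host = parts[3][len("host="):].upper()
        mac = parts[2].lower()
        prev = seen.get(host)
        if prev is None or ts > prev[1]:
            seen[host] = (mac, ts)
    return seen


def find_coverage_gaps(network_log, edr_inventory, now, max_silence=timedelta(days=7)):
    """Return (unprotected, stale): hosts on the network with no EDR agent,
    and hosts whose agent has not checked in within max_silence.

    A stale agent is reported separately because it is a different failure
    (agent stopped, tampered with, or the host was re-imaged) from a host
    that was never enrolled at all.
    """
    edr = {h.upper(): datetime.strptime(t, TS_FMT) for h, t in edr_inventory.items()}
    unprotected, stale = [], []
    for host in parse_network_log(network_log):
        last_checkin = edr.get(host)
        if last_checkin is None:
            unprotected.append(host)
        elif now - last_checkin > max_silence:
            stale.append(host)
    return sorted(unprotected), sorted(stale)


if __name__ == "__main__":
    # Constructed audit time for the sample data above.
    audit_time = datetime(2023, 6, 1, 9, 0, 0)
    missing, silent = find_coverage_gaps(NETWORK_LOG, EDR_INVENTORY, audit_time)
    print("On network, no EDR agent:   ", missing)
    print("On network, EDR agent stale:", silent)
```

Run against a real lease export, the "no agent" list is the population the audit says TVA cannot currently enumerate, and the "stale" list is the set a written policy would need to cover before those hosts are allowed back on the network.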
Oddly, at one point TVA did have a specific policy for deploying endpoint security protections across its enterprise, but a recent update removed those requirements, and the agency now has no specific policy on the issue despite the recent executive order and zero trust mandates. Its internal controls have also not been updated to account for the EDR software it has deployed.
TVA officials, including Vice President and Chief Information Officer Jeremy Fowler, were briefed on the specifics in May. Auditors recommended that TVA address the gaps in network connections and update internal policies and controls to account for endpoint protection strategies, both of which Fowler agreed with in an attached reply.