Dozens of federal agencies have deployed endpoint detection and response technology across their devices to track malicious activity since President Joe Biden mandated the switch in an executive order last year, and that number is expected to double by the end of the fiscal year, according to the Cybersecurity and Infrastructure Security Agency.
At a House Homeland Security Committee hearing Tuesday, CISA executive director Eric Goldstein said the civilian federal government has made “tremendous progress” implementing a number of cybersecurity protections that were developed in response to the 2020 SolarWinds hack. One of those objectives was to implement EDR technologies on all known federal devices, a tall task given that, at the time, the federal government still could not identify all the devices connecting to agency networks.
Per the administration’s zero-trust strategy, agencies have until 2024 to put the protections in place, but Goldstein said he expects more than half the job to be done by October.
“At this point we are in the process of deploying these EDR tools across 26 federal civilian agencies and expect to be underway at 53 agencies at the end of this fiscal year, only a few short months away,” Goldstein said. “Which means not even a year-and-a-half after execution of the executive order, we will have EDR deployments in place underway at over half of the federal government, with more rolling out in the months to come.”
However, finishing the work won’t happen automatically. CISA and other agencies have been able to tap temporary or one-off pots of funding to stand up the technology so far, but getting the rest will require additional budget and Goldstein said he “will look forward to working with Congress on annualizing investments under the American Rescue Plan Act as part of the president’s 2023 fiscal budget so we can ensure that this work continues in the months to come.”
Is the government safer from a SolarWinds-style attack?
The hearing was designed to update Congress on how federal agencies had complied with the Biden administration’s executive order as well as their push to implement zero-trust architectures across agencies and departments.
Along the way, many members of the committee had a similar, overarching question: is the federal government safer from a SolarWinds-style attack today than it was in 2020? Are we better at finding and closing off the vulnerabilities that Russian hackers exploited to compromise at least nine federal agencies and more than 100 private companies?
The answer they got was a qualified yes. Chris DeRusha, the U.S. federal chief information security officer, said the purpose of the executive order was to “aggressively and ambitiously [shift] our cybersecurity strategy from an outdated mindset to one that is clear-eyed about our adversary’s capabilities and intent.” He laid out how the Office of Management and Budget is measuring compliance for agencies.
“In the executive order we took on both root cause issues which take longer to fully address [such as] contract clauses, deeper barriers. We also made significant progress on some security measures that have immediate impact: multifactor authentication, encryption at rest and in transit,” he said. “We picked a few of these measures that had the most impact and put the highest amount of priority you can have around them, metricking them, having engagements not just with CIOs and CISOs but senior agency leadership, multiple meetings with deputy secretaries tracking and measuring progress … and starting down the path of zero trust at agencies.”
DeRusha said OMB had recently ordered agencies to comply with recent National Institute of Standards and Technology guidance for protecting critical software, with agencies taking a phased approach that will first focus on “stand-alone, on-premise software that performs critical security functions.”
On that front, in addition to the implementation of EDR at civilian agencies, officials provided updates on a number of other deadlines as well. CISA is bringing a new dashboard online for its Continuous Diagnostics and Mitigation and implementing new asset management capabilities as the cybersecurity program undergoes a “key evolution” to adapt to the realities of post-pandemic remote work, where many feds increasingly use their mobile phones to access federal systems from home.
After the SolarWinds attack, lawmakers fumed over the fact that EINSTEIN, a network intrusion system developed by CISA that has received hundreds of millions of dollars in funding, failed to identify signs of Russian hackers rooting through federal systems for months. That program too is evolving to focus more on three key areas: gaining better visibility into endpoint devices such as servers and workstations, gaining visibility into cloud environments and centralizing data logs, and moving towards utilizing commercial shared services for perimeter network defense.
Goldstein also claimed significant progress around the implementation of multifactor authentication and data encryption on agencies’ devices and systems. However, under questioning from Rep. Ritchie Torres, D-N.Y., he declined to provide the number of agencies that have completed the task. Torres noted that CISA Director Jen Easterly had promised the committee that all covered civilian agencies would have multifactor authentication in place by March 2022. When asked if that promise had been kept, Goldstein indicated that many, but not all, had met the deadline.
“I would say every agency with the capacity to deploy MFA and encryption has done so in almost all cases,” said Goldstein.