U.S. Government Approved Protection Profile - PP-Module for Endpoint Detection and Response Version 1.0
Short Name: mod_edr_v1.0
Technology Type: Enterprise Security Management
CC Version: 3.1
Preceded By: not applicable
Conformance Claim: None
Protection Profile
PP-Configuration for APP-EDR-HA_v1.0.pdf
An EDR is enterprise management software that collects endpoint host data to detect potentially unauthorized activity on endpoints and to enable threat hunting and other incident response actions to remediate malicious behaviors. These requirements cover basic security characteristics and behaviors for EDR products; the platform on which the EDR runs may be a physical or virtual Operating System (OS), and on-premises or in a cloud environment.
EDR products rely on additional software running on the endpoint, called the Host Agent, to communicate commands or policy changes and to receive endpoint host data. Security requirements for the Host Agent are addressed in the separate Host Agent (HA) PP-Module. Evaluation of an EDR system will require evaluation of different system components consisting of one EDR and at least one Host Agent. Each evaluation must satisfy the requirements in both the EDR and HA PP-Modules in addition to its Base-PP, Application Software. Therefore, the evaluation must claim conformance to a PP-Configuration that includes the PP-Module for Endpoint Detection and Response (EDR) and the PP-Module for Host Agent (HA).
This U.S. Government Approved Protection Profile is not assigned to any Validated Products.
Active Related Technical Decisions
Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).
Please forward any general questions to our Q&A tool.