Getting the Memo: Breaking Down the OMB’s M-21-31

If you read my last blog post, you’re already ahead of the game. You know that in May of 2021, the Biden Administration announced Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, which mandates each federal agency to adapt to today’s continuously changing threat environment. Well, folks, the saga continues.

On August 29, 2021, the Office of Management and Budget (OMB, if you’re nasty) released a memo in accordance with the EO. It establishes a maturity model for event log management, provides requirements for agency implementation, and details government-wide responsibilities for the initiative. I focus on the logging maturity model and agency implementation here (it’s the meat of the memo), but if you’re interested in the other pieces, I’d encourage you to read through the full memo here.

Maturity Model for Event Log Management and Implementation Requirements

There are always a ton of ways to achieve the same goal. Let’s say I want to clean my apartment. I typically make my bed first, tackle the laundry, clean the kitchen, then the living room, and save the bathrooms for dead last (mostly because I hate cleaning bathtubs). Give my husband the same task, and he’d likely go about it in an entirely different way and in an entirely different order.

Timelines are an issue too. I’d clean the apartment in a few hours because I want to get it done as fast as possible. It might take my husband a few days, with the cleaning moving further down the to-do list as priorities shift. The same thing often happens with agencies during government-wide implementations like this one; different agencies could end up addressing cybersecurity and log management gaps at different speeds. The maturity model is meant to help agencies effectively prioritize what they need to do, while the implementation requirements lay out when it needs to be done.

The maturity model is made up of four Event Logging tiers, called EL0, EL1, EL2, EL3.

To go back to our example, EL0 is the evaluation stage where you survey the damage, see how dirty your apartment is, and wonder who on Earth would possibly allow themselves to live in such filth. In the same vein, agencies need to evaluate their maturity against the model and identify implementation gaps within 60 calendar days of the memo.

EL1 lays out basic logging requirements for each agency. Are they set up for proper event forwarding, so admins can get info from source or forwarding computers and store them on central servers? Are their timestamps consistent across all events?

Have they started planning for the implementation of security, orchestration, automation, and response (SOAR) and user behavioral analytics (UBA) platforms? Are their logs centrally aggregated by an agency component-level Enterprise Log Manager for full visibility? Agencies get a calendar year to sort that out, and this is what the majority of agencies are working on today.

EL2 details requirements for inspecting encrypted data. The data needs to be effectively encrypted, and it’s got to be accessible and visible to the highest-level ops teams at the head of each agency.

Lastly, agencies have got to have methods in place to detect and monitor data stream disruption, as well as a way to triage them. Agencies have 18 months from the memo release date for this piece.

The last logging tier, EL3, is where they’ll need to tie their container security and monitoring tools together with a SIEM, and finalize their SOAR and UBA implementations – two years later.

All four logging tiers significantly increase retention periods for logs and dictate acceptable formats for storage. Not only that, but the specified timeframes and formats are different depending on the type of log.

Bottom Line

So to recap: M-21-31 puts forth a maturity model for logging. Agencies should evaluate their maturity against the model and identify implementation gaps within 60 days, get to Event Logging tier 1 maturity within a year, reach EL2 maturity within 18 months, and achieve EL3 maturity within two years of the memo’s release date (August 27, 2021).

Agencies also have to “provide, upon request and to the extent consistent with applicable law, relevant logs” to the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and “share log information, as needed and appropriate, with other federal agencies to address cybersecurity risks or incidents.”

Are you exhausted yet? It’s a lot to think about, and a huge undertaking for many of the agencies I’ve spoken with so far. If you don’t know the solutions available to you, it can be daunting. Wondering how your agency will comply with the EO and this memo? Cribl Stream can help.

Join us for an exclusive session on Wednesday, December 15, where we’ll walk through how Stream can help federal agencies:

• Meet requirements at each tier of logging maturity (EL1, EL2, and EL3)
• Adhere to zero-trust principles on access and architecture via role-based access controls, encryption of data in-flight, and more
• Store data in the right formats for the right time frames with ease
• Increase log retention while maximizing investments in current infrastructure and analysis tools

The fastest way to get started with Cribl Stream is to sign-up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign-up and start using Stream within a few minutes.