This memo is a follow-on to Executive Order 14028, Improving the Nation’s Cybersecurity, and specifically addresses the IT event logging requirements that section 8 of the EO calls for in order to improve the federal government’s investigative and remediation capabilities. Why does this matter?
Unless you have been ignoring the news for the last few years, you know about the attention-grabbing headlines around the SolarWinds incident (trojanized updates distributed from March 2020, discovered December 2020), the Microsoft Exchange Server incident (March 2021), the Colonial Pipeline ransomware incident (May 2021), and more. The EO is primarily a mandate to federal agencies, with knock-on requirements for critical infrastructure operators and the defense industrial base that support them, to strengthen their cybersecurity posture. The EO lays out multiple strategic focus areas: identity and multi-factor authentication (MFA), zero trust architectures, and securely moving data and applications to the cloud. As departments, agencies, and industry begin to move in these areas, it is important to understand that basic, foundational IT elements must already be in place, because the multi-layered defenses a good cybersecurity posture depends on are built on top of them. Two of those foundations are to:
Determine who and what needs access to the data/assets/application services to create access control policies;
Inspect and log all traffic before acting.
Focusing on this last point, OMB memo M-21-31 establishes a maturity model for event log management that defines four tiers, EL0 (Not Effective), EL1 (Basic), EL2 (Intermediate), and EL3 (Advanced), and sets the timeline by which federal agencies must reach each tier. Within 60 days of the memo’s release, agencies must assess their current maturity against the model; they must then reach EL1 (Basic) within one year, EL2 (Intermediate) within 18 months, and EL3 (Advanced) within two years. That is an aggressive timeline when you consider that in the same window agencies must not only assess where they stand and plan how they will close the gap, but also acquire and deploy the products and solutions needed to get there.