Corelight accelerates OMB logging adoption

In case you missed the Office of Management and Budget (OMB) memo M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, here is the information you need to know if you are in the federal government.

This memo is a follow-on to Executive Order 14028, Improving the Nation’s Cybersecurity, and specifically targets the IT logging requirements (section 8) needed to improve the government’s investigative and remediation capabilities. Are you wondering why this might be important?

Unless you have been ignoring the news for the last few years, you know about the attention-grabbing headlines around the SolarWinds incident (March-December 2020), the Microsoft Exchange incident (March 2021), the Colonial Pipeline incident (April 2021), and more. The EO is primarily a mandate to the federal government, critical infrastructure, and the defense industrial base to strengthen the cybersecurity posture of their affiliated agencies and organizations. The EO lays out multiple strategic focus areas: identity and multi-factor authentication (MFA), zero trust architectures, and securely moving data and applications to the cloud. As departments, agencies, and industry begin to move in these specific areas, it is important to understand that basic, foundational IT elements must already be in place before the multi-layered defenses needed for a good cybersecurity posture can be built on top of them.

For example, the National Security Agency (NSA) published Embracing a Zero Trust Security Model, which states that when designing a zero trust solution an organization must:

  1. Define mission outcomes;
  2. Architect from the inside out;
  3. Determine who and what needs access to the data/assets/application services to create access control policies;
  4. Inspect and log all traffic before acting.

Focusing on this last point, OMB memo M-21-31 establishes a maturity model for event log management that defines four tiers and gives the timeline by which federal agencies should reach each of those tiers. Within 60 days, agencies must assess their initial maturity level; they must then reach event logging tier 1 (EL1-Basic) within one year and EL3-Advanced within two years. That is an aggressive timeline when you consider that agencies must first assess their current state and determine how they will achieve these levels, and then acquire and deploy the right products and solutions to get there.

Corelight’s open and comprehensive logging capabilities, together with its SIEM integration and recently announced Smart PCAP feature, provide federal agencies that are implementing Corelight with a way to satisfy their network data logging requirements and quickly reach EL3 maturity. We have recently published a white paper, How Corelight’s uniform network visibility helps agencies comply with OMB M-21-31, that describes this in greater detail. If your agency is looking to advance through the event logging maturity model, you can also contact us for more information.

By Jean Schaffer, Federal CTO, Corelight
