The Office of Management and Budget directed federal agencies to increase their sharing of information system logs needed to accelerate cybersecurity incident response, in a memo issued Friday.
The memo contains a maturity model for event log management intended to guide agencies' implementation of its requirements across four event logging (EL) tiers: not effective, basic, intermediate, and advanced.
Following the SolarWinds hack that compromised agencies, President Biden issued a cybersecurity executive order — Section 8 of which lays out logging and log retention. The EO also outlined the management requirements that OMB's memo addresses.
“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during and after a cybersecurity incident,” reads the memo. “Information from logs on federal information systems — for both on-premises systems and connections hosted by third parties, such as cloud services providers — is invaluable in the detection, investigation and remediation of cyber threats.”
OMB expects agencies to prioritize their high-impact systems and high-value assets first as they implement EL requirements.
The first maturity model tier, EL0 or not effective, allows for agencies to meet or partially meet requirements of the highest criticality — namely retaining criticality level 0 logs in acceptable format for timeframes specified in the memo.
By EL1, or the basic tier, agencies must fully meet requirements of the highest criticality: the basic logging categories; minimum logging data; time standard; event forwarding; protecting and validating log information; passive Domain Name System; Cybersecurity and Infrastructure Security Agency and FBI access requirements; logging orchestration, automation and response planning; user behavior monitoring planning; and basic centralized access.
EL2 adds intermediate criticality requirements: meeting the EL1 maturity level; intermediate logging categories; publication of standardized log structure; inspection of encrypted data; and intermediate centralized access.
Lastly, EL3 requires meeting the EL2 maturity level; advanced logging categories; finalizing implementation of logging orchestration, automation and response; finalizing implementation of user behavior monitoring; application container security, operations and management; and advanced centralized access.
Agencies have 60 days from the memo’s issuance to assess their logging maturity against the model and plan to address resource and implementation gaps. Those plans must be sent to the OMB Resource Management Office and Office of the Chief Information Officer desk officer.
Agencies must achieve EL1 maturity within one year, EL2 within 18 months, and EL3 within two years.
Agencies must also provide relevant logs to CISA and the FBI upon request, as well as share them as needed with other agencies in addressing cyber risks or incidents.
“This sharing of information is critical to defend federal information systems,” reads the memo.
The memo directs CISA to deploy teams to advise agencies in their assessment of their logging capabilities and release tools with the FBI to help assess logging maturity.
Meanwhile, the Department of Commerce must have the National Institute of Standards and Technology maintain Special Publication 800-92, its “Guide to Computer Security Log Management,” and incorporate the memo’s requirements into its next revision and other relevant publications.