What Does the Deadline on Federal Event Log Management Mean for My Organization?

A new cybersecurity executive order deadline on event log management has many technology companies wondering if they have to take action. Our Federal Practice Lead, Tony Bai, explains what this update means and whether or not it will affect your organization.

Another day, another cyber executive order deadline quickly approaching. Recently, the Office of Management and Budget (OMB) released an official memorandum that provided timelines on the actions federal agencies must take to ensure the U.S. government can effectively detect, investigate, and remediate cyber threats.

The memo, “Improving the Federal Government’s Cyber Investigative and Remediation Capabilities,” focuses specifically on the requirements surrounding logging, log retention, and log management that were laid out in section eight of President Biden’s executive order on Improving the Nation’s Cybersecurity.

So, what does this mean for the federal compliance landscape? Here’s how it might affect your organization now and in the future.

Remind Me: What Was the Cyber Executive Order?

To refresh your memory, Biden’s executive order laid the foundation for a seven-part initiative designed to better protect government networks and enhance our nation’s overall level of cybersecurity. The seven core elements include:

  • Removing Barriers to Sharing Threat Information
  • Modernizing Federal Government Cybersecurity
  • Enhancing Software Supply Chain Security
  • Establishing a Cyber Safety Review Board
  • Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Improving the Federal Government’s Investigative and Remediation Capabilities

The executive order was released in May 2021; since then, the U.S. government has worked to release additional cybersecurity guidance, identify best practices, define key terms, establish new procedures, and more. Part of this order included establishing timeframes for agencies to share updated plans for the adoption of zero trust architecture, providing initial progress reports about the use of multifactor authentication and data encryption, and releasing reports about the types and sensitivity of unclassified data. Many of the deadlines for these preliminary activities have already passed.

The latest deadline released by the OMB states that agencies have 60 days from August 27, 2021 to conduct internal reviews of their audit log requirements against a new maturity model. Additional deadlines are as follows:

  • Agencies have 60 days from August 27, 2021 to assess their current level of EL maturity against the model
  • Agencies have one year to reach Event Logging (EL) Tier 1
  • Agencies have 18 months to reach EL2
  • Agencies have two years to reach EL3

What is the Maturity Model for Event Log Management?

The memo outlines a maturity model designed to guide the implementation of logging requirements across four event logging (EL) tiers. Below is the summary table provided by the OMB:

Event Logging Tier   Rating          Description
EL0                  Not Effective   Logging requirements of highest criticality are either not met or are only partially met
EL1                  Basic           Only logging requirements of highest criticality are met
EL2                  Intermediate    Logging requirements of highest and intermediate criticality are met
EL3                  Advanced        Logging requirements at all criticality levels are met

The memo notes that these four tiers “will help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access. Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high value assets.”

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) will be deploying teams to advise government agencies during the assessment process, as well as creating tools in conjunction with the FBI to help agencies accurately determine their level of EL maturity. Pertinently, agencies will be required to provide relevant security event log information to CISA and the FBI upon request.

Once the initial 60-day review period has passed on October 26, 2021, it’s anticipated that more detailed transition guidance will be released to delineate how agencies can become compliant according to the timelines set forth in the memo. Some industry experts also predict that we will see more specific guidance for commercial companies on what type of information should be captured in their audit logs.

Though there are still some question marks in place regarding what comes next, federal agencies need to start preparing themselves for the impact the EL maturity model will have on their operations.

The Impact of the Maturity Model for EL Management on Business

So, is the federal EL management memo going to impact your organization? There’s a strong possibility that it will.

Similar to the cybersecurity executive order, most of the language of the recent memo speaks to federal agencies. However, certain elements also apply to federal contractors and companies downstream in the federal supply chain. A few key footnotes to call attention to include:

  • Footnote #6: Software developed by agencies or by contractors on behalf of agencies must log unique event identifiers for each event in accordance with these requirements.
  • Footnote #7: Software developed by agencies or by contractors on behalf of agencies must log timestamps for each event in accordance with these requirements. If the software does not produce data in this format, federal agencies will transform records to conform to these standards before the data is ingested into the Security Information and Event Management (SIEM) platform or stored in bulk storage.
  • Footnote #15: Federal agencies shall submit all phishing attempts to CISA by forwarding the phishing attempt as an attachment to [email protected]. Federal agencies shall ensure that all contractors that operate infrastructure on their behalf implement this requirement.

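Footnotes #6 and #7 describe the practical work a contractor or agency collector faces: every event needs a unique identifier and a timestamp, and records that do not arrive in the required form have to be transformed before they reach the SIEM. The following is an added illustration written for this article, not code from the OMB memo or from A-LIGN, and it makes several assumptions the page does not state: the target timestamp form is ISO 8601 in UTC with millisecond precision, the unique identifier is a random UUID assigned at collection time, the three input formats (JSON, classic syslog, a pipe-delimited line) are hypothetical, and classic syslog lines, which carry no year or zone, are completed with a year supplied by the collector and treated as UTC. Records that cannot be normalized are kept with an error rather than dropped, so they can be reviewed instead of silently disappearing from the audit trail.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input (hypothetical formats, not the memo's): three
# recognisable records and one line with no usable timestamp.
RAW_RECORDS = [
    '{"ts": "2021-09-14T13:22:05.123Z", "event": "login", "user": "alice"}',
    "Sep 14 13:22:07 app01 auth[412]: login failure for user bob",
    "2021-09-14 09:22:09 -0400 | file_access | carol | /srv/data/report.pdf",
    "unstructured line with no usable timestamp",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
PIPE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) \| "
    r"(?P<event>[^|]+) \| (?P<user>[^|]+) \| (?P<obj>.*)$"
)


def to_utc_iso(dt: datetime) -> str:
    """Render an aware datetime as ISO 8601 in UTC with millisecond precision (assumed target form)."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def parse_record(raw: str, default_year: int = 2021):
    """Return (aware timestamp, extracted fields) for a recognised format, else raise ValueError."""
    raw = raw.strip()
    if raw.startswith("{"):
        obj = json.loads(raw)
        # fromisoformat() only accepts a trailing 'Z' on newer Pythons; spell it out.
        ts = datetime.fromisoformat(obj["ts"].replace("Z", "+00:00"))
        if ts.tzinfo is None:  # naive timestamps are treated as UTC (assumption)
            ts = ts.replace(tzinfo=timezone.utc)
        return ts, {"format": "json", **{k: v for k, v in obj.items() if k != "ts"}}
    m = SYSLOG_RE.match(raw)
    if m:
        # Classic syslog carries neither year nor zone: the collector supplies both.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(
            year=default_year, tzinfo=timezone.utc
        )
        return ts, {"format": "syslog", "host": m["host"], "message": m["msg"]}
    m = PIPE_RE.match(raw)
    if m:
        # Local time with an explicit offset; to_utc_iso() converts it to UTC.
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        return ts, {
            "format": "pipe",
            "event": m["event"].strip(),
            "user": m["user"].strip(),
            "object": m["obj"].strip(),
        }
    raise ValueError("unrecognised record format")


def normalize(raw: str, default_year: int = 2021) -> dict:
    """Build the record the SIEM ingests: unique id, UTC timestamp, fields, and the raw original."""
    record = {"event_id": str(uuid.uuid4()), "raw": raw}
    try:
        ts, fields = parse_record(raw, default_year)
    except (ValueError, KeyError) as exc:  # json.JSONDecodeError is a ValueError
        # Keep the record with an error rather than dropping it from the audit trail.
        record.update({"timestamp": None, "normalization_error": str(exc)})
        return record
    record["timestamp"] = to_utc_iso(ts)
    record.update(fields)
    return record


def normalize_batch(raws, default_year: int = 2021):
    """Split a batch into ingestible records and records that need review."""
    ok, rejected = [], []
    for raw in raws:
        rec = normalize(raw, default_year)
        (rejected if rec["timestamp"] is None else ok).append(rec)
    return ok, rejected


if __name__ == "__main__":
    good, bad = normalize_batch(RAW_RECORDS)
    for rec in good + bad:
        print(json.dumps(rec))
```

Run as a script it prints one normalized JSON record per input line; the 09:22:09 -0400 record comes out as 13:22:09Z, the syslog line receives the collector-supplied year, and the last line lands in the rejected list with `normalization_error` set. Keeping the raw original alongside the normalized fields is deliberate: the transformed record is what the SIEM searches, but the untouched input is what an investigator will want when the normalization itself is questioned.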
In addition to direct federal contractors, this memo and the executive order at large are applicable to companies that create or supply software or hardware used by federal defense contractors. This is because such organizations are considered part of the defense supply chain and are in a unique position to introduce potential risk.

If you own or are employed by a technology company, now is the time to verify whether or not you are part of the federal supply chain. It is entirely possible that your product is used by federal agencies or contractors even if you don’t know it. To help clarify this situation, it is also expected that the National Institute of Standards and Technology (NIST) will release supply chain security standards to further map out these responsibilities.

Understanding the EL Management Memo

By providing guidance for the improvement and standardization of the way federal agencies and contractors log cyber events, the recent memo aims to strengthen the ability of CISA and other government entities to detect incidents, mitigate ongoing attacks, and identify the extent and cause of incidents after the fact.

If your organization is a federal contractor, or is involved in the federal supply chain, you should begin looking at what information you are capturing in your logs as well as developing a roadmap to eventually meet EL3 requirements.

Whether you have plans to pursue government business in the future, or if you’re unsure if your organization is part of the federal supply chain, A-LIGN can help. From FedRAMP and FISMA to NIST 800-171 and CMMC, our team of assessors has a vast amount of experience in the federal space and can help you determine which assessments may help ease your path to compliance.


Ready to refine your federal compliance program?
Contact an A-LIGN Expert Today