The Office of Management and Budget (OMB) has issued guidance (memo M-21-31) implementing an executive order that calls on agencies to improve their capabilities to investigate and remediate cybersecurity incidents, including a requirement that agencies increase the sharing of information about such incidents with each other.
“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on Federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs)) is invaluable in the detection, investigation, and remediation of cyber threats,” it says.
The memo sets standards for logging, log retention, and log management, “with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency.”
It establishes a four-level maturity model for event logging that, it says, will “help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access. Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high value assets.”
It sets a series of deadlines: agencies must assess their maturity against the model within 60 days, and must reach level 1 of maturity within one year, level 2 within 18 months and level 3 within two years. Agencies must also “provide, upon request and to the extent consistent with applicable law, relevant logs” to the Cybersecurity and Infrastructure Security Agency and the FBI, and “share log information, as needed and appropriate, with other federal agencies to address cybersecurity risks or incidents.”