The White House has directed federal agencies to improve their logging capabilities in order to accelerate cybersecurity incident response, according to a memo from the Office of Management and Budget.
The memo, issued by acting OMB Director Shalanda Young, includes a maturity model for event log management intended to guide federal agencies' implementation of its requirements across four event logging (EL) tiers: not effective, basic, intermediate, and advanced.
“These tiers will help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access. Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high-value assets,” according to OMB.
By working through these tiers, federal departments will align more closely with the log management capabilities already common in the private sector, according to Mike Hamilton, the former vice-chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
The memo follows a May 12 executive order by President Joe Biden issued following the SolarWinds hack that compromised nine federal agencies, a ubiquitous government contractor, and about 100 U.S. companies.
“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on federal information systems — for both on-premises systems and connections hosted by third parties, such as cloud services providers — is invaluable in the detection, investigation, and remediation of cyber threats,” reads the memo.
The departments now have 60 days to assess their capabilities against the maturity model and plan to address resource and implementation gaps. Those plans must be sent to the OMB Resource Management Office and Office of the Chief Information Officer desk officer. OMB expects federal agencies to prioritize their high-impact systems and high-value assets first as they implement EL requirements.
Agencies were also told to share logs with third parties such as the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). “This sharing of information is critical to defend federal information systems,” reads the memo. The memo directs CISA to deploy teams to advise agencies in their assessment of their logging capabilities and to release tools, together with the FBI, to help assess logging maturity.
Meanwhile, the Department of Commerce must have the National Institute of Standards and Technology maintain Special Publication 800-92, its “Guide to Computer Security Log Management,” and incorporate the memo’s requirements into its next revision and other relevant publications.