Threat Management, Cloud Security, Zero trust, SIEM

Post SolarWinds, the federal government wants to level up its logging capabilities

WASHINGTON, DC – AUGUST 27: The American flag and National League of Families POW/MIA Flag on top of the White House stand at half staff to honor the U.S. service members killed in terror attacks in Kabul Afghanistan, on August 27, 2021 in Washington, DC. The White House’s administrative arm released a memo on how agencies should be log...

A recent White House executive order on cybersecurity looks to make big hacks like the SolarWinds campaign harder to pull off by imposing new requirements on the kind of data that federal agencies must log and store.

Now, the Office of Management and Budget, which sets administrative policy for the rest of the civilian government, has outlined a policy framework for what agencies should include. The document, released Friday afternoon, details specifics around how to set up requirements for logging, log retention, and log management correctly to “ensure centralized access and visibility for the highest-level security operations center of each agency.”

In a memo signed by Acting Director Shalanda Young, OMB sets up a tiered maturity model that agencies should measure their logging practices against.

“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident,” Young wrote in the memo. “Information from logs on federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation, and remediation of cyber threats.”

Achieving a basic logging posture (Tier 1) includes properly formatted timestamps, status codes, device identifiers, source and destination data for IPv4 and IPv6 response time, unique identifiers and other telemetry like passive DNS monitoring. That data must be encrypted and verified by the agency, and they should begin planning at this stage for how they might leverage automated tools like security orchestration and automated response in the future.

Tier 2 includes documenting a log schema to give the Cybersecurity and Infrastructure Security Agency, perform full traffic inspection of metadata, incorporate zero trust principles around access and make that data available for use in “the highest-level security operations at the head of each agency.”

The most advanced posture, Tier 3, involves implementing automated hunt and response capabilities like SOAR, start tracking behavioral analytics and integrate container security and monitoring tools into their security event information management systems.

Agencies have two months to measure their current practices against the model, a year to meet Tier 1 requirements and two years before they’re required to operate at Tier 3, the highest level. They also need to be able to share those logs with the CISA and other relevant agencies to bolster the kind of investigation and incident response activities that followed the SolarWinds incident and other broad hacks affecting the government.

Under the new policy, CISA and the FBI will also advise agencies and test the logging capabilities of other agencies, while the National Institute for Standards and Technology will incorporate the memo into their existing technical requirements for logging that agencies and contractors must follow.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.