OMB Provides Tiered Instructions on Logging Requirements in Executive Order

Federal agencies must immediately begin sharing any relevant logs with the Cybersecurity and Infrastructure Security Agency and the FBI upon request and with other agencies, as appropriate, according to the Office of Management and Budget. 

“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident,” reads a Friday memo from OMB. “Information from logs on Federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation, and remediation of cyber threats.”

The memo follows a May 12 executive order President Joe Biden issued after a breach at IT management company SolarWinds, a ubiquitous government contractor, and other factors led to the compromise of nine federal agencies, and about 100 U.S. companies, according to officials. 

In an earlier, Aug. 10 memo, also stemming from the order, OMB told agencies to prioritize on-premises applications in their implementation of security measures to protect critical software, including in areas like container environments. Logging activities in the categories of  system configuration and performance; email filtering, spam, and phishing; mainframes; and container events were assigned the highest criticality level in the new memo.

The executive order devotes an entire section to just security logging, which became a hot button issue after the SolarWinds attack when some in the cybersecurity policy space noted a lack of uniformity in the logging services offered by Microsoft. Full logging capabilities were only available with certain licenses. 

Microsoft has since offered to provide a one-year free trial of its “Advanced Audit” logging tools to customers of its government cloud. OMB is giving agencies one year to meet the basic, first tier in moving toward mature logging systems. Among other instructions, the guidance details minimum time periods for agencies’ log data storage.

Implementers have 60 days from the date of the memo’s publication to assess their current logging capabilities against the maturity levels described in the memo and submit plans to the federal chief information officer and OMB’s resource management office identifying challenges they anticipate.    

Beyond the basic logging requirements, OMB spells out ways to meet intermediate and advanced tiers that must include activities such as data encryption inspection and the use of behavioral analytics, respectively. Agencies have 18 months to reach intermediate maturity and two years to reach advanced maturity, according to the OMB memo.