Federal Agencies Given Two Months to Assess Cybersecurity Logging Performance
Federal agencies have been given a two-month deadline to assess how well they log cybersecurity incident data against a new maturity model released on Friday. As part of the Office of Management and Budget directive, agencies must also identify gaps, develop plans to mitigate those problems and submit cost estimates to the OMB Resource Management Office and the Office of the Federal Chief Information Officer.
OMB Acting Director Shalanda Young wrote in a memo to agency heads that recent events, including the SolarWinds attack, underscore the importance of increased government visibility before, during and after a cybersecurity incident. Information from logs on federal information systems is invaluable in the detection, investigation and remediation of cyber threats.
In an executive order issued in May, President Joe Biden directed federal agencies to bolster cybersecurity preparedness. The EO called on agencies to improve their investigative and remediation capabilities, particularly on logging, log retention and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center of each agency, Federal News Network reported Friday.
The OMB then outlined four maturity levels, from event logging 0 (EL0) as the least mature to EL3, a mature program that other agencies should assess themselves against. These tiers are intended to help agencies prioritize their efforts and resources so they can eventually achieve full compliance with requirements for implementation, log categories and centralized access.
After a 60-day review, agencies then have 18 months to reach EL2 and 24 months to reach EL3, it was also reported. By improving the way agencies log cyber events, the Biden administration hopes to enhance the ability of the Cybersecurity and Infrastructure Security Agency and other concerned agencies to detect intrusions, mitigate those in progress and determine the extent of an incident after the fact.