Federal Departments Ordered to Improve Logging Capabilities
OMB Memo Describes Steps Agencies Must Take to Report Cyber Incidents

The White House is ordering U.S. agencies to improve their logging capabilities to better track when attackers target their networks and data, according to a memo from the Office of Management and Budget.
The memo, issued Friday by acting OMB Director Shalanda Young, instructs federal executive branch agencies to begin outlining steps they plan to take to improve their incident logging capabilities, including log retention and log management, to help the government gain greater visibility into their networks.
The departments now have 60 days to assess their capabilities compared to the maturity models outlined by the OMB and report where improvements can be made. From there, agencies have two years to make continual progress.
Under the new order, departments must now share incident logs with the U.S. Cybersecurity and Infrastructure Security Agency and the FBI "upon request and to the extent consistent with applicable law," according to OMB.
In the memo, Young notes that federal agencies need to better retain and track incident logs to provide better visibility to agencies such as CISA and the FBI following a breach or attack. Improving log management within departments is also a key tenet of President Joe Biden's executive order on cybersecurity issued in May (see: Biden Signs Sweeping Executive Order on Cybersecurity).
"Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during and after a cybersecurity incident," Young notes. "Information from logs on federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation and remediation of cyber threats."
The supply chain attack against SolarWinds led to follow-on attacks on about 100 companies as well as nine federal agencies (see: SolarWinds Attackers Accessed US Attorneys' Office Emails).
Maturity Model
The OMB memo describes four levels of logging capabilities: not effective, basic, intermediate and advanced. All departments are expected to reach the "advanced" level within two years.
"These tiers will help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories and centralized access," according to OMB. "Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high-value assets."
Reaching the "basic" tier, also known as event logging 1, requires that departments properly format and accurately time-stamp events; offer detailed status codes for specific cyber events; provide device identifiers, such as MAC addresses; provide source and destination data for both IPv4 and IPv6 communication protocols; and develop ways to passively monitor DNS traffic, according to the memo.
Reaching the "intermediate" tier requires meeting all of the basic requirements, as well as the ability to provide CISA with documents describing a department's full incident log structure, perform full traffic inspection, and incorporate "zero trust" principles and architectures, the memo notes.
Reaching the "advanced" tier requires all of the previous requirements, plus implementing SOAR capabilities into log management plans and developing the ability to track behavioral analytics, according to OMB.
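The basic-tier requirements above amount to a minimum schema for each event: an accurate timestamp, a status code, a device identifier, and source and destination addresses for both IP families. The following checker, added here as an illustration and not part of the memo or of any agency tooling, validates a batch of constructed sample events against that minimum so that malformed records can be caught before they reach a central log store. The field names (`timestamp`, `status`, `device_mac`, `src_ip`, `dst_ip`) and the choice of RFC 3339 timestamps with an explicit UTC offset are assumptions made for this example; the memo itself does not prescribe them.

```python
import ipaddress
import re
from datetime import datetime

# Fields the basic (event logging 1) tier calls for. The names are an
# assumption for this example, not a schema defined by the OMB memo.
REQUIRED_FIELDS = ("timestamp", "status", "device_mac", "src_ip", "dst_ip")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed sample events (not real log data): one well-formed, one not.
SAMPLE_EVENTS = [
    {"timestamp": "2021-08-27T14:03:22Z", "status": 200,
     "device_mac": "00:1A:2B:3C:4D:5E", "src_ip": "10.20.30.40",
     "dst_ip": "2001:db8::10", "message": "dns query example.test"},
    {"timestamp": "2021-08-27 14:03:22", "status": "ok",
     "device_mac": "001A2B3C4D5E", "src_ip": "10.20.30.999",
     "dst_ip": "2001:db8::10", "message": "malformed event"},
]


def parse_timestamp(value):
    """Parse an RFC 3339 / ISO 8601 timestamp and require a UTC offset, so
    events from different systems can be ordered during an investigation."""
    if not isinstance(value, str):
        raise ValueError("timestamp must be a string")
    # datetime.fromisoformat() accepts '+00:00' but older versions reject 'Z'.
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp has no timezone offset")
    return ts


def check_event(event):
    """Return a list of (field, reason) pairs; an empty list means the event
    carries every basic-tier field in a usable form."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in event:
            problems.append((field, "missing"))
    if "timestamp" in event:
        try:
            parse_timestamp(event["timestamp"])
        except ValueError as exc:
            problems.append(("timestamp", str(exc)))
    if "status" in event:
        status = event["status"]
        if isinstance(status, bool) or not isinstance(status, int):
            problems.append(("status", "status code must be an integer"))
    if "device_mac" in event and not MAC_RE.match(str(event["device_mac"])):
        problems.append(("device_mac", "not a colon-separated MAC address"))
    for field in ("src_ip", "dst_ip"):
        if field in event:
            try:
                ipaddress.ip_address(event[field])  # accepts IPv4 and IPv6
            except ValueError:
                problems.append((field, "not a valid IPv4 or IPv6 address"))
    return problems


def audit(events):
    """Summarize a batch: how many events pass and which fields fail most,
    which is the kind of gap report the 60-day assessment asks for."""
    summary = {"total": len(events), "compliant": 0, "failures_by_field": {}}
    for event in events:
        problems = check_event(event)
        if not problems:
            summary["compliant"] += 1
        for field, _ in problems:
            counts = summary["failures_by_field"]
            counts[field] = counts.get(field, 0) + 1
    return summary


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["message"], check_event(event))
    print(audit(SAMPLE_EVENTS))
```

Running the script reports the second sample as failing on four fields (a timestamp with no offset, a non-numeric status, an unseparated MAC and an out-of-range IPv4 octet), while the first passes. A checker like this is most useful at the collection boundary, where records from many sources are normalized before being retained for the multi-year periods the memo contemplates.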
The memo calls for CISA and the National Institute of Standards and Technology to assist executive branch agencies in maintaining and retaining incident logs by helping to develop policies and management tools.
Enhancing Reporting
By working through these various tiers, federal departments will align more with the types of log management capabilities found in the private sector, says Mike Hamilton, the former vice chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"The federal government is realizing what many in the private sector did long ago: Prevention will fail. The ability to detect the signal - from the network, endpoints, log events, etc. - after the failure of preventive controls is the best way to minimize the impact of the compromise," says Hamilton, now CISO of security firm Critical Insight. "A secondary benefit that will certainly be brought to bear is the retention of log data for forensic purposes."
And while achieving these goals is difficult, Hamilton notes that standardized log and event monitoring "will make acts of espionage and crime much easier to limit in scope and severity."
Agency Problems
In recent weeks, reports from inspectors general and Congress have criticized federal agencies over their handling of various cyber events.
Earlier this month, an audit of the response to a 2020 breach at the U.S. Census Bureau found the department failed to follow standard cybersecurity practices, including properly maintaining logs of incidents to assist in an investigation (see: US Census Bureau Criticized for Handling of Breach).
An earlier congressional report found seven federal agencies - the departments of State, Housing and Urban Development, Transportation, Agriculture, Health and Human Services and Education and the Social Security Administration - lacked basic cybersecurity protections and policies despite warnings about increases in attacks.
Last week, the White House held a meeting with leaders of several tech, insurance, education and financial organizations about the need for improving supply chain and critical infrastructure security in the public and private sectors (see: White House Unveils Supply Chain, New Security Initiatives).