Imagine that you work in IT and security for a federal entity. How do you manage your event data across different systems and networks? When something goes wrong, how do you detect, investigate and remediate these security incidents?
That’s what the Office of Management and Budget (OMB) addresses in M-21-31: a memorandum that provides guidance for federal agencies to increase their visibility and response capabilities before, during and after a cybersecurity incident.
Here is everything you need to know about M-21-31.
Setting the stage for M-21-31
In 2020, a group of attackers compromised the IT monitoring software of SolarWinds through a supply chain attack. (Instead of breaking into a target network directly, a supply chain attack compromises a trusted third party in order to reach the target organization's systems.) This breach had significant and widespread fallout, affecting over 18,000 SolarWinds customers, including public and private organizations and government agencies.
To prevent these types of incidents from occurring again, in 2021 President Joe Biden signed Executive Order 14028 to improve software supply chain security in the U.S.
Let’s first understand EO 14028, and then we’ll dive into the specifics of M-21-31.
Executive Order (EO) 14028
President Biden signed Executive Order 14028, known as "Improving the Nation's Cybersecurity," on May 12, 2021. The goal of EO 14028 is to improve cybersecurity for federal civilian agencies and the private sector. It establishes a clear framework for how to improve cybersecurity in the U.S. and specifies which technologies are required.
This EO has 11 sections, each focusing on different aspects of cybersecurity. Here’s a very brief, high-level look at the actions that EO 14028 recommends:
- Remove barriers from sharing threat information between the public and private sectors.
- Secure software development processes to prevent supply chain attacks.
- Create standard operating procedures (SOPs) to respond to security incidents and ensure all federal agencies meet a certain threshold of response efforts.
Months later, in August 2021, the OMB released the M-21-31 memorandum in support of Section 8 of the Executive Order — and the rest of this article will focus on this topic.
(In January 2022, just months after M-21-31 was published, the OMB issued another memo in support of EO 14028: M-22-09. The intent of M-22-09 is to move the U.S. government to a zero-trust security model. Zero trust architecture (ZTA) assumes threats exist both inside and outside traditional network boundaries. It eliminates implicit trust in any one element, node, or service, and it requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.)
M-21-31: maturity model for event log management
Known as M-21-31 or even M-21, this memo details the requirements for government agencies to implement appropriate systems and to improve their investigative and remediation capabilities for cybersecurity incidents.
M-21-31 includes a maturity model for agencies to understand the requirements across four event logging (EL) tiers. An event is any piece of data that provides insight about a state change somewhere in an infrastructure, such as a user login. Many of these events are normal and benign, but some will signify a problem within the infrastructure.
IT events can originate from any source: databases, users, the OS and more.
These tiers depend on the criticality level of the logs that agencies must retain. The four tiers are defined below:
- EL0 (Not Effective): Logging requirements of the highest criticality are either not met or are only partially met.
- EL1 (Basic): Only logging requirements of the highest criticality are met.
- EL2 (Intermediate): Logging requirements of the highest and intermediate criticality are met.
- EL3 (Advanced): Logging requirements at all criticality levels are met.
Here are the requirements for each EL tier:
EL1 Basic Requirements
- Required logs should be categorized as criticality level 0.
- Each event log must include the following data, where applicable:
  - Timestamp (accurate and properly formatted)
  - Event type (status code)
  - Device ID (MAC address or other unique identifier)
  - Session / Transaction ID
  - Autonomous System Number
  - Source IP (IPv4 and IPv6)
  - Destination IP (IPv4 and IPv6)
  - Status Code
  - Response Time
  - Additional headers (e.g., HTTP headers)
  - Username and/or user ID (where appropriate)
  - Command executed (where appropriate)
  - Data formatted as key-value pairs (where possible)
  - Unique event identifier (where possible)
- Must have consistent timestamp formats across all event logs for accurate and efficient event correlation and log analysis.
- Cryptography methods must protect logging facilities and log information.
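As an added example (not part of the memorandum or this post), the following Python checks a sample of key-value formatted event records against the EL1 field requirements listed above and tallies the gaps, which is the kind of evidence an agency needs when assessing log quality for the maturity model. It assumes ISO 8601 with an explicit UTC offset as the "properly formatted" timestamp standard, and treats the field names and sample log lines as constructed.

```python
"""Check event records against the M-21-31 EL1 field requirements."""
import re

# Fields the memo requires in every event log. We treat this group as
# mandatory for every record; session/ASN/headers/user/command are
# "where applicable" and are not flagged here. (Constructed field names.)
MANDATORY = ("timestamp", "event_type", "device_id", "src_ip", "dst_ip", "status_code")
# Assumption: "properly formatted" means ISO 8601 with an explicit offset.
ISO8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def parse_kv(line):
    """Parse a key=value record (EL1 asks for key-value formatting where possible)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' are not key-value data and are ignored
            fields[key] = value
    return fields


def check_record(line):
    """Return the EL1 gaps for one record; an empty list means the record conforms."""
    fields = parse_kv(line)
    if not fields:
        return ["not key-value formatted"]
    gaps = [f"missing {name}" for name in MANDATORY if name not in fields]
    ts = fields.get("timestamp")
    if ts and not ISO8601.match(ts):
        gaps.append("timestamp not ISO 8601 with timezone")
    if "event_id" not in fields:
        gaps.append("no unique event identifier")
    return gaps


def assess(lines):
    """Tally gaps across a log sample to produce an EL1 maturity-gap summary."""
    tally, conformant = {}, 0
    for line in lines:
        gaps = check_record(line)
        conformant += not gaps
        for gap in gaps:
            tally[gap] = tally.get(gap, 0) + 1
    return {"records": len(lines), "conformant": conformant, "gaps": tally}


# Constructed sample: one conformant record, one with a raw epoch timestamp
# and no event identifier, and one free-text line with no key-value structure.
SAMPLE = [
    "timestamp=2024-03-01T12:00:00Z event_type=login device_id=aa:bb:cc:dd:ee:ff "
    "src_ip=10.0.0.5 dst_ip=10.0.0.9 status_code=200 user=alice event_id=1",
    "timestamp=1709294405 event_type=exec device_id=host-7 src_ip=10.0.0.5 "
    "dst_ip=10.0.0.9 status_code=0 command=whoami",
    "login from 10.0.0.7 failed",
]
```

Running `assess(SAMPLE)` reports one conformant record out of three and names each gap with its count, which maps directly onto the "quality of those logs" question in the gap-analysis step.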
EL2 Intermediate Requirements
- Inspect the encrypted data.
- Meet all requirements for EL1.
- Retain required logs categorized as criticality levels 1 and 2 in acceptable formats for the specified timeframes.
- Required logs categorized as criticality levels 0 and 1 are accessible and visible to the highest-level security operations at the head of each agency.
EL3 Advanced Requirements
- Meet all requirements for EL2.
- Finalize and implement automated hunt and incident response playbooks.
- Implement user behavioral analytics to allow early detection of malicious behavior.
- Integrate container security and monitoring tools with security information and event management (SIEM) tools.
If you struggle to meet even the lowest maturity level, focus on these areas first:
- Logging capability
- Log collection
- Storage decisions depending on system impact and by event type
How to implement M-21-31
When M-21-31 was issued in August 2021, it required agencies to complete these steps within 60 days. Today, every agency is on a journey to mature towards the EL3 Advanced Requirements. Within each federal agency, CIOs, CISOs and ISSOs are responsible for complying with these mandates.
(Splunk is fully capable of helping federal agencies achieve M-21-31 maturity. Get in touch to learn exactly how we can help you.)
Step 1: Evaluate your maturity against the model
The first step is to compare your organization’s maturity against the model in the memorandum. This way, you can identify implementation gaps within your organization and determine where you need to focus your efforts.
Step 2: Identify implementation gaps
Once you have evaluated your maturity against the model, identify implementation gaps. These gaps represent areas where your organization is not meeting the requirements outlined in M-21-31.
To identify the implementation gaps, consider the following:
- The types of logs you are collecting
- The quality of those logs
- The frequency with which you collect them
- The level of automation you have in place
- The level of integration between your logging and other security tools
Step 3: Address & solve implementation gaps
Next, fill the implementation gaps you have identified. Set your goal at meeting the requirements of the next EL tier, which moves your agency to a higher security level.
Then, submit the plans and estimates to your OMB Resource Management Office (RMO) and the Office of the Federal Chief Information Officer (OFCIO) desk officer.
You should achieve the maturity levels within the following timelines, counted from the date the memorandum was issued:
- EL1 maturity level within one year
- EL2 maturity within eighteen months
- EL3 maturity within two years
Consider sharing relevant logs with the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and other federal agencies to protect federal information systems and address security risks.
Requirements & benefits of M-21-31
So, yes, M-21-31 is a mandate that requires action from applicable federal agencies. Beyond that requirement, however, M-21-31 provides many value-add benefits of its own. Here are some of the biggest requirements, which will also benefit your department and those you work with.
Standardizing the event logging requirements
M-21-31 defines a standard set of event logging requirements that all federal agencies must follow. This enables agencies to collect the same types of data consistently — making it easier to analyze and share information across agencies (one of the main goals of EO 14028). It will also ensure the collected data is sufficient to support:
- Incident detection
- Incident remediation efforts
Improving the incident response capabilities
Standardizing event logging requirements will improve your organization’s incident response capabilities. This way, you can identify and respond to security incidents with a consistent set of data being collected.
The maturity model also lets you identify areas where your incident response capabilities need improvement, and it provides a roadmap for getting there.
Understanding scope & impact of cybersecurity incidents
By collecting more data about security events, you can better understand the scope and impact of incidents, and you can identify trends and patterns that may indicate a larger attack. Doing so helps you respond more quickly to security incidents.
Collaborating across different agencies
This memorandum makes it easier for agencies to share information about security incidents, work together, and respond to threats. This collaboration can prevent attacks from spreading across multiple agencies and improve the overall security posture.
Strengthen your agency's security posture with M-21-31
The M-21-31 memorandum can improve your agency's capabilities to prevent, detect and respond to cybersecurity incidents. By following these guidelines, you will strengthen your agency's security posture and help protect your work from cyber threats.
This posting does not necessarily represent Splunk's position, strategies or opinion.