Logging Requirements for Federal Agencies and the Importance of Logging for Cybersecurity

logging featured

A new report shines a light on some unfortunate news in the world of federal cybersecurity. According to the U.S. Government Accountability Office (GAO), only three of 23 federal agencies have reached their expected logging requirements as dictated by Executive Order 14028.

In this article, we’re talking about this executive order and what it calls for in security logging, why logging is critical in cybersecurity, and what you can do to ensure that you’re at least familiar with what it means to use logging as a method of preparedness properly.


Executive Order 14028: Improving the Nation’s Cybersecurity

In May 2021, the Office of the President issued Executive Order 14028, a significant step in bolstering the nation’s defenses against increasing cybersecurity threats. This order came in response to high-profile cyber incidents highlighting vulnerabilities in both public and private sector networks.

The preceding years witnessed a surge in sophisticated cyberattacks, including ransomware and espionage campaigns targeting critical infrastructure and government agencies. These incidents exposed the urgent need for a comprehensive and coordinated approach to strengthen cybersecurity across federal networks and the private sector.

The order outlines several key measures aimed at fortifying the U.S. cybersecurity infrastructure:

  • Enhancing Federal Cybersecurity: Mandating federal agencies to adopt best practices and modernize their cybersecurity infrastructure across the board without compromising their collective missions.
  • Improving Supply Chain Security: Introducing guidelines for software vendors supplying the federal government, emphasizing the security of software products. Supply chain security is already a concern in many contexts (see FedRAMP and CMMC requirements), and this EO expects this concern to expand across agencies. 
  • Promoting Zero-Trust Architectures: One primary call from this EO is the requirement to explore and implement zero-trust solutions to protect private data. 
  • Establishing a Cybersecurity Safety Review Board: Creating a board to review and assess significant cyber incidents and recommend improvements.
  • Standardizing Federal Security and Incident Response: Developing a standardized response playbook for federal agencies.
  • Improving Investigative and Remediation Capabilities: Focusing on the need for robust logging, information sharing, and analysis to respond to incidents effectively.

The order significantly impacts how federal agencies and their contractors manage cybersecurity. It requires agencies to adopt multi-factor authentication and encryption and to move towards a zero-trust architecture. For the private sector, especially those providing software to the government, the order sets higher standards for cybersecurity compliance.


Memorandum M-21-31 and Enhancing Log Management


Following Executive Order 14028, the Office of Management and Budget (OMB) released Memorandum M-21-31, explicitly addressing the enhancement of logging, log retention, and log management practices within federal agencies.

Memorandum M-21-31 is a directive for federal agencies to improve their logging practices, a crucial aspect of cybersecurity and incident response, and a requirement detailed in EO 14028. This memorandum complements the Executive Order by providing detailed guidelines on how agencies should manage and retain logs effectively.

The memorandum outlines several key requirements:

  • Enhanced Logging: Agencies must maintain comprehensive logs of their digital activities to aid in detecting, investigating, and remedying cyber threats.
  • Log Retention: It mandates a minimum retention period for logs to ensure that data is available for sufficient time to respond to cyber incidents.
  • Log Management: Agencies must implement effective log management practices, ensuring that logs are secure, accessible, and useful for analysis.

Memorandum M-21-31 introduces a structured approach to logging by establishing a tiered system. This system categorizes logging activities into different tiers with requirements and expectations. The tiered approach is designed to standardize logging practices across federal agencies, ensuring a baseline level of cybersecurity and incident response capability.


Overview of Logging Requirement Tiers

Tiers apply to an organization’s approach to logging requirements. Starting with maintaining logs considered of the “highest criticality,” a more robust logging infrastructure will expand from this base to cover more intermediate and peripheral security and logging demands. 

  • Tier 0 (Not Effective): At tier 0, an organization or some of its infrastructure must meet the minimum requirements to secure critical information. 
  • Tier 1 (Basic Logging): Agencies must maintain logs of essential security events, such as successful and unsuccessful login attempts, system errors, and basic network activities. Specifically, tier 1 signals that the organization meets the logging requirements for the highest criticality.
  • Tier 2 (Intermediate Logging): This tier involves more detailed logging, including records of changes to system configurations, access to sensitive data, and more comprehensive network activity logs. Tier 2 covers logging requirements of the highest and intermediate criticality.
  • Tier 3 (Advanced Logging): In this tier, agencies must implement extensive logging of all system and network activities. This includes detailed user activity logs, full packet capture, and advanced analytics capabilities. Tier 3 is designed for agencies with high-risk profiles, and as such, they demonstrate adherence to all logging requirements. 



This memorandum sets out specific implementation requirements:

  • Within 60 days of the date of the memorandum, the organizations must assess their maturity against the maturity model (Tiers 0-3) and identify resourcing and implementation gaps associated with completing each requirement.
  • Agencies will provide their plans and estimates to their OMB Resource Management Office (RMO) and Office of the Federal Chief Information Officer (OFCIO) desk officer.
  • Within a specific timeframe, advance to and achieve Tier 3 maturity:
    • Within one year: Reach tier 1 maturity.
    • Within 18 months: Reach tier 2 maturity.
    • Within two years: Reach tier 3 maturity.
  • Provide relevant logs to the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) upon request and to the extent consistent with applicable law. 


Why Are These New Logging Requirements So Important?

For several reasons, logging, retention, and management play crucial roles in cybersecurity. They are fundamental components of an organization’s security infrastructure, providing the means to track, analyze, and respond to potential security incidents.

Logging and log management is crucial for several reasons:

  • Incident Detection and Analysis: Logs are often the first place where signs of a security breach or suspicious activity can be detected. By analyzing these records, security teams can identify patterns or anomalies indicative of a cyberattack.
  • Forensic Investigation: In a security incident, logs are invaluable for forensic analysis. They help reconstruct the sequence of events leading up to the incident, understand the scope of the breach, and identify the methods used by attackers.
  • Compliance and Auditing: Many regulatory frameworks require logging for compliance purposes. Logs prove that an organization monitors its systems and can be critical during audits to demonstrate adherence to security policies and legal requirements.
  • Real-time Monitoring and Alerts: Log management systems often include real-time monitoring and alerting capabilities, enabling immediate detection of potential security incidents.
  • Scalability and Performance: Proper log management ensures the logging process does not adversely affect system performance. It also allows scalability to handle increasing volumes of log data as an organization grows.


Make Sure Your Logging Is Up to Speed with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2
  • PCI DSS 4.0
  • IRS 1075
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC