What Does the Deadline on Federal Event Log Management Mean for My Organization?







A new cybersecurity executive order deadline on event log management has many technology companies wondering if they have to take action. Our Federal Practice Lead, Tony Bai, explains what this update means and whether or not it will affect your organization.


Another day, another cyber executive order deadline quickly approaching. Recently, the Office of Management and Budget (OMB) released an official memorandum that provided timelines on the actions federal agencies must take to ensure the U.S. government can effectively detect, investigate, and remediate cyber threats.

The memo, “Improving the Federal Government’s Cyber Investigative and Remediation Capabilities,” focuses specifically on the requirements surrounding logging, log retention, and log management that were laid out in section eight of President Biden’s executive order on Improving the Nation’s Cybersecurity.


So, what does this mean for the federal compliance landscape? Here’s how it might affect your organization now and in the future.
Remind Me: What Was the Cyber Executive Order?

To refresh your memory, Biden’s executive order laid the foundation for a seven-part initiative designed to better protect government networks and enhance our nation’s overall level of cybersecurity. The seven core elements include:

  • Removing Barriers to Sharing Threat Information
  • Modernizing Federal Government Cybersecurity
  • Enhancing Software Supply Chain Security
  • Establishing a Cyber Safety Review Board
  • Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Improving the Federal Government’s Investigative and Remediation Capabilities

The executive order was released in May 2021; since then, the U.S. government has worked to release additional cybersecurity guidance, identify best practices, define key terms, establish new procedures, and more. Part of this order included establishing timeframes for agencies to share updated plans for the adoption of zero trust architecture, providing initial progress reports about the use of multifactor authentication and data encryption, and releasing reports about the types and sensitivity of unclassified data. Many of the deadlines for these preliminary activities have already passed.

The latest deadline released from the OMB dictates state agencies have 60 days from August 27, 2021 to conduct internal reviews of their audit log requirements against a new maturity model. Additional deadlines are as follows:
Agencies have 60 days from August 27, 2021 to assess their current level of EL maturity against the model
Agencies have one year to reach Event Logging (EL) Tier 1
Agencies have 18 months to reach EL2
Agencies have two years to reach EL3

The memo notes that these four tiers “will help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access. Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high value assets.”

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) will be deploying teams to advise government agencies during the assessment process, as well as creating tools in conjunction with the FBI to help agencies accurately determine their level of EL maturity. Pertinently, agencies will be required to provide relevant security event log info to the CISA and FBI upon request.

Once the initial 60-day review period has passed on October 26, 2021, it’s anticipated that more detailed transition guidance will be released to delineate how agencies can become compliant according to the timelines set forth in the memo. Some industry experts also predict that we will see more specific guidance for commercial companies on what type of information should be captured in their audit logs.

Though there are still some question marks in place regarding what comes next, federal agencies need to start preparing themselves for the impact the EL maturity model will have on their operations.
The Impact of the Maturity Model for EL Management on Business

So, is the federal EL management going to impact your organization? There’s a strong possibility that it will.

Similar to the cybersecurity executive order, most of the language of the recent memo speaks to federal agencies. However, certain elements also apply to federal contractors and companies downstream in the federal supply chain. A few key footnotes to call attention to include:
Footnote #6: Software developed by agencies or by contractors on behalf of agencies must log unique event identifiers for each event in accordance with these requirements.
Footnote #7: Software developed by agencies or by contractors on behalf of agencies must log timestamps for each event in accordance with these requirements. If the software does not produce data in this format, federal agencies will transform records to conform to these standards before the data is ingested into the Security Information and Event Management (SIEM) platform or stored in bulk storage.
Footnote #15: Federal agencies shall submit all phishing attempts to CISA by forwarding the phishing attempt as an attachment to federal.phishing.report@us-cert.gov. Federal agencies shall ensure that all contractors that operate infrastructure on their behalf implement this requirement.

In addition to direct federal contractors, this memo and the executive order at large are applicable to companies that create or supply software or hardware used by federal defense contractors. This is because such organizations are considered part of the defense supply chain and are in a unique position to introduce potential risk.

If you own or are employed by a technology company, now is the time to verify whether or not you are part of the federal supply chain. It is entirely possible that your product is used by federal agencies or contractors even if you don’t know it. To help clarify this situation, it is also expected that the National Institute of Standards and Technology (NIST) will release supply chain security standards to further map out these responsibilities.

Read Complete article at – What Does the Deadline on Federal Event Log Management Mean for My Organization?

Comments

Post a Comment

Popular posts from this blog

SOC 1, SOC 2, and SOC 3 Reports: Type 1, Type 2 or Readiness Assessment?

Image
  SOC reports are gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC compliance, and independent cybersecurity control validation and attestation are becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC reports ensure that controls are properly implemented and used within your organization, greatly reducing potential security threats. For organizations seeking a SOC 1 , SOC 2 , or SOC 3 report, there are two attestation options available: Type 1 and Type 2. Additionally, a readiness assessment can be performed to prepare your organization for the attestation. With so many options, what type is best for your organization to prove compliance? Our experienced assessors break down the options so the path to compliance is clear between SOC 1, SOC 2 and SOC 3. We then dive into the various types of SOC reports: Type 1, Type 2 and a readiness assessment. SOC 1 Report A SOC 1 report foll...
Read more

What is NIST 800-171?

Image
  Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST800-171. Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information. National Institute of Standards and Technology (NIST) 800-171 is a mandate that states that federal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) must comply with certain standards to protect that data. Compliance with NIST 800-171 is required under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. What is Controlled Unclassified Information (CUI)? CUI is information crea...
Read more

Federal Compliance 2022: CMMC 2.0, StateRAMP, FedRAMP & Beyond

Image
  With the recent unveiling of CMMC 2.0, the expanded presence of StateRAMP, and new FedRAMP advisory guidelines for external servers, it’s safe to say that 2022 has a lot in store for Federal compliance changes. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss the latest news in federal compliance and what it could mean for your organization. Let’s dive in and get their thoughts on the latest CMMC 2.0 introduction, the new FedRAMP authorization boundary guidance, StateRAMP and more! CMMC 2.0Like everyone else in the world of federal compliance, A-LIGN and Anitian have been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020. With the release of CMMC 2.0 , three major changes were recently announced: fewer security tiers, removing some third-party assessment requirements, and allo...
Read more