Log Architecture Maturity Assessment for M-21-31

What is M-21-31?

M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents, is a memorandum published by the US Office of Management and Budget (OMB) on August 27, 2021. It was developed in accordance with, and addresses the requirements of, Section 8 of Executive Order 14028, Improving the Nation's Cybersecurity. The memorandum defines event logging requirements for federal agencies, specifies the log data that must be captured for each log category, and details the requirements for detection, investigation, and remediation of cyber incidents. It also includes a four-tier Event Logging (EL) maturity model for agencies to follow and sets a deadline for agencies to reach each EL tier.

4 Event Logging (EL) Tiers

Tier   Rating          Description
EL0    Not Effective   Logging requirements of highest criticality are either not met or are only partially met
EL1    Basic           Only logging requirements of highest criticality are met
EL2    Intermediate    Logging requirements of highest and intermediate criticality are met
EL3    Advanced        Logging requirements at all criticality levels are met

Below are the official overviews of the Event Logging Tiers from M-21-31 (source: M-21-31 (whitehouse.gov))

Tier EL0, Rating – Not Effective (required compliance date: October 26th, 2021)

The agency or one or more of its components have not implemented the following requirement:

  • Ensuring that the Required Logs categorized as Criticality Level 0 are retained in acceptable formats for specified timeframes.

 

Tier EL1, Rating – Basic (required compliance date: August 27, 2022)

The agency and all its components meet the following requirements:

  • Basic Logging Categories
  • Minimum Logging Data:
    • Properly formatted and accurate timestamp (see below for Time Standard Requirements)
    • Status code for the event type
    • Device identifier (MAC address or other unique identifier)
    • Session / Transaction ID
    • Autonomous System Number
    • Source IP (IPv4)
    • Source IP (IPv6)
    • Destination IP (IPv4)
    • Destination IP (IPv6)
    • Status Code
    • Response Time
    • Additional headers (i.e., HTTP headers)
    • Username and/or user ID (where appropriate)
    • Command Executed (where appropriate)
    • All data shall be formatted as key-value-pairs for easy extraction (where appropriate)
    • Unique Event Identifier for event correlation; defined per event type (where possible)
  • Time Standard: ISO 8601 with millisecond precision, either in UTC (YYYY-MM-DDThh:mm:ss.mmmZ, Zulu time, UTC+0) or with an explicit UTC offset (for example YYYY-MM-DDThh:mm:ss.mmm+04:00 for UTC+4)
  • Event Forwarding
  • Protecting and Validating Log Information
  • Passive DNS
  • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) Access Requirements
  • Logging Orchestration, Automation, and Response – Planning
  • User Behavior Monitoring – Planning
  • Basic Centralized Access
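The EL1 minimum data list and the time standard above are the parts of the tier that can be checked mechanically at the log pipeline. The following is an added example (it is not code from this page or from InfusionPoints): it parses constructed key-value log records, reports which minimum data elements are absent, and validates and normalizes the timestamp to the Zulu form. Field names such as event_status, asn, src_ipv4 and dst_ipv6 are assumptions for the example; M-21-31 names the data elements, not the keys, so the mapping would be adjusted to an agency's published log structure.

```python
"""Check key-value log records against the M-21-31 EL1 minimum data list
and time standard. Example code; field names are assumptions, not the memo's."""
import re
from datetime import datetime, timezone

# Time standard as the page states it: ISO 8601, millisecond precision,
# and either "Z" (Zulu) or an explicit UTC offset such as "+04:00".
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(Z|[+-]\d{2}:\d{2})$")

# Assumed key names for the elements that are required on every record.
REQUIRED = ("timestamp", "event_status", "device_id", "session_id", "asn",
            "status_code", "response_time")
# A record carries either the IPv4 or the IPv6 form of each address, so the
# two families are checked as a pair rather than both being demanded.
IP_PAIRS = (("src_ipv4", "src_ipv6"), ("dst_ipv4", "dst_ipv6"))

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Split a key=value line into a dict; double-quoted values may hold spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalize_timestamp(ts: str) -> str:
    """Validate ts against the time standard and return it in the UTC (Z) form.

    Raises ValueError for anything else, including timestamps that lack the
    millisecond field or a zone designator, which the standard does not allow.
    """
    if not TS_RE.match(ts):
        raise ValueError(f"timestamp not in M-21-31 ISO 8601 form: {ts!r}")
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    utc = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


def is_compliant_timestamp(ts: str) -> bool:
    """True when ts matches the required form (shape check only)."""
    return TS_RE.match(ts) is not None


def check_record(line: str) -> list:
    """Return the list of findings for one record; an empty list means it
    carries every minimum element and a well-formed timestamp."""
    rec = parse_kv(line)
    findings = [f"missing {k}" for k in REQUIRED if k not in rec]
    for v4, v6 in IP_PAIRS:
        if v4 not in rec and v6 not in rec:
            findings.append(f"missing {v4} or {v6}")
    if "timestamp" in rec:
        try:
            normalize_timestamp(rec["timestamp"])
        except ValueError as exc:
            findings.append(str(exc))
    return findings


def audit(lines) -> dict:
    """Map each record's index to its findings."""
    return {i: check_record(line) for i, line in enumerate(lines)}


# Constructed sample records (not real agency data).
SAMPLE_LOGS = [
    # compliant, Zulu time
    'timestamp=2022-08-27T14:03:22.517Z event_status=login_success '
    'device_id=00:1A:2B:3C:4D:5E session_id=9f1c7a asn=16509 '
    'src_ipv4=198.51.100.7 dst_ipv4=203.0.113.10 status_code=200 '
    'response_time=42 user=alice command="aws sts get-caller-identity"',
    # compliant, explicit +04:00 offset (same instant as the record above)
    'timestamp=2022-08-27T18:03:22.517+04:00 event_status=login_success '
    'device_id=00:1A:2B:3C:4D:5E session_id=9f1c7b asn=16509 '
    'src_ipv6=2001:db8::7 dst_ipv6=2001:db8::10 status_code=200 response_time=38',
    # non-compliant: US-style timestamp with no zone, no ASN, no destination IP
    'timestamp="08/27/2022 14:03:22" event_status=login_failure '
    'device_id=00:1A:2B:3C:4D:5F session_id=9f1c7c src_ipv4=198.51.100.9 '
    'status_code=401 response_time=13',
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_LOGS).items():
        print(idx, "OK" if not findings else findings)
```

Offset timestamps are accepted but the normalized Zulu string is what a central platform should index on; otherwise the same instant reported by two sources with different offsets will not sort or correlate correctly.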

 

Tier EL2, Rating – Intermediate (required compliance date: February 27th, 2023)

The agency and all its components meet the following requirements:

  • Meeting EL1 maturity level
  • Intermediate Logging Categories
  • Publication of Standardized Log Structure
  • Inspection of Encrypted Data
  • Intermediate Centralized Access

 

Tier EL3, Rating – Advanced (required compliance date: August 27, 2023)

The agency and all its components meet the following requirements:

  • Meeting EL2 maturity level
  • Advanced Logging Categories
  • Logging Orchestration, Automation, and Response – Finalizing Implementation
  • User Behavior Monitoring – Finalizing Implementation
  • Application Container Security, Operations, and Management
  • Advanced Centralized Access

The log retention periods under M-21-31 are 12 months in active storage (6 months for GCP), 18 months in cold data storage, and 72 hours for full packet capture (PCAP).

 

How InfusionPoints Can Help

InfusionPoints can perform a Log Architecture Maturity Assessment (LAMA). This is an in-depth assessment that provides a comprehensive review of your organization's current log architecture to ensure logging is complete and that log data is comprehensively analyzed, properly formatted, centralized, actively monitored, securely stored, and ready to scale. The LAMA compares your organization's current log architecture against the logging model and maturity tiers outlined in M-21-31 and verifies that AWS (Amazon Web Services) best practices are followed.

The LAMA can benefit organizations with cloud environments of all sizes and complexities. It provides a range of benefits, including cost optimization, performance improvements, and security enhancements. Additionally, it can provide a competitive advantage by helping organizations understand their users better. This understanding can be used to capitalize on insights and accelerate application changes to improve the user experience.

 

Native AWS Services InfusionPoints Leverages for Compliance

  • AWS CloudTrail
  • Amazon CloudWatch
  • AWS Config
  • Amazon S3 server access logs
  • VPC Flow Logs (connection metadata for all traffic, including encrypted sessions)
  • VPC Traffic Mirroring (full packet capture; payload inspection is only possible for unencrypted traffic)
  • AWS WAF Logs
  • AWS Shield
  • Amazon GuardDuty
  • AWS Security Hub

 

References

OMB Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (whitehouse.gov)

InfusionPoints XccelerATOr Logging Architecture (InfusionPoints)

What US federal customers need to know about memorandum M-21-31, AWS Public Sector Blog (amazon.com)

Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure, AWS Networking & Content Delivery Blog (amazon.com)

FedRAMP Guidance for M-21-31 and M-22-09 (FedRAMP.gov)