Security / February 8, 2022

Enhance Logging to Meet M-21-31 Requirements

In May of 2021, the Biden administration issued an executive order (EO) titled “Improving the Nation’s Cybersecurity,” or EO 14028. This directive mandates that each federal agency meet forthcoming cybersecurity and risk management requirements. The goal of modernizing the federal government’s approach to security is a broad subject and requires a government-wide approach. With so many topics to be addressed, a focused series of mandates is expected to emerge. The U.S. Office of Management and Budget (OMB) has begun to provide guidance and release memos in accordance with the executive order. One of these directives is M-21-31, which covers minimum protections, event logging, and information sharing.

Released in August 2021, M-21-31 establishes a maturity model for log management. It creates requirements for agencies, along with timelines and responsibilities. The model creates logging tiers EL0, EL1, EL2, and EL3, with EL3 being the most advanced. Planning to meet each of these tiers should be underway, but many agencies will struggle to meet the EL1 deadline of August 2022. Let’s discuss ways of meeting these objectives and how to achieve the agency goals.

Out of the gate, EL1 sets minimum standards for log data and taxonomy: what you log and what information each log record must contain. This data must also be protected, verified for integrity, and available for forwarding to concerned federal agencies. As agencies seek to achieve the next logging tier, there are additional requirements, but even EL1 presents challenges and changes that need to be made.

It is expected that meeting EL1 will require an agency to increase logging levels and data, perhaps exponentially. As networking complexities have increased, and with the adoption of cloud technologies, it is nearly impossible to comply using traditional logging. The added requirement for protecting DNS with enhanced logging and analytics is enough to warrant considering alternatives that improve the results from implementing changes.

Tapping portions of the network is the most effective means to copy traffic running across an enterprise, providing network visibility. Using the network as a source provides immediate value, enhancing host-based logging and accelerating an agency’s ability to capture relevant data. While network visibility extends the ability to capture data, the increased data volume presents challenges. We should be looking for comprehensive North-South and East-West data capture, all while using methods like NetFlow and metadata summation to reduce the overhead.

Network metadata summarizes network data while providing context-rich information based on live network activity. Metadata summarization preserves and enriches these streams for threat detection, response, investigation, and threat hunting. It can tell us exactly what we need to know, with a fraction of the data volume. In cases where packet-level data is desired, consider that full packet capture of all network traffic is unrealistic because of cost and complexity. Selective capture and packet slicing reduce the volume, preserving the most critical parts of network communication while reducing storage needs. This overhead reduction also simplifies sharing with other agencies, an important detail.

DNS is another area for immediate wins using a fresh approach. Turning up logging on your DNS servers adds another ongoing administrative task and additional processing. The level of logging needed approaches debug level, potentially crashing servers during periods of high use. This approach also ignores detection of rogue servers or abuse of the protocol itself for things like tunneling. Network monitoring can capture DNS traffic and forward it to your analytics, as well as derive metadata for endless use cases, like rogue servers, entropy, legitimacy of domains, volume, and statistics. It’s a low-touch method to monitor and secure your DNS.
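The sketch below is an added example, not code from the original post or from any vendor product. It shows how DNS metadata captured off the network can be reduced to three of the use cases named above: rogue servers, label entropy, and per-client volume. The record layout, resolver allow list, and thresholds are assumptions, and the sample records are constructed.

```python
import math
from collections import Counter

# Assumed values: allow list and thresholds are illustrative, not from M-21-31.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
ENTROPY_THRESHOLD = 3.5   # bits per character; tune against your own baseline
MIN_LABEL_LEN = 20        # short labels give unreliable entropy estimates

# Constructed sample metadata records: (client_ip, resolver_ip, query_name)
RECORDS = [
    ("10.1.1.10", "10.0.0.53", "www.example.gov"),
    ("10.1.1.10", "10.0.0.53", "mail.example.gov"),
    ("10.1.1.22", "203.0.113.9", "updates.example.com"),
    ("10.1.1.37", "10.0.1.53", "k3j9x0q7zt2m8vb1w5ye4r6u.data.example.net"),
    ("10.1.1.37", "10.0.1.53", "p8f2h6n1c4d0s9a7g3l5q2wx.data.example.net"),
]

def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())

def analyze(records, approved=APPROVED_RESOLVERS,
            threshold=ENTROPY_THRESHOLD, min_len=MIN_LABEL_LEN):
    """Reduce DNS metadata to rogue-resolver, entropy and volume findings."""
    findings = {"rogue_resolvers": {}, "high_entropy": [], "volume": Counter()}
    for client, resolver, qname in records:
        findings["volume"][client] += 1
        # A query answered by a server outside the allow list is a rogue-resolver lead.
        if resolver not in approved:
            findings["rogue_resolvers"].setdefault(resolver, set()).add(client)
        # Score the longest label; long, random-looking labels suggest encoded data.
        label = max(qname.rstrip(".").lower().split("."), key=len)
        score = shannon_entropy(label)
        if len(label) >= min_len and score > threshold:
            findings["high_entropy"].append((client, qname, round(score, 2)))
    return findings

if __name__ == "__main__":
    for kind, value in analyze(RECORDS).items():
        print(kind, value)
```

Entropy alone also flags legitimate CDN and telemetry hostnames, so treat these findings as leads to correlate with volume and destination rather than as verdicts.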

Reading through the EO and OMB mandates is foreboding. Taken literally, you must log everything from every part of your network, be it physical, virtual, or cloud, and expand visibility to facilitate ideals of Zero Trust. Augmenting your host-based logging and securing DNS are immediate steps toward meeting the EL1 requirements that also build a solid foundation for subsequent requirements and deadlines. We believe that network visibility is critical to this.

There’s a great deal of territory to cover in discussing this topic, but here’s a quick takeaway. We can make significant progress complying with the mandates by incorporating network data into the logging paradigm. With planning, the proper steps taken today will achieve present and future goals.

Watch this space as we expand the discussion about EO 14028’s intent and approach, along with other current and future mandates.
