The White House Office of Management and Budget (OMB) issued a memorandum for agencies to improve investigative and remediation capabilities related to cybersecurity incidents, as directed by Executive Order (EO) 14028, Improving the Nation’s Cybersecurity.
According to OMB Acting Director Shalanda Young, the memo addresses the requirements in section eight of the EO for “logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center of each agency.”
Further, the memo establishes requirements to increase information sharing, accelerate incident response efforts, and enable more effective defense of Federal information and executive branch departments and agencies.
The memo establishes a maturity model that will guide the implementation of requirements across four Event Logging tiers.
“These tiers will help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access,” the memo states. “Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high-value assets.”
Young writes that recent cyberattacks, including the SolarWinds attack, underscore the importance of visibility for the Federal government before, during, and after a cybersecurity incident.
“Information from logs on Federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation, and remediation of cyber threats,” the memo states.