The Cyber EO came out a year ago. How are federal agencies aligning with it and the latest guidance?
We are approaching one year since the Executive Order on Improving the Nation’s Cybersecurity was released. There has been great progress made by the public and private sectors alike over the last 12 months. This collaborative public-private partnership has been integral (something we discussed in our first Cyber EO blog) in the advancement of policies and joint cyber defense efforts that have undoubtedly resulted in our nation’s improved cybersecurity posture and resiliency.
Since the May 2021 release of EO 14028, there has been a flurry of subsequent memos, publications, and operational directives that provide specific guidance and actionable tasks for federal agencies to achieve the goals and strategic objectives set forth in the EO. The myriad published documents have proven challenging to keep up with (luckily, Merlin has a Resource Center that tracked relevant deadlines and EO-related documents). And while well-intentioned, these various guidance documents have not fully achieved their desired results in a timely or efficient manner.
Over the course of the next few weeks, Merlin Labs’ subject matter experts will publish blog posts related to specific guidance documents to provide insights and recommendations on how agencies can better align their security strategies, initiatives, and cybersecurity tools to improve their overall cybersecurity posture. First up on our list is OMB Memo M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.
This follow-on memo to the EO describes the minimum requirements for logging, log retention, and log management to improve visibility and incident response. Most agencies have centralized logging solutions (e.g., a SIEM, log managers, Syslog servers), but not all have achieved the basic enterprise logging maturity tier (EL1) described in M-21-31. Agencies have one year from the release of the memo (August 2021) to reach EL1 maturity, which puts the deadline in August 2022.
Achieving EL1 starts with ensuring that agencies have a functional, centralized system responsible for storing and analyzing all the logs in the environment. Agencies must ensure the confidentiality and integrity of log data (e.g., timestamps and IP addresses), and logs must be protected by cryptographic methods, at rest and in transit, so that tampering is detectable and unauthorized access is prevented. There are also minimum logging data requirements for the various systems, applications, users, and devices in the environment. While all logs are important, especially in a Zero Trust security model, some systems and logs are more critical than others. In the case of OMB's guidance on logging, the requirements described under "Privileged Identity & Credential Management" are worth noting.
Privileged access management (PAM) protects against threats posed by privileged credential theft or misuse. It’s necessary to enforce controls on privileged access, especially for agencies’ high-value assets (HVA). In this past year and ever since the SolarWinds breach, we have seen agencies pay closer attention to protecting privileged credentials in their environment. Some agencies have legacy systems or manual processes (workflows) in place to enforce controls for privileged credential use. This has proved inadequate and as a result, clients have come to Merlin inquiring about modern solutions and techniques to protect their most critical assets.
With the latest M-21-31 logging requirements, it is even more apparent that legacy PAM solutions are no longer sufficient to meet the minimum requirements for logging privileged access. Agencies must adapt to the current threat landscape, where they must "assume breach" and expect that adversaries are already in their network. This mindset aligns with the Zero Trust security principle of "never trust, always verify." Furthermore, incident response (IR) teams need better ways to investigate and remediate cybersecurity incidents and to analyze the indicators that alert on anomalous behavior.
In M-21-31's Appendix C: Logging Requirements, the log category for "Privileged Identity and Credential Management" describes various data elements that must be logged. In addition to the data typically logged by PAM solutions, such as provisioning/de-provisioning, usage of credentials, and managing/tracking changes in attributes and credentials, there is also a requirement to log data related to "Monitor, Alert and Respond to Anomalous Behaviors/Activities." This requirement implies that agencies need analytics capabilities, in or alongside their PAM solutions, that can detect the sophisticated attack and evasion techniques of adversaries rather than simply recording that a credential was used. And in alignment with Zero Trust security principles, the guidance also requires "Isolate, Monitor, and Control Privileged Actions" logs from PAM.
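The two requirements discussed above, log integrity (tamper-evident protection of the log data) and "Monitor, Alert and Respond to Anomalous Behaviors" for privileged credential use, can be illustrated with a small script. The following is an added example written for this post; it is not code from M-21-31, OMB, or any PAM vendor. The event fields, the signing key, the business-hours window, and the checkout threshold are assumptions chosen for illustration, and the sample PAM events are constructed, not real agency data. It builds an HMAC-chained, append-only record of privileged credential checkouts, verifies the chain, shows that editing one record is detected, and then applies simple anomaly rules to the same events.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Assumed per-agency log-signing key. In a real deployment this lives in an
# HSM/KMS, never on the log store itself, so that a host compromise does not
# also yield the key needed to re-sign tampered records.
LOG_KEY = b"example-log-signing-key-do-not-use"

# Constructed sample PAM events (illustrative only; field names are assumptions).
SAMPLE_EVENTS = [
    {"ts": "2022-04-11T13:02:10Z", "actor": "jdoe", "action": "credential_checkout",
     "target": "hva-db01", "approved": True, "src_ip": "10.20.1.15"},
    {"ts": "2022-04-11T13:40:52Z", "actor": "jdoe", "action": "credential_checkin",
     "target": "hva-db01", "approved": True, "src_ip": "10.20.1.15"},
    {"ts": "2022-04-12T02:17:44Z", "actor": "svc-backup", "action": "credential_checkout",
     "target": "hva-db01", "approved": False, "src_ip": "10.20.7.200"},
    {"ts": "2022-04-12T09:00:03Z", "actor": "asmith", "action": "credential_checkout",
     "target": "hva-db02", "approved": True, "src_ip": "10.20.1.31"},
    {"ts": "2022-04-12T09:05:19Z", "actor": "asmith", "action": "credential_checkout",
     "target": "hva-db03", "approved": True, "src_ip": "10.20.1.31"},
    {"ts": "2022-04-12T09:07:41Z", "actor": "asmith", "action": "credential_checkout",
     "target": "hva-db04", "approved": True, "src_ip": "10.20.1.31"},
]

GENESIS = b"\x00" * 32  # fixed value standing in for "no previous record"


def _canonical(event):
    # Canonical encoding so the MAC does not depend on dict ordering.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def chain_events(events, key):
    """Return tamper-evident records: each MAC covers the event AND the previous MAC."""
    prev, chained = GENESIS, []
    for event in events:
        mac = hmac.new(key, prev + _canonical(event), hashlib.sha256).hexdigest()
        chained.append({"event": event, "mac": mac})
        prev = bytes.fromhex(mac)
    return chained


def verify_chain(chained, key):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        expected = hmac.new(key, prev + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return i
        prev = bytes.fromhex(rec["mac"])
    return -1


def simulate_tamper(chained, key, index, field, value):
    """Edit one field in a copy of the chain (attacker without the key) and re-verify."""
    tampered = json.loads(json.dumps(chained))  # deep copy
    tampered[index]["event"][field] = value
    return verify_chain(tampered, key)


def flag_anomalies(events, business_hours=(6, 20), max_checkouts=2):
    """Simple rules over credential checkouts: unapproved, off-hours, or too many per actor."""
    checkouts_by_actor, flags = {}, []
    for i, e in enumerate(events):
        if e["action"] != "credential_checkout":
            continue
        reasons = []
        if not e["approved"]:
            reasons.append("checkout not approved")
        hour = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("checkout outside business hours")
        count = checkouts_by_actor.get(e["actor"], 0) + 1
        checkouts_by_actor[e["actor"]] = count
        if count > max_checkouts:
            reasons.append("checkout count %d exceeds %d" % (count, max_checkouts))
        if reasons:
            flags.append({"index": i, "actor": e["actor"], "target": e["target"], "reasons": reasons})
    return flags


if __name__ == "__main__":
    chain = chain_events(SAMPLE_EVENTS, LOG_KEY)
    print("chain intact:", verify_chain(chain, LOG_KEY) == -1)
    print("first bad record after tampering:", simulate_tamper(chain, LOG_KEY, 2, "approved", True))
    for flag in flag_anomalies(SAMPLE_EVENTS):
        print("ALERT event %d %s -> %s: %s" % (flag["index"], flag["actor"], flag["target"], "; ".join(flag["reasons"])))
```

Two caveats a practitioner should keep in mind. First, the chain only proves that records were not altered or reordered by someone without the key; it does not by itself detect truncation of the newest records, so anchor the latest MAC periodically in a separate store (or forward it to the SIEM) and keep the key out of reach of the hosts that write the logs. Second, the anomaly rules here are deliberately simple thresholds; the point of the Appendix C requirement is that whatever analytics are used, the fact that an alert fired, on which event, and what was done about it must itself be logged and retained alongside the underlying PAM events.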
It’s easy to dismiss M-21-31 as simply a guidance document for how agencies must evolve their logging capabilities. A closer inspection, however, reveals relevant information that is closely related to other cybersecurity initiatives that agencies are dealing with today such as Zero Trust and PAM. Over the next few weeks, my colleagues and I will uncover some of these relationships to help inform cybersecurity strategies and programs with the hope that it leads to better use of cybersecurity resources—another major intent of EO 14028.