M-21-31 logging compliance: Overcoming the 3 top challenges

How US federal agencies can better meet advanced event logging requirements


Recently, the US Government Accountability Office (GAO) released a study tracking US federal agencies’ progress toward the requirements set out in OMB M-21-31. Released in 2021, the Office of Management and Budget (OMB) memorandum M-21-31 gave federal agencies guidance and requirements for improving centralized visibility into log data before, during, and after cybersecurity incidents. The memo defined an event logging maturity model with four tiers (EL0 through EL3) to guide agencies through compliance.

In the new study, GAO found that agencies “have made progress in preparing for and responding to cyber threats.” At the same time, the study noted that 20 of the 23 agencies reviewed did not meet M-21-31’s August 2023 deadline for tier 3, advanced event logging (“EL3”), which covers tracking, storing, and managing event logs.

The study highlighted three challenges agencies are facing as they work to meet M-21-31 event logging requirements: 

  1. Lack of staff

  2. Event logging technical challenges

  3. Limitations in cyber event information sharing

In this post, we’ll walk through these challenges and share how we’ve seen federal customers address them using Elasticsearch®.

Using Elasticsearch to solve M-21-31 challenges

Several federal agencies have been using the Elasticsearch platform to meet M-21-31 requirements over the past year — taking a unified approach that includes both logging and threat response. Based on these agencies’ experiences using Elasticsearch for M-21-31, we recommend the following ways to respond to the challenges GAO noted in the study.

1. Lack of staff

Federal agencies are using the accessibility and flexibility of Elasticsearch to automate time-consuming tasks and put data insights in more hands. Rather than hiring more staff or re-skilling existing teams, agencies are relying on the accessible capabilities built into the Elasticsearch platform. A few of the functionalities helping agencies address the skills gap: 

  • Consolidated view into data: Align teams and roles around common data sets, giving a unified view of infrastructure performance enriched by threat intelligence. Consolidated access makes it easier and faster to consume and act on data and insights, wherever the data is located.

  • Drag-and-drop visualizations: Analyze logging and cybersecurity data through Elasticsearch’s intuitive, visual drag-and-drop dashboards. These dashboards surface insights generated by Elastic’s machine learning (ML) and AI capabilities, giving everyone access to this information in real time rather than waiting on a data scientist with specialized knowledge or access.

  • Automation capabilities: Leverage the power of Elastic’s open approach to implement security detection rules honed and shared by Elastic threat researchers and community members. Agencies are also saving time by using centralized analytics and alerting to uncover anomalies and threats. Further augment your team’s abilities with the Elastic AI Assistant, which integrates generative AI to simplify tasks and help users find context and information for understanding anomalies and threats faster and speeding problem resolution.

2. Event logging technical challenges

One of the roadblocks in logging compliance is not having access to all logging data. Without streamlined visibility into all data types and sources, the ability to accurately pinpoint threats and patterns is significantly limited. Many organizations are challenged with the high costs involved in managing and storing large quantities of disparate logging data. Elastic’s approach simplifies data ingest and analysis, while our resource-based pricing gives teams the flexibility to pay for what they need.

  • Streamlined data ingest: Ingesting different types of data from different sources typically requires multiple tools and processes (and high costs). Using Elastic Agent to ingest all your logs, metrics, and traces can eliminate dependency on external plugins and integrations that may require you to give up control of sensitive data.

  • Unified schema: To organize and make sense of all types of ingested data, Elastic uses an open-source, community-driven schema known as the Elastic Common Schema, or ECS. This common data structure unifies all modes of analysis available in Elastic, including search, drill-down and pivoting, data visualization, machine learning-based anomaly detection, detection rules, and alerting.
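As an added example (not code from the original post or from Elastic), the following Python shows what a common schema buys you. Two constructed log sources, an sshd auth log and Windows Security logon events flattened to key=value lines, are mapped onto the same ECS field names (`@timestamp`, `event.category`, `event.outcome`, `source.ip`, `user.name`, `host.name`), and a single brute-force rule is then run over the merged stream. The ECS field names are real; the parsers, the sample lines, and the rule are this example's own and stand in for an Elastic Agent integration and a detection rule.

```python
"""Normalize two unrelated log sources into ECS field names, then run one
detection rule over the merged stream (added example, not Elastic's code)."""
from __future__ import annotations

import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample input (not real agency data): an OpenSSH auth log and
# Windows Security logon events flattened to key=value lines, as two different
# collectors might deliver them.
SSHD_LINES = [
    "2024-03-04T13:00:01Z bastion01 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2",
    "2024-03-04T13:00:03Z bastion01 sshd[4123]: Failed password for root from 203.0.113.7 port 51013 ssh2",
    "2024-03-04T13:00:05Z bastion01 sshd[4123]: Failed password for root from 203.0.113.7 port 51014 ssh2",
    "2024-03-04T13:00:09Z bastion01 sshd[4130]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2",
]
WINDOWS_LINES = [
    "ts=2024-03-04T13:01:00Z host=dc01 event_id=4625 user=svc-backup src=203.0.113.7 status=0xC000006D",
    "ts=2024-03-04T13:01:02Z host=dc01 event_id=4625 user=svc-backup src=203.0.113.7 status=0xC000006D",
    "ts=2024-03-04T13:01:04Z host=dc01 event_id=4624 user=svc-backup src=203.0.113.7 logon_type=3",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<verb>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def sshd_to_ecs(line: str) -> dict | None:
    """Map one sshd line onto ECS fields (dotted names; Elasticsearch accepts
    these as well as nested objects). Returns None for lines we do not map."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    return {
        "@timestamp": parse_ts(m["ts"]),
        "event.dataset": "system.auth",
        "event.category": "authentication",
        "event.outcome": "success" if m["verb"] == "Accepted" else "failure",
        "host.name": m["host"],
        "user.name": m["user"],
        "source.ip": m["ip"],
    }


def windows_to_ecs(line: str) -> dict | None:
    """Map a flattened Windows Security logon event onto the same ECS fields.
    4624 is a successful logon, 4625 a failed one; other IDs are skipped."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    outcome = {"4624": "success", "4625": "failure"}.get(kv.get("event_id", ""))
    if outcome is None:
        return None
    return {
        "@timestamp": parse_ts(kv["ts"]),
        "event.dataset": "windows.security",
        "event.category": "authentication",
        "event.outcome": outcome,
        "host.name": kv["host"],
        "user.name": kv["user"],
        "source.ip": kv["src"],
    }


def normalize_all() -> list[dict]:
    events = [sshd_to_ecs(l) for l in SSHD_LINES] + [windows_to_ecs(l) for l in WINDOWS_LINES]
    return [e for e in events if e is not None]


def detect_brute_force(events: list[dict], threshold: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """One rule for every source: alert when a source.ip has at least
    `threshold` authentication failures inside `window` and then a success.
    The rule reads only ECS fields, so it never needs to know whether a
    failure came from sshd or from a domain controller."""
    alerts: list[dict] = []
    failures: dict[str, deque] = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.category"] != "authentication":
            continue
        ip, ts = ev["source.ip"], ev["@timestamp"]
        recent = failures.setdefault(ip, deque())
        while recent and ts - recent[0] > window:  # drop failures older than the window
            recent.popleft()
        if ev["event.outcome"] == "failure":
            recent.append(ts)
        elif ev["event.outcome"] == "success" and len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "source.ip": ip,
                "user.name": ev["user.name"],
                "host.name": ev["host.name"],
                "event.dataset": ev["event.dataset"],
                "failure_count": len(recent),
                "@timestamp": ts,
            })
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(normalize_all()):
        print(alert)
```

The alert this produces is one neither source could raise on its own: three failures against the bastion and two against the domain controller from the same address, followed by a successful domain logon. That cross-source correlation is only possible because both feeds land in the same fields.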

3. Limitations in cyber event information sharing

M-21-31 called for agencies to share logging data with one another, “as needed and appropriate, to accelerate incident response efforts.” Traditionally, sharing data outside an agency introduced significant risk for already-sensitive data, as well as potential costs and time required to copy data or move it to a central source. 

Using Elasticsearch, however, agencies can securely share data across agencies, teams, and projects. In fact, federal agencies are probably already familiar with the cyber intelligence data provided by CISA; Elasticsearch powers CISA’s CDM Dashboard, giving CISA centralized visibility into 100+ agencies’ cybersecurity data when needed. CISA and other federal agencies rely on Elasticsearch for its:

  • Distributed approach: With cross-cluster search, an agency can let another agency query its data where it sits, and with cross-cluster replication it can publish a read-only copy of selected indices to a follower cluster that it still controls. In both cases the source cluster remains the system of record, the sharing agency chooses exactly which indices are exposed, and the risk, time, and cost of bulk-copying data into a central repository are avoided.

  • Data privacy controls: Working hand in hand with cross-cluster search and replication, Elastic’s role- and attribute-based access control (RBAC/ABAC) lets you decide who can access which data, down to the document and field level. These permissions are enforced on the cluster where the data resides, not by the querying side, so you can define dynamic access policies for particular classification levels and functional areas.
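To make the two bullets above concrete, here is an added example (not code from the original post or from Elastic) in Python. It builds the cross-cluster search target and an Elasticsearch role body in which the document-level security (DLS) query is a Mustache template over the searching user's metadata, so one role serves every partner agency and the filter is enforced on the cluster that holds the data. The `alias:index` search target and the role body follow the real Elasticsearch formats; the remote alias `agency_b`, the role name `shared_logs_reader`, the `labels.agency` field, the `agency` user attribute, the sample documents, and the users are this example's assumptions. The `render_dls_query` and `apply_dls` functions are a local stand-in for what Elasticsearch does server-side, included only so the effect of the role can be seen offline.

```python
"""Cross-cluster search addressing plus a document-level-security role whose
filter is templated on user attributes (added example, not Elastic's code)."""
from __future__ import annotations

import json
import re
from fnmatch import fnmatch

REMOTE_ALIAS = "agency_b"          # assumed alias configured under cluster.remote.*
SHARED_INDEX_PATTERN = "logs-*"    # assumed index pattern the owner agrees to expose


def ccs_target(remote_alias: str = REMOTE_ALIAS,
               index_pattern: str = SHARED_INDEX_PATTERN) -> str:
    """Cross-cluster search addresses a remote cluster's indices as
    <alias>:<pattern>, e.g. GET /agency_b:logs-*/_search; the documents are
    read on the remote cluster and are never copied to the caller."""
    return f"{remote_alias}:{index_pattern}"


def shared_logs_role(index_pattern: str = SHARED_INDEX_PATTERN,
                     agency_field: str = "labels.agency") -> dict:
    """Body for PUT /_security/role/shared_logs_reader (Elasticsearch role
    format). The DLS query is a Mustache template that Elasticsearch fills in
    from the searching user's metadata at query time. field_security withholds
    fields the sharing agency does not want to expose (here: user.*)."""
    return {
        "indices": [{
            "names": [index_pattern],
            "privileges": ["read", "view_index_metadata"],
            "query": {"template": {"source": {
                "term": {agency_field: "{{_user.metadata.agency}}"}}}},
            "field_security": {"grant": ["@timestamp", "event.*", "source.ip",
                                         "host.name", "labels.*"]},
        }]
    }


# Everything below is a stand-in for what Elasticsearch does server-side,
# kept here so the effect of the role can be shown offline.

TEMPLATE_VAR = re.compile(r"\{\{_user\.metadata\.(\w+)\}\}")


def render_dls_query(query: dict, user: dict) -> dict | None:
    """Substitute {{_user.metadata.<key>}} with the user's attribute. A user
    who lacks the attribute gets None, i.e. no documents: an unset attribute
    must fail closed, never fall through to 'everything'."""
    metadata = user.get("metadata", {})
    missing = [k for k in TEMPLATE_VAR.findall(json.dumps(query)) if k not in metadata]
    if missing:
        return None
    rendered = TEMPLATE_VAR.sub(lambda m: json.dumps(str(metadata[m.group(1)]))[1:-1],
                                json.dumps(query["template"]["source"]))
    return json.loads(rendered)


def apply_dls(docs: list[dict], role: dict, user: dict) -> list[dict]:
    """Return the documents `user` would get back under `role`: DLS term
    filter first, then field-level projection. Sample docs use dotted names."""
    index_perm = role["indices"][0]
    query = render_dls_query(index_perm["query"], user)
    if query is None:
        return []
    (field, value), = query["term"].items()
    grants = index_perm["field_security"]["grant"]
    return [
        {k: v for k, v in doc.items() if any(fnmatch(k, g) for g in grants)}
        for doc in docs
        if doc.get(field) == value
    ]


# Constructed sample documents as stored on the owning agency's cluster.
SAMPLE_DOCS = [
    {"@timestamp": "2024-03-04T13:00:01Z", "event.category": "authentication",
     "event.outcome": "failure", "source.ip": "203.0.113.7", "host.name": "bastion01",
     "user.name": "root", "labels.agency": "AGENCY-A"},
    {"@timestamp": "2024-03-04T13:00:09Z", "event.category": "authentication",
     "event.outcome": "success", "source.ip": "198.51.100.5", "host.name": "bastion01",
     "user.name": "deploy", "labels.agency": "AGENCY-A"},
    {"@timestamp": "2024-03-04T13:01:04Z", "event.category": "authentication",
     "event.outcome": "success", "source.ip": "203.0.113.7", "host.name": "dc01",
     "user.name": "svc-backup", "labels.agency": "AGENCY-B"},
]

# Constructed users: the `metadata` block is what a realm (for example a
# SAML or OIDC role mapping) would set for each authenticated user.
ANALYST_A = {"username": "analyst_a", "metadata": {"agency": "AGENCY-A"}}
ANALYST_B = {"username": "analyst_b", "metadata": {"agency": "AGENCY-B"}}
NO_AGENCY = {"username": "contractor", "metadata": {}}

if __name__ == "__main__":
    role = shared_logs_role()
    print("search target:", ccs_target())
    for user in (ANALYST_A, ANALYST_B, NO_AGENCY):
        print(user["username"], apply_dls(SAMPLE_DOCS, role, user))
```

Two checks worth making on a real deployment: confirm what a user without the `agency` attribute actually sees (the stand-in above fails closed by construction; verify the rendered template on your cluster behaves the same way before relying on it), and, if you use the API-key-based remote cluster model, remember that the cross-cluster API key on the owning side further scopes which indices are exposed regardless of the caller's role.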

Get started: Accelerate M-21-31 compliance

Learn more about how Elastic can provide integrated, cost-effective support for M-21-31 compliance, from log storage and management to cybersecurity capabilities, within our unified AI-powered platform.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.