SDLC governance briefing — OMB M-21-31 mandates event logging maturity
OMB Memorandum M-21-31 operationalises Executive Order 14028 by requiring federal agencies and suppliers to meet tiered event logging, retention, and centralised access capabilities with rapid incident response integration.
Executive summary. OMB Memorandum M-21-31, issued 27 August 2021, mandates that federal agencies and contractors supporting federal systems achieve tiered event logging capabilities, centralised access, and log retention periods aligned with Executive Order 14028’s cybersecurity objectives.[1] Agencies must meet Tier 3 logging maturity—covering enterprise, identity, network, endpoint, and cloud telemetry—by August 2024, while Tier 0–2 milestones provide interim targets.
Tiered logging requirements. M-21-31 defines four tiers: Tier 0 (minimal logging), Tier 1 (basic logging), Tier 2 (intermediate), and Tier 3 (advanced). To reach Tier 3, organisations must collect detailed audit events for authentication, authorisation, data access, network flows, DNS, endpoint detection, and cloud control plane activity, ensuring logs contain timestamps, source IP, destination, user identifiers, command parameters, and outcomes. Agencies must also implement log integrity protections and cryptographic signing where feasible.
Centralised access and retention. Agencies need a centralised log repository accessible to authorised security operations, incident response, and law-enforcement partners. M-21-31 requires retention of most logs for at least 12 months online and 18 months total (online plus offline), with longer retention for high-value assets. Logs must remain searchable and correlated to support rapid investigation.[1]
Implementation governance. Agencies must submit event logging implementation plans to OMB and DHS within 60 days, outlining current maturity, gaps, budget needs, and timelines. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) provides technical assistance and will assess compliance through Continuous Diagnostics and Mitigation (CDM) programme capabilities.[2]
Concrete controls.
- Log source catalogue. Inventory all log-producing systems (identity providers, network devices, endpoints, cloud services) and map them to Tier requirements; prioritise onboarding of missing sources to the central log platform.
- Schema normalisation. Adopt common schemas such as CEF, ECS, or OCSF to standardise fields, enabling cross-correlation and automated analytics.
- Integrity safeguards. Implement hash-based message authentication or WORM storage for high-value logs to prevent tampering; integrate with SIEM tamper-detection alerts.
- Retention automation. Configure lifecycle policies that enforce 12-month online storage and archive to cold storage for an additional six months, with automated deletion at end-of-life to manage cost and compliance.
- Incident response playbooks. Update playbooks to include log triage steps, search queries, and escalation criteria consistent with M-21-31 reporting timelines.
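The tiered logging requirements above call for records that carry timestamps, source, destination, user identifiers, parameters and outcomes, and the schema normalisation and integrity safeguards in this list ask for a common field layout and HMAC-based tamper protection. The following Python is an added example (not from the briefing, the memo, or any agency tooling) that ties those three points together: it normalises two constructed raw records into an ECS-style field set, refuses records that lack the required fields, and then HMAC-chains the records so that modification, deletion, or truncation of the log is detectable. The sshd line and cloud JSON record are constructed samples, the field names are an assumption that follows ECS naming rather than an official M-21-31 mapping, and the key is a placeholder (in practice it comes from a KMS or HSM and the head tag is anchored in WORM storage or the SIEM).

```python
"""Normalise raw audit events to a common schema and HMAC-chain them."""
import hashlib
import hmac
import json
import re

# Placeholder key for the example only; production keys come from KMS/HSM.
KEY = b"example-log-integrity-key"
GENESIS = b"\x00" * 32  # previous-tag value for the first record in a chain

# Fields every record must carry before it is accepted (ECS-style names;
# an assumption for this example, not an official M-21-31 field list).
REQUIRED_FIELDS = ("@timestamp", "event.action", "event.outcome",
                   "source.ip", "destination.address", "user.name")

# Constructed sample inputs (illustrative shapes, not real vendor output).
SSHD_LINE = ("2024-03-04T10:15:32Z bastion01 sshd[2211]: Accepted publickey "
             "for alice from 10.0.5.7 port 51022 ssh2")
CLOUD_JSON = json.dumps({
    "eventTime": "2024-03-04T10:16:05Z", "eventName": "ConsoleLogin",
    "eventSource": "signin.example", "userIdentity": {"userName": "bob"},
    "sourceIPAddress": "203.0.113.9",
    "responseElements": {"ConsoleLogin": "Failure"},
})

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+)")


def normalise_sshd(line: str) -> dict:
    """Map a syslog-style sshd authentication line onto the common schema."""
    m = SSHD_RE.match(line)
    if not m:
        raise ValueError("unrecognised sshd line")
    return {
        "@timestamp": m["ts"], "event.action": "ssh-login",
        "event.outcome": "success" if m["result"] == "Accepted" else "failure",
        "source.ip": m["ip"], "source.port": int(m["port"]),
        "destination.address": m["host"], "user.name": m["user"],
        "event.original": line,  # keeps the raw parameters for investigators
    }


def normalise_cloud(raw: str) -> dict:
    """Map a cloud control-plane sign-in record onto the common schema."""
    rec = json.loads(raw)
    result = rec.get("responseElements", {}).get(rec["eventName"])
    return {
        "@timestamp": rec["eventTime"], "event.action": rec["eventName"],
        "event.outcome": "success" if result == "Success" else "failure",
        "source.ip": rec["sourceIPAddress"],
        "destination.address": rec["eventSource"],
        "user.name": rec["userIdentity"]["userName"], "event.original": raw,
    }


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def chain_events(events, key: bytes) -> list:
    """Attach tag_i = HMAC(key, tag_{i-1} || canonical(event_i)) to each record."""
    prev, out = GENESIS, []
    for ev in events:
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            raise ValueError(f"event missing required fields: {missing}")
        tag = hmac.new(key, prev + _canonical(ev), hashlib.sha256).digest()
        out.append({**ev, "log.integrity.tag": tag.hex()})
        prev = tag
    return out


def verify_chain(records, key: bytes, head_tag=None):
    """Return (True, None) if intact, else (False, index of first bad record).

    head_tag is the last tag as stored out-of-band; without it a chain that
    has simply been truncated at the end would still verify.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "log.integrity.tag"}
        expected = hmac.new(key, prev + _canonical(body), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), rec.get("log.integrity.tag", "")):
            return False, i
        prev = expected
    if head_tag is not None and not hmac.compare_digest(prev.hex(), head_tag):
        return False, len(records)  # intact but shorter than the anchored head
    return True, None


def demo() -> dict:
    """Chain the two constructed records and show what each tamper case returns."""
    recs = chain_events([normalise_sshd(SSHD_LINE), normalise_cloud(CLOUD_JSON)], KEY)
    head = recs[-1]["log.integrity.tag"]
    edited = [dict(r) for r in recs]
    edited[0]["user.name"] = "mallory"
    return {
        "intact": verify_chain(recs, KEY, head),
        "edited_first": verify_chain(edited, KEY, head),
        "deleted_first": verify_chain(recs[1:], KEY, head),
        "truncated_end": verify_chain(recs[:-1], KEY, head),
    }


if __name__ == "__main__":
    print(json.dumps(demo()))
```

The chain only proves integrity relative to the key holder, so the verifier and the log writer must not share a host that an intruder could fully control; that is why the memo-style guidance pairs signing with WORM or off-host storage.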
Implementation roadmap.
- Quarter 1: Assess current tier maturity, identify high-value assets, and document gaps in log coverage, retention, and access controls.
- Quarter 2: Procure or scale log management infrastructure (SIEM, data lake), onboard critical log sources (identity, privileged access, network perimeter), and establish data ingestion pipelines.
- Quarter 3: Implement analytics, detection content, and dashboards aligned with CISA playbooks; integrate with SOAR tools for automated response.
- Quarter 4: Conduct readiness exercises simulating cyber incidents, validate log availability, and finalise documentation for OMB and CISA oversight.
- Ongoing: Review telemetry coverage quarterly, adjust retention policies, and integrate new cloud services or endpoints as the environment evolves.
Cloud and SaaS considerations. Agencies leveraging commercial cloud services must ensure access to provider telemetry—CloudTrail, Azure AD logs, Google Workspace audit data—and export it to the central repository. Contracts should specify log availability, retention, and support for e-discovery during incidents.
Identity and zero trust. M-21-31 aligns with the federal zero trust strategy by requiring detailed identity logs (authentication attempts, MFA usage, privilege escalations). Combine logs with identity governance tools to detect anomalous behaviour. Use conditional access policies and session logging to enforce least privilege.[3]
High-value assets (HVAs). Agencies must prioritise Tier 3 logging for systems designated as HVAs, ensuring full visibility into administrative actions, data access, and configuration changes. Coordinate with CISA’s HVA program for assessments and remediation support.
Integration with threat intelligence. Feed threat intelligence indicators (IP addresses, hashes, domains) into the SIEM to enrich logs and accelerate detection. Align with CISA’s sharing platforms such as Automated Indicator Sharing (AIS) and the EINSTEIN program.
Metrics and reporting. Track metrics including percentage of log sources onboarded, time to ingest new telemetry, log search performance, incident detection mean time, and compliance status per tier. Provide quarterly updates to agency leadership and OMB.
Vendor and contractor obligations. Contractors supporting federal systems must deliver logs to agency repositories or maintain equivalent capabilities, depending on contract terms. Contracts should reference M-21-31 requirements, specify delivery formats, and include service-level agreements for log access during investigations.
Cost management. Logging at Tier 3 can be resource-intensive. Optimise storage through tiered data lakes, compression, and summarisation. Use data classification to apply higher retention only to critical logs. Budget planning should include infrastructure, licensing, and staffing for 24/7 monitoring.
Training and workforce. Upskill security operations teams on new log sources, analytics, and automation. Develop training modules on building detection queries, performing threat hunting, and using SOAR tools. Cross-train incident responders and digital forensics personnel to leverage the expanded telemetry.
Compliance alignment. Document how M-21-31 controls map to NIST SP 800-53 Rev. 5 audit and accountability controls (AU family) and incident response controls (IR family). Align logging practices with FedRAMP, FISMA, and agency-specific requirements to avoid duplicative efforts.
Future outlook. OMB may update logging requirements as zero trust initiatives mature and as CISA issues further directives. Agencies should build flexible architectures capable of scaling ingestion, analytics, and retention. Continuous monitoring and automation will be key to sustaining Tier 3 maturity.
Risks of non-compliance. Failure to meet logging tiers can delay incident investigations, hinder reporting to CISA, and expose agencies to OMB oversight actions or funding impacts. Implementing comprehensive logging reduces dwell time for adversaries and enhances resilience against nation-state threats.
Analytics and automation. Deploy behavioural analytics and machine learning models on consolidated logs to detect lateral movement, unusual privilege use, and data exfiltration attempts; document detection logic and tuning cycles to satisfy oversight reviews.
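The identity-logging paragraph above asks for authentication and privilege-escalation records, and this paragraph asks for analytics over the consolidated logs that catch unusual privilege use and lateral movement, with the detection logic documented. The following Python is an added example (not from the briefing or any agency's detection content) of two such rules written plainly enough to be reviewed: a per-user baseline of privileged actions and the sources they came from, flagging a first-ever privileged action or a known action from a new source, and a fan-out rule that flags one source address logging in to several distinct hosts within a short window. The events are constructed samples using ECS-style field names (an assumption), the privileged-action set and thresholds are assumptions to be tuned per environment, and the baseline window is only as trustworthy as the period it was built from.

```python
"""Baseline-deviation rules over normalised identity events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions treated as privileged for this example (assumption; tune per agency).
PRIVILEGED_ACTIONS = {"sudo", "AssumeRole", "AddMemberToGroup"}


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-04T10:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample events: two from the baseline period, the rest from the
# period under analysis.
EVENTS = [
    {"@timestamp": "2024-03-01T09:00:00Z", "user.name": "alice", "event.action": "sudo",
     "event.outcome": "success", "source.ip": "10.0.5.7", "destination.address": "bastion01"},
    {"@timestamp": "2024-03-01T09:05:00Z", "user.name": "bob", "event.action": "login",
     "event.outcome": "success", "source.ip": "10.0.5.8", "destination.address": "srv1"},
    {"@timestamp": "2024-03-04T10:00:00Z", "user.name": "alice", "event.action": "sudo",
     "event.outcome": "success", "source.ip": "10.0.5.7", "destination.address": "bastion01"},
    {"@timestamp": "2024-03-04T10:02:00Z", "user.name": "alice", "event.action": "sudo",
     "event.outcome": "success", "source.ip": "198.51.100.4", "destination.address": "bastion01"},
    {"@timestamp": "2024-03-04T10:03:00Z", "user.name": "carol", "event.action": "AssumeRole",
     "event.outcome": "success", "source.ip": "10.0.5.9", "destination.address": "sts"},
    {"@timestamp": "2024-03-04T10:10:00Z", "user.name": "svc-backup", "event.action": "login",
     "event.outcome": "success", "source.ip": "10.0.9.3", "destination.address": "srv1"},
    {"@timestamp": "2024-03-04T10:12:00Z", "user.name": "svc-backup", "event.action": "login",
     "event.outcome": "success", "source.ip": "10.0.9.3", "destination.address": "srv2"},
    {"@timestamp": "2024-03-04T10:14:00Z", "user.name": "svc-backup", "event.action": "login",
     "event.outcome": "success", "source.ip": "10.0.9.3", "destination.address": "srv3"},
]
CUTOFF = parse_ts("2024-03-03T00:00:00Z")  # events before this form the baseline


def build_baseline(events, cutoff: datetime) -> dict:
    """Per user: the (action, source.ip) pairs observed before the cutoff."""
    base = defaultdict(set)
    for ev in events:
        if parse_ts(ev["@timestamp"]) < cutoff:
            base[ev["user.name"]].add((ev["event.action"], ev["source.ip"]))
    return base


def detect_unusual_privilege_use(events, baseline: dict, cutoff: datetime) -> list:
    """Flag privileged actions never seen for the user, or seen only from other sources."""
    findings = []
    for ev in events:
        if parse_ts(ev["@timestamp"]) < cutoff or ev["event.action"] not in PRIVILEGED_ACTIONS:
            continue
        seen = baseline.get(ev["user.name"], set())
        if not any(action == ev["event.action"] for action, _ in seen):
            findings.append(("first-privileged-action", ev["user.name"], ev["event.action"]))
        elif (ev["event.action"], ev["source.ip"]) not in seen:
            findings.append(("privileged-action-new-source", ev["user.name"], ev["source.ip"]))
    return findings


def detect_lateral_movement(events, window=timedelta(minutes=10), threshold=3) -> list:
    """Flag a source address with successful logins to >= threshold hosts within one window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event.action"] == "login" and ev["event.outcome"] == "success":
            by_src[ev["source.ip"]].append((parse_ts(ev["@timestamp"]), ev["destination.address"]))
    findings = []
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                findings.append(("fan-out-logins", src, sorted(hosts)))
                break  # one finding per source is enough for triage
    return findings


def run_detections() -> tuple:
    baseline = build_baseline(EVENTS, CUTOFF)
    return (detect_unusual_privilege_use(EVENTS, baseline, CUTOFF),
            detect_lateral_movement(EVENTS))


if __name__ == "__main__":
    for finding in run_detections()[0] + run_detections()[1]:
        print(finding)
```

Rules this explicit are easy to document for oversight reviews and to re-tune: the baseline window, the privileged-action set and the fan-out threshold are the parameters an analyst adjusts when a new service account or jump host produces expected fan-out.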
Privacy and data minimisation. Logging expansions must respect privacy statutes such as the Privacy Act and agency-specific rules. Implement data minimisation, pseudonymisation where possible, and access review boards to approve use of sensitive log attributes during investigations.
Collaboration. Formalise information-sharing agreements with law enforcement and sector risk management agencies so critical log data can be exchanged securely during multi-jurisdictional investigations.