Developer 7 min read Published Updated Credibility 85/100

OMB M-21-31 mandates event logging maturity

OMB Memorandum M-21-31 operationalizes Executive Order 14028 by requiring federal agencies (and, through contract terms, the service providers that support their systems) to meet tiered event logging, retention, and centralized access capabilities integrated with rapid incident response.

Verified for technical accuracy — Kodi C.


Executive summary. OMB Memorandum M-21-31, issued 27 August 2021, requires federal civilian agencies (and, through the contract clauses EO 14028 calls for, the service providers supporting their systems) to achieve tiered event logging capabilities, centralized access, and log retention periods aligned with Executive Order 14028's cybersecurity objectives. Agencies had to reach the advanced tier (EL3 in the memo's terminology, referred to here as Tier 3), covering enterprise, identity, network, endpoint, and cloud telemetry, within two years of issuance (27 August 2023), with EL1 due at one year and EL2 at 18 months as interim milestones.

Tiered logging requirements. M-21-31 defines four event logging (EL) tiers: EL0 (not effective), EL1 (basic), EL2 (intermediate), and EL3 (advanced). To reach Tier 3, teams must collect detailed audit events for authentication, authorization, data access, network flows, DNS, endpoint detection, and cloud control plane activity, and each record must carry an accurate timestamp, source and destination addresses, user identifiers, the command or request parameters, and the outcome. Agencies must also protect logs against tampering, with cryptographic integrity verification (hashing or signing) of stored logs where feasible.
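The field list above is the practical onboarding test for a new source: if a normalized record cannot answer who, from where, to what, doing what, with what result, the source is not Tier 3 ready. The Python below is an added example, not code from M-21-31 or CISA guidance. It parses two constructed raw events (an OpenSSH auth line and a CloudTrail-style JSON record), maps them onto flat ECS-style field names (the field names, the `REQUIRED_FIELDS` list and the regex are assumptions for the demo; OCSF or CEF mappings would follow the same pattern) and reports which required fields are missing.

```python
"""Tier 3 field-completeness check for newly onboarded log sources.

Added example, not code from OMB M-21-31 or CISA: two constructed raw
events (an sshd syslog line and a CloudTrail-style JSON record) are parsed
into a flat record using ECS-style field names (an assumption; OCSF or CEF
would work the same way), then checked for the fields M-21-31 expects in
advanced-tier logs: timestamp, source, destination, user, action, outcome.
"""
import json
import re

# Fields an EL3 record must carry before a source counts as onboarded (assumed names).
REQUIRED_FIELDS = (
    "@timestamp", "source.ip", "destination.address",
    "user.name", "event.action", "event.outcome",
)

# Constructed samples; addresses come from documentation ranges.
SAMPLE_SSHD = (
    "2024-03-04T10:15:22Z bastion01 sshd[4211]: Failed password for "
    "invalid user admin from 203.0.113.45 port 51022 ssh2"
)
SAMPLE_CLOUDTRAIL = json.dumps({
    "eventTime": "2024-03-04T10:16:01Z",
    "eventName": "AssumeRole",
    "eventSource": "sts.amazonaws.com",
    "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"userName": "deploy-bot"},
    "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin"},
    "errorCode": "AccessDenied",
})

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def normalize_sshd(line):
    """Map an OpenSSH auth line to the common schema; {} if unparseable."""
    m = SSHD_RE.match(line)
    if not m:
        return {}
    return {
        "@timestamp": m["ts"],
        "source.ip": m["ip"],
        "source.port": int(m["port"]),
        "destination.address": m["host"],
        "user.name": m["user"],
        "event.action": "ssh-login",
        "event.parameters": m["method"],
        "event.outcome": "success" if m["result"] == "Accepted" else "failure",
    }


def normalize_cloudtrail(raw):
    """Map a CloudTrail-style JSON event to the common schema."""
    ev = json.loads(raw)
    rec = {
        "@timestamp": ev.get("eventTime"),
        "source.ip": ev.get("sourceIPAddress"),
        "destination.address": ev.get("eventSource"),
        "user.name": ev.get("userIdentity", {}).get("userName"),
        "event.action": ev.get("eventName"),
        # Request parameters are kept verbatim so investigators see what was asked for.
        "event.parameters": json.dumps(ev.get("requestParameters", {}), sort_keys=True),
        "event.outcome": "failure" if ev.get("errorCode") else "success",
    }
    return {k: v for k, v in rec.items() if v is not None}


def missing_fields(record):
    """Return the required fields a normalized record lacks (empty when Tier 3 complete)."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


if __name__ == "__main__":
    for rec in (normalize_sshd(SAMPLE_SSHD), normalize_cloudtrail(SAMPLE_CLOUDTRAIL)):
        print(json.dumps(rec, sort_keys=True), "missing:", missing_fields(rec))
```

Run the check against a day of real events from each source before declaring it onboarded; a parser that drops the user name on one log variant (the `invalid user` form of the sshd line is a common one) silently takes the source below Tier 3.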

Centralized access and retention. Agencies need a centralized log repository that authorized security operations and incident response staff can query, and they must make logs available to CISA and the FBI on request to support investigations. M-21-31 requires that logs be kept for 12 months in active (online, searchable) storage and for a further 18 months in cold storage, 30 months in total, with longer retention where agency records schedules or high-value asset requirements demand it. Active-tier logs must remain searchable and correlatable to support rapid investigation.

Implementation governance. Within 60 days of the memorandum, agencies had to assess their maturity against the four-tier model, identify capability and resourcing gaps, and report their findings, budget needs, and implementation timelines to OMB. DHS's Cybersecurity and Infrastructure Security Agency (CISA) provides technical guidance and, where they fit, Continuous Diagnostics and Mitigation (CDM) program capabilities to help agencies close the gaps.

Concrete controls.

  • Log source catalog. Inventory all log-producing systems (identity providers, network devices, endpoints, cloud services) and map them to Tier requirements; prioritize onboarding of missing sources to the central log platform.
  • Schema normalization. Adopt common schemas such as CEF, ECS, or OCSF to standardize fields, enabling cross-correlation and automated analytics.
  • Integrity safeguards. Protect high-value logs with HMAC tags or digital signatures over a hash chain, or with WORM (write-once) storage, so that modification, deletion, or reordering is detectable; route integrity-check failures to the SIEM as alerts.
  • Retention automation. Configure lifecycle policies that keep logs 12 months in active storage and then move them to cold storage for a further 18 months (30 months total), with automated deletion at end-of-life unless a legal hold or a longer agency records schedule applies.
  • Incident response playbooks. Update playbooks to include log triage steps, search queries, and escalation criteria consistent with M-21-31 reporting timelines.
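The integrity control in the list above is worth seeing end to end, because a plain per-line hash catches edits but not deletion or reordering. The following Python is an added example, not code from M-21-31 or any SIEM product: every stored line is tagged with HMAC-SHA256 over the previous tag and the line, so changing any earlier entry breaks every later tag, and `verify()` returns the index of the first bad entry. Truncation at the tail is only caught when the newest tag (the "head") is anchored somewhere the log host cannot rewrite, so `verify()` takes an optional expected head. The key, the sample lines, and the `GENESIS` anchor are assumptions for the demo; in a real deployment the key lives in a KMS or HSM, not on the host that writes the log.

```python
"""Tamper-evident log storage with an HMAC hash chain.

Added example, not code from M-21-31 or any SIEM: each stored line gets the
tag HMAC-SHA256(key, previous_tag || line), so modifying, deleting or
reordering an earlier entry invalidates every later tag. Tail truncation is
only caught if the latest tag ("head") is anchored where the log host cannot
rewrite it, which is why verify() accepts an expected head. The key is a
constant here for the demo only (assumption); keep it in a KMS/HSM in practice.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain anchor for the first entry

# Constructed audit lines, already normalized by the ingestion pipeline.
LINES = [
    '{"@timestamp":"2024-03-04T10:15:22Z","user.name":"admin","event.action":"ssh-login","event.outcome":"failure"}',
    '{"@timestamp":"2024-03-04T10:16:01Z","user.name":"deploy-bot","event.action":"AssumeRole","event.outcome":"failure"}',
    '{"@timestamp":"2024-03-04T10:17:40Z","user.name":"alice","event.action":"sudo","event.outcome":"success"}',
]


def _tag(key, prev, line):
    """HMAC over the previous tag and the current line (the chain link)."""
    return hmac.new(key, prev + line.encode(), hashlib.sha256).digest()


def seal(key, lines):
    """Return [(line, hex_tag), ...] with each tag chained to its predecessor."""
    prev, sealed = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify(key, sealed, head=None):
    """Index of the first bad entry; len(sealed) if the head does not match
    (tail truncated or replaced); -1 if the chain is intact."""
    prev = GENESIS
    for i, (line, hex_tag) in enumerate(sealed):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected, bytes.fromhex(hex_tag)):
            return i
        prev = expected
    if head is not None and not hmac.compare_digest(prev.hex(), head):
        return len(sealed)
    return -1


if __name__ == "__main__":
    key = b"demo-key-keep-in-kms"
    chain = seal(key, LINES)
    print("intact:", verify(key, chain, head=chain[-1][1]))
    chain[0] = (chain[0][0].replace("failure", "success"), chain[0][1])
    print("first bad entry:", verify(key, chain))
```

Publish the head tag to the WORM tier (or a separate account) on a fixed schedule; the verification job then compares against that anchor, and an alert on any index other than -1 is the "SIEM tamper-detection" hook the list item refers to.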

Implementation roadmap.

  1. Quarter 1: Assess current tier maturity, identify high-value assets, and document gaps in log coverage, retention, and access controls.
  2. Quarter 2: Procure or scale log management infrastructure (SIEM, data lake), onboard critical log sources (identity, privileged access, network perimeter), and establish data ingestion pipelines.
  3. Quarter 3: Implement analytics, detection content, and dashboards aligned with CISA playbooks; integrate with SOAR tools for automated response.
  4. Quarter 4: Conduct readiness exercises simulating cyber incidents, validate log availability, and finalize documentation for OMB and CISA oversight.
  5. Ongoing: Review telemetry coverage quarterly, adjust retention policies, and integrate new cloud services or endpoints as the environment evolves.

Cloud and SaaS considerations. Agencies using commercial cloud services must ensure access to provider telemetry (AWS CloudTrail, Microsoft Entra ID sign-in and audit logs, Google Workspace audit logs, and the equivalents for other providers) and export it to the central repository. Contracts should specify log availability, retention, delivery format, and support for e-discovery during incidents.

Identity and zero trust. The federal zero trust strategy (OMB M-22-09, January 2022) builds on M-21-31's logging requirements and depends on detailed identity telemetry: authentication attempts, MFA usage, and privilege escalations. Combine these logs with identity governance tools to detect anomalous behavior, and use conditional access policies and session logging to enforce least privilege.

High-value assets (HVAs). Agencies must prioritize Tier 3 logging for systems designated as HVAs, ensuring full visibility into administrative actions, data access, and configuration changes. Coordinate with CISA’s HVA program for assessments and remediation support.

Integration with threat intelligence. Feed threat intelligence indicators (IP addresses, hashes, domains) into the SIEM to enrich logs and accelerate detection. Align with CISA’s sharing platforms such as Automated Indicator Sharing (AIS) and the EINSTEIN program.

Metrics and reporting. Track metrics including percentage of log sources onboarded, time to ingest new telemetry, log search performance, incident detection mean time, and compliance status per tier. Provide quarterly updates to agency leadership and OMB.

Vendor and contractor obligations. Contractors supporting federal systems must deliver logs to agency repositories or maintain equivalent capabilities, depending on contract terms. Contracts should reference M-21-31 requirements, specify delivery formats, and include service-level agreements for log access during investigations.

Cost management. Logging at Tier 3 can be resource-intensive. Optimize storage through tiered data lakes, compression, and summarization, and use data classification so that the longest retention applies only to the logs that need it. Budget planning should include infrastructure, licensing, and staffing for 24/7 monitoring.

Training and workforce. Upskill security operations teams on new log sources, analytics, and automation. Develop training modules on building detection queries, performing threat hunting, and using SOAR tools. Cross-train incident responders and digital forensics personnel to use the expanded telemetry.

Compliance alignment. Document how M-21-31 controls map to NIST SP 800-53 Rev. 5 audit and accountability controls (AU family) and incident response controls (IR family). Align logging practices with FedRAMP, FISMA, and agency-specific requirements to avoid duplicative efforts.

Future outlook. OMB may update logging requirements as zero trust initiatives mature and as CISA issues further directives. Agencies should build flexible architectures capable of scaling ingestion, analytics, and retention. Continuous monitoring and automation will be key to sustaining Tier 3 maturity.

Risks of non-compliance. Failure to meet logging tiers can delay incident investigations, hinder reporting to CISA, and expose agencies to OMB oversight actions or funding impacts. Implementing full logging reduces dwell time for adversaries and improves resilience against nation-state threats.

Analytics and automation. Deploy behavioral analytics and machine learning models on consolidated logs to detect lateral movement, unusual privilege use, and data exfiltration attempts; document detection logic and tuning cycles to satisfy oversight reviews.
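The threat-intelligence and analytics sections above both come down to rules evaluated over the consolidated, normalized events. The Python below is an added example covering both; it is not CISA AIS code or any SIEM vendor's detection content. It enriches each event with matching feed indicators and then runs three rules: source IP inside an indicator, a privileged action by a user who never performed it during the baseline period, and one user successfully logging into more distinct hosts than a fan-out threshold within the batch. The indicator list, the privileged-action set, the threshold, and all events are constructed for the demo.

```python
"""IOC enrichment plus behavioral rules over normalized events.

Added example, not CISA AIS code or any vendor's analytics content. The
indicator feed, the privileged-action set, the threshold and every event are
constructed for the demo (assumptions).
Rules: (1) source IP inside a feed indicator, (2) privileged action by a
user with no such action in the baseline, (3) one user logging into more
distinct hosts than the fan-out threshold within the batch (lateral movement).
"""
import ipaddress
from collections import defaultdict

# Constructed indicator feed, as CIDR blocks after normalizing a STIX/AIS bundle.
IOC_NETS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.7/32")]
PRIVILEGED = {"sudo", "AssumeRole", "AddUserToGroup"}


def _ev(ts, user, action, src, dst, outcome="success"):
    return {"@timestamp": ts, "user.name": user, "event.action": action,
            "source.ip": src, "destination.address": dst, "event.outcome": outcome}


# Constructed baseline window (what "normal" privilege use looked like).
BASELINE_EVENTS = [
    _ev("2024-02-10T08:00:00Z", "deploy-bot", "sudo", "10.0.0.20", "app01"),
    _ev("2024-02-11T08:00:00Z", "deploy-bot", "sudo", "10.0.0.20", "app02"),
]
# Constructed batch under analysis.
NEW_EVENTS = [
    _ev("2024-03-04T10:10:00Z", "alice", "ssh-login", "10.0.0.5", "db01"),
    _ev("2024-03-04T10:11:00Z", "alice", "ssh-login", "10.0.0.5", "db02"),
    _ev("2024-03-04T10:12:00Z", "alice", "ssh-login", "10.0.0.5", "db03"),
    _ev("2024-03-04T10:13:00Z", "alice", "ssh-login", "10.0.0.5", "db04", "failure"),
    _ev("2024-03-04T10:15:00Z", "bob", "sudo", "203.0.113.9", "app01"),
    _ev("2024-03-04T10:16:00Z", "deploy-bot", "sudo", "10.0.0.20", "app03"),
]


def enrich(event):
    """Return a copy of the event with any matching feed indicators attached."""
    out = dict(event)
    try:
        ip = ipaddress.ip_address(event.get("source.ip", ""))
    except ValueError:  # missing or malformed address: nothing to match
        return out
    hits = [str(n) for n in IOC_NETS if ip in n]
    if hits:
        out["threat.indicator.matches"] = hits
    return out


def baseline_privileged(events):
    """Set of (user, action) pairs seen during the baseline period."""
    return {(e["user.name"], e["event.action"]) for e in events
            if e["event.action"] in PRIVILEGED}


def detect(events, baseline, fanout_threshold=3):
    """Run the three rules over one batch and return a list of alert dicts."""
    alerts, hosts_by_user = [], defaultdict(set)
    for ev in map(enrich, events):
        user, action = ev.get("user.name"), ev.get("event.action")
        if "threat.indicator.matches" in ev:
            alerts.append({"rule": "ioc-source-ip", "user": user, "ip": ev["source.ip"],
                           "indicators": ev["threat.indicator.matches"]})
        if action in PRIVILEGED and (user, action) not in baseline:
            alerts.append({"rule": "first-seen-privilege", "user": user, "action": action})
        if action == "ssh-login" and ev.get("event.outcome") == "success":
            hosts_by_user[user].add(ev["destination.address"])
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= fanout_threshold:
            alerts.append({"rule": "lateral-fanout", "user": user, "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, baseline_privileged(BASELINE_EVENTS)):
        print(alert)
```

The baseline set and the fan-out threshold are the two knobs that need a documented tuning cycle: a baseline that is too short flags routine administration as first-seen, and a threshold set below a jump host's normal session count floods the queue. Recording those values and the dates they changed is what satisfies the "document detection logic and tuning cycles" expectation above.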

Privacy and data minimization. Logging expansions must respect privacy statutes such as the Privacy Act and agency-specific rules. Implement data minimization, pseudonymization where possible, and access review boards to approve use of sensitive log attributes during investigations.

Collaboration. Formalize information-sharing agreements with law enforcement and sector risk management agencies so critical log data can be exchanged securely during multi-jurisdictional investigations.

Development teams building the ingestion pipelines, parsers, and detection content that sustain Tier 3 logging should adopt practices that keep that code reviewable and maintainable during and after the rollout:

  • Code review focus areas: Review parser and schema changes for dropped or renamed fields and detection-rule changes for coverage regressions. Require review for changes that span multiple pipeline components (collector, normalizer, SIEM content).
  • Documentation updates: Keep the log source catalog, field mappings, and architectural decision records current. Document the rationale for schema and retention choices to aid future maintenance.
  • Version control practices: Manage detection rules and pipeline configuration as code, using feature branches and tagged releases with changelogs that call out breaking schema changes and their migration steps.
  • Dependency management: Pin collector, agent, and parser library versions and commit lockfiles so ingestion builds are reproducible; upgrade systematically so a library change cannot silently alter emitted fields.
  • Technical debt tracking: Record temporary parsing workarounds and deferred source onboarding as backlog items with owners, so post-rollout cleanup is scheduled rather than forgotten.

Consistent application of development practices reduces risk and accelerates delivery of reliable software.

Path to implementation

If you are affected, develop implementation roadmaps that account for resource constraints, dependencies, and risk priorities. Phased approaches typically provide better outcomes than attempting all changes at once, and early wins (onboarding identity and privileged-access logs first, for instance) build momentum and show value to teams.

Progress monitoring should track implementation activities against the planned timelines and identify issues that need intervention. Regular reporting keeps teams informed and maintains organizational focus on logging priorities.

Engaging stakeholders

Effective stakeholder engagement ensures alignment on objectives, expectations, and implementation approaches. Communication should be tailored to each audience, giving technical and executive teams the level of detail they need.

Change management processes should address organizational readiness and potential resistance to new requirements or practices. Training and support resources help ensure successful adoption of required changes.

Ongoing improvement

Continuous improvement processes should incorporate lessons learned and feedback from the rollout. Regular reviews help identify improvement opportunities and keep the logging program aligned with evolving requirements.

Documentation of implementation activities and outcomes provides evidence of due diligence for OMB and CISA oversight and supports ongoing maintenance. Knowledge capture ensures institutional learning is preserved for future reference.


Cited sources

  1. OMB Memorandum M-21-31 — Office of Management and Budget
  2. CISA Guidance on OMB M-21-31 — Cybersecurity and Infrastructure Security Agency
  3. OMB Memorandum M-22-09: Federal Zero Trust Strategy — Office of Management and Budget
