OMB M-21-31 Logging and Incident Response Directive — August 27, 2021
OMB M-21-31 mandated tiered federal event logging, centralized visibility, and time-bound incident response milestones that still anchor Zeph Tech’s guidance for regulated suppliers.
OMB Memorandum M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, is a cornerstone directive for modernizing U.S. federal logging and incident response. Issued on 27 August 2021, the memorandum requires agencies to adopt a tiered logging maturity model (Tiers 0–3), retain prioritized log categories for defined periods, centralize visibility for high value assets (HVAs), and report measurable progress to the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA). The directive was reinforced by CISA implementation guidance, including Binding Operational Directive (BOD) 22-01 and subsequent technical advisories that map specific log sources, collection cadences, and minimum detection content to the memorandum’s tiers. Zeph Tech aligns its federal playbooks to these authoritative requirements to ensure suppliers and integrators deliver solutions that withstand audits and support rapid incident remediation.
Summary of Tiered Logging Requirements
M-21-31 establishes four logging tiers that define progressively stronger visibility and retention expectations. Tier 0 represents ad hoc or incomplete logging. Tier 1 requires collection of security-relevant logs for HVAs and mission-critical systems but may lack centralization. Tier 2 mandates centralized visibility, baseline correlation, and retention of prioritized log categories—such as authentication events, DNS queries, email telemetry, EDR alerts, and network flow records—for at least 12 months active plus 18 months cold storage. Tier 3 expects full enterprise coverage, standardized schemas, automation for collection and correlation, and near-real-time access to logs for both the agency and authorized incident responders. The memorandum directs agencies to reach Tier 3 for HVAs within 24 months of issuance and to demonstrate continuous improvement for enterprise assets. CISA’s implementation guidance clarifies that agencies should collect host-based logs (e.g., Windows Event ID 4624/4625 for logon attempts, Sysmon process creation, Linux auditd entries), cloud audit logs (e.g., AWS CloudTrail, Azure Activity Logs), and network telemetry (e.g., NetFlow, Zeek HTTP/SSL logs) to satisfy Tier 2 and Tier 3 visibility.
The memorandum’s emphasis on specific log categories is tied to investigative priorities: identity and access management, endpoint execution, lateral movement, data access, and exfiltration. OMB highlights the need for data normalization and time synchronization using NTP to enable cross-system correlation. Agencies are instructed to prioritize HVAs by mission criticality and sensitivity, deploy sensors or agents that can capture the required events, and ensure logging pipelines maintain integrity through encryption in transit, integrity validation, and robust access controls. CISA’s subsequent advisories recommend that agencies adopt standardized schemas (e.g., Elastic Common Schema, OpenTelemetry semantic conventions) to reduce parsing overhead and enable faster detection engineering.
Implementation Timelines, Reporting, and Oversight
M-21-31 sets explicit timelines for achieving logging maturity and mandates structured reporting to ensure accountability. Within 60 days of issuance, agencies were required to inventory log sources, identify HVAs, and submit a capability assessment to OMB and CISA. Quarterly thereafter, agencies must report progress toward Tier 3 for HVAs and Tier 2 for remaining enterprise assets, including metrics on log coverage, centralization, retention, and incident response readiness. The memorandum specifies that incident response teams should be able to access required logs within 72 hours of a security incident and retain relevant data for retrospective analysis. Agencies must maintain active storage for at least 12 months for prioritized log categories to support rapid investigations, followed by 18 months of cold storage accessible within 72 hours upon request.
CISA operationalizes these expectations through playbooks and directives. BOD 22-01, issued in November 2021, compels agencies to remediate known exploited vulnerabilities and to leverage logging data to verify patching and detect exploitation attempts. CISA’s Event Logging Guidance for Federal Agencies provides detailed mappings between MITRE ATT&CK techniques and the log sources required to detect them, reinforcing the necessity of comprehensive telemetry for credential abuse, persistence, and privilege escalation. The guidance also prescribes log forwarding to centralized security operations centers (SOCs) and Security Information and Event Management (SIEM) platforms with defined service-level objectives (SLOs): collection latency under five minutes for critical events, correlation rule execution within 15 minutes, and alert triage workflows that include automated enrichment from vulnerability management and asset inventory systems. Agencies are expected to attest to these SLOs during quarterly reporting.
The OMB memorandum and CISA guidance introduce oversight mechanisms that influence procurement and integration decisions. New systems must include logging architectures that can forward required events in standardized formats, and contract language should incorporate Service Level Agreements (SLAs) for logging coverage, retention, and incident response support. Agencies must also document data handling procedures that align with privacy statutes and records management policies, ensuring that personally identifiable information (PII) in logs is minimized, masked where feasible, and protected with role-based access controls. Zeph Tech uses these oversight requirements to advise suppliers on designing compliant log pipelines, including the use of cloud-native logging services with FedRAMP authorization, hardened log collectors, and immutable storage tiers with object locking.
Implications for Zeph Tech Clients and Federal Suppliers
Zeph Tech incorporates M-21-31 and related CISA guidance into advisory, integration, and managed detection and response (MDR) offerings for federal suppliers. For agencies pursuing Authority to Operate (ATO) under FedRAMP or agency-specific baselines, Zeph Tech architects logging solutions that map directly to the memorandum’s prioritized categories: identity, endpoint, network, email, cloud control plane, and data access logs. We recommend layered collection (host agent plus network sensor), schema normalization, and time synchronization to ensure Tier 3 readiness for HVAs. Our playbooks emphasize automating log source onboarding using infrastructure-as-code templates, enforcing TLS 1.2+ for log transport, and validating integrity through cryptographic hashing and tamper-evident storage (e.g., S3 Object Lock, WORM-capable appliances).
From a detection and response standpoint, Zeph Tech aligns correlation content and detection-as-code repositories with the memorandum’s prioritized threats. This includes rules for credential theft (pass-the-hash, Kerberoasting), ransomware precursor behaviors (suspicious use of vssadmin, shadow copy deletion, unauthorized use of remote tools), and exploitation of internet-facing systems (web shell creation, anomalous PowerShell remoting, persistence through scheduled tasks or systemd services). By ensuring that required log categories are collected and retained, our analysts can perform rapid scoping, build detailed timelines, and support forensic reconstruction within the 72-hour access window mandated by M-21-31. We also embed reporting automations that generate quarterly capability updates formatted to OMB templates, reducing administrative burden for agency stakeholders.
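A detection-as-code sketch for two of the prioritized behaviours discussed above (the shadow-copy deletion precursor, and failed-logon bursts visible in the Windows Event ID 4625 records named in the tiered logging summary), written for this page as an added example rather than taken from Zeph Tech's playbooks; the key=value telemetry, host and user names and the five-failures-in-five-minutes threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not an export from a real system): Sysmon Event ID 1
# process creation and Windows Security 4625 failed logons as key=value lines.
SAMPLE_LOG = r"""
ts=2021-09-01T10:00:01Z EventID=1 Host=HVA-FS01 User="CORP\svc_backup" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet"
ts=2021-09-01T10:00:05Z EventID=1 Host=HVA-FS01 User="CORP\admin" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows"
ts=2021-09-01T10:01:10Z EventID=1 Host=HVA-FS02 User="CORP\svc_backup" Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete"
ts=2021-09-01T10:02:00Z EventID=4625 Host=HVA-DC01 TargetUserName=jdoe IpAddress=10.0.5.7
ts=2021-09-01T10:02:20Z EventID=4625 Host=HVA-DC01 TargetUserName=asmith IpAddress=10.0.5.7
ts=2021-09-01T10:02:40Z EventID=4625 Host=HVA-DC01 TargetUserName=bwong IpAddress=10.0.5.7
ts=2021-09-01T10:03:00Z EventID=4625 Host=HVA-DC01 TargetUserName=clee IpAddress=10.0.5.7
ts=2021-09-01T10:03:15Z EventID=4625 Host=HVA-DC01 TargetUserName=dpatel IpAddress=10.0.5.7
ts=2021-09-01T10:20:00Z EventID=4625 Host=HVA-DC01 TargetUserName=jdoe IpAddress=10.0.9.3
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Turn each key=value line into a dict; quoted values lose their quotes."""
    records = []
    for line in log.strip().splitlines():
        rec = {k: v.strip('"') for k, v in KV.findall(line)}
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def detect_shadow_copy_deletion(records):
    """Ransomware precursor (ATT&CK T1490): vssadmin or wmic deleting shadow copies."""
    hits = []
    for r in records:
        cmd = r.get("CommandLine", "").lower()
        if r["EventID"] == "1" and "delete" in cmd and ("shadows" in cmd or "shadowcopy" in cmd):
            hits.append((r["Host"], r["User"], r["CommandLine"]))
    return hits

def detect_failed_logon_burst(records, threshold=5, window=timedelta(minutes=5)):
    """Credential attack precursor: >= threshold 4625 events from one source
    IP inside a sliding window; returns the offending source addresses."""
    by_ip = defaultdict(list)
    for r in records:
        if r["EventID"] == "4625":
            by_ip[r["IpAddress"]].append(r["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(ip)
                break
    return alerts
```

The benign `vssadmin list shadows` record and the single failure from 10.0.9.3 are deliberate negative cases so the rules can be checked for false positives as well as hits.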
Zeph Tech’s federal supplier engagements also address supply chain and third-party risk. M-21-31 requires agencies to extend logging expectations to service providers handling federal data. We help vendors document how their SaaS, PaaS, or on-prem solutions expose auditable events (e.g., administrative actions, data export events, access control changes), support standardized export formats, and retain logs for the mandated durations. Where gaps exist, we recommend specific telemetry improvements—such as adding CloudTrail data events for S3 object-level access, enabling Office 365 Unified Audit Logging, or activating AWS GuardDuty and Azure Defender signals—and design cross-tenant SIEM ingestion patterns that respect data segmentation while providing centralized oversight.
Implementation guidance from CISA underscores the importance of automation and resilience. Zeph Tech advises agencies to leverage infrastructure-as-code to deploy log pipelines, use message queuing and retry mechanisms to prevent loss during network disruption, and implement health monitoring that alerts on ingestion failures, parsing errors, or schema drift. We also recommend aligning log retention policies with National Archives and Records Administration (NARA) requirements and integrating privacy impact assessments when logs contain PII or mission-sensitive data. For MDR clients, Zeph Tech offers managed retention validation, quarterly evidence packages demonstrating SLO adherence, and tabletop exercises that test 72-hour access requirements and cross-team coordination.
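An added example (not Zeph Tech's tooling) of the pipeline health and retention checks described above and in the SLO and retention passages earlier: it scores constructed ECS-style records against the five-minute collection SLO, reports missing required fields as schema drift, and classifies a record's storage tier under the 12-month active plus 18-month cold schedule; the required-field set, host names and sample timestamps are assumptions.

```python
from datetime import datetime

# Targets as the page states them: critical events must reach the SIEM within five
# minutes; prioritized categories stay 12 months active, then 18 months cold.
COLLECTION_SLO_SECONDS = 5 * 60
ACTIVE_MONTHS, COLD_MONTHS = 12, 18
# ECS field names every forwarded record must carry; which fields are mandatory is
# an assumption of this example, and a missing one is reported as schema drift.
REQUIRED_FIELDS = {"@timestamp", "event.ingested", "event.category", "host.name", "event.dataset"}

# Constructed sample of collector output (not agency data): one healthy record,
# one that breached the collection SLO, one missing a required field.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-09-01T10:00:00Z", "event.ingested": "2021-09-01T10:02:30Z",
     "event.category": "authentication", "host.name": "hva-dc01", "event.dataset": "windows.security"},
    {"@timestamp": "2021-09-01T10:00:00Z", "event.ingested": "2021-09-01T10:09:00Z",
     "event.category": "process", "host.name": "hva-fs01", "event.dataset": "windows.sysmon"},
    {"@timestamp": "2021-09-01T10:01:00Z", "event.ingested": "2021-09-01T10:01:20Z",
     "event.category": "network", "host.name": "sensor-01"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def check_pipeline(events, slo_seconds=COLLECTION_SLO_SECONDS):
    """Return (SLO breaches as (dataset, latency_s), schema drift as (host, missing))."""
    breaches, drift = [], []
    for e in events:
        missing = sorted(REQUIRED_FIELDS - set(e))
        if missing:
            drift.append((e.get("host.name"), missing))
        if "@timestamp" in e and "event.ingested" in e:
            latency = (_ts(e["event.ingested"]) - _ts(e["@timestamp"])).total_seconds()
            if latency > slo_seconds:
                breaches.append((e.get("event.dataset"), int(latency)))
    return breaches, drift

def months_between(start, end):
    """Whole calendar months from start to end (both datetimes)."""
    m = (end.year - start.year) * 12 + (end.month - start.month)
    return m - 1 if end.day < start.day else m

def retention_tier(event_ts, now_ts):
    """Storage tier a prioritized-category record should occupy at now_ts:
    'active' for the first 12 months, 'cold' for the next 18, then 'disposition'."""
    age = months_between(_ts(event_ts), _ts(now_ts))
    if age < ACTIVE_MONTHS:
        return "active"
    if age < ACTIVE_MONTHS + COLD_MONTHS:
        return "cold"
    return "disposition"
```

Run `check_pipeline` on each ingestion batch and alert on any non-empty result; `retention_tier` is the rule a lifecycle policy or evidence package would encode.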
The directive’s continued relevance is reinforced by subsequent federal cybersecurity initiatives. The 2022 National Cybersecurity Strategy and the Federal Zero Trust Strategy rely on comprehensive telemetry to validate identity-centric controls, least privilege enforcement, and continuous diagnostics and mitigation (CDM) outcomes. CISA’s Cybersecurity Performance Goals (CPGs) similarly emphasize centralized logging, asset discovery, and rapid response. By grounding solutions in M-21-31 and its authoritative follow-on guidance, Zeph Tech ensures that federal suppliers can demonstrate compliance, enable high-fidelity threat detection, and accelerate recovery when incidents occur.