SDLC governance briefing — OMB M-21-31 mandates event logging maturity
OMB Memorandum M-21-31, released on 27 August 2021, defined event logging tiers that federal suppliers must achieve, requiring software teams to capture traceable telemetry and incident response workflows.
What happened: OMB M-21-31 established logging, log retention, and centralized access requirements for federal agencies and vendors.
- Telemetry controls: Developers must ensure applications emit detailed audit logs aligned to Tier 3 requirements for critical systems.
- Retention and integrity: Logging pipelines must preserve records for at least 12 months with tamper-evident storage.
- Incident integration: Logs should flow into security operations tooling to support 72-hour incident reporting timelines.
Next steps: Map application logging to OMB tiers, enhance structured logging libraries, and document retention policies for compliance reviews.