FEMA’s Approach to Event Logging For OMB Memo M-21-31

The Federal Emergency Management Agency (FEMA) is fulfilling its goal of increasing information-sharing around cyber incidents thanks to a recent Office of Management and Budget (OMB) M-21-31 memorandum that directs agencies to fulfill a cybersecurity executive order round efficient event logging to identify, investigate and prevent attacks.

The White House Executive Order on Improving the Nation’s Cybersecurity designed to help organizations establish a clear path to identify threats before an attack, respond quickly during an attack and recover efficiently after an attack.

The OMB memo outlines a new maturity model for event log management and instructs agencies to begin logging requirements that utilize current cybersecurity budgets, and share data with CISA and the FBI.

According to FEMA CISO Gregory Edwards, the agency is actively taking steps to reach full logging maturity before the two-year deadline.

“We share information that is appropriate, we don’t want everyone to see everything that we’re collecting so we need to distill that information,” Edwards said during a MeriTalk virtual event.

“The sharing of information that we will receive from others in the federal government will help us see a broader picture and then be more proactive to those threats already out there,” he added.

The memo will also push agencies to be more proactive in identifying threats.

“It’s very valuable to have that detection, investigation and remediation capabilities. You don’t know when things are going to happen. It’s important to be able to reach out and look into your log files and figure out what’s going on in your environment,” Edwards said.  “This logging, log retention and log management with a focus on ensuring centralized access and visibility and that centralized point is key to us because we were protecting FEMA’s environment.”

FEMA leaders strongly believe tying their implementation plan into their zero-trust implementation strategy, which includes identity, devices, network, applications and data, will help them meet the M-21-31 mandate.

“Due to recent security incidents, we saw that need and had already done some initial work. Fundamentally we believe that the requirements to accelerate instant response are aligned with the five pillars in the zero-trust strategy, and so we leveraged zero trust in that overall broad initiative to help us move forward,” Edwards said.

Because the mandate does not include extra funding, FEMA will implement this plan by using its current cybersecurity budget.

FEMA was already upgrading cyber processes and had received funding to help close some cybersecurity gaps. Edwards said FEMA is prioritizing zero trust architecture to make the most of existing cybersecurity funding.

FEMA has faced obstacles with event logging and management, such as edge security management and information collection.

Another hurdle is the timely receipt of cyber incident information from vendors or commercial partners.

“There’s a lot going on within the data and it’s not timely,” Edwards said. “A program has a commercial partner providing service for them and I don’t have real-time notifications of incidents. I have to wait within 24 hours to find out what happened within their log files, and that is absolutely not where we need to be.”

Despite the challenges, Edwards believes industry and federal partners should be working together to build a better cyber resilience for everyone.

“To friends in industry, please understand our mission and help us align capabilities to our mission set — and if you don’t let us know, you don’t, and then we can help you understand and we can have a real conversation,” Edwards said. “Federal team, as we all talk about budgets and our ability to meet those mandates, I suggest using the identify, detect, protect, respond and recover model and then peanut-butter-spread it across and achieve in each area and you should have success at the end of the day.”