Cost Effect of Log Retention Policy in Memorandum from the Office of Management and Budget (OMB) — M-21-31
OMB Memorandum M-21-31 is a crucial directive aimed at enhancing the cybersecurity posture of all executive departments and agencies within the federal government, and it has far-reaching effects — both positive and challenging — on these organizations.
Positive Effects:
1. Improved Security Posture: The requirement to implement active event logging and retention capabilities bolsters an organization’s ability to swiftly detect, investigate, and remediate security incidents. In the face of a cyberattack, having comprehensive security logs enables agencies to identify affected systems promptly and respond effectively.
2. Enhanced Forensic Investigations: Active logging and retention of security logs empower organizations to conduct more thorough forensic investigations during security incidents. This capability allows agencies to trace the source of breaches, identify compromised data, and ultimately strengthen their security measures.
3. Compliance Adherence: Many organizations are mandated to comply with industry or regulatory standards that necessitate the retention of security logs for specific timeframes. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates a minimum one-year log retention. Adhering to these requirements helps agencies avoid non-compliance penalties.
4. Effective Auditing: Active log retention assists in monitoring security systems and practices more efficiently. It enables organizations to detect unauthorized access, suspicious activities, and potential vulnerabilities through comprehensive audits, thus strengthening overall security.
Challenges and Costs:
1. Storage Costs: Storing large volumes of log data for extended periods can be expensive. It necessitates investments in storage infrastructure, which may strain an agency’s budget, especially in high-performance environments.
2. Processing Costs: Analyzing vast amounts of log data incurs processing costs, particularly when looking for security threats. This requires dedicated resources for data analysis and real-time monitoring, which can be resource-intensive.
3. Privacy Concerns: Security logs may contain sensitive personal or financial information. Agencies must establish strict policies and procedures to protect this data, as its exposure could lead to privacy breaches and legal repercussions.
Implementation Tips:
1. Identify Logging Requirements: Begin by identifying the types of logs you need to collect and retain and determine how long they should be retained.
2. Select the Right Solution: Choose a logging and retention solution that aligns with your specific needs and requirements. Consider factors such as scalability, data storage capabilities, and compliance features.
3. Careful Implementation: Configure your chosen logging and retention solution meticulously to ensure it collects and retains the appropriate logs for the necessary duration.
4. Regular Monitoring: Continuously monitor your logging and retention solution to verify its proper functioning and the correct retention of logs.
Improve Investigative and Remediation Capabilities. The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.
M-21-31 has been a topic of discussion lately as Federal Agencies aim to implement a cost-effective log aggregation and retention strategy to meet the requirements of the memo, specifically the requirement of 12 months of active log storage followed by 18 months of cold storage.
The memo defines active storage as follows: Active storage refers to data that is stored in a manner that facilitates frequent use and ease of access.
Most logging solutions don’t offer a cost-effective way to store and query your complete log data over a long time window, forcing customers to make tradeoffs and lose critical visibility.
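The following is an added example, not code from the original post or from OMB. It models the 12-month active and 18-month cold windows described above so that the retention-planning steps from the Implementation Tips (deciding how long each tier must hold data, and verifying that a configured policy actually meets it) and the storage-cost trade-off can be reasoned about with numbers. The per-GB-month prices, the 100 GB/day ingest figure, the 30-day month, and the function and tier names are all assumptions constructed for the example; the only values taken from the memo are the 12 and 18 month windows.

```python
"""Retention-tier model for the M-21-31 active/cold windows.

Added example, not part of the original post. Constructed assumptions:
- 12 months active + 18 months cold, modelled with 30-day months
- per-GB-month prices and the 100 GB/day ingest are placeholders, not quotes
"""
from dataclasses import dataclass
from datetime import date, timedelta

ACTIVE_MONTHS = 12   # memo: active storage window
COLD_MONTHS = 18     # memo: cold storage window after the active window
DAYS_PER_MONTH = 30  # simplification used by this model
ACTIVE_DAYS = ACTIVE_MONTHS * DAYS_PER_MONTH                  # 360
TOTAL_DAYS = (ACTIVE_MONTHS + COLD_MONTHS) * DAYS_PER_MONTH   # 900


@dataclass(frozen=True)
class TierPrices:
    """Per-GB-month prices for each tier (constructed placeholder values)."""
    active_per_gb_month: float = 0.10
    cold_per_gb_month: float = 0.01


def tier_for_age(age_days: int) -> str:
    """Tier a log record belongs in, given its age in days, under the memo's windows."""
    if age_days < 0:
        raise ValueError("age_days cannot be negative")
    if age_days < ACTIVE_DAYS:
        return "active"
    if age_days < TOTAL_DAYS:
        return "cold"
    return "expired"  # past 30 months: eligible for deletion in this model


def bucket_by_tier(record_dates: list, as_of: date) -> dict:
    """Group record dates into tiers as seen on the as_of date."""
    buckets = {"active": [], "cold": [], "expired": []}
    for d in record_dates:
        buckets[tier_for_age((as_of - d).days)].append(d)
    return buckets


def sample_bucket_counts() -> dict:
    """Bucket a constructed set of record ages and return the count per tier."""
    as_of = date(2024, 1, 1)
    sample = [as_of - timedelta(days=n) for n in (0, 100, 359, 360, 899, 900)]
    return {tier: len(dates) for tier, dates in bucket_by_tier(sample, as_of).items()}


def steady_state_volume_gb(daily_ingest_gb: float) -> dict:
    """Volume resident in each tier once the pipeline has run for the full 30 months."""
    return {
        "active": daily_ingest_gb * ACTIVE_DAYS,
        "cold": daily_ingest_gb * (TOTAL_DAYS - ACTIVE_DAYS),
    }


def monthly_cost(daily_ingest_gb: float, prices: TierPrices) -> dict:
    """Steady-state monthly storage cost when the two tiers are used as the memo describes."""
    vol = steady_state_volume_gb(daily_ingest_gb)
    active = vol["active"] * prices.active_per_gb_month
    cold = vol["cold"] * prices.cold_per_gb_month
    return {"active": active, "cold": cold, "total": active + cold}


def all_active_cost(daily_ingest_gb: float, prices: TierPrices) -> float:
    """Cost of keeping all 30 months in active storage, for comparison with tiering."""
    return daily_ingest_gb * TOTAL_DAYS * prices.active_per_gb_month


def check_policy(active_days: int, cold_days: int) -> list:
    """Findings for a proposed retention configuration; an empty list means it meets both windows."""
    findings = []
    if active_days < ACTIVE_DAYS:
        findings.append(f"active retention {active_days}d is below the {ACTIVE_MONTHS}-month window")
    if cold_days < TOTAL_DAYS - ACTIVE_DAYS:
        findings.append(f"cold retention {cold_days}d is below the {COLD_MONTHS}-month window")
    return findings


if __name__ == "__main__":
    prices = TierPrices()
    ingest = 100.0  # GB/day, constructed
    print("tiered monthly cost:", monthly_cost(ingest, prices))
    print(f"all-active monthly cost: {all_active_cost(ingest, prices):.2f}")
    print("policy findings (90d active, 540d cold):", check_policy(90, 540))
    print("sample tier counts:", sample_bucket_counts())
```

The comparison between `monthly_cost` and `all_active_cost` is the point of the model: with the constructed prices, tiering the 30 months roughly halves the steady-state bill relative to keeping everything in active storage, and `check_policy` is the check to run against whatever retention settings the chosen solution ends up with (tip 4 above), since a configuration that silently expires active data before 12 months is the failure mode that costs the least and is noticed last.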
In conclusion, OMB Memorandum M-21-31 is a significant stride towards improving government cybersecurity and log retention practices. While it offers numerous benefits, agencies must remain cognizant of the associated costs and challenges, striving to strike a balance between security and resource allocation. By adhering to best practices and implementing robust solutions, government organizations can effectively enhance their cybersecurity posture and meet the memorandum’s requirements.