More than a year after President Biden’s cybersecurity executive order, federal agencies are scrambling to put in place the guidance that followed, focusing especially on the challenges and potential benefits of event logging.
In a recent MeriTV “IT In Depth” episode, Robert Costello, Chief Information Officer at the Cybersecurity and Infrastructure Security Agency (CISA), and Bill Wright, Splunk’s Director of Public Sector Affairs, said the new event logging requirements pose a series of complicated tests for Federal IT managers. The mandates stem from the August 2021 Office of Management and Budget (OMB) memo M-21-31, which defines a four-tier event logging maturity model (EL0 through EL3, from “not effective” to “advanced”) and describes logs on Federal information systems as “invaluable” in fighting cyber threats.
“One of the challenges we have is, you can log everything but is anyone looking at it?” Costello says in the episode. “Are you doing any AI/ML on it? Do you have enough people to respond to alerts?”
Calling partnerships with logging system providers essential in writing the new rules, Costello adds: “It’s very easy for you to say log everything and then you quickly realize either you don’t need to, or it’s not providing the value that you expected…because it does no good to log everything and then get told by maybe an external provider or someone else that there’s a problem.”
The discussion illustrated the perils but also the promise of the accelerating effort to implement the May 2021 executive order and the subsequent OMB memo, which together laid out some of the first concrete steps agencies should take on the path to zero trust security. Overall, Costello and Wright agree that much progress has been made, with agencies zeroing in on training their workforce and paying more attention to the broad imperative of cybersecurity.
“One of the biggest changes is maybe on the visibility front, and by that I mean we seem to have a lot more coalescence around the criticality of cybersecurity,” Costello says. “We’re seeing it really being pushed down across the whole agency. Now, it’s not just the CIO’s job.”
Yet numerous challenges remain “if we’re going to improve our federal cybersecurity and get it to a place where it needs to be,” Wright says. Among the hurdles, he says, are “accelerating adoption of cloud technology” and “improving our investigative and remediation capabilities,” all while agencies are forced “to triage under some pretty tight budget constraints.”
While many agencies are prioritizing zero trust, Costello and Wright outlined actions agencies can take to accelerate progress, especially by adopting identity-centric security. “You have to really start with identity. That’s kind of the core area,” says Costello, who encouraged IT managers to use the numerous resources available at CISA.
Both experts repeatedly emphasized the importance of partnerships between Federal officials and the private sector. “Partnership is really the key,” says Wright. “Success with zero trust is going to require aggregating those logs, understanding network traffic, knowing who is on your network, and doing all of that in real time.”
“There is no single solution,” Wright adds. “I think that needs to be underscored many times.”