In an effort to address growing concerns about the maturity of cybersecurity practices within the Federal Government, in May 2021 the White House released Executive Order 14028 (EO), Improving the Nation’s Cybersecurity, outlining a set of measures designed to improve the security of Federal networks, assets, and supply chains, to better identify and respond to cybersecurity incidents, and to set measurable compliance and effectiveness standards for Agency risk management programs.
Responding to the EO, the Office of Management and Budget (OMB) issued Memorandum M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 2021), to address the requirements of EO Section 8 and guide implementation of its logging, log retention, log management, and centralized access and visibility provisions.
In addition to internal enterprise log management objectives, both EO 14028 and M-21-31 seek to promote accelerated external sharing of threat and incident response information across the Federal government to enable more effective defense of Federal information and executive branch enterprise environments.
As organizations work to interpret the new requirements and assess their enterprise security monitoring and reporting capabilities, enterprises must be able to rely on relevant, accurate, credible, and timely data about the maturity of their security telemetry and log management infrastructure. Organizations still employing traditional compliance models that rely on manual control validation and periodic reporting will find themselves increasingly challenged by the new logging mandates.
Qmulos stands ready to support OMB M-21-31 and assist organizations in meeting and demonstrating adherence to the newly established Federal mandates.
Long-term focus on threat visibility and log management maturity
Advanced cyber threats continue to evolve and proliferate across private and public enterprise environments. Beyond simply assessing the current defensive posture and response capabilities, EO 14028 and M-21-31 establish a maturity roadmap, a four-tier Event Logging (EL) model running from EL0 (Not Effective) through EL3 (Advanced), and a set of clear objectives for improving threat visibility and incident response effectiveness as components of a long-term vision for securing U.S. national information assets and infrastructure. The security best practices outlined in M-21-31 align closely with the guidance in National Institute of Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management, which is being revised to incorporate the objectives established by the EO 14028 mandate.
The mandates are likely to continue undergoing revisions and additional development, producing a continuously emerging set of compliance objectives to be met on an ongoing basis.
Aggressive timeline demands novel approach, broad automation
EO 14028 and OMB M-21-31 set forth an aggressive timeline for Federal agencies to achieve and demonstrate compliance with the newly established provisions: within 60 days of the memorandum’s August 2021 issuance, agencies had to assess their maturity against the EL model; within one year they must reach EL1 (Basic); within 18 months, EL2 (Intermediate); and within two years, EL3 (Advanced). The mandates are expected to evolve over time, producing additional provisions and reporting obligations that will increase the compliance burden on any organization that fails to implement data-driven compliance automation as the foundation of a mature compliance and risk management program.
Q-Compliance, Qmulos’ flagship solution, enables automated enterprise-wide compliance with the seven-step NIST Risk Management Framework (RMF, SP 800-37 Rev. 2), NIST SP 800-53, the NIST Cybersecurity Framework (CSF), CMMC, SOX, PCI DSS, NERC CIP, and the NIST Cybersecurity Framework Ransomware Profile (NISTIR 8374).
Q-Audit, Qmulos’ Splunk-powered real-time audit software, enables enterprises to meet the most stringent audit requirements and supports many of the OMB M-21-31 requirements out of the box.
The Qmulos platform is easily leveraged to accommodate the new compliance objectives, delivering defensible compliance on the timetable established by the EO.
Q-Compliance and Q-Audit by Qmulos offer broad out-of-the-box coverage of the M-21-31 logging objectives, with user-friendly visualizations of control maturity metrics and validation of the underlying source data.
Appendix A – Visual Sneak Peek into How the Qmulos Product Suite Assists with M-21-31
Qmulos delivers revolutionary Converged Continuous Compliance
Unlike legacy Governance, Risk, and Compliance (GRC) applications, the Qmulos Product Suite is built on Splunk, a leading big data analytics platform. Through this partnership, our solutions disrupt the legacy IT compliance and risk management models, demonstrating to CISOs that leveraging big data for compliance is the most effective way to improve real operational security. Instead of running separate and siloed operational security and compliance functions, organizations can finally combine their respective budgets and resources and align them toward one common goal: better enterprise security.
Qmulos uses big data analytics as the core foundation of its product suite. Accordingly, the platform is equipped to handle emerging compliance obligations, providing on-demand access to near-real-time, fine-grained data about the state of enterprise controls and delivering intelligent insights in support of risk management and compliance decisions across the enterprise.
The Qmulos Product Suite delivers its automated capabilities by:
- Using Splunk as the central repository for all relevant security and compliance data, ensuring ready access for current and future analytic and reporting use cases;
- Parsing and contextualizing that data so it is easy to digest from a compliance, risk, and security perspective; and
- Applying hundreds of pre-built analytics that automate control pass/fail determinations, support Authorizations to Operate (ATOs), and drive other tasks that ultimately improve operational security.
Appendix B – Qmulos coverage of M-21-31 logging maturity reporting objectives
| M-21-31 Event Logging Objective | Qmulos Q-Compliance, mapped to NIST SP 800-53 Rev. 5 | Qmulos Q-Audit, mapped to ICS 500-27 |
|---|---|---|
| Identity & Credential Management | AC-02, IA-02 | |
| Privileged Identity & Credential Management | AC-02, IA-02 | Admin Access, Privilege Escalation |
| Network Device Infrastructure (Access, Authorization, and Accounting) | | Built-in Q-Audit dashboards |
| Operating Systems – Windows Infrastructure and Operating Systems | | Built-in Q-Audit dashboards |
| Operating Systems – BSD (Linux) | | Built-in Q-Audit dashboards |
| System Configuration and Performance | Continuous Monitoring | |
| Authentication and Authorization | AC, IA | Admin Access, Privilege Escalation, User & Group Management |
| Email Filtering, Spam, and Phishing | SI-08(02) | |
| Anti-Virus and Behavior-Based Malware Protection | SI-03 | |
| Network Device Infrastructure (for Devices with Multiple Interfaces: Interface MAC – If Correlated to the De-NAT IP Address) | AC-04, CM-07, SC-07 | |
| Vulnerability Assessments | RA-05, CM-08, SE-02, CM-07 | |
| Virtualization System | | Built-in Q-Audit dashboards |
| Container – OS | | Built-in Q-Audit dashboards |