Implementing the OMB 21-31 Memorandum

The Russia–Ukraine conflict has significantly intensified the cyberthreat landscape. As state-sponsored threat actors collaborate with financially motivated cybercriminals to launch targeted cyberattacks against critical infrastructure, the cyberthreat landscape has become a free-for-all arena. As a result, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an official advisory regarding active reconnaissance activities conducted by Russian state-sponsored threat actors against critical industries, including the defense industrial base (DIB) and the energy industry.

Thus far, the common denominator for active reconnaissance activities involves threat actors scanning sensitive networks for systems vulnerabilities that can be easily exploited. As a result, organizations were advised to enhance the resilience of their cyberthreat identification, investigation, and remediation processes.

To further strengthen the investigative and remediation processes and provide the federal government with increased visibility before, during, and after a cybersecurity incident, President Biden signed Executive Order 14028, which focused on institutionalizing systems logging requirements for U.S. government agencies and companies handling sensitive federal government data. As a result, the Office of Management and Budget released Memorandum 21-31 to meet the requirements outlined in Executive Order 14028.

The purpose of the OMB 21-31 memorandum

Following the SolarWinds security incident, the U.S. sought to formally articulate the importance of maintaining a proactive posture in cybersecurity operations, especially when dealing with data and systems with national security implications. One of the issues associated with the SolarWinds incident was poor log management. Therefore, one of the purposes of the OMB 21-31 memorandum is to establish a maturity model for log management.

This memorandum provides detailed requirements for how government agencies and cleared defense contractors should implement specific systems logging operations to formulate a preventive approach to cybersecurity. In addition, the memorandum introduces a maturity model to guide the implementation of requirements across four event logging (EL) tiers.

According to OMB 21-31, organizations must assess their maturity levels against the maturity model highlighted in the OMB 21-31 memorandum. By performing the maturity evaluation, an organization will identify resourcing and implementation gaps associated with completing the implementation requirements for each EL tier.

Below is a summary of the four EL tiers:

Event Logging Tier | Rating        | Description
EL0                | Not Effective | Logging requirements of highest criticality are either not met or are only partially met.
EL1                | Basic         | Only logging requirements of highest criticality are met.
EL2                | Intermediate  | Logging requirements of highest and intermediate criticality are met.
EL3                | Advanced      | Logging requirements at all criticality levels are met.

These EL tiers will help agencies direct their resources toward critical activities to achieve full compliance without unnecessary delay in implementation. An organization should prioritize its compliance activities by focusing first on high-impact systems and high-value assets (HVAs).

Understanding the requirements for each tiered level

Tier EL0 – Not Effective

At this level, an organization has not met the following requirement:

  1. Ensuring that the required Logs categorized as Criticality Level 0 are retained in acceptable formats for specified timeframes.

Tier EL1 – Basic

Tier EL1 contains most requirements for the subsequent EL2 and EL3 Tiers. The goal is to meet the implementation and centralized access requirements. Each event log must contain an accurate timestamp, status code, device identifier, transaction ID, source, destination IP, additional headers, etc.

Consistent timestamp formats enable accurate and efficient event correlation and log analysis, while event forwarding is crucial for security operations center (SOC) analysts to obtain events from remote devices, for instance for security information and event management (SIEM) analytics. Therefore, Tier EL1 also includes requirements for user behavior analytics to enable traps to detect disruptions in the data stream.

At this level, an organization has met all of the following criteria:

  1. Basic logging categories.
  2. Minimum logging data.
  3. Event forwarding.
  4. Protection and validation of log information.
  5. Presence of passive DNS.
  6. Adherence to CISA and the FBI’s log access requirements.
  7. Logging orchestration, automation, and response (for the planning phase).
  8. User behavior monitoring (for the planning phase).
  9. Basic centralized access.
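
As an added illustration (not taken from the memorandum or from LogRhythm), the following Python sketch checks events for the minimum fields named above, normalizes timestamps to UTC for correlation, and flags sources that have gone silent. The key names, the 15-minute silence threshold, and the sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Key names are assumptions for this example; the text above names the concepts only.
REQUIRED = ("timestamp", "status_code", "device_id", "transaction_id",
            "source_ip", "destination_ip")

def normalize_ts(value):
    """Parse an ISO 8601 timestamp and return it in UTC; reject offset-less values."""
    ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return ts.astimezone(timezone.utc)

def audit(events, now, max_silence=timedelta(minutes=15)):
    """Return ({event index: problems}, [devices silent longer than max_silence])."""
    problems, last_seen = {}, {}
    for i, ev in enumerate(events):
        issues = [f"missing {k}" for k in REQUIRED if ev.get(k) in (None, "")]
        ts = None
        if "missing timestamp" not in issues:
            try:
                ts = normalize_ts(ev["timestamp"])
            except ValueError as exc:
                issues.append(f"bad timestamp: {exc}")
        if issues:
            problems[i] = issues
        dev = ev.get("device_id")
        if ts is not None and dev:
            last_seen[dev] = max(ts, last_seen.get(dev, ts))
    silent = sorted(d for d, ts in last_seen.items() if now - ts > max_silence)
    return problems, silent

# Constructed sample events (documentation IP ranges, made-up device names).
BASE = {"status_code": 200, "transaction_id": "t-1001",
        "source_ip": "192.0.2.10", "destination_ip": "198.51.100.5"}
EVENTS = [
    {**BASE, "timestamp": "2022-03-01T12:00:00Z", "device_id": "fw-01"},
    {**BASE, "timestamp": "2022-03-01T07:20:00-05:00", "device_id": "web-02"},
    # No UTC offset and an empty transaction ID: both are reported.
    {**BASE, "timestamp": "2022-03-01 12:21:00", "device_id": "web-02",
     "transaction_id": ""},
]
NOW = datetime(2022, 3, 1, 12, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    problems, silent = audit(EVENTS, NOW)
    print("field/timestamp problems:", problems)
    print("silent sources:", silent)
```

An event whose timestamp cannot be placed in UTC does not count as a sighting of its source, so a device emitting only malformed records still surfaces as silent once the threshold passes.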

Tier EL2 – Intermediate

Whereas the primary purpose of EL1 is to set a standard for most critical data sources and assets, the intermediate level Tier EL2 sets a higher standard to match the increased sophistication of cyber threats. A thorough inspection of encrypted data is necessary for detecting attacks hidden in trusted encrypted protocols. For this purpose, agencies must retain and store the collected information or metadata in clear text form and according to the directives.

In addition, agencies must follow the zero trust principle regarding least privilege access, reducing attack surface, and guidance on zero trust architecture. Therefore, at this tier level, an organization has met all of the following requirements:

  1. Adherence to EL1 maturity level.
  2. Intermediate logging categories.
  3. Publication of standardized log structure.
  4. Inspection of encrypted data.
  5. Intermediate centralized access.

Tier EL3 – Advanced

Although the deadline for completing all Tier EL3 requirements is 2023, early planning and preparation are essential. Meeting the needs of Tier EL3 will help agencies establish a much more robust approach to detection and response to the advanced threats of today’s world.

Leveraging the logging requirements, agencies must monitor all user and non-user accounts with the help of user behavior analytics. This measure helps organizations recognize compromised user credentials, devices or systems, unauthorized asset access, lateral movement of threat actors, and more. The OMB 21-31 Memorandum integrates application container security, operations, and management to modernize federal security infrastructure.

Compliance with Tier EL3 means that required logs across all criticality levels are accessible to the highest-level security operations at the head of each agency. At this tier level, an organization has met all of the following requirements:

  1. Completion of EL2 maturity level.
  2. Advanced logging categories.
  3. Logging orchestration, automation, and response (for final phase implementation).
  4. User behavior monitoring (for final phase implementation).
  5. Application container security, operations, and management.
  6. Advanced centralized access.

Benefits of partnering with LogRhythm for OMB 21-31 implementation

Federal agencies do not have the time to experiment with services: they must implement technologies that deliver high-quality, out-of-the-box support that meets all the outlined requirements. LogRhythm is an organization’s solution for achieving EL1 to EL3 compliance. The LogRhythm SIEM Platform can aid federal agencies in meeting these requirements via log management, user and entity behavior analytics (UEBA), security orchestration, automation, and response (SOAR). These are all rolled into a single out-of-the-box, end-to-end security operations platform that allows LogRhythm to fulfill all OMB 21-31 requirements.

LogRhythm’s customizable content, such as playbooks for various use cases and threat scenarios, enables agencies to meet the deadlines laid out in the memorandum. With LogRhythm’s MDI Fabric — containing over 1,000 out-of-the-box correlation rules — necessary metadata is pulled from raw logs while maintaining the original, raw structure. Time normalization is performed upon log ingestion. Additionally, data is protected with a digital chain of custody, and playbooks are coupled with LogRhythm’s security operational maturity model to help federal agencies through the SOAR and UEBA processes.

How is LogRhythm assisting organizations in meeting OMB 21-31 requirements?

Before implementing the log management requirements in OMB 21-31, an organization should analyze its infrastructure to ensure alignment with the logging requirements. When evaluating your infrastructure for compatibility with OMB 21-31 logging requirements, LogRhythm provides cost-effective services in several programming languages, customizable automation, and prolonged guidance when navigating the tools.

Below are some ways LogRhythm’s capabilities help organizations meet the OMB 21-31 implementation deadline.

  • Basic centralized access: LogRhythm serves as an aggregator for all logs and events by quickly ingesting more than 550,000 MPE Rules to identify and extract meaningful information. Silent Log Source Detection is offered on an individual log source level to alert when data is no longer being sent, thus removing traps to detect data disruptions.
  • Logging orchestration, automation, and response: LogRhythm provides several out-of-the-box agencies that must implement automation and response (SOAR) capabilities and a security operations maturity model that assists in mapping out each step of the planning and implementation process within OMB 21-31.
  • Inspection of encrypted data: LogRhythm can ingest over 950 log source types to quickly and easily search and correlate any data point in the metadata. Raw logs, metadata, and total traffic are stored for easy data access.
  • All-in-one MDI offering: LogRhythm’s MDI solution classifies, parses, extracts, and contextually structures every log message. This automated process extracts all required logging data and provides deep intelligence into all out-of-the-box log sources.
  • Datalog validation: among other controls, LogRhythm leverages a cryptographic hash and compresses logs in a non-proprietary format to protect log integrity, providing tamper-proof validation should raw log data need to be restored. All data collected by the data processor is archived with the digital chain of custody. A raw log with limited metadata is written to the archive storage tier, and a raw log with all metadata is written to the indexed data tier.
  • Datalog storage capabilities: unlike its competitors, LogRhythm offers different timelines for data log storage. By scaling different system parts, LogRhythm can support different amounts of active storage and archive depending on a customer’s need.
  • Application container security, operations, and management: LogRhythm centralizes access to the raw logs and metadata of container logs and events that have been directly sent. LogRhythm’s Analyst Workflow and AI Engine allow analysts to establish normal baselines from the centralized data quickly.
  • User behavior monitoring: LogRhythm’s Security Operation Maturity Model streamlines the finalization and implementation of User Behavior Monitoring per OMB 21-31 guidelines. Each step is carefully planned, managed, and implemented with a clear history of how each use case has been placed live into the production environment. It leverages machine learning and artificial intelligence techniques to detect anomalous user actions and help combat advanced threats.
  • Log event forwarding: LogRhythm accomplishes real-time collection by leveraging agent-based and agentless log collection architecture. LogRhythm’s agents provide local, agent-based, or remote, agentless machine data collection (log messages, security events, and flow data).
    • Per OMB 21-31 reporting requirements, LogRhythm’s event log forwarding capability ensures that raw logs and metadata are collected in real-time and forwarded to designated Log Forwarding and Scheduled Reporting Agencies upon request, consistent with applicable law. This event log forwarding capability complies with the host organization and any U.S. government agency.

LogRhythm vs. other SIEM solutions

A brief comparison of LogRhythm and its competitors is provided below. However, implementing any cybersecurity-related regulation or mandate can be tedious, expensive, and complex. Often, many organizations fail to comply with essential regulations because they cannot find a trusted cybersecurity partner capable of deploying specific requirements without breaking the bank.

Below are a few reasons why LogRhythm is well-positioned — unlike competitors — to collaborate with your organization in seamlessly deploying OMB 21-31 requirements at each tier level.

  • Flexible deployment options

LogRhythm provides flexible deployment options to serve your organization’s goals and environment best. It offers a SIEM experience that is adaptable and as simple as a SaaS solution. In addition, you can deploy the LogRhythm SIEM solution on-premises through a managed security service provider.

  • AnalytiX

LogRhythm AnalytiX renders log management features to centralize log data and apply a consistent schema across every data type. As a result, you can quickly search your organization’s data to answer critical questions, troubleshoot operation issues, and identify security events. It also offers simple visualizations and dashboards.

  • Pricing

LogRhythm provides flexible pricing and licensing models. The unlimited pricing option ensures that a specific price is locked in for up to 36 months, thus preventing overspending on the organizational budget. On the other hand, other competitors’ prices are based on an organization’s headcount. Therefore, the headcount and price point needed for competitors to help an organization implement OMB 21-31 requirements are usually three to four times higher than LogRhythm’s threshold.


Organizations following the traditional compliance models and relying upon manual control validation or periodic reporting find the new logging mandates imposed by the M-21-31 memorandum challenging. Correct, relevant, and timely data about the maturity of security telemetry and log management infrastructure is necessary for organizations to evaluate their enterprise security monitoring and reporting capabilities. The Presidential Executive Order aims to improve the security of Federal assets, supply chain, and networks and set up compliance and effectiveness standards for risk management programs. M-21-31 addresses the requirements and guides the implementation process, enabling organizations to identify and respond to cyberthreats effectively.

The OMB 21-31 memorandum addresses more than an organization’s current defensive posture and response capabilities. It establishes a maturity roadmap and sets objectives to improve threat visibility and incident response effectiveness, aligning it with the long-term goal of securing the national information assets and infrastructure of the United States. As the mandates evolve, organizations failing to implement data-driven automation will face an increasing burden of compliance programs.

However, with LogRhythm, organizations can meet and comply with the newly established federal directives with minimal effort. The single all-in-one, end-to-end security operations platform, comprising the LogRhythm SIEM Platform, UEBA, and SOAR, enables federal agencies to fulfill their specified deadlines. In addition, with flexible deployment options, customized pricing, and comprehensive log management features, LogRhythm is well-positioned to collaborate with organizations and deploy the specific requirements of the OMB 21-31 memorandum at each tier level.

LogRhythm simplifies the tedious, expensive, and complex process of implementing any cybersecurity-related regulation. It acts as a central aggregator for logs and inspects encrypted data for abnormalities. It also uses artificial intelligence and machine learning to detect anomalies and combat advanced threats. As a result, organizations can leverage the multi-faceted benefits of associating with LogRhythm to comply with the OMB 21-31 memorandum and thoroughly secure their assets and cyber ecosystem.