OMB M-21-31 Logging Compliance
Overview
OMB Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents, was issued on August 27, 2021, under Executive Order 14028 to increase visibility before, during, and after cybersecurity incidents. It defines a maturity model for event logging with three tiers: EL1 (Basic), EL2 (Intermediate), and EL3 (Advanced). Each tier specifies which event categories must be logged, by criticality, and how long the logs must be retained.
Cloud.gov helps agencies inherit EL1 compliance out-of-the-box and simplifies progression to EL2 and EL3 with integrated retention, aggregation, and forwarding features.
What Is M-21-31?
- Purpose: Increase the federal government's ability to investigate and remediate cybersecurity incidents by standardizing logging practices.
- Maturity Model: Three tiers (EL1–EL3) requiring capture of log categories by criticality, centralized access, and advanced analytics and automation.
- Key Requirements:
- Capture specified logs (timestamps, event types, IP addresses, user identities).
- Retain data in acceptable formats for defined timeframes (Appendix C of M-21-31).
- Aggregate logs centrally and monitor for disruptions.
How Cloud.gov Supports M-21-31 Compliance
Built-in Log Retention
- Active Storage: 12 months in Cloud.gov's OpenSearch Service.
- Archive Storage: 18 months in AWS S3.
- Time Synchronization: Uses NIST time servers.
Centralized Log Aggregation
- Default forwarding of all customer logs to a centralized OpenSearch cluster, encrypted in transit and storage.
- Customer Responsibility: If you need to forward logs to your agency's SIEM, create a syslog-TLS log drain with cf create-user-provided-service and attach it to each application with cf bind-service.
Required Log Fields
Cloud.gov automatically captures the following M-21-31 elements:
- Timestamp (UTC)
- Source and destination IPs
- User identity
- Action performed
- Response codes
- Service name
Application-Level Logging
Customer Responsibility: The platform can only forward what your application writes. Ensure your applications write structured JSON logs to stdout/stderr, one object per line, carrying the required fields that the platform cannot infer on its own (user identity, action performed, response code).
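The following is an added example, not Cloud.gov code, showing one way to emit log lines that carry the elements listed above and to audit existing lines for them before you wire up a drain. M-21-31 does not prescribe a JSON schema, so the field names (src_ip, dst_ip, user, action, response_code, service) and the sample lines are assumptions constructed for this example.

```python
"""Emit and audit M-21-31-style JSON log lines.

Added example; not Cloud.gov's code. The field names below are an
assumption (M-21-31 does not mandate a schema); keep whatever names you
choose consistent so the SIEM side can map them.
"""
import json
import re
from datetime import datetime, timezone

# Elements M-21-31 expects per event: timestamp, source/destination IP,
# user identity, action, response code, service name.
REQUIRED_FIELDS = ("timestamp", "src_ip", "dst_ip", "user", "action",
                   "response_code", "service")

# ISO 8601 with an explicit Z suffix; local-time or offset-less stamps fail.
_UTC_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def utc_now():
    """Current time as ISO 8601 UTC with millisecond precision and a Z suffix."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def build_entry(service, src_ip, dst_ip, user, action, response_code,
                timestamp=None, **extra):
    """Return one JSON log line containing every required field.

    Extra keyword arguments (request id, bytes sent, ...) are passed through
    so callers can add context without dropping the mandatory elements.
    """
    entry = {
        "timestamp": timestamp or utc_now(),
        "service": service,
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "user": user,
        "action": action,
        "response_code": int(response_code),
    }
    entry.update(extra)
    # sort_keys + compact separators: stable, one object per line, no spaces
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def check_line(line):
    """Return the problems found in one log line; an empty list means it passes."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return ["not JSON"]
    if not isinstance(entry, dict):
        return ["not a JSON object"]
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in entry or entry[field] in ("", None):
            problems.append(f"missing {field}")
    ts = entry.get("timestamp")
    if isinstance(ts, str) and not _UTC_RE.match(ts):
        problems.append("timestamp not ISO 8601 UTC (Z)")
    return problems


def audit(lines):
    """Audit many lines; returns {line_number: problems} for failing lines only."""
    results = ((n, check_line(line)) for n, line in enumerate(lines, 1))
    return {n: problems for n, problems in results if problems}


# Constructed sample lines: one compliant, one unstructured, one JSON line
# that lacks the user identity and uses a local-time timestamp.
SAMPLE_LINES = [
    build_entry("orders-api", "10.0.1.5", "10.0.2.9", "jdoe@agency.example",
                "POST /orders", 201, timestamp="2024-03-01T12:00:00.000Z",
                request_id="c0ffee"),
    "GET /health 200",
    '{"timestamp":"2024-03-01 07:00:00","src_ip":"10.0.1.5","dst_ip":"10.0.2.9",'
    '"action":"GET /admin","response_code":200,"service":"web"}',
]

if __name__ == "__main__":
    for n, problems in sorted(audit(SAMPLE_LINES).items()):
        print(f"line {n}: {', '.join(problems)}")
```

Run the audit over a sample of what your application actually writes before relying on the platform drain: a plain-text access log or a timestamp without a UTC marker will be forwarded, but it will not satisfy the field requirements once an investigator tries to correlate it with other sources.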
FAQs
Q: Does Cloud.gov fully meet M-21-31 out-of-the-box? A: Cloud.gov provides EL1 support. Agencies must configure log forwarding and application logging to achieve EL2/EL3 maturity.
Q: Can log retention exceed 30 months? A: Yes. Configure custom S3 lifecycle rules or external archiving via log drains to meet longer retention policies.
Q: How do we share logs with CISA or FBI during incidents? A: Cloud.gov supports secure log export to authorized law enforcement and CISA requests.