FedRAMP Guidance for M-21-31 and M-22-09
July 14 | 2023
In accordance with Section 8 of Executive Order (EO) 14028 “Improving the Nation’s Cybersecurity”, the U.S. Office of Management and Budget (OMB) released Memorandum 21-31 “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents” (M-21-31). The EO directs agencies to improve their cybersecurity practices through the identification of existing or development of new standards, tools, best practices, and other guidelines. Section 8 focuses primarily on the system logs for both services implemented on servers within the authorization boundary and services deployed on Cloud Service Offerings (CSOs).
Section 8 of the EO also directs federal agencies to offer more specific instructions for all service providers. M-21-31 fulfills that requirement, and offers additional guidance to agencies around logging, log retention, and log management. Within this guidance, there are four maturity tiers identified, as well as timelines for agencies to mature to certain tiers by certain dates.
FedRAMP Applicability
FedRAMP, in consultation with OMB, assessed that M-21-31 does not apply directly to CSP offerings (unless that CSP is a government system); however, FedRAMP authorized CSOs must comply with M-21-31 by supporting agency implementations within the cloud offering. These requirements are reflected in the FedRAMP Rev. 5 baselines (specifically AC-4 (4), AU-11, and SI-4 (10)).
Additional Guidance
Further guidance for agencies is included in the bullets below extracted from Section 3 of OMB Memorandum 22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”, which is related to and references M-19-26 and M-21-31.
OMB M-19-26 and OMB M-21-31 – Alternatives to network inspection
- Current OMB policies neither require nor prohibit inline decryption of enterprise network traffic. Agencies are expected to balance the depth of visibility they need with the risks presented by broadly trusted network inspection devices.
- Network traffic that is not decrypted can and should still be analyzed using visible or logged metadata, machine learning techniques, and other heuristics for detecting anomalous activity. This is consistent with the Trusted Internet Connection (TIC) initiative, as updated in OMB Memorandum M-19-26, which gives agencies the flexibility to maintain appropriate visibility without needing to perform inline traffic decryption.
- OMB Memorandum M-21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents”, describes required fields that agencies must log consistently throughout their enterprise, including packet capture logs. M-21-31 does not require full traffic inspection, but specifies fields that should be captured when such inspection is in place. M-21-31 describes this conditional requirement:
- If agencies perform full traffic inspection through active proxies, they should log additional available fields as described in Appendix C and can work with CISA to implement these capabilities. If agencies do not perform full traffic inspection, they should log the metadata available to them.
Please email info@fedramp.gov if you have any questions.