OMB Memo M-21-31 — Federal Cyber Incident Response & Log Retention
OMB Memorandum M-21-31 ("Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents," August 27, 2021) addressed one of the most consequential gaps exposed by the SolarWinds hack: when CISA and FBI tried to investigate the breach, many federal agencies could not tell investigators what had happened on their networks because they lacked adequate logging — the audit trail of system events that makes forensic investigation possible. The attackers had been present in federal networks for months; without complete logs, agencies could not determine what data was accessed, what systems were compromised, or how the attackers moved laterally once inside.
M-21-31 implements Executive Order 14028 (May 12, 2021), which required OMB and CISA to develop requirements for federal agencies to improve log collection and retention. The memo establishes a tiered maturity model for event logging, specifies minimum retention periods at each tier, requires agencies to give CISA and FBI access to logs in the course of incident investigations, and sets a target timeline for all federal agencies to reach the highest logging tier. It is the operational playbook for federal cyber forensics — ensuring that the next major breach can actually be investigated.
Legal Authority
- 44 U.S.C. § 3554 — FISMA; requires each agency to implement security incident detection, response, and reporting capabilities; incident investigation and log retention are FISMA security controls
- 44 U.S.C. § 3553 — Requires CISA to assist agencies with incident response; authorizes CISA to access agency information to protect federal systems; M-21-31 operationalizes agencies' obligation to provide CISA with log access during investigations
- Executive Order 14028 (May 12, 2021) — "Improving the Nation's Cybersecurity"; directed OMB and CISA to develop requirements for federal agencies to improve event logging collection and retention; M-21-31 implements this EO directive
- OMB Memorandum M-21-31 (August 27, 2021) — Establishes the Event Logging (EL) maturity model (EL0-EL3), the minimum log retention requirement (12 months in active storage, then 18 months in cold storage), agencies' obligation to provide log data to CISA and FBI on request during investigations, and the staged timeline for agencies to reach EL1, EL2, and finally EL3
Key Mechanics
M-21-31 establishes a four-level Event Logging (EL) maturity model for federal agencies. Every logging requirement in the memo carries a criticality rating (highest, intermediate, or lowest), and an agency's tier is determined by which criticality levels it fully meets, not by how long it keeps logs. EL0 (Not Effective): highest-criticality requirements are unmet or only partially met; the agency cannot reliably reconstruct what happened during an incident. EL1 (Basic): only the highest-criticality requirements are met, which already includes collecting the core log categories, retaining them for 12 months in active storage (immediately searchable) followed by 18 months in cold storage (archived but retrievable), protecting log integrity, and standardizing timestamps and formats. EL2 (Intermediate): highest- and intermediate-criticality requirements are met, adding centralized log management and broader coverage. EL3 (Advanced, the target tier): requirements at every criticality level are met; logs are centrally collected in a Security Information and Event Management (SIEM) system and the agency can give investigators a complete audit trail across its environment. The deadlines are staged: EL1 within one year of the memo (August 2022), EL2 within 18 months (February 2023), and EL3 within two years (August 2023). Log categories required on the way to EL3 include network flow data, DNS query logs, endpoint process execution logs, authentication events (including privileged access), and web proxy logs. Agencies must provide CISA and FBI with access to relevant logs on request in support of an investigation, consistent with applicable law. Log data must be tamper-resistant: held separately from the systems being logged and protected from deletion by an adversary who compromises a monitored system.
Overview
| Parameter | Value |
|---|---|
| Document | OMB Memorandum M-21-31 |
| Date issued | August 27, 2021 |
| Issuing official | Shalanda Young, Acting Director of OMB |
| Implementing EO | Executive Order 14028 (May 12, 2021) |
| Applies to | All executive branch agencies |
| Target tier | EL3 (highest maturity) for all agencies |
| Achievement deadline | Two years from issuance (August 2023) |
| Key partner agency | CISA (Cybersecurity and Infrastructure Security Agency) |
The Event Logging Maturity Model
The centerpiece of M-21-31 is a four-tier event logging maturity model, EL0 through EL3, that grades agencies on whether they meet the memo's logging requirements, each of which carries a criticality rating. The tiers are cumulative and were designed to be reached in stages rather than through a single transformation; the memo directs agencies to use CISA's Continuous Diagnostics and Mitigation (CDM) program capabilities where possible instead of building everything independently.
EL0 — Not Effective: Highest-criticality requirements are unmet or only partially met. The agency may collect some logs, but they are siloed by system, not retained long enough, or not accessible to security teams in time to support an investigation. This was the de facto state of many agencies before M-21-31.
EL1 — Basic: Only the highest-criticality requirements are met. The agency collects the core log categories, retains them for at least 12 months in active (immediately accessible) storage followed by 18 months in cold (archived, retrievable) storage, protects log integrity, and uses a consistent time standard and log format. EL1 agencies can answer basic incident questions but lack the coverage and central access a sophisticated investigation needs.
EL2 — Intermediate: Highest- and intermediate-criticality requirements are met. Log collection is centralized in a SIEM (Security Information and Event Management system) covering most network and endpoint activity. EL2 agencies can support most incident investigations but typically still have coverage gaps in cloud environments or legacy systems.
EL3 — Advanced (Target Tier): Requirements at all criticality levels are met: comprehensive log coverage across on-premises, cloud, and hybrid systems, a centralized SIEM enabling real-time analysis and automated alerting, and the ability to give CISA and FBI access to logs on request during an investigation. EL3 is the tier all agencies were required to reach within two years of issuance (August 2023), after EL1 at one year and EL2 at 18 months.
What Logs Must Be Collected
M-21-31 specifies the categories of events that must be logged as agencies work toward EL3:
Network logs: All DNS queries (what systems are looking up); network flow data showing connections between systems; web proxy logs capturing outbound HTTP/HTTPS requests; firewall allow/deny decisions; VPN connection events.
Endpoint logs: Authentication events (logons, logoffs, failed attempts, account lockouts); process creation and termination; file creation, modification, and deletion in sensitive directories; registry changes (Windows); privilege escalation events; lateral movement indicators (remote service creation, scheduled task creation).
Application and cloud logs: Authentication to cloud services; API calls to cloud infrastructure; changes to cloud configuration (security group modifications, storage bucket permissions); email gateway events (especially relevant for phishing-originated attacks).
Identity and access management logs: Changes to privileged accounts; role assignments; password resets; multi-factor authentication events.
The SolarWinds-specific lesson embedded in M-21-31 is the importance of software supply chain and update mechanism logs: organizations that logged what software was installed and when could trace the SolarWinds-delivered malware to its installation date and scope; those that didn't had to assume worst-case across their entire infrastructure.
CISA and FBI Access Requirements
M-21-31's access provisions are as important as the retention requirements. During a cyber incident investigation, agencies must:
- Provide CISA and FBI with access to relevant logs on request, consistent with applicable law; this obligation comes from Section 8 of EO 14028, and the memo's retention and centralization requirements exist so that the data is still there and reachable when the request arrives
- Provide logs in a format usable by CISA's and FBI's forensic tools — the memo's log-format and time-standard requirements mean an agency cannot claim compliance by handing investigators proprietary formats they cannot parse
- Designate a point of contact responsible for coordinating log access during incidents and notify CISA of that contact within 30 days of M-21-31's issuance
The access requirements address a specific failure mode from SolarWinds: agencies that had logs but couldn't quickly provide them to central investigators, forcing each agency to conduct its own forensic analysis in isolation rather than enabling CISA to build a comprehensive picture of the campaign.
Key Requirements
- Within 60 days: assess current logging maturity against the EL0-EL3 model, identify gaps, and report the result to OMB and CISA
- Within 1 year (August 2022): reach EL1
- Within 18 months (February 2023): reach EL2
- Within 2 years (August 2023): reach EL3, with 12-month active/18-month cold retention, a centralized SIEM, and comprehensive coverage
- Collect the required log categories: DNS queries, network flow, endpoint events, authentication, cloud API calls, IAM changes
- Provide CISA and FBI with log access on request during investigations
- Designate a log access point of contact and report contact information to CISA within 30 days
- Ensure logs cannot be tampered with: implement write-once or otherwise protected log storage, separate from the monitored systems, so an attacker who gains administrator rights on a host cannot rewrite that host's history
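The tamper-resistance requirement above is the one item in this list that describes a technique rather than a deadline, so here is a worked illustration, added to this page and not code from OMB, CISA, or any agency: an append-only log in which each entry commits to the hash of its predecessor and carries an HMAC under a key held only by the collector, never on the monitored host. Editing an entry on the host breaks the chain or the MAC, and a checkpoint of the head hash stored out of band exposes truncation, which a bare hash chain cannot detect. The event fields, the key, the UTC timestamp convention, and the log lines are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev-hash of the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical (sorted, compact) JSON record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ChainedLog:
    """Append-only log. Each entry stores the previous entry's hash, its own hash,
    and an HMAC of that hash under a key that lives on the collector, not on the
    host being monitored (constructed example, not an OMB or CISA artifact)."""

    def __init__(self, collector_key: bytes):
        self._key = collector_key
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),  # UTC assumed
            "seq": len(self.entries),
            "event": event,
        }
        h = _entry_hash(prev, record)
        entry = {
            "record": record,
            "prev": prev,
            "hash": h,
            "mac": hmac.new(self._key, h.encode(), "sha256").hexdigest(),
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; store it out of band as a checkpoint."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: list, collector_key: bytes, checkpoint: Optional[str] = None):
    """Return (ok, index). On failure, index is the first bad entry, or len(entries)
    when the chain is internally consistent but does not end at the checkpoint
    (entries were truncated)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["record"]["seq"] != i:
            return False, i  # gap, reordering, or insertion
        if _entry_hash(e["prev"], e["record"]) != e["hash"]:
            return False, i  # record edited without recomputing the hash
        expected_mac = hmac.new(collector_key, e["hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected_mac, e["mac"]):
            return False, i  # hash recomputed by someone without the collector key
        prev = e["hash"]
    if checkpoint is not None and prev != checkpoint:
        return False, len(entries)  # truncated: chain is valid but stops short
    return True, len(entries)


def demo() -> dict:
    """Build a small log, then show how three tampering attempts are caught."""
    key = b"collector-only-secret"  # constructed; in practice from the SIEM's KMS
    log = ChainedLog(key)
    log.append({"type": "auth", "user": "svc-backup", "outcome": "failure", "src": "10.0.5.23"})
    log.append({"type": "auth", "user": "svc-backup", "outcome": "success", "src": "10.0.5.23"})
    log.append({"type": "process", "user": "svc-backup", "image": "psexec.exe", "host": "fs01"})
    checkpoint = log.head()

    # 1. Intruder edits the failed logon to read as a success but leaves the hash alone.
    edited = copy.deepcopy(log.entries)
    edited[0]["record"]["event"]["outcome"] = "success"

    # 2. Intruder edits the record and recomputes every chain hash, but has no key for the MAC.
    rehashed = copy.deepcopy(log.entries)
    rehashed[0]["record"]["event"]["outcome"] = "success"
    prev = GENESIS
    for e in rehashed:
        e["prev"] = prev
        e["hash"] = _entry_hash(prev, e["record"])
        prev = e["hash"]

    # 3. Intruder deletes the newest entry (the lateral-movement evidence).
    truncated = log.entries[:-1]

    return {
        "intact": verify(log.entries, key, checkpoint),
        "edited": verify(edited, key, checkpoint),
        "rehashed": verify(rehashed, key, checkpoint),
        "truncated_no_checkpoint": verify(truncated, key),
        "truncated": verify(truncated, key, checkpoint),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} ok={result[0]} index={result[1]}")
```

The `truncated_no_checkpoint` case is the one to notice: without the out-of-band head hash the shortened log verifies cleanly, which is why write-once storage or a periodically exported checkpoint has to accompany the hash chain rather than replace it.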
How It Affects You
<!-- pria:personalize type="impact" -->If you work at a federal agency (CISO, SOC, IT operations): M-21-31's EL3 requirement is a significant infrastructure investment. A full SIEM deployment with 12 months of active storage for comprehensive log coverage at a large agency requires substantial compute, storage, and SIEM licensing. Assess your current tier honestly, against the memo's criticality-rated requirements rather than a general sense of coverage; an overstated self-assessment becomes a remediation finding once CISA or your IG tests it. Prioritize: (1) DNS query logging if you don't have it; it is relatively cheap and surfaces a large share of malware command-and-control and exfiltration traffic; (2) centralize logs from your highest-risk systems first (internet-facing, privileged access, cloud); (3) confirm that your logs can actually be handed to CISA and FBI in a usable form; many agencies discovered that their "complete" logs were in formats their own SOC couldn't parse for investigators. CISA's CDM program offers shared tooling; if your agency hasn't enrolled, that is usually the fastest path to compliance.
If you are a federal IT contractor or cybersecurity vendor: M-21-31 created sustained federal demand for SIEM platforms (Splunk, Microsoft Sentinel, Elastic SIEM), log management infrastructure, and security engineering services. Federal SIEM deployments are large, complex, and multi-year — the RFP requirements will specify EL3 compliance, CISA CDM integration, and specific log source coverage. Differentiate on FedRAMP-authorized cloud deployments, CISA CDM compatibility, and ability to ingest from legacy systems that don't generate standard log formats. Log retention storage is also a growing market: 18 months of cold storage for a large agency is significant data volume, and cost-effective archival solutions with rapid retrieval for forensics are in demand.
If you are a researcher, journalist, or oversight professional: M-21-31 creates an accountability framework: agencies must self-assess their logging tier and report to CISA. CISA's annual FISMA report and individual agency FISMA reports include logging maturity metrics. GAO and agency IGs have conducted reviews of M-21-31 implementation; several found agencies significantly behind the EL3 target by the August 2023 deadline. The underlying policy question M-21-31 raises — whether the federal government has the forensic visibility to detect and investigate nation-state intrusions — remains an active oversight concern as of 2026.
<!-- /pria:personalize -->Implementation Status
Implementation against the August 2023 EL3 deadline was mixed. CISA's assessments found that a majority of agencies had improved from their pre-M-21-31 baseline but that many had not reached full EL3 by the target date — particularly for cloud environment logging and cold storage retention. DNS logging was the most widely achieved requirement (relatively low-cost, high-value). Full SIEM deployment with comprehensive endpoint coverage was the most commonly incomplete element.
CISA provided technical assistance and CDM shared services to agencies during the implementation period. Agencies with CISA CDM enrollment could use shared tools rather than procuring separate SIEM platforms.
Relationship to Broader Policy
- FISMA: M-21-31 implements FISMA's continuous monitoring requirements with specific log retention standards; annual FISMA reporting includes M-21-31 compliance metrics
- CISA: CISA is the primary technical partner for M-21-31 implementation, providing CDM tools, technical assistance, and forensic investigation support during incidents
- M-22-09 Zero Trust: M-22-09 moves agencies toward encrypted DNS and HTTPS everywhere, which removes much of the plaintext visibility that network-level logging relied on; agencies implementing zero trust need to shift collection toward endpoint, identity, and application logs so that M-21-31 coverage does not degrade as traffic is encrypted
- NIST Cybersecurity Framework: Log collection and retention map to the "Detect" and "Respond" functions of the NIST CSF; M-21-31 operationalizes those functions with specific federal requirements
Recent Developments
- May 2021 — EO 14028 directed OMB and CISA to develop logging requirements
- August 2021 — M-21-31 issued with EL0-EL3 maturity model and 2-year target timeline
- August 2023 — Target date for all agencies to achieve EL3; many agencies still in progress
- Ongoing — CISA continues to track logging maturity through CDM dashboards; agencies with significant gaps receive additional technical assistance and OMB attention
- 2025 — DOGE-driven workforce reductions at several agencies affected SOC staffing, raising questions about whether reduced security teams can maintain EL3 logging operations; IGs at affected agencies flagged this as a compliance risk