Is your federal agency confused and wondering how you are going to meet the 72-hour Packet Capture (PCAP) requirements outlined in Office of Management and Budget (OMB) memo M-21-31? If so, then you are not alone. I get several calls a month from various agencies looking for market research on how other government agencies are going about meeting the guidelines and requirements outlined in the memo. There still seems to be a lot of confusion on what the actual requirements are. Reading through and understanding the memo is a daunting task to say the least and it’s easy to jump to the idea that every packet from every corner of your enterprise must be inspected and saved for 72 hours. I don’t believe this to be true but let’s review the facts.
Here is a little background brief on the memo. The Biden administration issued an Executive Order (EO) 14028 titled “Improving the Nation’s Cybersecurity” in May of 2021 after the now famous SolarWinds breach. The breach started when hackers broke into the SolarWinds systems and added malicious code into the company’s software. The code created a back door to its customer’s information technology systems, which hackers then used to install additional malware that helped them spy on companies and agencies. The EO requires federal agencies to improve their Cybersecurity investigative and remediation capabilities to help deal with these ongoing and everchanging cyber threats.
Shortly after EO-14028 was published, OMB began to send additional guidance and clarification of the EO through memos such as OMB M-21-31. OMB M-21-31 was published August 27th, 2021 and establishes a maturity model and outline of the requirements to log, retain, and manage logs, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC). Table 1 below summarizes the OMB M-21-31 maturity model. These tiers help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access. The requirements for each of the higher tiers is inclusive of the requirements from the lower tier. In other words, all requirements from each tier must be met before moving on to the next tier. There are specific timeframe requirements specified for each of the maturity tiers and full compliance should be realized within 24 months of the OMB M-21-31 publication date.
|Event Logging Tiers
|Logging requirements of highest criticality are either not met or are only partially met.
|Only logging requirements of highest criticality are met.
|Logging requirements of highest and intermediate criticality are met.
|Logging requirements at all criticality levels are met.
Table 2 below shows the specific log categories from Appendix C of OMB M-21-31 where PCAP is specially mentioned as an acceptable log format for each of the logging tiers above.
|Criticality/Event Logging Tiers
|Network Device Infrastructure (General Logging)
|IDS / IPS / NTA / NDR / SIEM Logs • API Activity Logs • Authentication Logs • Firewall Logs • Web Proxy/WAF Logs • Service Metrics • Network Flow Logs • Remote Access/VPN Logs • System/OS Logs • DLP Logs • DNS Query/Response Logs
|Cloud Environments (General Logging)
|IDS / IPS / NTA / NDR / SIEM Logs • API Activity Logs • Authentication Logs • Firewall Logs • Web Proxy/WAF Logs • Service Metrics • Billing Data • Flow Logs • Remote Access/VPN Logs • System/OS Logs • DLP Logs • DNS Query/Response Logs
|Web Applications • URL • Headers • HTTP Methods -Request with Body of Data14 • HTTP Response with Body of Data
|Packet Capture of Plaintext HTTP Request and response with Data.
|Full Packet Capture Data • Decrypted Plaintext • Cleartext
Once you dig deeper into the requirements, it quickly becomes apparent that when PCAP is used to fulfill the log requirements for a specific log category the full packets must be retained for a minimum of 72 hours. This sounds daunting; however, keep in mind that PCAP was only identified as being a valid file format for 4 of the numerous log categories and in each of those instances they refer to unencrypted traffic. This is shown in Table 2 above. Why is this important? It’s important because it’s assumed that in a modern IT environment only ~20% of all the network traffic is unencrypted. This makes the 72-hour PCAP requirement much more manageable, but why did they not mention encrypted traffic?
Well, they did, it’s just not immediately clear. Under the EL2 Stage description there are requirements for the inspection of encrypted data. Table 3 below shows the exact description of this requirement.
|Inspection of Encrypted Data
|Federal agencies shall retain and store in cleartext form the data or Encrypted Data metadata from Appendix C that is collected in their environment. If agencies perform full traffic inspection through active proxies, they should log additional available fields as described in Appendix C and can work with CISA to implement these capabilities. If agencies do not perform full traffic inspection, they should log the metadata available to them. In general, agencies are expected to follow zero-trust principles concerning least privilege and reduced attack surface, and relevant guidance from OMB and CISA relating to zero-trust architecture.
This requirement clearly indicates that if agencies do not perform full traffic inspection, they should log the metadata available to them. I read this requirement to mean that if full unencrypted traffic inspection cannot be performed then all the metadata derived from the encrypted traffic inspection should be logged through other means; therefore, there is a requirement to analyze/inspect the encrypted traffic just not store the actual packets for 72 hours.
This understanding of the requirements leads me to believe that OMB did not intend for every packet within the enterprise to be stored for 72 hours as some agencies believe. It’s just not feasible. However, it’s clear that OMB does expect every agency to have a robust PCAP solution that is capable of cyber threat detection on both encrypted and unencrypted traffic, while storing the unencrypted packets for a minimum of 72 hours.