EO 14028 uncertainty offers opportunities in event logging, zero trust (Part 1 of 2)

By Ryan Nelson, Market Intelligence Manager

The Executive Order on Improving the Nation’s Cybersecurity, along with timelines and compliance guidance from the Office of Management and Budget (OMB), is causing some confusion among agencies as to what actually constitutes compliance. Agencies have requested significant funding for zero trust architecture (ZTA) and event logging (EL) requirements in the Executive Order, often around $25 million per agency to achieve both goals.

Vendors that can help agencies comply with the order and meet OMB’s timelines will be of extreme interest to these organizations.


Signed on May 12, 2021, EO 14028 contains specific directives to achieve improve agency visibility on network activity and cybersecurity. The Office of Management and Budget (OMB) then released clarifying guidance in memos to define what agencies must accomplish. These include:

  • OMB 21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents
  • OMB 22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

EO 14028 requires agencies to determine their strategy for achieving a zero trust architecture within 60 days of release, while OMB 22-09 requires specific security goals be achieved by the end of FY24.

In support of this order, Congress in FY22 funded cybersecurity spending above the Presidential budget request numbers. The FY23 budget increases cybersecurity spending by 11%, up to $11B for non-DoD cybersecurity. The expectation is that funding for ZTA and EL2 will be approved, although it is unclear as to when that approval will come.

Event logging requirements

In the August 2021 OMB 21-31 memo, OMB establishes a maturity model for logging and managing cyber events. Under the timeline for the model, agencies are to achieve Event Logging Tier 1 maturity within a year of the memo’s release date, with Tier 2 (EL2) maturity no more than six months later (February 2023). EL3 maturity is expected to be achieved later in 2023

The so-called “Intermediate” EL2 rating includes several parameters, including:

  • Meeting EL1 maturity level
  • Intermediate logging categories
  • Publication of standardized log structure
  • Inspection of encrypted data
  • Intermediate centralized access

Which agencies own responsibility?

OMB 21-31 also makes the Cybersecurity and Infrastructure Security Agency (CISA) responsible for certain actions. The agency is to deploy teams to advise agencies in their assessment of logging capabilities. Additionally CISA is to coordinate with the FBI to develop and publish tools to help agencies assess their respective levels of event logging maturity.

The Department of Commerce is also responsible for certain actions. Among those is an expectation that the agency will work with CISA and the FBI on continued maintenance for National Institute of Standards and Technology Special Publication 800-92 (SP 900-92 – A Guide to Computer Security Log Management). They are also responsible for incorporating requirements for logging, log retention, and log management in the next revision of SP 800-92 (and other relevant publications).

Bottom line

Here’s the bottom-line opportunity: Even though event logging requirements are discussed in the memorandum, some agencies are still unclear about exactly what achieves compliance with the standards. Additional OMB clarification is still expected. Vendors should continue to monitor developments in this area closely, to properly position their technology and expertise as more clear guidance becomes available.

In the second part of this series, we’ll examine the requirements for zero trust authentication under the EO.

Interested in keeping up on the latest IT trends in public sector? Subscribe to immixGroup’s Government Sales Insider blog now!

Need help with your FY23 growth strategy? See how our Market Intelligence team can help you define your targets.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: