Skip to main content
U.S. flag

An official website of the United States government

M-21-31 compliance

This document outlines how our platform enables cloud.gov customers to comply with logging requirements specified by Executive Order M-21-31. If you have any questions about this document, please contact support@cloud.gov.

EL1 Compliance

Basic Logging Categories

  • Cloud.gov currently retains logs in “active” storage (using ELK) for 6 months (to facilitate frequent use and ease of access), and 18 months in cold storage (using s3).
  • Cloud.gov will meet requirements by updating “active” storage to 12 months.

Minimum Logging Data

Cloud.gov ensures that platform component and application logs contain the minimum required data where possible. Customers are responsible for logging any custom HTTP headers at the application level.

Time Standard

  • Timestamps are currently applied to all logs.
  • Cloud.gov met FedRAMP requirements to use NIST time servers, and will adopt Amazon Time Sync pending FedRAMP approval to use time based on Stratum 1 GPS-based sources.

Event Forwarding

  • All logs are currently forwarded by default to a centralized ELK Stack (Elasticsearch, Logstash, and Kibana), as well as S3, and all data is encrypted in transit.
  • Any customer can use a “log drain” to forward their logs to their agency services.

Protecting and Validating Log Information

  • Event logging is in place for all active system components, and internal alerts are in place for any logging disruptions.
  • Cloud Foundry permissions are in place to keep ELK log viewing to authorized roles.
  • Access to cold storage in S3 is limited to “platform operators” only, based on AWS IAM permissions
  • Log files are protected from unauthorized modifications based on current authentication mechanisms.
  • Logs are streamed continuously both to ELK for live viewing and S3 for cold storage.
  • Cloud.gov will implement Elasticsearch index lifecycle policies to make data indices read-only once they rollover.

Passive DNS

Slated for implementation in 2023 pending availability of OS support and other infrastructure.

Cybersecurity Infrastructure Security Agency (CISA) and Federal Bureau of Investigations (FBI) Access Requirements

Cloud.gov use of S3 for customer logs and AWS CloudWatch for platform logs provides a standard set of tools for log sharing with CISA and law enforcement agencies.

Basic Centralized Access

  • Cloud.gov customers can set up a “Log Drain” which lets customers stream logs to their agency log centralization service.
  • Cloud.gov is leveraging GSA log centralization services and will provide guidance for GSA customers as that matures.

EL2 Compliance

To be outlined at a later date.

EL3 Compliance

To be outlined at a later date.