WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD) and Microsoft announce today further progress in ensuring that Federal Civilian Executive Branch (FCEB) agencies have access to necessary logging capabilities. Over the past six months, Microsoft has worked closely with CISA, OMB, and ONCD to roll out expanded logs to a pilot group of agencies. Beginning this month, expanded logging will be available to all agencies using Microsoft Purview Audit regardless of license tier.
As described in CISA’s Secure by Design guidance, all technology providers should provide “high-quality audit logs to customers at no extra charge or additional configuration.” Today’s announcement is a further step in this direction. Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days. Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by OMB Memorandum M-21-31.
To help agencies more effectively use available logs to detect and remediate cyber threats, CISA has developed a new Expanded Cloud Log Implementation Playbook in close coordination with Microsoft, which provides further detail on each newly available log and how these logs can be used to support threat hunting and incident-response operations.
“Last summer, we were glad to see Microsoft’s commitment to make necessary logging available to federal agencies and the broader cybersecurity community. I am pleased that we have made real progress toward this goal,” said CISA Executive Assistant Director for Cybersecurity Eric Goldstein. “We look forward to continued progress with our partners to ensure that every organization has access to necessary security logs– a core tenet of our Secure by Design guidance in support of the National Cybersecurity Strategy. Every organization has the right to safe and secure technology, and we continue to make progress toward this goal.”
“As the federal government continues our transition to cloud environments, we must ensure we are following secure-by-design and secure-by-default principles,” said Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director. “The upgraded logging features now available to Microsoft’s government community cloud customers will provide greater visibility, and enable our network defenders to enhance their threat detection capabilities.”
“We recognize the vital importance that advanced logging plays in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks from well-resourced, state-sponsored actors. For this reason, we have been collaborating across the federal government to provide access to advanced audit logs,” said Candice Ling, Senior Vice President, Microsoft Federal. “Microsoft will continue to play a critical role in partnering with the federal government to reinforce our commitment to secure by design and further enhance the security baseline of our nation.”
In July 2023, a federal agency observed suspicious, unexpected activity in unclassified Microsoft 365 audit logs and reported it to Microsoft and CISA. The agency detected the activity using one of the logs Microsoft is expanding access to with this announcement. The importance of having critical cybersecurity logs that provided timely information was clearly demonstrated by this incident. CISA continues our work to ensure every organization has access to key security data by default so they can better defend their networks from malicious cyber actors.
For more details on this announcement, read Microsoft’s blog and visit CISA’s Secure by Design webpage for more information.
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.