Government agencies are faced with the challenge of maximizing the effectiveness of their Security Information and Event Management (SIEM) systems while minimizing costs. This webinar will explore innovative approaches to optimizing SIEM technology to enhance performance, increase capabilities, and reduce operational expenses. Join us as we delve into key strategies and best practices for modernizing your SIEM in the government sector, empowering you to stay ahead of cyber threats and safeguard sensitive information in an increasingly digital world.
-
M-21-31 Complexity and a KGS Solution
Challenge
M-21-31 Memorandum is a critical initiative to enhance the visibility of cybersecurity events generated by federal Information Technology (IT) and Internet of Things (IoT) assets, impacting all federal agencies and executive departments. When properly analyzed, this information can detect patterns and trends that significantly enhance Government visibility before, during, and after cybersecurity incidents. This heightened visibility empowers organizations to plan effectively and direct decisive action to bolster their security posture and optimize investigative and remediation capabilities. Capturing millions of daily events and storing them for efficient retrieval can be costly for any enterprise. Given that compliance with most Executive Orders is not optional and additional funding is scarce, this poses a formidable challenge that demands immediate attention.
Building on Executive Order 14028 and the updated National Cybersecurity Strategy, memorandum M-21-31 addresses the specifics in section 8 of the Executive Order. It speaks directly to the logging, retention, and management requirements necessary for each agency’s Security Operations Center (SOC) to have the visibility required to meet the highest levels of capability. These are measured using a maturity model provided in the memorandum. To achieve the highest level of maturity (EL3), organizations must implement a logging strategy incorporating all sources, new compute, and storage to ensure “logging requirements at all criticality levels are met.”
Challenges organizations face:
- Organizations can quickly generate terabytes of logs per day
- Cloud Service Provider fees on compute, transit, and storage can balloon
- Complex SIEM implementations can create vendor lock-in
- Increasing OpEx and CapEx spending
- Capturing all the logging data is insufficient if it cannot be easily recalled and searched
- SIEM licensing fees grow as the organization’s missions and assets grow
Critical M-21-31 Compliance Questions:
- How do federal organizations find a compliant, cost-effective solution to a problem that has grown exponentially and is always changing?
- How can you retain 12 months of active logs and full PCAP aggregated into petabytes of data and keep expenses under control?
- How can federal organizations implement a cost-effective strategy that scales and accounts for the organizational mission dynamics, attack-type changes, and the frequency of investigations?
Solution
Koniag Government Services, LLC (KGS) has created and successfully deployed a solution that met the M-21-31 requirements, placing our customer in the top 2% of all federal Agencies and saving 1.6 million dollars annually. KGS has developed a log collection and vendor-neutral SIEM architecture that cost-effectively addresses M-21-31 requirements. It resolves the ingest and storage challenges while focusing the SIEM on practical security operations use cases and just-in-time analysis for investigations. The following figure depicts a high-level architecture that decouples data ingested from proprietary vendor solutions.
KGS’ Extract, Transform, and Load (ETL) operations strategy solves the problems surrounding the need for multiple vendors, the ever-changing standards across those vendors, and making successful log correlations across multiple formats. An ETL function (or pipeline) takes raw information and applies formatting and other logic to ensure the data loaded into the data lake has been homogenized. The KGS M-21-31 solution leverages the scale and flexibility of the Amazon Web Services (AWS) cloud to handle real-time processing of logs, metrics, traces, and IT and security-relevant data efficiently and cost-effectively. By leveraging cloud Infrastructure as a Service (IaaS) scaling and flexibility along with an object storage data lake, this solution allows our customers to log 200,000 events per second from over 500 unique source types across 20,000 devices and over 70 cloud service providers.
Before M-21-31 was issued, our Government customer spent $1.5M a year in SIEM licensing and AWS costs to meet their security operations and investigative requirements. The agency projected an annual increase of $4.8M to meet the new requirements. The KGS team worked with the technology providers and agency to deliver a solution that met all the new requirements for $3.2M a year, saving our Government client $1.6M a year in SIEM licensing, computing, and storage costs. Additionally, our solution decoupled the SIEM from the data lake. This eliminated the vendor lock-in the agency was experiencing with their SIEM vendor, allowing them to change software providers if desired.
Before introducing the KGS M-21-31 solution, the mean time to restore archived SIEM data (data more than 90 days old) from cold storage was over 45 days, on top of $145,000 in cloud egress and infrastructure costs. This limitation came from slow storage techniques that saved the Agency money by leveraging lower-performance data storage. The KGS solution eliminated this restriction, cutting the restoration time for archived data to minutes.
Another issue the Agency was experiencing with the previous SIEM solution was using regex and scripts as part of the ETL process to homogenize the logging data. This was complex and required programming efforts to address changes whenever any of the 500+ source-type vendors changed log information, which happened more often than was anticipated. The result exposed visibility gaps in the security posture due to a backlog of vendor-driven ETL changes required to keep the system functioning. The KGS M-21-31 solution introduced a modern ETL process and eliminated this complexity, thus preventing a backlog from being created.
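As an added illustration of the homogenizing ETL step described above (example code written for this page, not KGS’ pipeline or any vendor’s product), the following Python normalizes three constructed vendor formats (RFC 5424 syslog with key=value pairs, CEF, and JSON) into one common schema. The schema, the alias table and the sample lines are assumptions; the point it demonstrates is that fields the alias table does not know are retained rather than dropped, and lines that no longer parse are quarantined and counted, so a vendor format change shows up as a measurable gap instead of a silent one.

```python
import json, re
from collections import Counter
from datetime import datetime, timezone
# Common schema every event is homogenized into before it lands in the data lake (assumed).
SCHEMA = ("ts", "source_type", "host", "action", "src_ip", "dst_ip")
# Vendor field names mapped onto the schema (assumed). Keys not listed are kept under
# "extra" instead of being dropped, so a vendor adding a field creates no visibility gap.
ALIASES = {"src": "src_ip", "sourceAddress": "src_ip", "client_ip": "src_ip", "dst": "dst_ip",
           "destinationAddress": "dst_ip", "server_ip": "dst_ip", "act": "action", "action": "action",
           "event": "action", "dvchost": "host", "hostname": "host", "rt": "ts", "timestamp": "ts", "@timestamp": "ts"}
SYSLOG_RE = re.compile(r"^<\d+>1 (\S+) (\S+) \S+ \S+ \S+ \S+ (.*)$")  # RFC 5424 header, then message
CEF_RE = re.compile(r"^CEF:\d+\|(?:[^|]*\|){6}(.*)$")  # 7 CEF header fields, then the extension
KV_RE = re.compile(r"(\S+?)=(\S+)")  # key=value pairs used by the syslog and CEF samples
def to_iso(value):  # ISO 8601 or epoch milliseconds (CEF 'rt') -> UTC ISO 8601
    if str(value).isdigit():
        return datetime.fromtimestamp(int(value) / 1000, timezone.utc).isoformat()
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()

def extract_fields(raw):  # one raw line -> flat vendor-keyed dict, whatever its format
    if raw.startswith("{"):
        return json.loads(raw)
    if m := CEF_RE.match(raw):
        return dict(KV_RE.findall(m.group(1)))
    if m := SYSLOG_RE.match(raw):
        return {"timestamp": m.group(1), "hostname": m.group(2), **dict(KV_RE.findall(m.group(3)))}
    raise ValueError("unrecognized format")

def normalize(raw, source_type):  # map vendor fields onto SCHEMA, keep the rest under "extra"
    record = dict.fromkeys(SCHEMA) | {"source_type": source_type, "extra": {}, "raw": raw}
    for key, value in extract_fields(raw).items():
        (record if key in ALIASES else record["extra"])[ALIASES.get(key, key)] = value
    if record["ts"] is None:
        raise ValueError("no timestamp field")
    record["ts"] = to_iso(record["ts"])
    return record

def run_pipeline(events):  # load what parses; quarantine (never silently drop) the rest; count both
    loaded, quarantined, stats = [], [], Counter()
    for source_type, raw in events:
        try:
            loaded.append(normalize(raw, source_type))
            stats["loaded:" + source_type] += 1
        except ValueError as err:  # json.JSONDecodeError is a ValueError too
            quarantined.append({"source_type": source_type, "raw": raw, "reason": str(err)})
            stats["quarantined:" + source_type] += 1
    return loaded, quarantined, stats

# Constructed sample events (not real agency data): three source types, plus one line whose vendor changed format.
SAMPLE = [
    ("firewall", "<14>1 2024-05-01T12:00:00Z fw01 vpn - - - src=10.0.0.5 dst=10.1.1.2 action=login user=alice"),
    ("waf", "CEF:0|ExampleVendor|WAF|1.0|100|Blocked request|5|rt=1714564800000 dvchost=waf01 src=203.0.113.9 dst=10.1.1.2 act=block newField=x"),
    ("proxy", '{"@timestamp": "2024-05-01T12:00:02+00:00", "hostname": "proxy01", "event": "deny", "client_ip": "10.0.0.7", "server_ip": "198.51.100.4", "bytes": 512}'),
    ("proxy", "May  1 12:00:03 proxy02 proxy: vendor switched to an unannounced format"),
]
```

Running `run_pipeline(SAMPLE)` yields three homogenized records (the CEF `newField` and the JSON `bytes` survive under `extra`) and one quarantined line with the reason `unrecognized format`, plus per-source counters a SOC can alert on.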
The introduction of a modern ETL process also allowed the Agency to, as noted in M-21-31, “provide, upon request and to the extent consistent with applicable law, relevant logs to the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI).” This is possible because the Agency can keep one year of logs in a rapidly accessible format while ensuring the information required to support security operations is in the SIEM for immediate analysis. Other benefits the KGS M-21-31 solution provides our customer are:
- Provided the capability to retrieve data from any source at any time, including SIEM tools such as ArcSight, Syslog, and Splunk
- Created a cloud-based object storage data lake with an easy life cycle policy for long-term storage across any cloud provider, and centralized the data with the necessary correlations
- Centralized the agency SIEM, while creating the flexibility to leave legacy logging systems in place until cutover is ready
- Established ability to replay data from Cloud Object Storage to SIEM to support investigations, sending only relevant data while reducing costs
- Implemented an object storage data lake with one year of logging, which is drastically cheaper than provisioning local or server-attached storage on-premises or through IaaS
- Future-proofed the design by storing data in the data lake in a homogenized format
Conclusion
Identifying behavior patterns by monitoring dashboards and alerts from thousands of systems, network devices, applications, host intrusion systems, threat intelligence sources, and phishing alerts is a complex problem SIEM providers are eager to help agencies solve. M-21-31 represents a significant increase in logging volume, which translates to higher SIEM licensing costs and increased infrastructure expenses. New techniques are required to manage costs and increase the functionality of the SIEM so the visibility required by M-21-31 can be realized. M-21-31 allows agencies to realize goals outlined in Executive Order 14028 by harvesting all required logs and sharing them amongst federal agencies.
Monitoring threats for all the devices and behavior on a network at scale is challenging. Investigating incidents in a reasonable amount of time is critical, and the agency cannot continue to take weeks to review petabytes of information when the technology exists to reduce it to minutes, reduce overhead costs, and prevent vendor lock-in. KGS’ solution shows how it is possible to meet M-21-31 requirements cost-effectively, deal with the dynamic nature of enterprise IT environments, and have the performance required to accomplish the mission and protect an organization.
Acquisition Strategy
KGS and its 28 subsidiaries are ideally suited as the prime contractor to receive a Small Business Administration (SBA) 8(a) directed award following Federal Acquisition Regulation (FAR) 19.804 and 13 Code of Federal Regulations (CFR) 124.503. As an Alaska Native Corporation (ANC) owned business, KGS provides the Federal Agencies with comprehensive capabilities and capacity that includes access to a deep portfolio of technical abilities, personnel, and experience from 2,600+ staff supporting 550+ contracts/tasks spanning technology, consulting, and operations support for defense, national security, health, and civilian agencies.
KGS provides a wide array of technology-focused services, including:
- Software engineering and development
- Artificial Intelligence (AI)/Machine Learning (ML)
- DevSecOps
- Enterprise infrastructure operations
- System and database administration
- System engineering
- Data management
- Cybersecurity
- Cloud modernization
- Intelligence analysis
- Risk management
- Business transformation
- Program management
- Cybersecurity operations
We deliver these services to multiple Government agencies, enabling national security, intelligence, and law enforcement missions. Our processes and service delivery approach uses industry best practices from Capability Maturity Model Integration (CMMI), International Organization for Standardization (ISO) 9001:2015, ISO/IEC 20000-1:2018 Information Technology, Information Technology Infrastructure Library (ITIL), and the Scaled Agile Framework (SAFe) methodologies that have been integrated into our tools and templates. KGS is appraised at CMMI Maturity Level 3 at the corporate level, reinforcing our robust processes, disciplined execution, and commitment to quality delivery support.
KGS subsidiaries possess Top-Secret Facility Clearances. Over 400 staff possess a Top-Secret clearance and over 200 have Sensitive Compartmented Information (SCI) access. Additionally, we are experienced in Special Access Programs (SAPs), Communications Security (COMSEC), and Sensitive Compartmented Information Facility (SCIF) requirements.
-
A&A Automation and a KGS Solution
In the realm of cybersecurity and compliance, the authorization process stands as a critical checkpoint, determining the readiness of systems to operate securely within government agencies and organizations. As technology advancements continue to reshape the digital landscape, the traditional methods of using Excel spreadsheets for assessments and authorizations are proving to be inefficient and error-prone.
Excel, a widely used tool for data management and analysis, has long been employed for documenting security controls, tracking compliance status, and managing authorization documentation. However, the inherent limitations of Excel, such as version control issues, lack of audit trails, and manual data entry errors, present significant challenges in maintaining the integrity and accuracy of authorization processes. Koniag Government Services (KGS) offers insights into how organizations can transition towards more efficient, automated, and secure solutions to enhance their authorization workflows and compliance activities.
- Version Control Issues: Excel spreadsheets lack robust version control mechanisms, leading to challenges in tracking changes and ensuring the accuracy of data over time.
- Lack of Audit Trails: Excel does not provide comprehensive audit trails, making it difficult to monitor who made changes to the document and when those changes occurred.
- Manual Data Entry Errors: The reliance on manual data entry in Excel increases the likelihood of errors, inconsistencies, and inaccuracies in assessments and authorizations.
- Limited Collaboration Capabilities: Excel’s limitations in real-time collaboration hinder effective teamwork and communication among stakeholders involved in the assessment and authorization process.
- Security Risks: Storing sensitive information in Excel spreadsheets can pose security risks, especially if proper encryption and access controls are not implemented, potentially leading to data breaches and compliance violations.
Solution
Team Koniag has successfully deployed a solution that aligns with NIST SP 800-218 by offering Standardized Security Controls, Comprehensive Task Spectrum, Customizable Policy Development, Data-Driven Remediation Planning, and Continuous Monitoring.
The KGS Authorization and Assessment (A&A) tool uses a guided discovery process that starts with a concise, visually engaging, and intuitive discovery questionnaire tailored for each client to gauge their unique cybersecurity needs. The KGS A&A solution leverages data-driven remediation planning by developing a list of remediation tasks, assessing their relevance and impact, and prioritizing them, ensuring an efficient and effective cybersecurity solution.
Prior to adopting this solution, our client relied on manual assessment processes using Excel spreadsheets, which were prone to human error, thereby extending the time required to finalize assessments. The implementation of a modern automated system enabled us to fulfill our customers’ needs efficiently, simplifying their cyber risk assessment and management tasks. This streamlined approach saved time by offering guided risk audits that delivered risk scores with just a few simple clicks, enhancing the overall assessment experience for our clients. Other benefits of our solution are:
- Demonstrates Ongoing Value: Tracks and evaluates your security posture over time, letting you monitor progress and demonstrate the tangible value of your services by showcasing improvements in cybersecurity stance.
- Clear, User-Friendly Task Descriptions: Tasks are presented straightforwardly, making them easy to understand and actionable across diverse cybersecurity areas.
- Collaboration and Transparency: Our solution aligns with the principles of reciprocity in accredited processes and DevSecOps infrastructure by providing a comprehensive platform that facilitates streamlined ATO processes and enhances security posture.
Conclusion
Enhancing assessments and authorizations in cybersecurity is paramount to strengthening organizational security, ensuring compliance, and mitigating risks in today’s complex threat landscape. By transitioning from manual, spreadsheet-based processes to modern solutions such as automation tools, customized policy frameworks, continuous monitoring capabilities, and compliance with industry standards, organizations can streamline their A&A processes and achieve more robust security postures.
The adoption of advanced technologies and best practices not only improves efficiency and A&A accuracy but also enables organizations to adapt to evolving threats and regulatory requirements. As organizations continue to prioritize cybersecurity as a critical component of their operations, investing in enhanced A&A processes is essential to maintaining trust, protecting sensitive data, and demonstrating commitment to security excellence.
By embracing innovation, collaboration, and a proactive approach to assessments and authorizations, organizations can navigate the complexities of cybersecurity risk management with confidence and resilience. The journey towards enhancing A&A processes is an ongoing endeavor, requiring continuous improvement, adaptation, and vigilance to stay ahead of emerging threats and compliance challenges. Through strategic investments in modern solutions and a commitment to best practices, organizations can elevate their security posture, fortify their defenses, and safeguard their assets in an increasingly digital world.