
Audit and Accountability (AU) Handbook

Comprehensive guidelines for managing audit and accountability to ensure compliance with federal cybersecurity requirements

Last reviewed: 11/1/2024

Contact: ISPG Policy Team | CISO@cms.hhs.gov


Introduction

Audit and accountability (AU) controls at CMS record who did what, and when, on CMS information systems, supporting compliance, data security, and individual accountability.

These AU controls govern how system activity is logged, monitored, investigated, and documented, supporting event analysis, anomaly detection, and prevention of future incidents.

Framework and Compliance

CMS’s audit and accountability practices follow federal guidelines, including OMB Memorandum M-21-31.

The CMS Cybersecurity Integration Center (CCIC), in coordination with various teams, oversees the implementation of these standards to ensure secure, compliant operations.

Integrating OMB M-21-31 requirements enables CMS to align with federal standards for investigative and remediation capabilities related to cybersecurity incidents.

Overview of OMB M-21-31 Standards

OMB Memorandum M-21-31 establishes federal standards for logging, retention, and access controls for information systems to improve cybersecurity incident investigation and response. CMS incorporates these guidelines across its systems, ensuring adequate log retention, controlled access, and secure interagency collaboration.

Following are key M-21-31 requirements and information about their implementation at CMS.

Expanded Event Logging

Critical Event Logging: CMS information systems must log essential events, including access and authentication actions, administrative changes, and security configuration adjustments. These logs make it possible to detect unauthorized or suspicious activity and to reconstruct it afterwards.

Minimum Retention Period: CMS retains logs in active (online) storage for 12 months and archives them for an additional 18 months, for 30 months in total. This ensures access to audit trails for both real-time and historical investigations, as required by M-21-31.

Centralized Log Collection and SIEM Integration

Centralized Logging with SIEM: The Security Information and Event Management (SIEM) platform aggregates logs from all CMS systems for real-time monitoring and correlation. This centralized approach supports CMS's proactive threat detection and aligns with M-21-31’s requirements for situational awareness.

Automated SOAR Capabilities: CMS’s Security Orchestration, Automation, and Response (SOAR) system enables swift incident response, executing automated playbooks for data gathering, alerting, and reporting.

Detailed Audit Record Content and Non-Repudiation

Comprehensive Audit Data: CMS audit records contain essential details, including user identity, IP addresses, event outcomes, and timestamps. These logs meet M-21-31’s standards, ensuring non-repudiation for critical actions and supporting event reconstruction.

Time Synchronization: The clocks that stamp audit records must be synchronized to within one minute of UTC, so that events from different systems can be placed in a single reliable time order during analysis.

Log Access Controls and Data Protection

Privileged Access and Dual Authorization: Audit log access is restricted to a subset of privileged users. Dual authorization is required for sensitive actions (such as data deletion). Log access permissions are regularly reviewed and updated.

Cryptographic Data Protection: CMS employs cryptographic protection for audit data, encrypting it against unauthorized access and verifying its integrity so that tampering is detected, preserving log integrity per M-21-31 requirements.

Real-Time Alerts for Logging Failures

Immediate Notifications: CMS systems issue real-time alerts for critical audit failures, such as storage reaching 80% capacity, logging errors, or failed encryption. Notifications are sent to key stakeholders, ensuring timely corrective action.

Failure Response Protocols: When a critical logging failure occurs, CMS must respond by archiving older logs, halting non-essential processes, or temporarily suspending new entries, as specified by M-21-31, rather than allowing audit records to be silently lost.

Interagency Collaboration for Incident Response

Cross-Agency Log Sharing: CMS maintains cross-organizational logs and collaborates with federal entities, including CISA and FBI, as required by M-21-31. This setup ensures coordinated responses and interagency visibility into significant cybersecurity incidents.

CMS Audit and Accountability Key Components

Event Logging and Management

CMS logs significant events, including system access, network activity, firewall interactions, and cloud service activity. The Security Information and Event Management (SIEM) system centralizes logs, enabling comprehensive monitoring for incident investigation and system health.

Audit Record Content

Audit logs capture detailed data, such as timestamps, user identifiers, IP addresses, and event outcomes. CMS ensures that these logs contain all elements necessary to reconstruct incidents, identify responsible individuals, and support accountability. Sensitive information, including PII and PHI, is recorded only when necessary, with additional safeguards for data integrity.

Data Retention and Storage Capacity

CMS retains audit logs in active storage for 12 months and archives them for a further 18 months. Logs are stored on systems separate from those that generate them, so that the failure or compromise of a source system does not destroy its audit trail. The storage infrastructure is scalable to meet the high-capacity requirements outlined in M-21-31.

Access Controls and Audit Log Protection

Privileged Access: Log access is limited to authorized individuals in roles such as the SOC team and the CCIC. Privileges are regularly reviewed, and dual authorization is required for sensitive actions such as deletion.

Encryption: All audit records are encrypted, and their integrity is cryptographically verified so that unauthorized modifications are detected.

Real-Time Alerts and Automated Responses

CMS systems are configured to issue alerts for critical logging failures or security-related anomalies. Automated tools in SOAR enable proactive responses, ensuring logs are preserved even in the event of process interruptions.

Continuous Review and Reporting

CMS regularly reviews and analyzes audit records for signs of compromise or unauthorized activity. Findings are shared with relevant system owners and may be escalated to external agencies if warranted.

Cross-Organizational Log Integration

Cross-organizational audit logging ensures CMS maintains transparency and accountability during interagency collaborations. The CCIC oversees these integrations, aligning with M-21-31 standards for interagency incident response.

Non-Repudiation Measures

Non-repudiation measures ensure that actions taken within CMS systems can be attributed to the individual who performed them and cannot later be credibly denied. SIEM logs are secured against modification, ensuring that audit trails reflect the actions that were actually taken.

Synchronization and Time Correlation

All systems synchronize audit record timestamps within one minute of UTC, allowing for precise time-correlated event tracking across CMS systems.
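The three requirements above (complete audit record content, timestamps within one minute of UTC, and tamper-evident records for non-repudiation) can be checked mechanically at the point where a collector receives records. The following is an added example, not CMS code or a CMS schema: the field names, the HMAC key, the reference clock and the sample records are all constructed for illustration. It validates each record for the required fields and for clock skew against the collector's UTC time, and chains an HMAC over the records so that editing, deleting or reordering any entry is detected.

```python
"""Added example (not CMS code): checking audit records against the handbook's
content, time-synchronization and non-repudiation requirements.

Field names, the demo key, the reference clock and the sample records are
constructed for illustration and are assumptions, not a CMS schema.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Elements every record must carry (names assumed; the handbook lists
# user identity, IP address, event outcome and timestamp).
REQUIRED_FIELDS = ("timestamp", "user", "src_ip", "event", "outcome")

# Handbook / M-21-31 requirement: record clocks within one minute of UTC.
MAX_SKEW = timedelta(minutes=1)

# Demo key only. In production the key lives in an HSM or KMS, never in code.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def check_record(rec: dict, reference_utc: datetime) -> list[str]:
    """Return the problems found with one record (empty list means it passes).

    reference_utc is the collector's own UTC clock at receipt; a record whose
    timestamp is more than MAX_SKEW away from it came from a drifting host.
    """
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "timestamp" in rec:
        try:
            ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        except ValueError:
            return problems + ["unparseable timestamp"]
        if ts.tzinfo is None:
            problems.append("timestamp has no timezone; cannot correlate against UTC")
        elif abs(ts.astimezone(timezone.utc) - reference_utc) > MAX_SKEW:
            problems.append("timestamp drifts more than one minute from UTC reference")
    return problems


def audit_report(records: list[dict], reference_utc: datetime) -> dict[int, list[str]]:
    """Map each record index to its list of problems."""
    return {i: check_record(r, reference_utc) for i, r in enumerate(records)}


def canonical(rec: dict) -> bytes:
    """Serialize with sorted keys so the same record always hashes identically."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records: list[dict], key: bytes) -> list[dict]:
    """Attach an HMAC tag to each record that also covers the previous tag.

    Because tag[i] depends on tag[i-1], altering, removing or reordering any
    record invalidates every tag from that point onward.
    """
    out, prev = [], b""
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        out.append({"record": dict(rec), "tag": tag})
        prev = bytes.fromhex(tag)
    return out


def verify_chain(chained: list[dict], key: bytes) -> int | None:
    """Return the index of the first record whose tag fails, or None if intact."""
    prev = b""
    for i, entry in enumerate(chained):
        expect = hmac.new(key, prev + canonical(entry["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, entry["tag"]):
            return i
        prev = bytes.fromhex(entry["tag"])
    return None


# Constructed sample input: the collector's clock and three received records.
REFERENCE_UTC = datetime(2024, 11, 1, 12, 0, 0, tzinfo=timezone.utc)

SAMPLE_RECORDS = [
    {"timestamp": "2024-11-01T12:00:05Z", "user": "jdoe", "src_ip": "10.0.0.5",
     "event": "login", "outcome": "success"},
    {"timestamp": "2024-11-01T12:00:10Z", "user": "admin1", "src_ip": "10.0.0.9",
     "event": "config_change", "outcome": "success"},
    # Missing src_ip and stamped by a clock five minutes fast: fails both checks.
    {"timestamp": "2024-11-01T12:05:00Z", "user": "svc-backup",
     "event": "delete", "outcome": "success"},
]


def demo_tamper_detection() -> int | None:
    """Chain the two good records, alter the first after the fact, and locate it."""
    chained = chain_records(SAMPLE_RECORDS[:2], DEMO_KEY)
    assert verify_chain(chained, DEMO_KEY) is None  # untouched chain verifies
    chained[0]["record"]["outcome"] = "failure"     # silent after-the-fact edit
    return verify_chain(chained, DEMO_KEY)          # first failing index, here 0


if __name__ == "__main__":
    for idx, issues in audit_report(SAMPLE_RECORDS, REFERENCE_UTC).items():
        print(idx, issues or "OK")
    print("tampered record index:", demo_tamper_detection())
```

The skew check only works when records carry timezone-aware timestamps; a naive local-time stamp is reported as a problem rather than guessed at, because a wrong guess would silently misorder events across systems. The HMAC chain gives tamper evidence, not tamper prevention: it tells the reviewer where the audit trail stops being trustworthy, which is the property non-repudiation needs.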

Continuous Monitoring and Maturity Model Compliance

CMS adopts a continuous monitoring approach to assess system maturity against the event logging tiers defined in M-21-31. Those maturity levels guide logging capabilities and response procedures, ensuring that CMS adapts to emerging cybersecurity threats and incorporates best practices over time.

Additional References

  • The M-21-31 Logging Questionnaire can be accessed and completed within CFACTS.
  • The Systems Audits section on CyberGeek explains the audit process, including FISMA-mandated quarterly and annual audits.
  • The Cyber Risk Management Plan (CRMP) outlines CMS’ cybersecurity risk management strategies by providing guidance on risk-based decision making and threat mitigation.

Conclusion

This information provides CMS personnel with comprehensive guidelines for managing audit and accountability, incorporating M-21-31 standards to ensure compliance with federal cybersecurity requirements.

This framework enhances CMS’s ability to monitor, investigate, and respond to cybersecurity incidents, promoting a resilient and secure environment for CMS’s information systems.