We're getting more questions here, so we should at least say something like:
DRAFT
The only logs that Agency has an M-21-31 responsibility for are those that are emitted by their applications. So, for example, there are no CloudWatch logs specific to their agency/app that fall under M-21-31.
The underlying platform/infrastructure logs that are generated by Cloud.gov services are subject to complying with FedRAMP requirements and GSA agency (since cloud.gov is operated by GSA) requirements per M-21-31. And we are meeting our compliance obligations in those respects.
We recognize that not all customers can do this, so we are scheduling work to enable logging to customer-specific S3 buckets since that’s emerging as a generally interoperable way to share logs between entities.
Other M-21-31 requirements, such as packet logging and flow logs, are not within the shared responsibility model. These are security requirements that are met by cloud.gov and GSA on the customer’s behalf, and we are ready to work with DHS or the FBI in the event of an incident.
Acceptance Criteria
Determine next steps and acceptance criteria
I'm also asking more broadly of FedRAMP® and others:
cloud.gov is working to meet M-21-31 requirements as a US Gov entity, but our customers are asking how they're to meet M-21-31 as cloud.gov customers. M-21-31 seems to be written for agencies running on-prem or IaaS systems, and is not generally applicable (as far as I can tell) to agencies using SaaS or PaaS services.
We're getting more questions here, so we should at least say something like:
DRAFT
The only logs that Agency has an M-21-31 responsibility for are those that are emitted by their applications. So, for example, there are no CloudWatch logs specific to their agency/app that fall under M-21-31.
The underlying platform/infrastructure logs that are generated by Cloud.gov services are subject to complying with FedRAMP requirements and GSA agency (since cloud.gov is operated by GSA) requirements per M-21-31. And we are meeting our compliance obligations in those respects.
For Agency customers, cloud.gov Platform already has log shipping mechanisms for those logs emitted by their applications. Customers can configure their logging instance to accept those logs per https://cloud.gov/docs/deployment/logs/#how-to-automatically-copy-your-logs-elsewhere, e.g. if they're running agency-specific Splunk or ELK.
We recognize that not all customers can do this, so we are scheduling work to enable logging to customer-specific S3 buckets since that’s emerging as a generally interoperable way to share logs between entities.
Other M-21-31 requirements, such as packet logging and flow logs, are not within the shared responsibility model. These are security requirements that are met by cloud.gov and GSA on the customer’s behalf, and we are ready to work with DHS or the FBI in the event of an incident.