NIST is in the process of addressing public comments on Draft Special Publication (SP) 800-92 Revision 1, Cybersecurity Log Management Planning Guide. The purpose of this document is to help all organizations improve their log management so they have the log data they need. The document's scope is cybersecurity log management planning, and all other aspects of logging and log management, including implementing log management technology and making use of log data, are out of scope.
This document replaces the original SP 800-92, Guide to Computer Security Log Management. That material was developed at a time when many organizations were just starting to think about log management. With the wealth of information now available on log management, this revision of NIST SP 800-92 focuses on high-level guidance for organization-wide improvement rather than the details of implementation or the capabilities of particular technologies.
The main content of the new SP 800-92 Revision 1 is a playbook for cybersecurity log management planning. The playbook provides actionable steps that organizations can take to plan improvements to their log management practices in support of best practices and regulatory requirements. The playbook is not comprehensive, but the listed plays are noteworthy and generally beneficial to organizations.
The SP 800-92 revisions were informed by the August 2021 OMB Memorandum M-21-31, "Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents," which addresses requirements in Section 8 of Executive Order (EO) 14028.
Your comments and suggestions for the Log Management project are always welcome. Contact us at log-mgmt@nist.gov.
Security and Privacy: audit & accountability
Applications: enterprise
Laws and Regulations: Executive Order 14028