Department of Defense Instruction (DoDI) 8500.2 Compliance

Your entire IT environment can generate millions of individual log entries daily, if not hourly. DoDI 8500.2 recommendations of analyzing and reporting on log data can render manual or homegrown remedies inadequate and cost-prohibitive. The collection, management and analysis of log data are integral to meeting many DoDI 8500.2 guidelines. With LogRhythm’s Security Intelligence Platform, you’ll meet many of these recommendations directly, while greatly reducing your cost to meet others. LogRhythm delivers log collection, archiving and recovery across your entire IT infrastructure and automates the first level of log analysis.

Matrices

The LogRhythm DoDI 8500.2 Compliance Package provides bundled reports, investigations, alarms, and log source lists to help you demonstrate regulation compliance. Your site compliance auditor will check for specific line-item regulations to be met by LogRhythm. This section describes each of the following for DoDI 8500.2 compliance:

• Compliance Reporting for DoDI 8500.2 Auditors
• Compliant Monitoring
• Alarming
• Audit Deliverables

Compliance Reporting for DoDI 8500.2 Auditors

DoDI 8500.2 responsibilities are detailed in Department of Defense Instruction 8500.2. Auditors are instructed to review the minimum security requirements outlined in DoDI 8500.2 to determine if compliance is met. This guide references each of the affected regulations in the notation of “Security Requirement Family” and “Control Number”. For example, the following regulation highlighted in grey would ECRR-1 from Page 88:

ECRR-1 Audit Record Retention

Control: If the DoD information system contains sources and methods intelligence (SAMI), then audit records are retained for 5 years. Otherwise, audit records are retained for at least 1 year.

Because DoDI 8500.2 is a solution and vendor-agnostic, DoDI 8500.2 auditors must determine if the control provided by LogRhythm is appropriate for the organization for the specific regulation. In some cases, LogRhythm will provide enhancements to existing controls, such as centralization, investigations, alarming, reporting, auditing, monitoring, and discovery.

Compliant Monitoring

LogRhythm provides automated processes to reduce the amount of manual processes involved with monitoring. In addition, LogRhythm provides the necessary tools to conduct detailed manual monitoring and investigations.

DoDI 8500.2 does not specify a timeframe for monitoring (such as daily, monthly, etc.) but instead allows each organization to determine its own levels of protection necessary for compliance. The best practice would be continuous monitoring with a 15-minute time window for escalation, and the most relaxed practice would be reporting on a monthly basis. LogRhythm can provide a range of responses and monitoring techniques that would meet DoDI 8500.2’s intent.

LogRhythm has settings for the retention duration of logs available for reporting and investigations. The DoDI 8500.2 auditor should note that the period between reports being generated for auditing should never exceed the retention period. Therefore, if logs are being retained for 14 days, audit reports should be generated in 14-day intervals.

Alarming

Immediate action in the event of a breach or system failure can help limit the damages to the organization. LogRhythm’s alarming capability notifies the appropriate security personnel when a security monitoring device detects activities that could jeopardize the integrity of the organization.

The following table shows the thresholds and suppression of alarm rules pertaining to DoDI 8500.2compliance: