OMB M-21-31 and Network Flow Logging: How NFO Closes the Gap Between EL1 and EL2

OMB M-21-31, issued in August 2021 under Executive Order 14028 and reaffirmed by OMB M-25-04 in January 2025, establishes a four-tier Event Logging maturity model for federal agencies. The original deadlines have passed. For most agencies, the hardest transition remains EL1 to EL2 — and the primary reason is one specific requirement: Network Device Infrastructure logging.

Endpoint logs, authentication events, and DNS records are largely in place at EL1. Network flow telemetry — the NetFlow, IPFIX, and sFlow records that document every communication between devices — is a different story. It is binary by nature, extremely high-volume, and requires dedicated processing infrastructure before it can reach a SIEM. For many agencies, this category remains incomplete, which means EL2 certification remains out of reach.

M-21-31 does not just require collecting network flow logs. It requires them to be centralized, accessible to your SOC, and sufficiently detailed to support rapid incident investigation. Raw, unenriched flow records — IP addresses and byte counts alone — fall short of that standard in practice.

What EL2 Actually Requires for Network Device Logging

At EL2, M-21-31 requires network flow logs to be:

  • Collected across all criticality levels (not just high-criticality systems as in EL1)
  • Centralized and accessible to the agency SOC with standardized field schemas
  • Containing sufficient contextual fields to support rapid investigation, not raw IP addresses and byte counts alone
  • Non-sampled or at a sampling rate that preserves investigative fidelity
  • Deliverable to CISA and FBI within required timeframes during an incident

EL3 adds 30-month retention (12 months active, 18 months cold), automated threat hunting, and a 72-hour full packet capture requirement. That PCAP requirement is a distinct capability outside NFO’s scope — it requires dedicated packet capture infrastructure. NFO addresses the flow telemetry layer at EL1 and EL2, and supports the flow components of EL3.

Why Agencies Are Stuck at EL1

The flow data already exists on your network. Every router, switch, and firewall is generating NetFlow records right now. The gap is not data — it is the infrastructure to make that data usable. Four specific technical barriers keep agencies at EL1:

Binary Format

Raw NetFlow and IPFIX exports are binary-encoded. They cannot be ingested directly into a SIEM. Without a dedicated processing layer, network flow records never reach the centralized logging environment EL2 requires.
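To make the "binary format" barrier concrete, here is an added Python example (not NFO's own code) of the minimal processing step a SIEM cannot do itself: decoding a NetFlow v5 export datagram into JSON-ready records and a syslog key=value line. The field layout follows the published v5 format; the build_v5 helper, the sample addresses and the byte counts are constructed for the demo.

```python
import socket
import struct

# NetFlow v5 wire layout: a 24-byte header followed by `count` fixed 48-byte
# records, all big-endian. Field order follows the published v5 format.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN, RECORD_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def decode_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into JSON-ready dicts."""
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _etype, _eid, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    # Low 14 bits of the sampling field hold the interval; 0 or 1 means unsampled.
    interval = sampling & 0x3FFF
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        if off + RECORD_LEN > len(datagram):
            raise ValueError("truncated datagram: header count exceeds payload")
        (src, dst, _nh, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _pad, flags, proto, _tos, _sas, _das, _sm, _dm, _p2) = \
            struct.unpack_from(RECORD_FMT, datagram, off)
        flows.append({
            "export_time": unix_secs, "sequence": seq,
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "src_port": sport, "dst_port": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets, "tcp_flags": flags,
            "in_if": in_if, "out_if": out_if,
            "sampling_interval": interval or 1,   # >1: this record undercounts
        })
    return flows

def to_kv(flow: dict) -> str:
    """Render one decoded flow as a syslog-style key=value line."""
    return " ".join(f"{k}={v}" for k, v in flow.items())

def build_v5(records, sampling=1, unix_secs=1_700_000_000) -> bytes:
    """Constructed stand-in exporter; records are (src, dst, sport, dport, proto, pkts, bytes)."""
    hdr = struct.pack(HEADER_FMT, 5, len(records), 0, unix_secs, 0, 1, 0, 0, sampling)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                    1, 2, p, o, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, p, o in records)
    return hdr + body
```

NetFlow v9 and IPFIX are template-driven, so a production decoder must also track templates per exporter; this block covers only the fixed v5 layout.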

Sampling

To manage the performance impact of NetFlow generation on network devices, many agencies configure sampling rates of 1:100 or sparser, meaning that only 1 in every 100 packets (or fewer) is represented in a flow record. M-21-31 explicitly requires non-sampled flow records and warns that low sampling rates dramatically reduce visibility and could prevent teams from meeting its investigative requirements. The tension is real: full-fidelity, un-sampled flow data is the right answer for compliance, but without a processing pipeline to manage the resulting volume before it reaches the SIEM, it is operationally unsustainable. Agencies end up choosing between compliance fidelity and operational practicality — when the right answer is a pipeline that delivers both.

Lack of Enrichment

Raw flow records identify endpoints by IP address only: no user identity, no application name, no threat context. When an incident occurs, investigators face hours of manual lookups and post-hoc correlation. M-21-31’s investigative requirements implicitly demand enriched, actionable records.

Volume and Retention

Full-fidelity flow data at enterprise scale generates hundreds of gigabytes per day. At EL3 retention requirements (30 months total), that volume makes compliance feel financially unachievable without a reduction pipeline upstream.

How NFO Closes the Gap

NetFlow Optimizer (NFO) is a software-only, on-premises telemetry pipeline purpose-built for this problem. It has been in production at federal agencies and DoD enterprises since 2016, runs on standard Linux or Windows Server, requires no proprietary hardware, fits within your existing ATO boundary, and is fully air-gap compatible. It addresses each barrier directly:

Barrier: Binary format
  The problem: SIEM cannot ingest raw binary NetFlow
  How NFO solves it: Decodes all formats (NetFlow v5/v9, IPFIX, sFlow, J-Flow, cloud VPC logs) and outputs normalized JSON or syslog key=value

Barrier: Sampling
  The problem: Heavy sampling destroys investigative fidelity
  How NFO solves it: Processes full-fidelity un-sampled flow data; eliminates structural redundancy (multi-hop duplication, ingress/egress double-reporting) through aggregation and stitching — 80-90% volume reduction without data loss

Barrier: Lack of enrichment
  The problem: Raw IPs require manual lookup during investigations
  How NFO solves it: Enriches every record with user identity (AD/Okta/Entra ID), application name (device DPI), cyber threat intelligence, GeoIP/ASN, and FQDN before the record reaches the SIEM (see the enrichment documentation)

Barrier: Volume and retention
  The problem: Raw flow volume makes EL3 retention financially unsustainable
  How NFO solves it: 80-90% volume reduction before SIEM ingestion makes 30-month retention operationally achievable
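To show what the aggregation-and-stitching and enrichment rows mean in practice, here is an added Python example (not NFO's code). It takes five constructed reports of one HTTPS session (the same packets seen by an edge router, a core switch, and both firewall interfaces, plus the reply seen only at the edge), collapses them into one bidirectional record, and joins identity and application context. The IP_TO_USER and PORT_TO_APP tables are constructed stand-ins for the directory and DPI sources, and the lower-port-is-server rule is a simplifying assumption.

```python
from collections import defaultdict

# Constructed records in decoded form (not real exporter output). The edge
# router and core switch both see the client->server packets (multi-hop
# duplication); the firewall reports them on both of its interfaces
# (ingress/egress double-reporting); only the edge router reports the reply.
def rec(exporter, src, dst, sp, dp, pkts, octets, in_if=1, out_if=2):
    return {"exporter": exporter, "src_ip": src, "dst_ip": dst, "src_port": sp,
            "dst_port": dp, "proto": "tcp", "packets": pkts, "bytes": octets,
            "in_if": in_if, "out_if": out_if, "first": 1000, "last": 1004}
RAW = [rec("edge-rtr", "10.0.0.5", "192.0.2.10", 51234, 443, 12, 3400),
       rec("core-sw", "10.0.0.5", "192.0.2.10", 51234, 443, 12, 3400),
       rec("fw", "10.0.0.5", "192.0.2.10", 51234, 443, 12, 3400, 3, 4),
       rec("fw", "10.0.0.5", "192.0.2.10", 51234, 443, 12, 3400, 4, 3),
       rec("edge-rtr", "192.0.2.10", "10.0.0.5", 443, 51234, 10, 51000)]
# Constructed lookups standing in for directory (AD/Okta/Entra ID) and DPI feeds.
IP_TO_USER = {"10.0.0.5": "jdoe@agency.example"}
PORT_TO_APP = {443: "https", 53: "dns"}

def flow_key(r):
    """Direction-agnostic key. Assumed heuristic: the lower-port side is the server."""
    a, b = (r["src_ip"], r["src_port"]), (r["dst_ip"], r["dst_port"])
    client, server = (a, b) if a[1] > b[1] else (b, a)
    return client, server, r["proto"]

def stitch(records):
    """Collapse every report of one flow (both directions) into one record.
    Duplicates describe the same packets, so counts are the maximum seen, never
    the sum: summing would inflate byte counts and mislead an investigation."""
    groups = defaultdict(list)
    for r in records:
        groups[flow_key(r)].append(r)
    out = []
    for ((cip, cport), (sip, sport), proto), rs in groups.items():
        fwd = [r for r in rs if (r["src_ip"], r["src_port"]) == (cip, cport)]
        rev = [r for r in rs if (r["src_ip"], r["src_port"]) != (cip, cport)]
        out.append({"client_ip": cip, "client_port": cport, "server_ip": sip,
                    "server_port": sport, "proto": proto,
                    "bytes_out": max((r["bytes"] for r in fwd), default=0),
                    "bytes_in": max((r["bytes"] for r in rev), default=0),
                    "exporters": sorted({r["exporter"] for r in rs}),
                    "first": min(r["first"] for r in rs), "last": max(r["last"] for r in rs)})
    return out

def pipeline(records):
    """Stitch, then enrich with identity and application context for the SIEM.
    Returns the enriched flows and the fraction of input records removed."""
    out = stitch(records)
    for f in out:
        f["user"] = IP_TO_USER.get(f["client_ip"], "unknown")
        f["app"] = PORT_TO_APP.get(f["server_port"], "unknown")
    return out, 1 - len(out) / len(records)
```

On the constructed input the five reports collapse to one record, an 80% reduction, while the byte counts for each direction are preserved rather than multiplied by the number of exporters.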

For SIEM delivery, NFO supports both on-premises deployments (Splunk Enterprise Security, Exabeam LogRhythm) and government-authorized cloud platforms (Microsoft Sentinel on Azure Government, Splunk Cloud FedRAMP, Sumo Logic FedRAMP Moderate). In both cases, the NFO pipeline remains fully on-premises — only the enriched output stream is delivered to the SIEM. Full deployment details are in the NFO Government Solution Brief.

The Bottom Line

M-21-31 is not going away. OMB M-25-04 reaffirmed it in January 2025, and CISA continues to use the maturity model as the benchmark for federal logging assessments. For agencies at EL1 working toward EL2, the network device infrastructure logging gap is the most common, and most solvable, obstacle standing in the way.

The flow data exists on your network today. NFO is the pipeline that makes it usable, compliant, and centralized: deployable in under an hour, inside your security boundary, with no hardware and no data egress.

Ready to close the network flow logging gap in your M-21-31 posture? Request a quote for your agency or program, or schedule a technical demo with a NetFlow Logic engineer who understands federal network requirements.

