cloud-gov / cg-site

The cloud.gov website

Home Page: https://cloud.gov

Update M-21-31 with add'l guidance

pburkholder opened this issue · comments

We're getting more questions here, so we should at least say something like:

DRAFT

The only logs that an Agency has an M-21-31 responsibility for are those that are emitted by their applications. So, for example, there are no CloudWatch logs specific to their agency/app that fall under M-21-31.

The underlying platform/infrastructure logs that are generated by Cloud.gov services are subject to complying with FedRAMP requirements and GSA agency (since cloud.gov is operated by GSA) requirements per M-21-31. And we are meeting our compliance obligations in those respects.

For Agency customers, the cloud.gov Platform already has log shipping mechanisms for those logs emitted by their applications. Customers can configure their logging instance to accept those logs per https://cloud.gov/docs/deployment/logs/#how-to-automatically-copy-your-logs-elsewhere - e.g. if they're running agency-specific Splunk or ELK.

We recognize that not all customers can do this, so we are scheduling work to enable logging to customer-specific S3 buckets since that’s emerging as a generally interoperable way to share logs between entities.

Other M-21-31 requirements, such as packet logging and flow logs, are not within the shared responsibility model. These are security requirements that are met by cloud.gov and GSA on the customer’s behalf, and we are ready to work with DHS or the FBI in the event of an incident.

Acceptance Criteria

  • Determine next steps and acceptance criteria
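The log shipping mechanism the draft refers to is a Cloud Foundry user-provided log drain bound to the customer's application. As an added example (not code from the cg-site issue, the cloud.gov docs, or the cloud.gov team), the shell function below builds the `cf` CLI commands for that setup and refuses drain URLs that are not `syslog-tls://` with an explicit port, so application logs leave the platform only over TLS. The app name, drain name, and `logs.example.gov:6514` endpoint are placeholders; the `cf create-user-provided-service -l`, `cf bind-service`, and `cf restage` commands are standard Cloud Foundry CLI.

```shell
# Added example, not from cloud.gov or the cg-site repo.
# Emits (does not run) the cf CLI commands that attach a TLS syslog drain
# to an app so its logs are copied to an agency SIEM (Splunk, ELK, ...).
#
# usage: drain_cmds APP DRAIN_NAME syslog-tls://HOST:PORT
drain_cmds() {
  app="$1"
  drain_name="$2"
  url="$3"

  # Only TLS syslog drains are accepted; plain syslog:// or https:// is rejected
  # so no cleartext log channel is configured by accident.
  case "$url" in
    syslog-tls://*) ;;
    *) echo "refusing non-TLS drain URL: $url" >&2; return 1 ;;
  esac

  # The part after the last ':' must be a numeric port (no port -> '//host', rejected).
  port=${url##*:}
  case "$port" in
    ''|*[!0-9]*) echo "drain URL must end in HOST:PORT: $url" >&2; return 1 ;;
  esac

  # 1. create the user-provided service whose only property is the drain URL
  printf 'cf create-user-provided-service %s -l %s\n' "$drain_name" "$url"
  # 2. bind it to the app; CF then forwards the app's log stream to the drain
  printf 'cf bind-service %s %s\n' "$app" "$drain_name"
  # 3. restage so the new binding takes effect
  printf 'cf restage %s\n' "$app"
}

# example invocation with placeholder values (constructed, not a real endpoint)
drain_cmds my-agency-app agency-siem-drain syslog-tls://logs.example.gov:6514
```

The receiving side (the agency's Splunk or ELK instance) must listen for RFC 5424 syslog over TLS on that port and trust the certificate chain; nothing on the cloud.gov side authenticates the destination beyond the TLS handshake, so the drain URL itself should be treated as configuration worth reviewing.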

I'm also asking more broadly of FedRAMP® and others:

cloud.gov is working to meet M-21-31 requirements as a US Gov entity, but our customers are asking how they're to meet M-21-31 as cloud.gov customers. M-21-31 seems to be written for agencies running on-prem or IaaS systems, and is not generally applicable (as far as I can tell) to agencies using SaaS or PaaS services.

Per the email response from FedRAMP:

"We do not have guidance under development to address 21-31."