Key Takeaways
- The Office of Management and Budget (OMB) issued a Friday memo replacing the Biden‑era cybersecurity logging directive with a risk‑based, priority‑focused approach.
- The new policy aims to reduce “red tape” and costs while still addressing evolving threats, especially those amplified by artificial intelligence and automation.
- Agencies must prioritize Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response, and Forensics (THIRF) as their two core logging objectives.
- Within 90 days, CISA—working with OMB and the CISO Council—will produce a Logging Reference Architecture (LRA) to guide implementation.
- Federal agencies must submit detailed logging plans within 90 days of the LRA’s release and update them periodically.
- Past compliance issues persist: a 2023 GAO report found over a dozen agencies failed to meet the basic requirements of the 2021 memo.
- Industry experts, such as former Elastic government affairs head Bill Wright, argue that continuous, real‑time log collection is essential to defend against modern cyber threats.
OMB’s New Direction on Cybersecurity Logging
The Office of Management and Budget released a memo on Friday that rescinds and replaces the Biden administration’s 2020 directive issued after the SolarWinds breach. OMB Director Russell Vought explained that while the earlier policy improved foundational logging capabilities across federal agencies, the volume of data required to be retained became costly and operationally burdensome. The new guidance shifts the focus from indiscriminate data retention to a risk‑based, prioritized logging strategy designed to cut unnecessary “red tape” and reduce expenses.
Rationale: Addressing AI‑Driven Threats
OMB’s memo cites growing concern over the use of artificial intelligence and automation by threat actors. These technologies can accelerate initial intrusion, enable stealthy persistence, and expand the scale of cyberattacks. Effective event logging remains a cornerstone of agency defenses, providing the visibility needed to detect anomalous activity, trigger timely responses, and support forensic analysis. By aligning logging practices with current threat landscapes, the memo seeks to ensure that federal defenses keep pace with adversarial innovation.
How Agencies Will Use Logs
The memo emphasizes that agencies rely on log information to monitor system activity, identify events requiring attention, and underpin analysis and response actions that protect sensitive data and maintain operational continuity. Logs serve as the primary source of situational awareness, enabling security teams to distinguish benign noise from genuine threats and to reconstruct attack timelines when incidents occur. Consequently, the quality and relevance of logged data directly influence an agency’s ability to mitigate cyber risks.
Core Objectives: CEM and THIRF
Under the revised policy, agencies must prioritize two specific objectives: Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response, and Forensics (THIRF). CEM refers to capabilities that allow real‑time observation of network traffic and system behavior, so that anomalous actions can be detected as they happen rather than discovered after the fact. THIRF encompasses the broader suite of activities needed to hunt for hidden threats, investigate alerts, respond to incidents, and conduct forensic examinations to understand the full scope of an attack. By focusing resources on these two areas, agencies can achieve a more effective security posture without being overwhelmed by excessive data collection.
Development of a Logging Reference Architecture
To operationalize the new priorities, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) will, within the next 90 days, collaborate with OMB and the Chief Information Security Officer (CISO) Council to create a Logging Reference Architecture (LRA). The LRA will provide a standardized framework that aligns with the memo’s requirements while allowing agencies to tailor implementations to their unique missions and existing investments. This guidance aims to bridge the gap between high‑level policy and practical, agency‑specific logging solutions.
Agency Planning and Reporting Requirements
Following the publication of the LRA, each federal agency must submit a detailed logging plan within 90 days. These plans will outline the concrete steps agencies will take to meet the memo’s baseline requirements, including how they will implement CEM and THIRF capabilities, allocate resources, and integrate logging with existing security tools. Agencies are also expected to update their plans periodically to reflect changes in technology, threat intelligence, and organizational priorities, ensuring sustained compliance and effectiveness.
Lessons from Past Implementation Challenges
The memo acknowledges that the previous 2021 directive, while beneficial in raising baseline logging standards, faced significant implementation hurdles. A Government Accountability Office (GAO) report from August 2023 documented that over a dozen agencies failed to meet the most basic logging requirements of that directive. Those shortcomings remain open issues on the GAO website, underscoring the need for a more flexible, risk‑based approach that accommodates varying agency capacities and reduces compliance burden.
Industry Perspective: The Case for Continuous Logging
Some cybersecurity leaders argue that the memo’s risk‑based focus should go further by mandating continuous, real‑time log collection. Bill Wright, formerly the head of government affairs for Elastic and now at Everpure, wrote in a FedScoop piece (October 2025) that requiring agencies to stream all log types to a centralized location would close gaps inherent in intermittent collection methods. Wright contends that an unbroken chain of evidence derived from continuous logging is essential for detecting and responding to sophisticated, AI‑enhanced cyber threats that operate over extended periods.
Conclusion: Balancing Efficiency with Security
OMB’s latest memo represents a strategic pivot toward a more efficient, threat‑informed logging framework for the federal government. By emphasizing CEM and THIRF, providing a forthcoming LRA through CISA, and requiring agency‑specific plans, the administration seeks to reduce unnecessary data retention costs while bolstering defenses against modern cyber threats. The success of this approach will hinge on timely development of the LRA, diligent agency planning, and ongoing vigilance to ensure that the shift to risk‑based logging does not compromise the depth of visibility needed to safeguard national security systems.