OMB revamps cyber event logging requirements

A new memo from OMB rescinds previous logging requirements and establishes a new set of expectations that “minimizes red tape” and contains cost.

Agencies should take a more risk-based approach to logging cybersecurity data. Agency chief information security officers have to submit to the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget an updated logging plan that focuses on two specific areas: continuous event monitoring (CEM) and threat hunting, investigation, response and forensics (THIRF).

A new memo from OMB Director Russ Vought rescinds previous logging requirements and establishes a new set of expectations that “minimizes red tape” and contains cost.

“In 2021, OMB issued Memorandum M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, to raise logging baselines and enhance agencies’ knowledge of events occurring in their systems. Implementation of that memorandum improved foundational capabilities across agencies,” Vought wrote in OMB’s latest memo released Friday. “However, some requirements, such as the retention of vast quantities of logging data without clear utility, proved neither operationally feasible nor cost-effective for most agencies. To address these inefficiencies and the evolving cyber threat environment, this memorandum directs agencies to employ a risk-based, prioritized logging approach.”

OMB added cyber event logging as a requirement for agency CISOs after the SolarWinds incident, saying at the time that increased visibility before, during and after a cybersecurity incident, especially through cloud service providers’ environments and other third parties, is invaluable in the detection, investigation and remediation of cyber threats.

But over time, the amount of data collected by these logging tools became expensive to maintain and required new and advanced tools with artificial intelligence and machine learning capabilities to understand and act on this data.

The Government Accountability Office found in December 2023 that 20 of 23 agencies missed the deadline to reach maturity level 3 by August 2023.

“Until the agencies implement all event logging requirements, the federal government’s ability to fully detect, investigate, and remediate cyber threats will be constrained,” GAO stated. “Agencies described three key challenges that hindered their abilities to fully prepare to respond to cybersecurity incidents: (1) lack of staff, (2) event logging technical challenges, and (3) limitations in cyber threat information sharing.”

Source: OMB May 22, 2026 memo.

The first step in this revised logging strategy is for CISA to develop logging reference architecture (LRA) in the next 90 days. The architecture will help agencies meet the CEM and THIRF objectives and serve as a core source of guidance for agencies on how to implement related logging capabilities.

Then, within 90 days of CISA publishing the LRA, agencies will have to update their new logging plans.

“This plan must describe the operational steps required for the agency to deploy and maintain effective CEM and THIRF objectives. The plan will document the series of actions that will be taken to achieve the minimum baseline requirements defined in this memorandum as well as any additional log collection and activities that will be conducted to achieve CEM and THIRF objectives, with consideration given to the agency’s threat environment, risk profile and mission as provided in the guidance of the CISA Logging Reference Architecture,” the memo stated.

The minimum baseline requirements and objectives include ensuring that logs are retained and searchable for six months, that every log entry carries a timestamp synchronized using the Network Time Protocol (NTP), and that logs are readily available to the top-level agency security operations center.
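The three baseline requirements above are the kind of thing a SOC can check mechanically against its own log store. The following script is an added example, not code from OMB, CISA or the article; it audits a handful of constructed log records for the three properties (a searchable window of at least six months, a timezone-aware timestamp that agrees with the collector’s clock, and presence in the SOC’s central store). The 183-day reading of “six months”, the 30-second clock-skew tolerance, the record fields and the sample hostnames are all assumptions made for the example; the memo sets no numeric skew bound.

```python
"""Audit log records against the memo's minimum logging baseline.

Added example with constructed data. Checks:
  1. the store is searchable back at least six months
  2. each record has a timezone-aware timestamp close to the collector's clock
     (a large gap is a sign the source clock is not NTP-synchronized)
  3. each record has reached the top-level SOC's central store
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the memo says "six months"; treated here as 183 days.
RETENTION_MIN = timedelta(days=183)
# Constructed tolerance for source-vs-collector clock disagreement.
MAX_CLOCK_SKEW = timedelta(seconds=30)


@dataclass
class LogRecord:
    source: str                  # hypothetical host name
    event_time: Optional[str]    # timestamp written by the source system
    received_at: str             # time the central collector ingested the record
    forwarded_to_soc: bool       # is the record present in the SOC's store?
    message: str


def parse_utc(ts: Optional[str]) -> Optional[datetime]:
    """Return a UTC datetime, or None if the value is missing, unparsable or naive.

    A naive timestamp (no UTC offset) is rejected because it cannot be
    ordered reliably against records from other sources.
    """
    if not ts:
        return None
    try:
        dt = datetime.fromisoformat(ts)
    except ValueError:
        return None
    if dt.tzinfo is None:
        return None
    return dt.astimezone(timezone.utc)


def audit_baseline(records, now: datetime, oldest_searchable: datetime) -> dict:
    """Return findings grouped by baseline requirement; empty lists mean compliant."""
    findings = {"retention": [], "timestamp": [], "clock_skew": [], "soc_access": []}

    covered = now - oldest_searchable
    if covered < RETENTION_MIN:
        findings["retention"].append(
            f"store is searchable back only {covered.days} days; baseline needs {RETENTION_MIN.days}"
        )

    for r in records:
        event = parse_utc(r.event_time)
        received = parse_utc(r.received_at)
        if event is None:
            findings["timestamp"].append(f"{r.source}: missing, unparsable or non-timezone-aware timestamp")
        elif received is not None and abs(received - event) > MAX_CLOCK_SKEW:
            findings["clock_skew"].append(
                f"{r.source}: event time differs from collector time by {abs(received - event)}"
            )
        if not r.forwarded_to_soc:
            findings["soc_access"].append(f"{r.source}: record not available in the SOC central store")
    return findings


# Constructed sample records; hostnames and messages are made up for the example.
SAMPLE_RECORDS = [
    LogRecord("web-proxy-01", "2026-05-20T14:03:11+00:00", "2026-05-20T14:03:12+00:00", True, "GET /login 200"),
    LogRecord("hr-app-db-02", "2026-05-20T09:58:41", "2026-05-20T09:58:43+00:00", True, "auth failure svc_report"),
    LogRecord("ot-plc-07", "2026-05-20T13:21:00+00:00", "2026-05-20T14:05:30+00:00", True, "setpoint changed"),
    LogRecord("iot-cam-12", "2026-05-20T14:10:05+00:00", "2026-05-20T14:10:06+00:00", False, "firmware check-in"),
    LogRecord("vpn-gw-01", None, "2026-05-20T14:12:00+00:00", True, "tunnel established"),
]
NOW = datetime(2026, 5, 22, tzinfo=timezone.utc)
OLDEST_SEARCHABLE = datetime(2026, 3, 1, tzinfo=timezone.utc)  # only 82 days of searchable history


def run_sample() -> dict:
    return audit_baseline(SAMPLE_RECORDS, NOW, OLDEST_SEARCHABLE)


if __name__ == "__main__":
    for requirement, items in run_sample().items():
        print(f"{requirement}: {'OK' if not items else ''}")
        for item in items:
            print(f"  - {item}")
```

On the sample data the audit reports the short retention window, two records with unusable timestamps (one naive, one absent), one OT device whose clock is roughly 44 minutes off the collector, and one IoT camera whose records never reach the SOC. In practice `oldest_searchable` would come from the log platform’s own index metadata rather than a constant, and the skew check is a heuristic: delivery delay also shows up as a gap, so a finding here is a prompt to check the source’s NTP configuration, not proof that it is wrong.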

OMB defines CEM as the ability to monitor network activity in real time, flagging anomalous activity and responding to that activity in a timely manner, typically by the security operations center (SOC).

THIRF logs “enable agencies to investigate and perform forensic analysis of network activity after a known or suspected compromise with the purpose of mitigating, remediating and recovering from threat actor activity. To enable THIRF, agencies must maintain sufficient hot and cold storage as well as the capability to retrieve and centralize logging data from multiple sources to map attack patterns.”

“Each agency must pursue these objectives with respect to all information systems owned or operated by the agency or by third parties on the agency’s behalf, including any Internet of Things (IoT) devices or operational technology (OT) that is part of or constitutes such an information system,” the memo stated.

As a part of this risk-based approach, OMB also issued a revised maturity model to measure agency progress.

“The maturity model defines a set of performance benchmarks that correspond to varying levels of proficiency and sophistication in the following functions: visibility into system inventory, log management planning, log collection and data retention. Agencies will measure and report on progress in terms of the percentage of systems that are determined to be operating at each maturity level,” the memo stated.

The maturity model has five elements, each with four levels of maturity:

  • Inventory visibility
  • Collection coverage
  • Collection operations
  • Data retention
  • Log management

OMB has set a series of deadlines of 120 days, 180 days and 320 days for agencies to reach the first three levels of maturity for each category.

When agencies do find a known or suspected cyber compromise, they should continue to provide logs and other relevant data to both CISA and the FBI.

“Agencies shall provide such data in a format and by means agreed upon by the agency and CISA or the FBI as appropriate. To the greatest extent practicable, agencies shall provide access to logs within the timeframes requested by CISA or the FBI,” the memo stated. “In cases in which agency data is subject to relevant statutory, regulatory, or judicial access restrictions, the directors of CISA and the FBI will comply with any processes and procedures required to access such data or work with the agency to develop an appropriate administrative accommodation consistent with any such restrictions, if such an accommodation is legally available.”

Over the years, OMB and CISA tried to make logging less complex and expensive. In 2024, CISA and Microsoft piloted an advanced free logging capability with a handful of agencies and eventually expanded it to all agencies.

CISA also released an “Expanded Cloud Log Implementation Playbook” in coordination with Microsoft in February 2024. The agency said it provides details on “each newly available log and how these logs can be used to support threat hunting and incident-response operations.”

Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
