OMB swaps Biden-era cyber memo for new prioritized logging tactic
Federal agencies will shift to a priority and risk-based method of logging cybersecurity events under a Friday memo from the Office of Management and Budget aimed at cutting “red tape” and costs.
The memo from OMB Director Russell Vought rescinds and replaces a previous directive from the Biden administration issued after the 2020 SolarWinds breach that affected both the public and private sectors. While the previous policy “improved foundational capabilities across agencies,” OMB said the amount of data agencies were required to retain was costly and operationally difficult.
In its place, the Trump directive outlines what it calls “a risk-based, prioritized logging approach.”
OMB’s policy comes amid concern about the use of artificial intelligence and automation to fuel cyberattacks. That technology can speed up the process of gaining access to a system and help covertly maintain that access for a long time. It’s also increasingly being used by threat actors, the memo said. Event logging is a “key” aspect of agencies’ ability to mitigate those threats.
“Agencies rely on information from logs to understand activity across their systems, recognize events that require attention, and support the analysis and response actions that protect sensitive data and maintain operations,” OMB said.
Under the policy, agencies are instructed to prioritize two objectives: continuous event monitoring (CEM) and threat hunting, investigation, response and forensics (THIRF). Specifically, CEM refers to capabilities that allow agencies to monitor their networks in real time, and THIRF encompasses each agency’s ability to investigate and analyze network activity.
In the next 90 days, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), in coordination with OMB and the Chief Information Security Officer (CISO) Council, will develop more guidance for agencies. That guidance will be in the form of a logging reference architecture (LRA) that meets the requirements of the memo.
Per the document, the guidance will allow agencies to implement their new priorities while building on their progress under the old memo and providing flexibility for their varying missions.
Agencies, meanwhile, are required to submit their logging plans within 90 days of the LRA’s publication. Those plans will outline each agency’s steps to meet the memo’s baseline requirements and must be periodically updated.
While the 2021 memo helped the government make progress on cybersecurity, many agencies struggled to implement its requirements on time. In August 2023, the Government Accountability Office documented that over a dozen agencies failed to meet the directive’s most basic logging requirements. Those recommendations appear to still be open, per the GAO website.
At the same time, at least one IT leader has argued that continuous logging was a needed next step for agencies to reflect the current threat environment.
Writing for FedScoop in October 2025, Bill Wright, then-head of government affairs for Elastic, suggested that OMB and CISA should require continuous data collection to “defend against modern cyber threats.” He’s now the head of government affairs at Everpure.
“By revising the memo’s language to require agencies to continuously collect and stream all log types in real time to a centralized location, agencies can close the gaps that are inherent in intermittent collection methods and create an unbroken chain of evidence for security events,” Wright wrote.