IndustrialCyber

OMB cyber directive pushes centralized logging, AI-driven detection to counter cyber threats across IoT and OT systems


The U.S. White House, through its Office of Management and Budget, issued a new federal cybersecurity directive ordering agencies to adopt a risk-based logging and network visibility strategy to defend against increasingly automated cyber threats. The memo rescinds the Biden-era M-21-31 logging mandate and replaces it with a more flexible framework focused on CEM (continuous event monitoring) and threat hunting, investigation, response, and forensics (THIRF) capabilities across federal systems, including IoT and OT (operational technology) environments.

In Memorandum M-26-14, released May 22, OMB warned that hackers are using automation and AI (artificial intelligence) to accelerate attacks against critical systems, enabling faster unauthorized access, lateral movement across networks, and prolonged undetected persistence. Under the directive, the CISA (Cybersecurity and Infrastructure Security Agency) will develop a new Logging Reference Architecture within 90 days to guide agencies in implementing centralized visibility, log management, and AI-enhanced detection capabilities aligned with federal zero trust objectives. 

Agencies will be required to submit detailed logging plans and progressively meet new maturity benchmarks covering inventory visibility, data retention, alert generation, and log management. The memorandum also establishes minimum retention requirements, requiring searchable logs for six months and retrievable records for one year, while emphasizing the use of automated alerts, anomaly detection, and monitoring of IT, OT, and IoT infrastructure to improve cyber defense and incident response readiness.

Referring to M-21-31, which aimed to raise logging baselines and enhance agencies’ knowledge of events occurring in their systems, Russell Vought, director of the OMB, wrote in the memo that “Implementation of that memorandum improved foundational capabilities across agencies. However, some requirements, such as the retention of vast quantities of logging data without clear utility, proved neither operationally feasible nor cost-effective for most agencies.”

He added, “To address these inefficiencies and the evolving cyber threat environment, this memorandum directs agencies to employ a risk-based, prioritized logging approach.”

Moreover, agencies will operate within an adaptive framework designed to improve network monitoring efficiency while reducing red tape and controlling costs.

The memo directs agencies to prioritize two core objectives in their logging activities: CEM and THIRF. Agencies are required to maintain logging infrastructure capable of monitoring network activity in real time, rapidly detecting anomalous behavior, and enabling timely response through security operations centers. The framework also requires agencies to retain and centralize logging data to support forensic investigations and post-compromise analysis, including the ability to map attack patterns, mitigate intrusions, and recover from threat actor activity.

The requirements apply across federal information systems operated directly by agencies or by third parties on their behalf, including IoT and OT environments. Agencies must also maintain sufficient hot and cold storage capabilities to retrieve and analyze logging data from multiple sources as part of broader cyber defense and incident response efforts.
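The retention minimums and the hot/cold storage requirement described above translate directly into a tiering check that an agency can run against its own per-system settings and against the maturity model's "percentage of systems" reporting style. The following Python is an added example, not code from the memo, OMB, CISA, or IndustrialCyber; it assumes that "six months" is 180 days and "one year" is 365 days, and the system names, policy values, and event dates in it are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Minimums the article reports for M-26-14: logs searchable for six months
# and retrievable for one year. Expressing them as 180 and 365 days is this
# example's assumption, not a figure taken from the memo.
SEARCHABLE_MIN_DAYS = 180
RETRIEVABLE_MIN_DAYS = 365


@dataclass(frozen=True)
class RetentionPolicy:
    """Hypothetical per-system retention settings (field names are this example's)."""
    system: str
    hot_days: int    # age up to which an event stays in searchable (hot) storage
    cold_days: int   # age up to which an event remains retrievable from cold storage


def policy_gaps(policy: RetentionPolicy) -> list[str]:
    """Return the ways a policy falls short of the minimum baseline (empty list = compliant)."""
    gaps = []
    if policy.hot_days < SEARCHABLE_MIN_DAYS:
        gaps.append(f"searchable tier {policy.hot_days}d < {SEARCHABLE_MIN_DAYS}d minimum")
    if policy.cold_days < RETRIEVABLE_MIN_DAYS:
        gaps.append(f"retrievable tier {policy.cold_days}d < {RETRIEVABLE_MIN_DAYS}d minimum")
    if policy.cold_days < policy.hot_days:
        # Cold retention is counted from event time, so it must at least cover the hot window.
        gaps.append("retrievable tier ends before searchable tier")
    return gaps


def tier_for(event_day: date, policy: RetentionPolicy, today: date) -> str:
    """Classify an event by age: 'hot', 'cold', or 'expired' (eligible for deletion)."""
    age = (today - event_day).days
    if age < 0:
        raise ValueError(f"event dated in the future: {event_day}")
    if age <= policy.hot_days:
        return "hot"
    if age <= policy.cold_days:
        return "cold"
    return "expired"


def tier_report(events, policy: RetentionPolicy, today: date) -> dict[str, int]:
    """Count how many events belong in each storage tier under the given policy."""
    counts = {"hot": 0, "cold": 0, "expired": 0}
    for event_day in events:
        counts[tier_for(event_day, policy, today)] += 1
    return counts


def baseline_compliance_pct(policies) -> float:
    """Percentage of systems whose policy meets the minimum baseline, maturity-report style."""
    if not policies:
        return 0.0
    compliant = sum(1 for p in policies if not policy_gaps(p))
    return round(100.0 * compliant / len(policies), 1)


# Constructed sample data: four hypothetical systems and a handful of event dates.
TODAY = date(2026, 6, 1)
SAMPLE_POLICIES = [
    RetentionPolicy("hr-portal", hot_days=180, cold_days=365),
    RetentionPolicy("plc-gateway", hot_days=30, cold_days=365),     # hot tier too short
    RetentionPolicy("badge-readers", hot_days=180, cold_days=90),   # cold tier too short
    RetentionPolicy("scada-historian", hot_days=365, cold_days=730),
]
SAMPLE_EVENTS = [TODAY - timedelta(days=age) for age in (0, 100, 200, 400)]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        gaps = policy_gaps(p)
        print(f"{p.system}: {'OK' if not gaps else '; '.join(gaps)}")
    print("tiers for hr-portal:", tier_report(SAMPLE_EVENTS, SAMPLE_POLICIES[0], TODAY))
    print("systems meeting baseline:", baseline_compliance_pct(SAMPLE_POLICIES), "%")
```

The third check in `policy_gaps` catches a configuration that is easy to get wrong in practice: a cold tier that expires before the hot tier, which would silently delete records that are still supposed to be searchable. Systems that lack native logging, which the memo calls out for IoT and OT, would still need a policy entry here, typically describing where a gateway or collector stores their events on their behalf.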

Vought stated that within 90 days of the date of the memorandum, CISA, in coordination with OMB and the Chief Information Security Officer (CISO) Council, will develop a logging reference architecture (LRA) that satisfies the requirements in the memorandum and assists agencies in meeting CEM and THIRF objectives.

“The LRA will serve as a core source of guidance for agencies on how to implement their CEM and THIRF logging capabilities, allowing them to build upon their progress under M-21-31 while affording them greater flexibility to accommodate their disparate mission requirements and associated cybersecurity risks,” he added. “Agencies must adhere to the reference architecture by the timelines outlined in the ‘agency actions’ section of this memorandum.”

The Logging Reference Architecture will provide federal agencies with guidance for prioritizing continuous event monitoring and threat-hunting, investigation, response, and forensics capabilities, with a particular focus on High Value Assets and High Impact Systems. The framework is intended to help agencies determine the most effective approach for achieving cybersecurity objectives based on their individual mission requirements and risk environments.

The architecture will align with CISA’s Zero Trust Maturity Model and support risk-based decision-making tied to visibility and analytics across all five Zero Trust pillars. It will also provide agencies with options for centralized or hybrid logging deployments, ensuring centralized visibility through agency security operations centers while supporting continuous monitoring and forensic analysis.

In addition, the framework will include safeguards to reduce the risk of exposing sensitive data through log collection and will provide guidance on protecting the confidentiality and integrity of logging information. It will also address logging requirements for IoT and OT environments, including systems that lack native logging capabilities.

The memorandum further states that the architecture will examine how AI can enhance monitoring and forensic capabilities in line with government-wide AI guidance. Agencies will also receive guidance on conducting self-assessments of logging maturity and cybersecurity readiness, while the framework will include recommendations for data retention practices that go beyond minimum federal requirements. CISA will review and update the architecture at least annually to reflect emerging technologies, evolving cyber threats, and changes in strategy and policy.

Agencies must submit an Agency Logging Plan to OMB and CISA within 90 days of the publication of the LRA. This plan must describe the operational steps required for the agency to deploy and maintain capabilities that achieve its CEM and THIRF objectives.

The plan will document the series of actions that will be taken to achieve the minimum baseline requirements defined in the memorandum, as well as any additional log collection and related activities that will be conducted to achieve CEM and THIRF objectives, with consideration given to the agency’s threat environment, risk profile, and mission, as guided by the CISA Logging Reference Architecture. Each agency should periodically update its plan as necessary.

Vought detailed that the memorandum establishes a revised maturity model to guide and measure agency implementation of logging requirements. “The maturity model defines a set of performance benchmarks that correspond to varying levels of proficiency and sophistication in the following functions: visibility into system inventory, log management planning, log collection, and data retention. Agencies will measure and report on progress in terms of the percentage of systems that are determined to be operating at each maturity level.”

“In the event of a known or suspected compromise of one or more Federal networks, agencies shall provide logs and other relevant data to CISA and the Federal Bureau of Investigation (FBI) upon request, to the extent consistent with applicable law, to assist in incident response, investigation, and remediation,” Vought wrote in the memo. “Agencies shall provide such data in a format and by means agreed upon by the agency and CISA or the FBI as appropriate.” 

He added that, to the greatest extent practicable, agencies shall provide access to logs within the timeframes requested by CISA or the FBI. “In cases in which agency data is subject to relevant statutory, regulatory, or judicial access restrictions, the Directors of CISA and the FBI will comply with any processes and procedures required to access such data or work with the agency to develop an appropriate administrative accommodation consistent with any such restrictions, if such an accommodation is legally available.”

Earlier this month, international cybersecurity partners published guidance on the secure adoption of agentic artificial intelligence (agentic AI), outlining cybersecurity risks linked to deploying these systems. The document comes as critical infrastructure and defense sectors increasingly adopt agentic AI to support mission-critical operations and drive automation. As agentic AI systems play a growing operational role, defenders must implement security controls to protect national security and critical infrastructure from agentic AI-specific risks.
