OMB Issues Updated Federal Cyber Logging Guidance

• OMB has issued updated federal cyber logging guidance focused on CEM and THIRF priorities
• Agencies must submit logging plans after CISA releases new reference architecture
• CISA will publish baseline requirements for centralized logging and threat detection

The Office of Management and Budget has released updated guidance directing agencies to adopt a risk-based logging framework focused on two priorities: continuous event monitoring, or CEM, and threat hunting, investigation, response and forensics, or THIRF.

In a memorandum published Friday, OMB said the latest guidance rescinds a 2021 policy that establishes a maturity model for event log management.

The memo came two months after the Trump administration released its cyber strategy that outlines a governmentwide effort to strengthen national cyber defenses while expanding offensive capabilities to counter foreign threats.

What Cybersecurity Priorities Should Agencies Focus On?

OMB directed agencies to prioritize two logging objectives: CEM and THIRF. Continuous event monitoring requires agencies to maintain logs and logging infrastructure that support real-time monitoring of network activity, rapid detection of anomalous behavior and timely incident response through security operations centers.

THIRF focuses on post-compromise analysis and recovery efforts. OMB said agencies must maintain sufficient hot and cold storage capabilities and ensure they can retrieve and centralize logs from multiple sources to identify attack patterns. The requirements apply to all federal information systems, including Internet of Things devices and operational technology environments.

What Is the Agency Logging Plan?

The memorandum directs agencies to submit an agency logging plan to OMB and the Cybersecurity and Infrastructure Security Agency within 90 days after CISA publishes the new Logging Reference Architecture, or LRA.

OMB said the plan must describe the operational steps agencies will take to deploy and maintain CEM and THIRF capabilities. Agencies also must outline actions required to meet minimum logging baseline requirements, describe additional logging activities tied to mission needs and threat environments, and explain how they will address agency-specific risk profiles.

According to OMB, agencies should align implementation plans with guidance in the LRA and periodically update the plans as needed.

What Are the Base Requirements for the Logging Reference Architecture?

OMB said CISA, in coordination with OMB and the Chief Information Security Officer Council, must publish the LRA within 90 days.

The guidance must address several baseline requirements, including:

• Prioritization guidance for CEM and THIRF activities
• Alignment with CISA’s Zero Trust Maturity Model
• Options for centralized or hybrid log management architectures
• Protections against the collection or exposure of sensitive data
• Logging guidance for IoT and operational technology systems
• Use of artificial intelligence technologies to enhance logging capabilities
• Self-assessment guidance for agencies evaluating logging maturity
• Recommendations for data retention practices beyond minimum requirements
• Annual reassessment of the architecture to address emerging technologies and threats

What Are the Agency Implementation Deadlines?

OMB established phased implementation deadlines associated with the release of the LRA.

Under the schedule, agencies must:

• Complete an initial Agency Logging Plan within 90 days of the architecture’s release
• Achieve Basic Level 1 maturity within 120 days
• Achieve Intermediate Level 2 maturity within 180 days
• Achieve Advanced Level 3 maturity within 320 days

The memorandum also establishes ongoing update requirements whenever CISA revises the LRA.