OMB Updates Cyber Event Logging Requirements for Federal Agencies

Severity: Low (Score: 27.9)

Sources: Federalnewsnetwork, Fedscoop, fedscoop.com, Cyberscoop

Published: 2026-05-26 · Updated: 2026-05-26

Keywords: logging, agencies, white, house, federal, requirements, cybersecurity

Summary

On May 25, 2026, the Office of Management and Budget (OMB) released a new memorandum, M-26-14, revising the cybersecurity event logging requirements for federal agencies. This memo rescinds the previous M-21-31, which aimed to enhance logging capabilities but proved costly and operationally challenging. The new guidelines emphasize a risk-based approach to logging, focusing on continuous event monitoring and threat hunting. Agencies are required to submit updated logging plans within 90 days of the Cybersecurity and Infrastructure Security Agency (CISA) developing a logging reference architecture. The changes aim to improve the efficiency of cybersecurity operations in light of evolving threats. Critics have raised concerns about the potential gaps in security during the transition period. The Government Accountability Office previously noted that many agencies failed to meet the logging maturity benchmarks set by M-21-31.

Key Points:

  • OMB's new memo M-26-14 replaces the previous M-21-31 logging requirements.
  • Agencies must adopt a risk-based approach to logging and submit updated plans within 90 days.
  • Concerns exist about the timing of the transition and potential security gaps during implementation.

Detailed Analysis

**Impact** Federal agencies across the U.S. government are affected by the updated logging requirements, impacting cybersecurity operations nationwide. The rescinded 2021 memo’s broad logging mandates led to high costs and operational challenges, with 20 of 23 agencies failing to meet maturity benchmarks by August 2023. The new approach aims to reduce data retention burdens while maintaining visibility for threat detection and response, potentially affecting incident investigation capabilities during the transition period. The scope includes all federal agencies subject to OMB and CISA oversight, with no specific data breach or compromise reported.

**Technical Details** No specific cyberattack, malware, or CVEs are detailed in the articles. The technical focus is on logging practices, emphasizing continuous event monitoring (CEM) and threat hunting, investigation, response, and forensics (THIRF). The new guidance mandates logs be retained for six months, timestamped via network time protocol, and accessible to agency security operations centers. The transition includes development of a logging reference architecture by CISA within 90 days to guide agencies on prioritized, risk-based logging aligned with evolving threat environments.

**Recommended Response** Agencies should prepare to update their logging plans within 90 days following CISA’s release of the logging reference architecture, focusing on implementing continuous event monitoring and forensic capabilities. Defenders must ensure logs are timestamped accurately, retained for six months, and accessible to SOC teams. Monitoring for the timely publication of CISA’s architecture and subsequent agency plan submissions is critical. No specific patching or detection rules are provided; emphasis is on adapting logging infrastructure and operational processes to the new risk-based model.

Source articles (4)

  • OMB revamps cyber event logging requirements — Federalnewsnetwork · 2026-05-25
    A new memo from OMB rescinds logging requirements and establishes a new set of expectations that “minimizes red tape” and contains cost. Agencies should take a more risk-based approach to logging cybe…
  • White House charts new course for federal agencies and cybersecurity logging — Cyberscoop · 2026-05-26
    The White House has updated rules for federal agencies to keep logs of significant cyber activities in their networks, touting it as a measure to cut back on red tape and focus on how cybersecurity ri…
  • There have been calls — fedscoop.com · 2026-05-26
    When the White House released memorandum M-21-31 in August 2021, it marked a turning point for federal agencies by establishing much-needed baseline logging and data preservation requirements. The mem…
  • OMB swaps Biden-era cyber memo for new prioritized logging tactic — Fedscoop · 2026-05-26
    Federal agencies will shift to a priority and risk-based method of logging cybersecurity events under a Friday memo from the Office of Management and Budget aimed at cutting “red tape” and costs. The…

Timeline

  • 2021-08-01 — M-21-31 released: OMB issued memorandum M-21-31 to establish baseline logging requirements for federal agencies.
  • 2023-12-01 — GAO report on agency compliance: The Government Accountability Office reported that 20 of 23 agencies missed deadlines for logging maturity.
  • 2026-05-25 — M-26-14 released: OMB released a new memorandum that rescinds M-21-31 and introduces a risk-based logging approach.
  • 2026-05-26 — Industry reactions to M-26-14: Experts expressed mixed reactions, highlighting both the potential benefits and risks of the new logging requirements.

Related entities

  • Data Breach (Attack Type)
  • Government (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • Log4j Vulnerability (Vulnerability)