The updated policy shifts federal agencies toward a risk-based cybersecurity logging strategy focused on real-time threat detection, digital forensics, and more targeted data retention requirements.

Federal agencies will be required to adopt a new phased cybersecurity logging framework under updated White House guidance that rewrites government standards for log retention, network monitoring, and digital forensics. 

Under a new memo from the Office of Management and Budget (OMB), the White House rescinded a 2021 memo that outlined how agencies should log cyber incidents and replaced it with a new directive ordering agencies to use a risk-based, prioritized logging approach.  

According to OMB, the Biden-era memo “improved foundational capabilities across agencies,” but had overly burdensome requirements, such as requiring agencies to retain “vast quantities of logging data without clear utility.” 

The new memo, released May 22, directs agencies to work within an “adaptive framework” to monitor their networks while minimizing red tape and costs. That framework prioritizes continuous event monitoring logs and threat hunting, investigation, response, and forensics logs. 

The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for developing a new government-wide framework within 90 days to help federal agencies improve real-time cyber monitoring and digital forensics, according to the memo.  

Beyond prioritizing real-time network monitoring and cyber forensics for high-value and high-impact systems, CISA’s framework will encourage agencies to centralize log visibility through top-level security operations centers. It will also expand monitoring to internet-connected devices and operational technology systems.  

The framework will also include guidance on protecting sensitive log data, using artificial intelligence to improve threat detection and response, conducting self-assessments, and extending data retention practices. 

Agencies will have 90 days to submit detailed logging implementation plans to CISA and OMB outlining how they will strengthen real-time cyber monitoring, threat investigation, and forensic capabilities based on government-wide security guidance and their own risk environments. 

After those plans are submitted, agencies must reach basic monitoring and logging maturity standards within 120 days, meet intermediate standards within 180 days, and achieve advanced capabilities within 320 days, OMB said. 

Hemant Baidwan, chief information security officer (CISO) at Knox Systems and former CISO at the Department of Homeland Security, called the update a “practical reset” and “something the agency CISOs have been asking for a while.” 

“[The memo] … moves the conversation from logging as a checklist to logging as an operational capability,” Baidwan said in comments shared with MeriTalk. “The focus is on continuous monitoring, threat hunting, investigations, response, and forensics. That is the work that actually matters.” 

Baidwan said the memo means that CISOs should build the agency logging plan around mission risk, prove the security operations center can use the logs for continuous monitoring, threat hunting, investigation, response, and forensics, and create a retention and access model that is usable and cost-effective.

“This should not be viewed as a reason to do less. It is a reason to do logging smarter,” Baidwan added. 

Weslan Hansen
Weslan Hansen is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.