OMB rescinds Biden logging directive, shifts agencies to risk-based framework
The first major rollback of the post-SolarWinds logging posture trades prescriptive retention mandates for a continuous-monitoring priority, and leaves minimum retention floors to CISA guidance that doesn't exist yet.
TL;DR
OMB Director Russell Vought rescinded the Biden-era logging memo Friday, replacing it with a risk-based directive that prioritizes continuous event monitoring (CEM) and threat hunting, investigation, response, and forensics (THIRF) over comprehensive log retention. Federal agencies must submit logging compliance plans within 90 days of CISA publishing a logging reference architecture (LRA), which itself is due within 90 days. That's two sequential deadlines before agencies know what minimum retention periods or tool requirements they'll actually face. A 2023 GAO review found more than a dozen agencies couldn't meet the basic requirements of the directive now being replaced; those recommendations remain open.

The Biden-era logging memo, issued in response to the 2020 SolarWinds breach, set prescriptive retention requirements that OMB now describes as costly and operationally burdensome. Friday's replacement memo from OMB Director Russell Vought keeps the threat-hunting focus (agencies are still required to build toward real-time network visibility and forensic response capability) but strips out the mandatory retention floors and swaps them for agency-specific risk assessments.
The two named priorities, CEM and THIRF, track closely with what the previous directive was building toward in practice. CEM covers real-time network monitoring; THIRF covers investigation, analysis, and forensic response. The memo frames both as essential counters to AI-accelerated threats, noting that adversaries are increasingly using automation to speed initial access and extend dwell time covertly. That context is load-bearing: the policy justifies loosening retention mandates partly by pointing to a threat environment that makes detection speed more valuable than log depth.
What practitioners actually face
The operational sequencing matters here. CISA, in coordination with OMB and the CISO Council, has 90 days to publish the LRA. Agencies then have 90 days from LRA publication to submit their logging plans. That means the earliest any agency submits a plan is roughly six months out, and the LRA (which will define what "baseline requirements" actually mean in practice) does not yet exist. Whether it will specify minimum retention periods, approved tooling, or architecture standards is unresolved. Until CISA publishes, agencies are working from the memo's framework language without the implementation detail underneath it.
The GAO finding from August 2023 is relevant context: more than a dozen agencies failed to meet the most basic requirements of the directive now being rescinded, and those recommendations remain open per the GAO website. The new memo's flexibility framing may ease some of that compliance pressure, or it may simply shift where the gap shows up. If agencies that couldn't meet prescriptive retention requirements also can't build continuous monitoring infrastructure, the detection posture question doesn't go away; it just becomes harder to measure against a risk-based standard than against a defined floor.
What state CISOs and contractors watch
The memo's direct authority runs to federal civilian executive branch agencies, but state and local governments operating under federal grant conditions and contractors handling federal data will track the LRA closely. CISA's reference architecture historically shapes procurement language and FedRAMP-adjacent expectations. Contractors with existing logging investments built around the 2021 directive's retention tiers should treat the 90-day LRA window as a planning horizon, not a signal to stand down.
Deep Fathom