
OMB rescinds M-21-31, shifts federal logging to risk-based model

Agencies get more discretion on what logs to keep, but a 90-day CISA reference architecture and a three-tier compliance ladder arriving on a 120-to-320-day clock suggest the flexibility has limits.


TL;DR

OMB Director Russell Vought's May 22 memo rescinds M-21-31 and replaces its prescriptive logging maturity model with a risk-based framework centered on Continuous Event Monitoring (CEM) and Threat Hunting Investigation, Response and Forensics (THIRF). CISA has 90 days to publish a Logging Reference Architecture (LRA); agencies then have 90 more days to submit an agency logging plan, followed by tiered compliance deadlines of 120, 180, and 320 days for levels one through three. This is the second Trump-era OMB memo rolling back Biden's 2021 cyber executive order requirements. The open question is whether "risk-based" means fewer logs stored or simply more agency paperwork justifying which logs to keep.

Editorial illustration · drawn by The Broadside

M-21-31 was always a blunt instrument. It told agencies to collect and retain broadly, operate against a four-level maturity model, and catch up to a forensics-readiness standard that most civilian agencies couldn't staff or fund. OMB's May 22 memo acknowledges as much: "retention of vast quantities of logging data without clear utility proved neither operationally feasible nor cost-effective for most agencies." That's a fair diagnosis. The follow-through, though, introduces its own ambiguities.

What actually changed

The new framework collapses the Biden-era maturity model into two priority lanes: CEM, which maps to continuous real-time visibility into network and endpoint events, and THIRF, which covers the forensic and hunt-team use cases. CISA, working with OMB and the Chief Information Security Officer (CISO) Council, must publish a Logging Reference Architecture (LRA) within 90 days. That document will define what "meeting CEM and THIRF objectives" actually means in practice. Until it's published, agencies are working against a framework whose technical floor is undefined.

Once the LRA drops, the clock starts: agencies submit a logging plan within 90 days, then hit level-one requirements within 120 days of LRA publication, level two within 180, and level three within 320. For agencies that have been operating under M-21-31 for three-plus years and built tooling around it, the transition isn't zero-cost even if the new baseline turns out to be less demanding.

The deregulatory signal and its limits

This is the second OMB memo explicitly unwinding Biden's 2021 cyber EO. The first, issued January 23, rescinded the software vendor self-attestation requirement tied to that EO. Together they represent a clear policy direction: replace prescriptive mandates with agency-discretion frameworks. The memo's language about "minimizing red tape and containing costs" tracks that posture.

What the memo doesn't do is eliminate federal oversight of agency logging. CISA and the FBI retain on-demand access to logs "in the event of a known or suspected compromise," and agencies must provide data "within the timeframes requested." That clause is worth noting: the incident-response access requirement isn't discretionary, and the obligation to respond to a CISA or FBI request runs to whatever the agencies actually have, not to a defined retention floor. Agencies that exercise their new flexibility to store less may find themselves explaining gaps during the next significant incident.

Practitioner read for contractors and state CISOs

For contractors supporting federal IT systems, the immediate action is to watch for the LRA publication date, which triggers the agency-plan clock. Proposals for logging, security operations, or SIEM work written against M-21-31 controls will need to be re-scoped once the LRA defines the new technical requirements. Bidding against CEM or THIRF as undefined terms before that document lands is a scope risk.

State CISOs running GovRAMP or state-equivalent frameworks that borrowed from M-21-31's maturity model should treat this as a signal, not a mandate. Nothing in the OMB memo binds state agencies. But if CISA's reference architecture lands substantially lighter than M-21-31's logging floors, expect vendors to use it as a benchmark argument in state contract negotiations.

The deeper question the memo defers: does a risk-based approach actually reduce the log data that agencies collect and retain, or does it shift the burden to agencies to document and justify retention decisions that were previously just required? If the LRA specifies detailed criteria for what must be logged under CEM and THIRF, the administrative overhead may not be meaningfully lower than what M-21-31 demanded. CISA's 90-day deadline is the next data point.


Published · Updated · Deep Fathom
