Skip to main content
Compliance

White House Overhauls Federal Cybersecurity Logging Rules

Government officials gather in a well-lit conference room with a laptop and notes on the table, surrounded by modern and…

“Implementation of that memorandum improved foundational capabilities across agencies,” the Office of Management and Budget wrote, as it announced a new set of federal logging rules intended to pare back requirements it calls infeasible and redirect agency effort to current operational priorities.

OMB replaces M-21-31 with M-26-14 and reframes federal logging

The Office of Management and Budget released a new memorandum, M-26-14, that replaces the 2021 memo M-21-31. The White House described the update as an effort to cut red tape and align logging requirements with how cybersecurity risks have evolved. The release “continues revisions that President Donald Trump has made to federal cybersecurity guidance under his predecessor,” the memorandum says.

The OMB memo credits M-21-31 with improving foundational capabilities but says some earlier requirements were impractical: “However, some requirements, such as the retention of vast quantities of logging data without clear utility, proved neither operationally feasible nor cost‑effective for most agencies.” To remedy that, the updated guidance directs agencies to “employ a risk‑based, prioritized logging approach.”

CISA must produce a logging reference architecture within 90 days

M-26-14 assigns a concrete, time‑bound task to the Cybersecurity and Infrastructure Security Agency (CISA): deliver a “logging reference architecture” within 90 days. The architecture must prioritize the objectives of conducting continuous event monitoring and “enabling investigations of forensic analysis after a known or suspected compromise,” the memo states.

After CISA issues that architecture, agencies will have another 90 days to submit logging plans that adhere to the new principles. The memorandum therefore structures implementation as a two‑step sequence: CISA guidance first, agency plans second.

New progress measurement and watchdog findings

M-26-14 also establishes a new model for measuring agency progress in implementation. That change follows findings from multiple government watchdogs, which concluded that agencies were not meeting the benchmarks set by the prior memo. The updated maturity model is presented in the memo as a way to sharpen focus on real‑time detection and post‑incident investigation and recovery.

Industry praise and timing concerns from policy experts

Reaction to the memorandum in CyberScoop’s reporting split along predictable lines. John Harmon, regional vice president of cyber solutions at Elastic, told CyberScoop the new memo “sharpens focus on real‑time threat detection and the ability to investigate and recover after a cyber attack.” Harmon added that the guidance “gives agencies the flexibility to build logging architectures that fit their specific mission,” and he praised the memo’s recognition of artificial intelligence risks to cybersecurity and the revised maturity model.

By contrast, Nick Leiserson, senior vice president for policy at the Institute for Security and Technology think tank — who “served in the Biden administration’s Office of the National Cyber Director,” the story notes — warned that the timing of the replacement could have harmful operational consequences. Leiserson told CyberScoop that rescinding M‑21‑31 before the new directives are in place “will give agencies a reason not to budget and prioritize logging for a period of time that adds up to six months or more.” He added, “Moving from that to nothing is not ideal, and that’s essentially what this is doing.”

Leiserson also questioned the decision to separate the rescission from the new guidance: “This is saying ‘We’re rescinding 21‑31 right now’ You won’t have any new guidance for at least 90 days, when CISA publishes this logging reference architecture, and it’s not clear to me why you would disaggregate that and not have the two of those things come out at the same time.” The story also notes that there have been calls to update the 2021 memo, and that “one observer praised the new version to CyberScoop.”

What this means for agencies, CISA, and security vendors

  • Agencies: They will need to prepare and submit logging plans within 90 days after CISA publishes the reference architecture; however, critics warn the immediate rescission of the older memo could create a budgeting and prioritization gap that lasts “up to six months or more.”
  • CISA: The agency must produce the logging reference architecture in 90 days and shape the priorities for continuous event monitoring and forensic readiness that agencies will be expected to adopt.
  • Security vendors and practitioners (represented here by Elastic): Some welcomed the flexibility and the memo’s inclusion of artificial intelligence risk as part of the revised maturity model, seeing the update as a refocusing of federal effort toward real‑time detection and post‑incident investigation.

The practical test of M‑26‑14 will arrive on a fixed clock: CISA’s 90‑day deadline to publish a logging reference architecture and the subsequent 90‑day window for agencies to submit plans. That schedule is precisely the point of contention: backers call it a recalibration toward operational priorities, while critics warn the interim could become a budgeting and capability gap lasting months. The next tangible milestone is therefore CISA’s publication — and the pace at which agencies follow with compliant, risk‑based logging plans.

Original CyberScoop story