New Memo Replaces SolarWinds-Era Rules With Risk-Based Model
On May 26, 2026, a significant shift in federal cybersecurity policy was announced, as the Trump administration moved to repeal the logging requirements implemented during the Biden administration. This decision, aimed at adopting a more targeted risk-based model for cybersecurity, was formalized through a new memorandum released by the Office of Management and Budget (OMB). This substantial policy change follows the earlier federal logging mandates, which were established in response to the infamous SolarWinds cyber breach.
The 2021 directive had called for stringent logging retention and visibility requirements, designed to bolster the government’s ability to track and respond to cyber threats. However, OMB Director Russell Vought criticized these earlier measures as overly aggressive and ineffective. According to Vought, the previous regulations imposed financial burdens and operational impracticalities on many federal agencies. He pointed out that the logging requirements often resulted in massive collections of data that ultimately offered little in terms of actionable defensive value. As a result, the memo now emphasizes a streamlined approach to event monitoring, focusing on two principal objectives: continuous event monitoring and thorough post-compromise threat hunting, investigation, and forensics.
The newly introduced framework comes amid rapidly evolving cybersecurity threats, including the increasing use of automation and artificial intelligence (AI) by cyber adversaries. These technologies allow malicious actors to accelerate their attacks and move laterally across systems at unprecedented speeds, often outpacing traditional detection methods. In light of these risks, the updated policy directs federal agencies to invest in faster detection and to develop robust response mechanisms. Agencies will also need to retain enough logging data to reconstruct incidents and carry out forensic investigations when a compromise is discovered.
In addition to addressing traditional information technology (IT) systems, the new policy expands its scope to encompass Internet of Things (IoT) devices and operational technology (OT) environments. Agencies, as well as their contractors, will be required to implement these guidelines rigorously. Notably, the Cybersecurity and Infrastructure Security Agency (CISA), in cooperation with OMB and the federal Chief Information Security Officer (CISO) council, will have a pivotal role in developing a comprehensive government-wide "logging reference architecture." This initiative is expected to be accomplished within 90 days following the establishment of baseline implementation guidance for all federal agencies.
The forthcoming logging reference architecture is anticipated to align closely with current federal zero trust modernization efforts. According to the memorandum, it will provide detailed instructions on centralized log visibility, the integration of AI-assisted monitoring capabilities, logging methodologies for operational technology, and crucial strategies to protect sensitive information stored within log files.
The timeline set forth in the memo outlines clear expectations for agencies to reach various levels of logging maturity. Agencies are expected to achieve baseline logging maturity within 120 days following the release of the reference architecture. Subsequently, they must work toward intermediate maturity within 180 days and aim for advanced maturity within a total of 320 days.
Moreover, several of the data retention expectations have been revised to create a more manageable set of standards compared to the previous administration’s framework. Under the new guidelines, agencies are required to keep logs in a searchable format for six months and ensure that they are retrievable for up to one year. This streamlined approach aims to balance the need for effective cybersecurity measures with operational realities, ultimately enhancing the overall efficiency of agency operations.
In conclusion, this new memorandum signals a pivotal transition in how federal cybersecurity practices will be structured moving forward. By shifting focus from broad logging mandates to a more tailored risk-based approach, the Trump administration seeks to enhance agility and efficacy in the U.S. government’s cybersecurity framework. As threats continue to evolve, agencies will be challenged to adapt quickly, adopting new technologies while maintaining robust defenses against potential vulnerabilities.
