OMB swaps Biden-era cyber memo for new prioritized logging tactic
https://fedscoop.com/omb-swaps-biden-era-cyber-memo-prioritized-logging-tactic/
Publish Date: 2026-05-26 13:51:00
Source Domain: fedscoop.com
Federal agencies will shift to a priority and risk-based method of logging cybersecurity events under a Friday memo from the Office of Management and Budget aimed at cutting “red tape” and costs.
The memo from OMB Director Russell Vought rescinds and replaces a previous directive from the Biden administration issued after the 2020 SolarWinds breach that affected both the public and private sectors. While the previous policy “improved foundational capabilities across agencies,” OMB said the amount of data agencies were required to retain was costly and operationally difficult.
In its place, the Trump directive outlines “a risk-based, prioritized logging approach.”
OMB’s policy comes amid concern about the use of artificial intelligence and automation to fuel cyberattacks. That technology can speed up the process of gaining access to a system and help covertly maintain that access for a long time. It’s also increasingly being used by threat actors, the memo said. Event logging is a “key” aspect of agencies’ ability to mitigate those threats.
“Agencies rely on information from logs to understand activity across their systems, recognize events that require attention, and support the analysis and response actions that protect sensitive data and maintain operations,” OMB said.
Under the policy, agencies are instructed to prioritize two objectives: continuous event monitoring (CEM) and threat hunting, investigation, response and forensics (THIRF). Specifically, CEM refers to capabilities that allow agencies to monitor their networks in real time, and THIRF encompasses each agency’s ability to investigate and analyze network activity.
In the next 90 days, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), in coordination with OMB and the Chief Information Security Officer (CISO) Council, will develop more guidance for agencies. That guidance will be in…