Agencies will soon have new requirements for logging cybersecurity data to better secure their systems and applications against ever-increasing threats.
The Office of Management and Budget’s new memo outlining these changes is one of several ways the Trump administration is recalibrating cyber defenses as the threat of artificial intelligence-fueled cyber attacks increases.
Acting Federal Chief Information Security Officer Mike Duffy wrote on LinkedIn that the new policy “focuses agencies on what matters most: continuous visibility, rapid detection, effective threat hunting and actionable response capabilities.”
And given the recent discovery by Claude’s Mythos of thousands of zero-day vulnerabilities in systems, flaws that were previously known or not addressed, agencies and industry are being forced to figure out how best to strengthen their partnership against these AI-fueled attacks.
Nick Andersen, the acting director of the Cybersecurity and Infrastructure Security Agency, said he has deep concerns specifically about one type of technology when it comes to cybersecurity vulnerabilities.
“The open source community is one that I’m particularly worried about when we start to think about the rapid escalation of vulnerability discovery. But it is going to result in us having to make some really, really hard decisions on the level of investment that’s going to be required,” Andersen said on May 21 at the Cyber Innovation Summit sponsored by the National Security Institute at George Mason University’s Antonin Scalia Law School. “I think there’s tremendous opportunity here to re-architect areas where we know that they’ve been lacking, to make investments in areas where we know that we’ve been lacking, and to just force some hard security decisions to be made in a way where people thought that their risk profile was different than what it is. When we see the escalation in terms of speed, scale and velocity of vulnerability discovery to weaponization and exploitation, that’s something that a month and a half ago, everybody around here started talking about.”
Andersen said agencies still face an uphill climb to get out from under their technical debt that includes many of these vulnerabilities.
“What is it that we’re going to try to be able to do to modify our approach to vulnerability management, modify our approach to coordinated vulnerability disclosure and modify our approach to remediation, with the explicit understanding that we’re just not going to be able to keep up using traditional mechanisms with the load that we’re going to see for vulnerability discovery moving forward,” Andersen said.
Some of those changes that Andersen is talking about are at the center of OMB’s new data logging policy.
Duffy wrote, “Cybersecurity success is not measured by how much data we collect, but by how effectively we can detect, understand and respond to adversary activity.”
This is why OMB is emphasizing that agencies collect data that supports continuous event monitoring (CEM) and threat hunting, investigation, response and forensics (THIRF).
“Threat actors have increasingly used automation and artificial intelligence to accelerate attacks against critical systems. These enhanced capabilities can help threat actors rapidly gain unauthorized access to a system, move from that system to others, and maintain their illicit access undetected over a substantial period of time,” OMB wrote in the memo. “To mitigate the risk posed by these intensifying digital threats, agencies need the ability to rapidly detect, respond to and analyze anomalous activity on their networks.”
Andersen said the velocity, volume and veracity of threats only reinforce the need to deepen partnerships across the government and with industry.
He said a recent incident involving Cloudflare is a good example of where public-private sector partnerships need to go. The company shared with CISA what happened during a recent outage. He said Cloudflare was open and communicative while it was occurring and afterwards.
“Then they were willing to come in and talk about a playbook for the future on how they thought people could learn from their best practices from engaging during that incident, and that was just related to an outage,” Andersen said. “As we are building on those playbooks for the future, we start to look at maliciously derived incidents and that is going to be very important to the work that is going to be taken on over the long term.”
CISA, Army partnership
Another long-term partnership that CISA is pursuing is with the Army and local communities that host military bases.
In fact, earlier in May, CISA, the Army, the Federal Communications Commission and others met with local leaders at Fort Bragg in North Carolina to figure out how to ensure military bases are more resilient against cyber attacks.
This is part of an ongoing effort by CISA to focus on the resiliency of critical infrastructure providers through an intergovernmental approach called the homeland defense working group.
As a part of the Defense Critical Infrastructure Program (DCI), Andersen said the government is changing its approach to critical infrastructure provider protections.
“Where I think we have failed in the past with initiatives of how we took on things like section nine designations for companies that we thought were critically important was we would take an entity level view, we would just say ‘Company X, you are very important, here’s your letter saying that you’re very important, best of luck. Maybe we’ve got some opportunities to collaborate with you going into the future,’” he said. “Where we’re trying to get to now is saying there’s a specific function that is critically important, in this case for defense critical infrastructure, and a specific function that needs to be delivered. How can we set real resilience targets associated with that?”
Andersen added the end goal of this interagency team is to “achieve a higher level of resilience for defense critical infrastructure,” ensure owners and operators have a path to ease recovery and establish resilience metrics.
The DCI is part of how CISA, and the government more broadly, is trying to partner at scale. Andersen said this creates a unified effort that can lead to a good-quality understanding of what the real threat and risk landscape is, what problems everyone is trying to solve, and how the government can provide resources in a coordinated way.
Andersen said this intergovernmental approach is starting to come together to make the relationships with critical infrastructure providers more seamless.
“When we start to look at some of our partnership elements, we’re deliberatively working right now to prioritize critical infrastructure owner operator entities that we can get to first. And again, this is all months ago that we started kicking all this stuff off. So, this is not in direct response to any of the things we’ve been talking about recently,” he said. “To develop an intergovernmental approach to a homeland defense working group, we need to look at a good blue space view of what is it that’s most significantly important to us. We started to look at public health and safety, national security and defense critical infrastructure, and continuity of the economy. Then taking a good red space view of looking back at our intelligence holdings from the last several years and saying, this is our view of what we think is important, here’s what the adversary thinks is important, where we’ve actually seen them pre-position [attacks], where we see it in their activity, where are we seeing them landing on the infrastructure that they believe is going to be most significant for achieving their objectives. Then looking at that overlap and saying, now how do we go engage with joint action plans with those companies directly, and some of those are technology companies, some of those are critical infrastructure owner operators.”
© 2026 Federal News Network. All rights reserved.
