On May 22, the Office of Management and Budget (OMB) rescinded M-21-31, the SolarWinds-era logging directive that had governed federal civilian event logging for nearly five years and replaced it with M-26-14, Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats. The new memo is shorter, sharper and substantially more honest about the operational realities of federal cyber risk and defense posture. It also imposes a compressed implementation timeline that begins the moment Cybersecurity and Infrastructure Security Agency (CISA) publishes its forthcoming Logging Reference Architecture, expected by late August.
If you lead a federal Security Operations Center (SOC), sit on an agency Chief Information Officers (CIO) Council working group or manage a cybersecurity vendor portfolio in this market, this one matters. Here is what changed, what it means and what federal agencies should be doing right now.
TL;DR: M-26-14 replaces the prescriptive logging requirements of M-21-31 with an outcome-based model focused on operational effectiveness, reducing retention costs while raising the bar for visibility, coverage and detection maturity.
- Agencies must prove they can answer key investigative and detection questions, not simply collect specific log types
- Retention requirements drop by roughly 60%, but agencies must demonstrate strong asset visibility, coverage and alerting maturity
- Agencies have an accelerated timeline to meet new maturity requirements, with asset inventory, IoT/OT visibility and Zero Trust integration becoming critical success factors
The Drafters Said the Quiet Part Out Loud
M-21-31 (rescinded) set out to fix a real problem. After SolarWinds, the federal government discovered, painfully, that it lacked the logging visibility to reconstruct what threat actors had done inside its networks. M-21-31 responded with a prescriptive, ambitious mandate: forty-plus pages of required log categories, twelve months of active storage plus eighteen months of cold storage and a four-tier maturity model that pushed agencies toward comprehensive event logging across virtually every system they owned.
The intent was sound. The execution proved difficult. Most agencies never reached the highest maturity tier. Storage costs ballooned. Some required log types had little operational value but consumed substantial budgets. And the prescriptive nature of the Appendix C catalog made it hard to adapt as technology evolved.
M-26-14 acknowledges this directly. In a sentence that should be framed and hung in every federal SOC, the new memo states that some M-21-31 requirements, particularly the retention of vast quantities of logging data without clear utility, “proved neither operationally feasible nor cost-effective for most agencies.” That admission shapes everything that follows.
From Prescription to Outcome
The single most important change in M-26-14 is a shift in philosophy. Rather than prescribing what to log, the memorandum focuses on what questions logging must be able to answer. While M-21-31 enumerated dozens of specific log categories with assigned criticality levels, M-26-14 centers on eleven activity-based outcomes that logging programs must support:
- Identifying the user behind an action
- Mapping source and destination network traffic
- Tracking object and data access
- Detecting privilege changes
- Identifying infrastructure changes
- Monitoring for suspicious activity
- Hunting for indicators of compromise
- Hunting for anomalies
- Quantifying data affected during incidents
- Tracing attack vectors
- Generating automated alerts for all of the above
That list is technology-agnostic. It works across on-prem, cloud, container, Internet of Things (IoT) and Operational Technology (OT) environments. It does not lock agencies into specific log formats or vendor-specific telemetry. It forces a different kind of conversation between security teams and their tooling: not “are we collecting the right log types?” but “can we actually answer these questions when something goes wrong?”
The memo organizes everything under two operational objectives:
- Continuous Event Monitoring (CEM) – the real-time activities performed by the SOC to detect and respond to threats as they occur
- Threat Hunting, Investigation, Response and Forensics (THIRF) – the activities required to proactively hunt for threats, investigate incidents, reconstruct events and support forensic analysis
The retention model follows from those objectives directly. Agencies must maintain six months of searchable data to support active monitoring and hunting and twelve months of retrievable data to support investigation and forensic reconstruction.
This distinction is important. “Searchable” data must be immediately available for analysis and cyber defense activities. “Retrievable” data may reside in lower-cost storage but must remain accessible through processes such as thawing, rehydration or replay when deeper investigation is required.
For most agencies, that is roughly a 60 percent reduction in retention obligations. The storage bill just dropped.
The New Maturity Model Measures Coverage, Not Just Categories
M-21-31 measured maturity by whether you had collected the right log types. M-26-14 measures by the percentage of your environment that is actually under coverage and at what quality.
There are five core capabilities: Inventory Visibility, Collection Coverage, Collection Operations, Data Retention and Log Management. Each is scored across five maturity levels, ranging from Ineffective (0) to Optimal (4). Perhaps the most important aspect of the model is how maturity is measured. Overall maturity is determined by an agency’s lowest watermark across the elements. An agency may excel in log retention and monitoring, but score Initial overall if its asset inventory is at 60 percent. That detail will reshape how agencies prioritize investment.
The thresholds at each level are concrete:
- 70 percent inventory at Initial
- 80 percent at Intermediate
- 90 percent at Advanced
- 95 percent at Optimal
Collection Coverage scales similarly. Collection Operations measures the percentage of baseline requirements producing actionable alerts and the rigor of tuning, escalating from ad hoc at Initial to machine learning and AI-driven at Optimal. Log Management scales from “stored” at Initial to encryption in transit and at rest with regular hashing at Advanced, then to just-in-time access and two-gate approvals for log retirement at Optimal.
This is a more honest model than M-21-31’s. It rewards agencies that have done the unglamorous foundational work (asset inventory, Extended Detection and Response (XDR) enrollment, identity logging), and it does not let an agency claim Advanced because it spent heavily on retention.
IoT and OT Are Now Explicitly in Scope
M-21-31’s Appendix C tried to enumerate every relevant log type and largely ignored IoT and OT environments. M-26-14 sweeps both into scope and directs CISA’s forthcoming Logging Reference Architecture to address devices that lack native logging capability, a requirement that affects facility systems, lab instrumentation, building automation, medical devices, badge readers and the long tail of mission-specific operational technology that exists at virtually every federal agency.
For agencies with significant facility, lab or industrial footprints (Energy, NASA, USDA, Interior, Veterans Affairs medical, Transportation), this is not a paperwork change. It is a new capability requirement that will demand passive-monitoring approaches, OT-specific sensors and a different operational model than IT security teams are used to.
Zero Trust is Now Operative, Not Aspirational
The Logging Reference Architecture must align with the CISA M-22-09 Zero Trust Maturity Model’s Visibility and Analytics cross-cutting capability. That sentence reads like boilerplate. It is not.
Many agencies have been running their Zero Trust programs and their event logging programs as parallel efforts under different sponsors and different budgets. M-26-14 ends that separation as a matter of policy. Logging investments now feed Zero Trust scorecards and Zero Trust posture now depends on demonstrated logging maturity. Agencies that have been treating M-22-09 implementation and M-21-31 compliance as separate projects need to merge them in the new Agency Logging Plan that M-26-14 requires.
The Clock Has Started
Implementation deadlines pivot from CISA’s publication of the Logging Reference Architecture, which is due within 90 days of the memo, by approximately August 20, 2026. From that date, agencies have 90 days to submit an Agency Logging Plan, 120 days to reach Basic maturity, 180 days to reach Intermediate and 320 days to reach Advanced. That puts Advanced across the federal civilian enterprise at roughly July 2027.
That is a compressed timeline. M-21-31 gave agencies two years. M-26-14 gives them about eleven months from architecture publication. The compression is partly defensible because the bar is lower in raw scope and because storage costs are dramatically reduced. But it is unforgiving for agencies that need to procure tooling, complete authorizations and migrate data inside that window.
The agencies that will hit the deadlines started preparing in May. The agencies that wait for the Logging Reference Architecture (LRA) to publish before engaging will not.
What Remains Unresolved?
A few items in the memo will require CISA’s implementation guidance to resolve and federal cyber leaders should track them closely.
There is an apparent inconsistency between the memo body and the maturity model around minimum retention.
- Appendix B sets the operative floor at six months searchable and twelve months retrievable.
- Appendix C’s Data Retention element does not reach that combination until Optimal.
Agencies should plan to the memo body, not to the maturity model’s Initial threshold, until CISA reconciles them.
The percentage-based maturity thresholds do not specify a denominator. Is it Federal Information Security Management Act (FISMA) system inventory? CDM Hardware Asset Management (HWAM)? Agency Configuration Management Database (CMDB)? Different answers produce different scores. Expect early inconsistency in agency self-reporting until the Logging Reference Architecture settles this.
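To make the lowest-watermark rule and the denominator problem concrete, here is an added self-assessment sketch (not from the memo, CISA or GuidePoint) that scores a constructed sample agency twice, once with the CDM HWAM feed as the asset universe and once with the CMDB. It assumes the 70/80/90/95 percent floors listed above apply to Collection Coverage as well as Inventory Visibility, and fixes the three remaining elements at Advanced; the asset sets are invented.

```python
from __future__ import annotations

LEVELS = ["Ineffective", "Initial", "Intermediate", "Advanced", "Optimal"]
# Percentage floors from the post: 70 / 80 / 90 / 95 percent (assumed to
# apply to Collection Coverage too, since the post says it scales similarly).
THRESHOLDS = [(95, 4), (90, 3), (80, 2), (70, 1)]


def level_from_percent(pct: float) -> int:
    """Map a coverage percentage to a level index; below 70 is Ineffective."""
    for floor, level in THRESHOLDS:
        if pct >= floor:
            return level
    return 0


def coverage_percent(covered: set[str], denominator: set[str]) -> float:
    """Share of the denominator that is covered. Assets that are covered but
    missing from the denominator are ignored: the score cannot see them."""
    if not denominator:
        return 0.0
    return 100.0 * len(covered & denominator) / len(denominator)


def overall_maturity(element_levels: dict[str, int]) -> tuple[str, str]:
    """Lowest-watermark rule: the overall level is the weakest element's."""
    weakest = min(element_levels, key=element_levels.__getitem__)
    return LEVELS[element_levels[weakest]], weakest


# Constructed sample agency: 20 hosts in the CMDB, 16 in the CDM HWAM feed,
# 15 of which ship logs to the enterprise SOC.
CMDB = {f"host-{i:02d}" for i in range(1, 21)}
HWAM = {f"host-{i:02d}" for i in range(1, 17)}
LOGGING = {f"host-{i:02d}" for i in range(1, 16)}
OTHER_ELEMENTS = {"Collection Operations": 3, "Data Retention": 3, "Log Management": 3}


def assess(denominator: set[str]) -> dict[str, object]:
    """Score the sample agency using `denominator` as the asset universe."""
    levels = dict(OTHER_ELEMENTS)
    levels["Inventory Visibility"] = level_from_percent(coverage_percent(HWAM, denominator))
    levels["Collection Coverage"] = level_from_percent(coverage_percent(LOGGING, denominator))
    overall, weakest = overall_maturity(levels)
    return {"levels": levels, "overall": overall, "weakest": weakest}


if __name__ == "__main__":
    for name, denom in (("CDM HWAM", HWAM), ("CMDB", CMDB)):
        result = assess(denom)
        print(f"{name:8s} -> {result['overall']} (weakest: {result['weakest']})")
```

The same agency scores Advanced against its HWAM feed but Initial against its CMDB, which is exactly the self-reporting inconsistency the memo leaves open.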
Full packet capture is not mentioned. M-21-31’s 72-hour PCAP requirement was always cost-prohibitive at scale and had already been softened in CISA’s implementation guidance. Agencies should reevaluate their plan for general-purpose PCAP and re-architect it toward metadata-rich network detection, while preserving targeted PCAP at sensitive boundaries.
And the memo’s AI provisions hedge significantly. The Logging Reference Architecture must discuss AI methods for enhancing detection, but the memo provides no specific requirements or constraints beyond referencing government wide AI policy. Expect vendor positioning to run ahead of policy clarity here.
What Should Federal Agencies Do Now?
[Figure: Suggested sequence of actions following OMB M-26-14. Each step builds on the previous; sequencing reduces rework and shortens the path to compliance.]
The first action is not procurement; it is assessment. The Agency Logging Plan is the first artifact OMB and CISA will grade, and it requires a current-state inventory, a gap analysis against the new outcomes and architectural decisions about centralization. Most of that work can be done before the Logging Reference Architecture publishes; the Plan then conforms to whatever templates CISA introduces.
The second action is asset inventory remediation. Because Inventory Visibility is a measured maturity element and the denominator for Collection Coverage, an agency cannot reach Advanced without ninety percent accurate, daily-updated inventory. For agencies struggling with CDM implementation, this is the binding constraint on everything else.
The third action is right-sizing. Every agency over-provisioned for M-21-31’s retention requirements. The new retention model is roughly 60 percent lighter. Renegotiating storage and SIEM ingestion contracts at the next renewal, or sooner, is the no-regret move. The savings can fund the IoT/OT visibility, identity logging and detection tuning work that the new model rewards.
The fourth action is governance. M-26-14 requires top-level enterprise SOC visibility but allows agencies to choose centralized architecture, centralized access or hybrid models. Large multi-component agencies should resolve that choice early, document it in the Plan and ensure component SOCs understand where their authority ends and the enterprise SOC’s begins.
The Bottom Line
M-26-14 reflects a more operationally grounded approach. It is shorter, more honest about operational reality, more aligned with how agencies actually operate and substantially less expensive to comply with. It also forces conversations many agencies have been deferring: about asset visibility, about IoT and OT exposure, about whether their Zero Trust and logging programs are actually integrated and about whether their detection content can answer real investigative questions.
Cybersecurity is the art and science of maintaining operations. M-26-14, at its core, directs federal logging to serve that purpose rather than compliance for its own sake. That is a policy worth helping agencies implement well and the agencies that engage early will be the ones that hit the deadlines without burning out their teams in the process. If you’re evaluating how these requirements apply to your environment, GuidePoint Security can help you assess readiness, identify gaps and build a roadmap that supports both compliance and operational outcomes.
Timothy Amerson is currently the Federal Chief Information Security Officer (CISO) at GuidePoint Security, while also serving as President of the Board of Directors for The KEY (Keep Elevating Yourself) Community Non-Profit. He brings more than 30 years of distinguished service in federal cybersecurity leadership. Most recently, he served as the CISO and Associate Commissioner at the Social Security Administration (SSA), where he was recognized as a 2023, 2024 and 2025 Top 100 Information Security Professional; 2024 FedScoop Top 50 Federal Leader Nominee; 2025 CyberScoop Government Leaders and FedScoop Top 50 Federal Leader Nominee; and Finalist for the US Forces in Business Lifetime Achievement Award.