OMB M-26-14: Why federal agencies must fix asset visibility

The new OMB logging directive raises the bar on log collection and explicitly ties every maturity milestone to how well agencies know what’s on their networks. Learn why asset visibility is the first problem to solve.

Key takeaways

  1. M-26-14 rescinds M-21-31 and replaces blanket data-retention mandates with a five-element logging maturity model (levels 0-4) that agencies must progress through on a strict timeline after CISA publishes the logging reference architecture (LRA).
  2. Every maturity level is gated by inventory visibility. Specifically, agencies must demonstrate 70%, 80%, 90%, and 95% IT/OT/IoT asset capture at levels 1 through 4, respectively. After all, you can’t claim log coverage for assets you haven’t discovered.
  3. OT and IoT devices are explicitly in scope, including systems without native logging capability. This inclusion makes passive asset discovery tools a necessity rather than an add-on.
  4. The clock starts when CISA publishes the LRA within 90 days of the memo. Agencies that close asset-inventory gaps now will be positioned to hit the required deadlines, such as reaching level 1 in 120 days and level 3 in 321 days.

You can’t log what you can’t see, and you can’t measure logging maturity against an incomplete inventory

On May 22, the U.S. Office of Management and Budget (OMB) Director Russell Vought issued Memorandum M-26-14, titled “Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats.” The directive rescinds M-21-31 and replaces it with a risk-based, prioritized logging framework designed to be both operationally achievable and aligned with today’s threat landscape.

For federal cybersecurity leaders, M-26-14 represents a meaningful shift away from blanket data retention mandates and toward measurable, outcome-driven logging maturity. But hidden within its requirements is a foundational dependency that many agencies will need to address before their logging investments can deliver results: complete asset visibility.

What M-26-14 requires, and why it’s different from M-21-31

The memorandum organizes logging around two objectives:

  • Continuous event monitoring (CEM): Real-time log ingestion, anomaly detection, and SOC-driven response.
  • Threat hunting, investigation, response, and forensics (THIRF): Centralized retrieval of historical log data to support post-compromise analysis and recovery.

Agencies must achieve these objectives across all information systems, explicitly including internet-of-things (IoT) devices and operational technology (OT) systems, whether owned, operated, or managed by third parties.

The memo also establishes a logging maturity model with five levels (0–4) that agencies must progress through on a defined timeline, with milestones measured across five elements:

  1. Inventory visibility: What percentage of IT/OT/IoT assets are captured in centralized hardware asset management (HWAM)/ software asset management (SWAM) inventories?
  2. Collection coverage: Are logs searchable and retrievable for those assets?
  3. Collection operations: Do logs generate actionable, tuned alerts?
  4. Data retention: Are logs retained for 6 months (searchable) and 12 months (retrievable)?
  5. Log management: Are logs encrypted, access-controlled, and properly retired?

Agencies must reach level 1 (Basic) within 120 days, level 2 (Intermediate) within 180 days, and level 3 (Advanced) within 320 days of CISA publishing the logging reference architecture (LRA).

A critical detail in the maturity model’s design: Overall maturity is calculated based on the lowest watermark across all five elements (Appendix C footnote 8). For example, an agency that achieves level 3 in collection coverage but only level 1 in inventory visibility gets an overall rating of level 1. There is no averaging. This lowest-watermark principle makes inventory completeness the single most consequential element to address first.

The denominator problem: Why incomplete inventories break the maturity model

Look closely at the maturity model and a pattern emerges: Inventory completeness gates every level.

  • Level 1 requires 70% of IT/OT/IoT assets captured in a centralized inventory
  • Level 2 requires 80%
  • Level 3 requires 90%
  • Level 4 (Optimal) requires 95%

The expansive scope of this OMB mandate — spanning on-premises IT, cloud workloads, identity providers, OT, and IoT — creates an immediate challenge: the denominator problem. Because log collection is measured as a percentage of your total inventory, you can’t claim 80% coverage if you only know about 60% of your assets. This operational gap is typically driven by administrative silos, air-gapped networks, and legacy OT/IoT environments that lack native logging or are unsafe to actively scan. Ultimately, managing visibility across this massive footprint comes down to one simple truth: You can’t write a logging plan for assets you haven’t discovered.

How Tenable maps to M-26-14’s requirements

Tenable has been embedded in the federal cybersecurity ecosystem as an approved continuous diagnostics and mitigation (CDM) vendor whose technology acts as the vulnerability management backbone for hundreds of civilian agencies, and increasingly as the platform that unifies visibility across IT, OT, and cloud attack surfaces. 

With M-26-14’s asset inventory requirements front and center, the foundation that Tenable’s technology provides is directly relevant to compliance milestones agencies must now achieve.

The mapping below shows how Tenable capabilities correspond to M-26-14’s five maturity elements.

— Ground truth for the maturity model: Authoritative asset inventory

Tenable One Vulnerability Management and Tenable One OT Exposure provide continuous, comprehensive asset discovery across traditional IT, operational technology, and IoT devices. This inventory serves as the ground truth for agencies to measure their maturity model progress, the denominator against which log collection coverage is calculated.

— Already CDM-connected: How Tenable accelerates HWAM/SWAM compliance

M-26-14 explicitly directs agencies to use CDM, HWAM, and SWAM data to validate log coverage (Appendix B, Requirement 4). As an established primary data source for federal CDM dashboards, Tenable eliminates the need for new data collection by pre-packing and reporting the inventory details M-26-14 requires.

— The Tenable solution: A phased approach to full visibility

Standard IT scanners can crash fragile OT equipment like programmable logic controllers (PLCs). To meet M-26-14 requirements safely, Tenable offers a tiered approach:

  • Phase 1: Baseline (Level 1): If you’re starting from scratch, use the OT Recon scan policy in Tenable Security Center or Tenable One Vulnerability Management. It uses “Safe Active Querying” with native industrial protocols to discover hardware and firmware details without downtime, helping you reach the 70% Level 1 baseline.
  • Phase 2: Optimal Maturity (Level 4): To hit the 95% asset visibility threshold requiring daily updates, deploy Tenable One OT Exposure. By combining passive network monitoring with safe active querying, you gain persistent, real-time visibility into the deepest parts of the industrial network, bridging the gap to Level 4 maturity.

— From inventory to zero trust: Connecting visibility to the CISA Zero Trust Maturity Model

Appendix A requires the LRA to align with CISA’s Zero Trust Maturity Model, which defines visibility and analytics as a cross-cutting capability enabling all five zero-trust pillars. The Tenable One Exposure Management Platform provides continuous attack surface visibility and risk quantification that feeds directly into zero trust analytics, connecting vulnerability, identity, and configuration data into a unified exposure view.

— Beyond log retrieval: Vulnerability history as forensic evidence

When investigating a compromise, security operations center (SOC) analysts need more than logs; they need to know which vulnerabilities existed on affected assets at the time of the incident. Tenable’s scan history and vulnerability timeline provide the forensic context required by Appendix B (items j–k): determining attack vectors, lateral movement paths, and root-cause analysis.

— AI-driven prioritization: Focusing logging resources where risk is highest

Appendix A explicitly states that the LRA will address using AI to enhance CEM and THIRF capabilities. Tenable Hexa AI and Vulnerability Priority Rating (VPR) deliver AI-driven risk context that helps agencies prioritize which assets and vulnerabilities demand the most urgent logging and monitoring attention, directly supporting the “risk-based, prioritized” philosophy of M-26-14.

Beyond inventory: Prioritizing logging resources where threat intelligence risk is highest

Establishing an authoritative asset inventory provides the necessary compliance foundation, but it immediately introduces an operational challenge: once an agency uncovers thousands of previously unmanaged IT, OT, and IoT assets, where should security teams begin deploying limited logging resources?

The same challenge exists across other parts of the modern attack surface. Cloud workloads, identity providers and directories, web applications, APIs, and containerized environments frequently operate in silos with incomplete inventories and inconsistent visibility. These assets can become equally unknown or poorly logged, creating additional blind spots that M-26-14’s risk-based, prioritized framework requires agencies to close.

OMB M-26-14 explicitly shifts federal strategy away from legacy, blanket data -retention mandates and toward a “risk-based, prioritized” logging philosophy. However, the directive does not prescribe a formula for that prioritization. Leaving agencies to manually identify high-value assets (HVAs) and determine logging priorities across complex hybrid IT/OT/cloud/identity environments creates compliance bottlenecks.

This is where asset discovery must transition into unified exposure management and threat intelligence. Tenable doesn’t just establish what is deployed on the network; Tenable One delivers continuous discovery, contextual risk scoring (including external exposure and business criticality), and real-time vulnerability intelligence across the entire attack surface — IT, OT, IoT, cloud, identity, web apps, and containers.

By continuously cross-referencing all assets with active threat telemetry and exposure context, agencies can instantly identify which systems — regardless of where they reside — are currently being targeted or represent the highest risk. 

Instead of treating every newly discovered asset with equal urgency, security leaders can use Tenable One’s exposure intelligence to focus CEM and log collection capabilities where the threat and business impact are highest. This directly answers the “what to log first” dilemma while supporting the risk-based, prioritized philosophy of M-26-14.

The pre-LRA window: What agencies should do before the clock starts

M-26-14’s timelines are aggressive. Once CISA publishes the LRA (within 90 days of the memo), the clock starts:

Milestone Deadline
Submit Agency Logging Plan 90 days after LRA
Achieve Level 1 (Basic) 120 days after LRA
Achieve Level 2 (Intermediate) 180 days after LRA
Achieve Level 3 (Advanced) 320 days after LRA

Where is Level 4? While Level 4 (“Optimal”) represents the highest tier in the five-level maturity framework, OMB M-26-14 does not prescribe a strict day-count deadline for it. Instead, it serves as the ultimate target for continuous operational excellence that agencies build toward once the rigid Level 1 through 3 milestones are secured.

Agencies should use the time between now and LRA publication to:

  • Audit asset inventory completeness. Can you account for 70% of IT/OT/IoT assets today? 80%? If not, close the gap now; this is the prerequisite for everything else.
  • Validate log coverage against known assets. Use existing HWAM/SWAM and CDM data to identify systems without adequate logging.
  • Assess OT/IoT blind spots. These environments are explicitly in -scope and often the least visible. Passive discovery tools can illuminate what’s deployed without operational risk.
  • Map existing capabilities to the maturity model. Understand where you stand at, say, Level 0 vs. Level 1 across all five elements, then prioritize the gaps that block progression.

Logging maturity starts with knowing what you have

M-26-14 makes logging maturity measurable, and it makes asset visibility the foundation of that measurement. Every percentage point of maturity progression, from Level 0 to Level 4, is anchored to how completely an agency knows its IT, OT, and IoT attack surface.

Agencies that invest in comprehensive, continuous asset discovery across IT, OT, and IoT will be positioned to meet the memo’s timelines. Those that don’t will struggle to demonstrate the coverage percentages the maturity model demands.

The question is whether you know what’s missing from your SIEM logs, and whether you can prove it.

Don’t wait for the clock to start: Secure your OMB M-26-14 foundation now

The timelines imposed by OMB M-26-14 are aggressive, and the moment CISA publishes the LRA, the compliance clock moves fast. Because overall maturity is tied directly to your lowest-performing element, you cannot afford to let an incomplete asset inventory hold your entire cybersecurity scoring hostage. 

The message of M-26-14 is clear: you can’t log what you can’t see. Use the pre-LRA window to find your blind spots, build an authoritative inventory, and ensure your team is positioned to succeed. 

Ready to close your asset visibility gaps and jumpstart your path to Level 4 maturity? Contact the Tenable Federal Team today to schedule an asset visibility assessment.

Similar Posts

Leave a Reply