With the release of Office of Management and Budget (OMB) Memorandum M-26-14 last month, the White House has continued its broader efforts to evolve federal cybersecurity decision-making from governmentwide edicts to frameworks that agencies are expected to tailor to unique needs.
The new memorandum repeals previous requirements under M-21-31, which was issued in response to a major federal incident in 2020 where Russian government-backed threat actors leveraged a supply chain attack on SolarWinds's Orion software to infiltrate federal agencies. That memo was far-reaching, and resulted in the retention of vast quantities of data, as well as a fair amount of confusion around the specific requirements for its storage and use.
This new memorandum reflects current concerns in an age of rapidly changing software and AI-enabled threats. It seeks to move the federal government to a more agile, risk-based, and prioritized approach to logging.
To initiate this process, CISA has until August 20 to develop a logging reference architecture (LRA). The LRA will not only serve as a guide for agencies to develop their plans, but also serve as a starter pistol for agencies to kick off a sprint for adapting their approach to logging over the coming year. Agencies will have 120 days from the release of CISA’s Logging Reference Architecture (LRA) to meet basic maturity, and must scale up to "Advanced" maturity within 320 days.
From Data Retention to Actionable Security Context
These milestones are about more than just storing data; they are about achieving actionable context. M-26-14 focuses on two core objectives:
The first is Continuous Event Monitoring (CEM), to monitor activity in real time as a means of rapidly detecting and responding to anomalous activity.
The second, Threat Hunting, Investigation, Response, and Forensics (THIRF), seeks to ensure agencies have appropriate logs to investigate any potential compromise.
This will become increasingly critical and more complex as we enter an era of AI-fueled vulnerability hunting and exploitation. Having a framework that agencies keep updating to meet the ever-evolving cyber ecosystem sets a solid foundation for the future we all face.
How Wiz Can Help
Wiz ingests vital logs across the environment, including identity provider logs (e.g., Entra, Okta), cloud audit logs (e.g., CloudTrail, Azure Activity Logs), and AWS VPC Flow Logs.
In addition to ingesting these logs directly, Wiz can ingest information from pre-existing third-party deployments through our Unified Vulnerability Management (UVM) capability. This allows us to pull information regarding a range of on-premises devices, including Internet of Things and Operational Technology, into the Wiz Security Graph. By leveraging this context of assets and identities, Wiz is able to enhance threat detection analysis to quickly identify connected events, and reduce alert fatigue.
Combined with our AI-powered Blue Agent, which investigates suspicious behavior to render accurate verdicts, agencies can establish automated response workflows to contain threats at machine speed.
Wiz’s new Audit History functionality can help agencies with this requirement. Audit History acts as a "time machine" for your cloud environment, and supports THIRF requirements. Instead of manually sifting through disparate logs to figure out what changed, Wiz stores historical revisions to build a complete, versioned timeline of your cloud infrastructure. When a security event occurs, security and DevOps teams can leverage visual differences to compare a broken resource against its last known good state.
Administrators can configure default data retention periods and override rules to align exactly with federal timelines. Additionally, proving compliance to external auditors is simplified. Agencies can export comprehensive, custom Audit History reports detailing historical configuration changes, vulnerability findings, and resolutions directly to their own data storage.
Replacing M-21-31 has been discussed for years. M-26-14 represents a significant change in how the federal government thinks about logging, pushing agencies to move toward prioritized, context-aware threat response.
Wiz is positioned to help federal agencies rapidly mature their cloud logging practices and bridge the gap between logging compliance and actual security outcomes.
By leveraging Wiz’s continuous monitoring, AI-assisted forensics, and comprehensive asset visibility, agencies can confidently secure their environments, meet OMB's aggressive new deadlines, and maintain the operational resilience needed to defend against modern cyber threats.
1. Achieving Continuous Event Monitoring (CEM)
M-26-14 mandates real-time network monitoring, rapid anomaly detection, and automated alerting to supply Security Operations Centers (SOCs) with usable telemetry.
Real-Time Log Ingestion & Analytics: The Wiz Detection Engine ingests and processes multi-layered logs in near real-time across your Cloud, SaaS, IdP, and VCS infrastructure.
Behavior-Based Anomaly Detection: Rather than relying purely on static indicators, Wiz establishes daily behavioral baselines for users, workloads, and data objects utilizing a 30- to 90-day lookback window. Hundreds of out-of-the-box Threat Detection Rules (TDRs) leverage these baselines to immediately flag anomalous, malicious, or atypical activities.
Lightweight Workload Visibility: The eBPF-based Wiz Runtime Sensor provides real-time container- and process-level application visibility (such as tracking process executions, command inputs, and connections).
Alert Noise Reduction: To prevent SOC analyst burnout (a primary concern highlighted in the directive), Wiz uses context-aware grouping to synthesize millions of isolated events occurring within a 24-hour window into a single, high-fidelity Threat alert that tells a coherent attack story.
Centralized SOC/SIEM Ecosystem Support: Wiz natively streams these prioritized Threats and context-rich cloud security alerts directly to existing SIEM and SOAR platforms (like Splunk, Microsoft Sentinel, and Google SecOps) to drive automated response workflows.
2. Driving Threat Hunting, Investigation, Response, and Forensics (THIRF)
The memo requires agencies to establish deep post-compromise capabilities to map attack patterns, mitigate intrusions, and preserve an unbroken chain of forensic evidence.
Automated & On-Demand Forensics: Wiz facilitates rapid triage with hybrid forensic collection. When critical threats trigger, the Wiz Runtime Sensor automatically captures localized forensic packages (including scripts, system logs, binaries, and live execution context) from the affected workload.
Agentless Evidence Preservation: For broader infrastructure isolation, Wiz's Agentless Forensics can copy and securely transmit snapshots of suspicious virtual machine volumes to an isolated forensics account without disrupting ongoing agency operations. Additionally, the platform allows on-demand downloading of scrubbed Machine Log ZIP archives containing comprehensive host artifacts.
Mapping Attack Patterns and Lateral Movement: Leveraging the Wiz Security Graph, investigators can visualize complex chains of exposures and trace exactly how an attacker could move laterally to high-value assets or administrative control planes. Analysts can inspect step-by-step interactive attack timelines to quickly discern root causes.
Proactive Threat Hunting: Security teams can proactively hunt for dormant threats, independent of the primary detection engine, by running advanced cross-domain queries over raw telemetry and Runtime Execution Data (RED).
3. Operationalizing "Log What Matters" via Cost Optimization & Pre-Filtering
A cornerstone of M-26-14 is mitigating the financial drain of storing vast quantities of data by promoting optimized log management.
Network Log Pre-Filtering: Wiz includes predefined, cost-optimized log pre-filtering controls directly configurable from the portal dashboard.
Volume and Cost Reduction: For high-volume data streams like VPC Flow Logs, Wiz can filter out internal-to-internal traffic based on custom internal IP ranges. For DNS logs, it can systematically exclude custom internal domains and cloud provider endpoints, allowing agencies to permanently discard service-initiated cloud storage events before they travel to Wiz, drastically minimizing ingestion overhead.
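As an added example (not Wiz code) of the internal-to-internal pre-filtering rule described above, the following Python applies it to AWS VPC Flow Log records in the default version 2 format. The internal CIDR list and the sample lines are constructed, and the filter goes slightly beyond the stated rule by keeping REJECTed east-west flows and SKIPDATA records, since those are detection and coverage signals rather than volume noise.

```python
import ipaddress

# Constructed: ranges an agency would declare as internal (not Wiz defaults).
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12")]

# Field order of the default (version 2) AWS VPC Flow Log record.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")

def parse_record(line):
    """Split one flow log line into a dict keyed by field name; None if malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_internal(addr):
    """True when addr lies in a configured internal range ('-' placeholders never do)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_RANGES)

def keep_record(rec):
    """NODATA records carry no traffic and are dropped. SKIPDATA records are kept
    because they mark a capacity gap in coverage. ACCEPTed internal-to-internal
    flows are dropped; REJECTed ones are kept, since a blocked east-west
    connection is a lateral-movement signal a hunter would not want discarded."""
    if rec is None or rec["log-status"] == "NODATA":
        return False
    if rec["log-status"] == "SKIPDATA" or rec["action"] == "REJECT":
        return True
    return not (is_internal(rec["srcaddr"]) and is_internal(rec["dstaddr"]))

def prefilter(lines):
    """Return (kept_lines, bytes_dropped) for a batch of raw flow log lines."""
    kept, dropped_bytes = [], 0
    for line in lines:
        rec = parse_record(line)
        if keep_record(rec):
            kept.append(line)
        elif rec is not None and rec["bytes"].isdigit():
            dropped_bytes += int(rec["bytes"])
    return kept, dropped_bytes

# Constructed sample records (account id, ENI and addresses are placeholders).
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49153 443 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.3.30 10.0.2.20 50000 3389 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA",
]
```

Running `prefilter(SAMPLE)` keeps four of the six records and reports 4000 bytes of accepted east-west traffic dropped before it reaches the SIEM.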
4. Categorizing Assets via Rigorous Data Classification
The directive highlights that a risk-based approach to logging fails if an organization cannot properly differentiate between critical components and background resources. It also will require agencies to ensure that logs will not capture or expose data in contravention of law.
AI-Driven Data Discovery: Wiz utilizes sophisticated AI-driven algorithms and Data Classification Rules to scan files, disks, and databases to automatically discover and map sensitive data patterns (such as PII, PHI, or regulated financial documents).
Strategic Log Placement: By using Wiz Data Security Posture Management (DSPM), agencies gain the contextual insight needed to proactively verify that continuous data access logging is enabled specifically on data stores containing high-risk or sensitive information, replacing guesswork with data-driven prioritization.
5. Managing Compliance via the Incident Readiness Framework
M-26-14 mandates that agencies progressively track and report their progress across basic, intermediate, and advanced levels of logging maturity.
Incident Readiness Board: Wiz provides a dedicated Incident Readiness Board specifically designed to measure how well an environment is prepared to detect and investigate breaches based on active log coverage footprints. It monitors boundaries across control, data, network, compute, containers, and secret domains.
Weighted Maturity Scores: The platform calculates a unified Readiness Score using a weighted formula that perfectly mirrors federal priorities. For example, foundational management logs (like AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs) are marked as Critical-level requirements, ensuring that administrators can easily identify configuration drifts and address gaps via auto-generated remediation commands.
Eliminating Blind Spots: Wiz's core agentless-first architecture maps the complete cloud architecture to continuously discover newly deployed workloads, building an active inventory of Cloud Resources and Hosted Technologies to ensure that parts of the enterprise do not remain untracked or invisible.
Conclusion
M-26-14 represents a shift from logging for compliance to logging for action. Rather than prescribing broad data retention requirements, the memorandum emphasizes real-time detection, effective investigations, and risk-based prioritization.
As agencies work toward new maturity milestones, they will need the visibility, context, and operational capabilities to turn telemetry into security outcomes. By combining continuous monitoring, threat hunting and forensics, and cloud-native visibility, Wiz helps agencies strengthen cyber resilience while meeting the intent of M-26-14.
Facts Only
The White House released OMB Memorandum M-26-14 in June 2024, replacing M-21-31.
M-21-31 was issued in response to the 2020 SolarWinds supply chain attack by Russian government-backed actors.
M-26-14 mandates a shift from broad data retention to a risk-based, prioritized approach to logging.
CISA must develop a Logging Reference Architecture (LRA) by August 20, 2024.
Agencies have 120 days from the LRA’s release to achieve basic logging maturity and 320 days to reach advanced maturity.
The memorandum focuses on Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response, and Forensics (THIRF).
Wiz offers tools to assist agencies, including log ingestion, AI-driven threat detection, and forensic analysis.
Wiz’s capabilities include real-time log processing, behavior-based anomaly detection, and automated forensic collection.
The memorandum emphasizes cost optimization by pre-filtering logs to reduce storage overhead.
Agencies must classify data to prioritize logging on critical assets and comply with legal restrictions.
Wiz provides an Incident Readiness Board to track logging maturity progress.
The directive aims to improve operational resilience against modern cyber threats, including AI-driven attacks.
Executive Summary
The White House has issued OMB Memorandum M-26-14, replacing the previous M-21-31 directive, to shift federal cybersecurity logging from broad data retention to a more agile, risk-based approach. The new memorandum responds to evolving threats, including AI-driven vulnerabilities, and mandates that agencies implement Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response, and Forensics (THIRF) capabilities. CISA is tasked with developing a Logging Reference Architecture (LRA) by August 20, with agencies required to achieve basic logging maturity within 120 days and advanced maturity within 320 days. The directive emphasizes real-time anomaly detection, automated threat response, and cost-efficient log management. Companies like Wiz are positioning themselves to assist federal agencies by offering tools for log ingestion, AI-driven threat detection, and forensic analysis, aligning with the memorandum’s goals of operational resilience and compliance.
The shift reflects a broader trend in federal cybersecurity policy, moving away from rigid, one-size-fits-all mandates toward flexible frameworks tailored to agency-specific needs. While the previous directive, M-21-31, was a reaction to the 2020 SolarWinds supply chain attack, M-26-14 aims to address modern challenges, such as AI-enabled threats and the financial burden of excessive data retention. The memorandum’s focus on actionable security context—rather than mere data collection—highlights a growing recognition that effective cybersecurity requires both technological agility and strategic prioritization.
Full Take
This memorandum represents a significant evolution in federal cybersecurity policy, reflecting both technological advancements and lessons learned from past incidents. The shift from M-21-31’s broad data retention requirements to M-26-14’s risk-based, actionable approach suggests a recognition that compliance alone does not equate to security. The emphasis on real-time monitoring and forensic readiness aligns with the growing complexity of cyber threats, particularly those leveraging AI. However, the aggressive timelines—120 days for basic maturity and 320 for advanced—may strain agencies with limited resources, raising questions about feasibility and potential disparities in implementation.
The involvement of private sector solutions like Wiz highlights the federal government’s reliance on commercial tools to meet these mandates. While this partnership can accelerate modernization, it also introduces dependencies on third-party vendors, which may have their own vulnerabilities or conflicts of interest. The memorandum’s focus on cost optimization is pragmatic, but the trade-offs between log retention and actionable intelligence remain a critical balancing act. If agencies prioritize cost savings over comprehensive logging, they risk blind spots in threat detection.
Patterns detected: none
Root cause: The narrative reflects a broader paradigm shift in cybersecurity—from static compliance to dynamic resilience. The unstated assumption is that federal agencies can rapidly adapt to these changes without significant resource constraints or bureaucratic inertia. Historically, such transitions have faced challenges in execution, and the success of M-26-14 will depend on whether agencies receive adequate support and flexibility.
Implications: For human agency, this policy empowers security teams with better tools but also places greater responsibility on them to interpret and act on threat data. The beneficiaries include cybersecurity firms like Wiz, which stand to gain from federal contracts, while the costs—financial and operational—fall on taxpayers and agency personnel. Second-order consequences may include a widening gap between well-resourced and underfunded agencies, as well as potential over-reliance on AI-driven tools that could introduce new vulnerabilities.
Bridge questions: How will agencies with limited budgets and legacy systems meet these deadlines without compromising security? What safeguards are in place to prevent vendor lock-in or over-dependence on private sector solutions? How might adversaries adapt their tactics to exploit the gaps in this new framework?
Counterstrike scan: If this were part of a coordinated influence campaign, the playbook might involve exaggerating the capabilities of commercial solutions to create a false sense of security or downplaying the challenges of implementation to push rapid adoption. However, the content does not align with such a pattern; it presents a balanced view of the policy’s goals and the role of private sector tools without overt manipulation.
Sentinel — Likely Human
The text is highly structured, smoothly transitioning from a public policy directive to a detailed commercial pitch, exhibiting the logical flow often seen in AI-generated content designed for maximum clarity and persuasive impact.
