OMB M-26-14: Why federal agencies must fix asset visibility first

The Office of Management and Budget (OMB) has released Memorandum M-26-14, a significant update to federal agency cybersecurity requirements, focusing on enhanced logging and network visibility. This new directive supersedes M-21-31, shifting away from broad data retention mandates towards a more structured, risk-based approach.
M-26-14 introduces a five-level logging maturity model, ranging from Level 0 to Level 4. Agencies must progress through these levels according to a strict timeline, which begins once the Cybersecurity and Infrastructure Security Agency (CISA) publishes its logging reference architecture (LRA). Each maturity level is contingent upon an agency's success in identifying and cataloging its assets.

Specifically, the directive mandates that agencies must achieve certain percentages of IT, OT, and IoT asset capture to meet each maturity level. Level 1 requires 70% asset visibility, Level 2 requires 80%, Level 3 requires 90%, and the optimal Level 4 requires 95%. This dependency highlights that effective log collection and analysis are impossible for assets that remain undiscovered.
The scope of M-26-14 explicitly includes operational technology (OT) and internet-of-things (IoT) devices, even those lacking native logging capabilities. This broad inclusion necessitates the use of passive asset discovery tools, as actively scanning some OT/IoT devices can be risky or impractical.
Agencies must reach Level 1 within 120 days, Level 2 within 180 days, and Level 3 within 320 days of the LRA's publication. A critical aspect of the maturity model is that an agency's overall rating is determined by its lowest-performing element, meaning a weakness in asset inventory can prevent advancement even if other areas are strong.

This foundational requirement for asset visibility addresses what is known as the 'denominator problem.' Since log coverage is measured as a percentage of the total asset inventory, an incomplete inventory directly limits an agency's ability to demonstrate adequate log coverage. This challenge is often exacerbated by administrative silos, air-gapped networks, and legacy systems that are difficult to inventory.
Vendors like Tenable, already integrated with federal systems through the Continuous Diagnostics and Mitigation (CDM) program, offer solutions that align with M-26-14's requirements. Their platforms provide comprehensive asset discovery across IT, OT, and cloud environments, serving as a crucial data source for meeting the inventory visibility milestones.
The directive also emphasizes the connection between asset visibility and the CISA Zero Trust Maturity Model, positioning visibility and analytics as key enablers for all zero-trust pillars. Furthermore, historical vulnerability data, provided by tools like Tenable's, can offer essential forensic context for post-incident investigations, complementing log data.





