LIVE · cybersecurity feed
federal governmenthigh

OMB M-26-14: Why federal agencies must fix asset visibility first

zeroday.news·23h ago

The Office of Management and Budget (OMB) has released Memorandum M-26-14, a significant update to federal agency cybersecurity requirements, focusing on enhanced logging and network visibility. This new directive supersedes M-21-31, shifting away from broad data retention mandates towards a more structured, risk-based approach.

M-26-14 introduces a five-level logging maturity model, ranging from Level 0 to Level 4. Agencies must progress through these levels according to a strict timeline, which begins once the Cybersecurity and Infrastructure Security Agency (CISA) publishes its logging reference architecture (LRA). Each maturity level is contingent upon an agency's success in identifying and cataloging its assets.

Specifically, the directive mandates that agencies must achieve certain percentages of IT, OT, and IoT asset capture to meet each maturity level. Level 1 requires 70% asset visibility, Level 2 requires 80%, Level 3 requires 90%, and the optimal Level 4 requires 95%. This dependency highlights that effective log collection and analysis are impossible for assets that remain undiscovered.

The scope of M-26-14 explicitly includes operational technology (OT) and internet-of-things (IoT) devices, even those lacking native logging capabilities. This broad inclusion necessitates the use of passive asset discovery tools, as actively scanning some OT/IoT devices can be risky or impractical.

Agencies must reach Level 1 within 120 days, Level 2 within 180 days, and Level 3 within 320 days of the LRA's publication. A critical aspect of the maturity model is that an agency's overall rating is determined by its lowest-performing element, meaning a weakness in asset inventory can prevent advancement even if other areas are strong.

This foundational requirement for asset visibility addresses what is known as the 'denominator problem.' Since log coverage is measured as a percentage of the total asset inventory, an incomplete inventory directly limits an agency's ability to demonstrate adequate log coverage. This challenge is often exacerbated by administrative silos, air-gapped networks, and legacy systems that are difficult to inventory.

Vendors like Tenable, already integrated with federal systems through the Continuous Diagnostics and Mitigation (CDM) program, offer solutions that align with M-26-14's requirements. Their platforms provide comprehensive asset discovery across IT, OT, and cloud environments, serving as a crucial data source for meeting the inventory visibility milestones.

The directive also emphasizes the connection between asset visibility and the CISA Zero Trust Maturity Model, positioning visibility and analytics as key enablers for all zero-trust pillars. Furthermore, historical vulnerability data, provided by tools like Tenable's, can offer essential forensic context for post-incident investigations, complementing log data.

federal governmentcybersecurityasset managementloggingcompliance
← Back to latest

More News

view all →
zeroday.news · 2h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 2h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 3h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 3h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 3h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.