OMB M-26-14: What Federal Agencies Need to Know About the New Logging Mandate

Five years ago, M-21-31 told every federal agency to log as much as possible and keep it for as long as possible. The intent was right - agencies needed better visibility after a series of damaging compromises. But the execution created something nobody had time to use: petabytes of undifferentiated log data, retained past any reasonable utility, with price tags to match.

OMB M-26-14, signed May 22, 2026, rescinds M-21-31 immediately. It replaces a blanket retention mandate with a risk-based framework built around two clear objectives. The direction is right. The operational challenge of actually hitting the timelines is real.

Here is what you need to know.

Two objectives, one framework

M-26-14 organizes all logging requirements around two functions.

• ‍Continuous Event Monitoring (CEM) - logs that enable agencies to monitor network activity in real time, flag anomalous activity, and deliver it to a SOC for response. This is the live operations side: your log collection needs to get the right data to the right team, fast, without gaps.
• ‍Threat Hunting, Investigation, Response, and Forensics (THIRF) - logs that enable agencies to investigate after a known or suspected compromise. To support THIRF, agencies must maintain sufficient hot and cold storage and the capability to retrieve and centralize log data from multiple sources to map attack patterns.

Both objectives must cover all information systems - including IoT devices and operational technology. The coverage requirement is broader than it looks. Agencies with legacy OT or mixed-environment infrastructure cannot exclude systems because they are hard to reach.

On retention, the minimum baseline is clear: logs must be actively searchable for six months, retrievable for twelve. Searchable means immediately usable for detections and analytics - no preparation steps. Retrievable means usable after intermediary steps such as thawing from cold storage.

The timeline that starts with CISA

M-26-14 does not set its compliance deadlines directly. CISA has 90 days from May 22 - until around August 20, 2026 - to publish a Logging Reference Architecture (LRA). Agency clocks start from that publication date.

Once the LRA is published, the schedule is:

• ‍90 days - submit your Agency Logging Plan‍
• 120 days - reach Basic maturity (Level 1) across all elements‍
• 180 days - reach Intermediate maturity (Level 2)‍
• 320 days - reach Advanced maturity (Level 3)

The maturity model covers five dimensions: inventory visibility, collection coverage, collection operations, data retention, and log management. Maturity is calculated at the lowest watermark - if your retention reaches Level 3 but your inventory visibility is at Level 1, you are Level 1.

Basic maturity alone requires 70% of IT/OT/IoT assets in a centralized inventory, logs searchable and retrievable for 50% of those assets, and retention of at least six months. That is the floor. Agencies have 120 days from LRA publication to reach it.

The compliance challenge is a log engineering problem

The memo describes outcomes. It does not prescribe the architecture to achieve them - that is what the LRA is for. But the underlying challenge is already clear. Agencies need to collect logs from IT, OT, and IoT environments that use different protocols and write different formats. Those logs need to arrive at the SOC normalized, accurately timestamped, and organized for real-time detections and forensic analysis. The same log record that supports CEM needs to be routable to cost-effective long-term storage for THIRF - without a rearchitecture project.

M-26-14's required log categories reinforce this: identity operations, network address information, object and resource events, privilege changes, infrastructure modifications, security tool alerts, indicator of compromise monitoring, anomalous activity detection, and automated alerting across all of the above. Across IT, OT, and IoT.

How well you solve the log engineering problem determines how smoothly you reach Level 1 in 120 days and Level 3 in 320.

How Axoflow maps to M-26-14

Axoflow was built by the creators of syslog-ng™ - the log management infrastructure running in tens of thousands of enterprise and government environments since 1998. Federal agencies have been running syslog-ng for years. Axoflow is where that work goes next.

Three capabilities map directly to M-26-14's hardest requirements.

Automatic log classification across IT, OT, and IoT

The Axoflow Platform classifies, parses, and routes logs based on their structure - across 262 log formats from 47 vendors - without static source configuration. When a new device comes online, the platform identifies the format and begins routing immediately. No parser engineer. No ticket.

For agencies managing heterogeneous OT alongside traditional IT, the format diversity is not a problem the platform hands back to you. When vendors update log schemas, the classification rules update centrally - your collection coverage does not break silently.

‍Tiered retention without recreating M-21-31

The six-month searchable / twelve-month retrievable requirement maps directly to a hot/warm/cold storage architecture. AxoLake provides tiered storage in open formats - Parquet, OCSF - so logs are retained in full fidelity and remain searchable without paying SIEM-tier prices for long-tail data.

The Axoflow Platform routes what the SOC needs in real time. Everything else goes to the lake at the right tier, on M-26-14's retention schedule. Agencies running this architecture have cut SIEM ingest volume by 50% or more while expanding coverage - exactly the dynamic M-26-14 was designed to enable.

Log what matters. Store the rest where it costs less and surfaces on demand.

Non-disruptive deployment against a tight timeline

For agencies already running syslog-ng™, Axoflow deploys alongside the existing infrastructure. The platform instruments what is already there, adds classification and visibility, and begins routing immediately - no rip-and-replace, no new agents across every endpoint.

For agencies starting from a lower baseline, autonomous classification means getting to correct, normalized log collection across a heterogeneous environment without writing parsers for every source. The platform handles it.

Where Axoflow is sharpest

M-26-14 is most demanding for agencies with heterogeneous environments - mixed OT and IT, legacy infrastructure that cannot be replaced, distributed sites that need to feed a central SOC. That is the environment Axoflow was built for. The combination of carrier-grade throughput, zero-maintenance log classification, and open-format tiered storage is purpose-built for that profile.

On compliance credentials: Axoflow holds SOC 2 Type II and ISO/IEC 27001 certification. FedRAMP authorization is the active next milestone.

One important caveat: wait for the architecture

CISA's Logging Reference Architecture has not been published yet. It will define the specific log categories, maturity benchmarks, and implementation options that M-26-14's compliance timeline runs against - including guidance on IoT and OT logging, AI use for CEM and THIRF, and retention recommendations beyond the minimums.

Some of the compliance picture is still open until that document arrives.

We will publish a follow-up as soon as the architecture is out, with a specific mapping of Axoflow's capabilities to the maturity levels it prescribes.

In the meantime, if you are starting to scope your M-26-14 response now, we are happy to walk through what your current log infrastructure can and cannot cover. Book a conversation.