OMB’s M-26-14, released Friday, rescinds M-21-31 effective immediately and replaces it with a mandate for a “risk-based, prioritized logging approach.” The Biden-era memo, signed August 2021 following the SolarWinds breach, had set foundational logging standards for federal agencies. M-26-14’s authors acknowledge M-21-31 improved baseline capabilities but call its data retention requirements neither “operationally feasible nor cost-effective for most agencies.”

The replacement architecture isn’t built yet. CISA has 90 days to publish a logging reference architecture that prioritizes real-time threat detection and post-incident forensics. After that, agencies get another 90 days to submit a compliant logging plan. That gap adds up to six months with no enforceable logging standard in place.

Nick Leiserson, who served in Biden’s Office of the National Cyber Director and now leads policy at the Institute for Security and Technology, told CyberScoop the sequencing is the problem: “This is saying ‘We’re rescinding 21-31 right now.’ You won’t have any new guidance for at least 90 days.” His concern is that agencies will use the gap as justification to deprioritize logging budgets entirely.

I read M-26-14 this week and the structural issue is real. Multiple government watchdogs had already concluded that agencies weren’t meeting M-21-31’s benchmarks before the memo was rescinded. A six-month void doesn’t inherit a strong compliance baseline; it inherits a spotty one.

The risk-based model has real merit: John Harmon at Elastic calls it progress on both AI threat recognition and the revised maturity model. CISA’s 90-day clock started Friday. It is worth auditing your agency’s current logging posture before the reference architecture drops.

Rebecca Lauren