惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
F
Fortinet All Blogs
B
Blog
GbyAI
GbyAI
P
Proofpoint News Feed
量子位
The Register - Security
The Register - Security
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
云风的 BLOG
云风的 BLOG
V
Visual Studio Blog
B
Blog RSS Feed
WordPress大学
WordPress大学
Recorded Future
Recorded Future
Recent Announcements
Recent Announcements
V
Vulnerabilities – Threatpost
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Secure Thoughts
雷峰网
雷峰网
Stack Overflow Blog
Stack Overflow Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Webroot Blog
Webroot Blog
AWS News Blog
AWS News Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
The GitHub Blog
The GitHub Blog
爱范儿
爱范儿
O
OpenAI News
月光博客
月光博客
H
Hacker News: Front Page
S
Security Affairs
W
WeLiveSecurity
The Hacker News
The Hacker News
aimingoo的专栏
aimingoo的专栏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Help Net Security
Help Net Security
MongoDB | Blog
MongoDB | Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
D
Docker
T
The Blog of Author Tim Ferriss
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
J
Java Code Geeks
S
Securelist
Microsoft Azure Blog
Microsoft Azure Blog
TaoSecurity Blog
TaoSecurity Blog
T
Threat Research - Cisco Blogs
M
MIT News - Artificial intelligence
A
About on SuperTechFans

Tenable Blog

SharePoint CVEs FAQ: CVE-2026-56164, CVE-2026-32201, CVE-2026-45659 | Tenable® Build agentic AI security at Tenable Swarm, Black Hat 2026 SonicWall CVE-2026-15409 and CVE-2026-15410 zero-day exploited | Tenable® Understanding Anthropic’s new AI agent Claude Tag’s access model in Slack 5 reasons to integrate AppSec data with your exposure management platform July 2026 Patch Tuesday: Largest Patch Tuesday 569 CVEs FedRAMP High, IL5, and zero trust: How federal agencies can secure cloud environments CISO’s guide to CISA BOD 26-04 and risk-based security metrics for vulnerability management How much cyber risk does AI create for organizations? 457 million security issues. Here’s what you can do about it. The Developer Credential Economy: An inside look at the Miasma worm campaign Oracle Critical Security Patch Update June 2026 | Tenable® How Tenable helps federal agencies comply with CISA BOD 26-04 Get critical cyber risk context: Understanding control validation, CTEM & Tenable One CISA BOD 26-04: Frequently asked questions about the new risk-based patching directive Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs ( CVE-2026-49160, CVE-2026-50507) The June 2026 AI Executive Order: What federal agencies need to know and how Tenable can help Tenable joins Anthropic’s Project Glasswing to advance AI-era cyber defense Tenable CTO Vlad Korsunsky Q&A: Countering AI threat multipliers with AI-powered exposure management | Tenable CTO Q&A: C-suite views AI as massive threat, as cyber teams adopt exposure management to counter AI attacks Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs Download pumping: New npm deception technique for supply chain attacks Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect EXPOSURE 2026 prepares cybersecurity professionals for the AI era Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) Tenable One deepens third-party integrations with new Open Connector for unified risk visibility Implement agentic AI in cybersecurity with Tenable Hexa AI: Reduce cyber risk at machine speed Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182) Bring out your dead: How agentic AI for cybersecurity helps you rid your cloud of forgotten, risky assets Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation Securing data centers in the agentic AI era Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103) Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain Why the approaching flood of vulnerabilities changes everything — and what to do about it The AI-vs-AI battle is already happening. Watch it live at EXPOSURE 2026. Anthropic’s CEO warns the “moment of danger” is real. But most are looking in the wrong place. Security for AI: A strategic framework for closing the AI exposure gap Vulnerability remediation: Match CVEs to asset owners in seconds with Tenable Hexa AI Bridging the gap: How to integrate Claude Security into the Tenable One Exposure Management Platform Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability Mastering agentic AI security through exposure management As the NVD scales back CVE enrichment, here’s what Tenable customers need to know Five steps to become Mythos ready Oracle April 2026 Critical Patch Update Addresses 241 CVEs Beating the Mythos clock: Using Tenable Hexa AI custom agents for automated patching Unlocking foundational visibility for cyber-physical systems with OT vulnerability management Claude Mythos: Prepare for your board’s cybersecurity questions about the latest AI model from Anthropic Microsoft’s April 2026 Patch Tuesday Addresses 163 CVEs (CVE-2026-32201) Crushing the Axios supply chain threat with Tenable Hexa AI: Use cases for agentic AI What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild The developer credential economy: Why exposure data is the new front line in the supply chain war Frequently Asked Questions About the Axios npm Supply Chain Attack by North Korea-Nexus Threat Actor UNC1069 Supply chain attack on Axios npm package: Scope, impact, and remediations What’s new in Tenable Cloud Security: Custom policies, AWS ABAC, and research-driven protection Uncover prompt injection, insider threats with the Tenable One Model Refusal Detection Security for AI: A guide to managing the risks of vibe coding and AI in software development Meet Tenable Hexa AI: Agentic AI for exposure management
OMB M-26-14: Why federal agencies must fix asset visibility first
Joshua Moll · 2026-07-08 · via Tenable Blog

The new OMB logging directive raises the bar on log collection and explicitly ties every maturity milestone to how well agencies know what’s on their networks. Learn why asset visibility is the first problem to solve.

Key takeaways

  1. M-26-14 rescinds M-21-31 and replaces blanket data-retention mandates with a five-element logging maturity model (levels 0-4) that agencies must progress through on a strict timeline after CISA publishes the logging reference architecture (LRA).
  2. Every maturity level is gated by inventory visibility. Specifically, agencies must demonstrate 70%, 80%, 90%, and 95% IT/OT/IoT asset capture at levels 1 through 4, respectively. After all, you can’t claim log coverage for assets you haven’t discovered.
  3. OT and IoT devices are explicitly in scope, including systems without native logging capability. This inclusion makes passive asset discovery tools a necessity rather than an add-on.
  4. The clock starts when CISA publishes the LRA within 90 days of the memo. Agencies that close asset-inventory gaps now will be positioned to hit the required deadlines, such as reaching level 1 in 120 days and level 3 in 321 days.

You can’t log what you can’t see, and you can’t measure logging maturity against an incomplete inventory

On May 22, the U.S. Office of Management and Budget (OMB) Director Russell Vought issued Memorandum M-26-14, titled “Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats.” The directive rescinds M-21-31 and replaces it with a risk-based, prioritized logging framework designed to be both operationally achievable and aligned with today’s threat landscape.

For federal cybersecurity leaders, M-26-14 represents a meaningful shift away from blanket data retention mandates and toward measurable, outcome-driven logging maturity. But hidden within its requirements is a foundational dependency that many agencies will need to address before their logging investments can deliver results: complete asset visibility.

What M-26-14 requires, and why it’s different from M-21-31

The memorandum organizes logging around two objectives:

  • Continuous event monitoring (CEM): Real-time log ingestion, anomaly detection, and SOC-driven response.
  • Threat hunting, investigation, response, and forensics (THIRF): Centralized retrieval of historical log data to support post-compromise analysis and recovery.

Agencies must achieve these objectives across all information systems, explicitly including internet-of-things (IoT) devices and operational technology (OT) systems, whether owned, operated, or managed by third parties.

The memo also establishes a logging maturity model with five levels (0–4) that agencies must progress through on a defined timeline, with milestones measured across five elements:

  1. Inventory visibility: What percentage of IT/OT/IoT assets are captured in centralized hardware asset management (HWAM)/ software asset management (SWAM) inventories?
  2. Collection coverage: Are logs searchable and retrievable for those assets?
  3. Collection operations: Do logs generate actionable, tuned alerts?
  4. Data retention: Are logs retained for 6 months (searchable) and 12 months (retrievable)?
  5. Log management: Are logs encrypted, access-controlled, and properly retired?

Agencies must reach level 1 (Basic) within 120 days, level 2 (Intermediate) within 180 days, and level 3 (Advanced) within 320 days of CISA publishing the logging reference architecture (LRA).

A critical detail in the maturity model’s design: Overall maturity is calculated based on the lowest watermark across all five elements (Appendix C footnote 8). For example, an agency that achieves level 3 in collection coverage but only level 1 in inventory visibility gets an overall rating of level 1. There is no averaging. This lowest-watermark principle makes inventory completeness the single most consequential element to address first.

The denominator problem: Why incomplete inventories break the maturity model

Look closely at the maturity model and a pattern emerges: Inventory completeness gates every level.

  • Level 1 requires 70% of IT/OT/IoT assets captured in a centralized inventory
  • Level 2 requires 80%
  • Level 3 requires 90%
  • Level 4 (Optimal) requires 95%

The expansive scope of this OMB mandate — spanning on-premises IT, cloud workloads, identity providers, OT, and IoT — creates an immediate challenge: the denominator problem. Because log collection is measured as a percentage of your total inventory, you can’t claim 80% coverage if you only know about 60% of your assets. This operational gap is typically driven by administrative silos, air-gapped networks, and legacy OT/IoT environments that lack native logging or are unsafe to actively scan. Ultimately, managing visibility across this massive footprint comes down to one simple truth: You can’t write a logging plan for assets you haven’t discovered.

How Tenable maps to M-26-14’s requirements

Tenable has been embedded in the federal cybersecurity ecosystem as an approved continuous diagnostics and mitigation (CDM) vendor whose technology acts as the vulnerability management backbone for hundreds of civilian agencies, and increasingly as the platform that unifies visibility across IT, OT, and cloud attack surfaces. 

With M-26-14’s asset inventory requirements front and center, the foundation that Tenable’s technology provides is directly relevant to compliance milestones agencies must now achieve.

The mapping below shows how Tenable capabilities correspond to M-26-14’s five maturity elements.

-- Ground truth for the maturity model: Authoritative asset inventory

Tenable One Vulnerability Management and Tenable One OT Exposure provide continuous, comprehensive asset discovery across traditional IT, operational technology, and IoT devices. This inventory serves as the ground truth for agencies to measure their maturity model progress, the denominator against which log collection coverage is calculated.

-- Already CDM-connected: How Tenable accelerates HWAM/SWAM compliance

M-26-14 explicitly directs agencies to use CDM, HWAM, and SWAM data to validate log coverage (Appendix B, Requirement 4). As an established primary data source for federal CDM dashboards, Tenable eliminates the need for new data collection by pre-packing and reporting the inventory details M-26-14 requires.

-- The Tenable solution: A phased approach to full visibility

Standard IT scanners can crash fragile OT equipment like programmable logic controllers (PLCs). To meet M-26-14 requirements safely, Tenable offers a tiered approach:

  • Phase 1: Baseline (Level 1): If you’re starting from scratch, use the OT Recon scan policy in Tenable Security Center or Tenable One Vulnerability Management. It uses “Safe Active Querying” with native industrial protocols to discover hardware and firmware details without downtime, helping you reach the 70% Level 1 baseline.
  • Phase 2: Optimal Maturity (Level 4): To hit the 95% asset visibility threshold requiring daily updates, deploy Tenable One OT Exposure. By combining passive network monitoring with safe active querying, you gain persistent, real-time visibility into the deepest parts of the industrial network, bridging the gap to Level 4 maturity.

-- From inventory to zero trust: Connecting visibility to the CISA Zero Trust Maturity Model

Appendix A requires the LRA to align with CISA’s Zero Trust Maturity Model, which defines visibility and analytics as a cross-cutting capability enabling all five zero-trust pillars. The Tenable One Exposure Management Platform provides continuous attack surface visibility and risk quantification that feeds directly into zero trust analytics, connecting vulnerability, identity, and configuration data into a unified exposure view.

-- Beyond log retrieval: Vulnerability history as forensic evidence

When investigating a compromise, security operations center (SOC) analysts need more than logs; they need to know which vulnerabilities existed on affected assets at the time of the incident. Tenable’s scan history and vulnerability timeline provide the forensic context required by Appendix B (items j–k): determining attack vectors, lateral movement paths, and root-cause analysis.

-- AI-driven prioritization: Focusing logging resources where risk is highest

Appendix A explicitly states that the LRA will address using AI to enhance CEM and THIRF capabilities. Tenable Hexa AI and Vulnerability Priority Rating (VPR) deliver AI-driven risk context that helps agencies prioritize which assets and vulnerabilities demand the most urgent logging and monitoring attention, directly supporting the “risk-based, prioritized” philosophy of M-26-14.

Beyond inventory: Prioritizing logging resources where threat intelligence risk is highest

Establishing an authoritative asset inventory provides the necessary compliance foundation, but it immediately introduces an operational challenge: once an agency uncovers thousands of previously unmanaged IT, OT, and IoT assets, where should security teams begin deploying limited logging resources?

The same challenge exists across other parts of the modern attack surface. Cloud workloads, identity providers and directories, web applications, APIs, and containerized environments frequently operate in silos with incomplete inventories and inconsistent visibility. These assets can become equally unknown or poorly logged, creating additional blind spots that M-26-14’s risk-based, prioritized framework requires agencies to close.

OMB M-26-14 explicitly shifts federal strategy away from legacy, blanket data -retention mandates and toward a “risk-based, prioritized” logging philosophy. However, the directive does not prescribe a formula for that prioritization. Leaving agencies to manually identify high-value assets (HVAs) and determine logging priorities across complex hybrid IT/OT/cloud/identity environments creates compliance bottlenecks.

This is where asset discovery must transition into unified exposure management and threat intelligence. Tenable doesn’t just establish what is deployed on the network; Tenable One delivers continuous discovery, contextual risk scoring (including external exposure and business criticality), and real-time vulnerability intelligence across the entire attack surface — IT, OT, IoT, cloud, identity, web apps, and containers.

By continuously cross-referencing all assets with active threat telemetry and exposure context, agencies can instantly identify which systems — regardless of where they reside — are currently being targeted or represent the highest risk. 

Instead of treating every newly discovered asset with equal urgency, security leaders can use Tenable One’s exposure intelligence to focus CEM and log collection capabilities where the threat and business impact are highest. This directly answers the “what to log first” dilemma while supporting the risk-based, prioritized philosophy of M-26-14.

The pre-LRA window: What agencies should do before the clock starts

M-26-14’s timelines are aggressive. Once CISA publishes the LRA (within 90 days of the memo), the clock starts:

MilestoneDeadline
Submit Agency Logging Plan90 days after LRA
Achieve Level 1 (Basic)120 days after LRA
Achieve Level 2 (Intermediate)180 days after LRA
Achieve Level 3 (Advanced)320 days after LRA


Where is Level 4? While Level 4 (“Optimal”) represents the highest tier in the five-level maturity framework, OMB M-26-14 does not prescribe a strict day-count deadline for it. Instead, it serves as the ultimate target for continuous operational excellence that agencies build toward once the rigid Level 1 through 3 milestones are secured.

Agencies should use the time between now and LRA publication to:

  • Audit asset inventory completeness. Can you account for 70% of IT/OT/IoT assets today? 80%? If not, close the gap now; this is the prerequisite for everything else.
  • Validate log coverage against known assets. Use existing HWAM/SWAM and CDM data to identify systems without adequate logging.
  • Assess OT/IoT blind spots. These environments are explicitly in -scope and often the least visible. Passive discovery tools can illuminate what’s deployed without operational risk.
  • Map existing capabilities to the maturity model. Understand where you stand at, say, Level 0 vs. Level 1 across all five elements, then prioritize the gaps that block progression.

Logging maturity starts with knowing what you have

M-26-14 makes logging maturity measurable, and it makes asset visibility the foundation of that measurement. Every percentage point of maturity progression, from Level 0 to Level 4, is anchored to how completely an agency knows its IT, OT, and IoT attack surface.

Agencies that invest in comprehensive, continuous asset discovery across IT, OT, and IoT will be positioned to meet the memo’s timelines. Those that don’t will struggle to demonstrate the coverage percentages the maturity model demands.

The question is whether you know what’s missing from your SIEM logs, and whether you can prove it.

Don’t wait for the clock to start: Secure your OMB M-26-14 foundation now

The timelines imposed by OMB M-26-14 are aggressive, and the moment CISA publishes the LRA, the compliance clock moves fast. Because overall maturity is tied directly to your lowest-performing element, you cannot afford to let an incomplete asset inventory hold your entire cybersecurity scoring hostage. 

The message of M-26-14 is clear: you can’t log what you can't see. Use the pre-LRA window to find your blind spots, build an authoritative inventory, and ensure your team is positioned to succeed. 

Ready to close your asset visibility gaps and jumpstart your path to Level 4 maturity? Contact the Tenable Federal Team today to schedule an asset visibility assessment.