With the release of Office of Management and Budget (OMB) Memorandum M-26-14 last month, the White House has continued its broader efforts to evolve federal cybersecurity decision-making from governmentwide edicts to frameworks that agencies are expected to tailor to unique needs.
The new memorandum repeals the requirements of M-21-31, which was issued in response to the 2020 SolarWinds incident, in which Russian government-backed threat actors used a supply chain attack on SolarWinds's Orion software to infiltrate federal agencies. That memo was far-reaching, and resulted in the retention of vast quantities of data, as well as a fair amount of confusion around the specific requirements for its storage and use.
This new memorandum reflects current concerns in an age of rapidly changing software and AI-enabled threats. It seeks to move the federal government to a more agile, risk-based, and prioritized approach to logging.
To initiate this process, CISA has until August 20 to develop a logging reference architecture (LRA). The LRA will serve both as a guide for agencies developing their plans and as the starting gun for a year-long sprint in which agencies adapt their approach to logging. Agencies will have 120 days from the release of the LRA to reach Basic maturity, and must scale up to Advanced maturity within 320 days.
From Data Retention to Actionable Security Context
These milestones are about more than just storing data; they are about achieving actionable context. M-26-14 focuses on two core objectives:
The first is Continuous Event Monitoring (CEM), to monitor activity in real time as a means of rapidly detecting and responding to anomalous activity.
The second, Threat Hunting, Investigation, Response, and Forensics (THIRF), seeks to ensure agencies have appropriate logs to investigate any potential compromise.
This will become increasingly critical, and more complex, as we enter an era of AI-fueled vulnerability hunting and exploitation. A framework that agencies keep updating to match an ever-evolving cyber ecosystem sets a solid foundation for the future we all face.
How Wiz Can Help
Wiz ingests vital logs across the environment, including identity provider logs (e.g., Entra, Okta), cloud audit logs (e.g., CloudTrail, Azure Activity Logs), and AWS VPC Flow Logs.
In addition to ingesting these logs directly, Wiz can ingest information from pre-existing third-party deployments through our Unified Vulnerability Management (UVM) capability. This allows us to pull information about a range of on-premises devices, including Internet of Things (IoT) and Operational Technology (OT) devices, into the Wiz Security Graph. By using this context of assets and identities, Wiz can enhance threat detection analysis to quickly identify connected events and reduce alert fatigue.
Combined with our AI-powered Blue Agent, which investigates suspicious behavior to render accurate verdicts, agencies can establish automated response workflows to contain threats at machine speed.
Wiz's Audit History functionality supports the THIRF requirement. Audit History acts as a "time machine" for your cloud environment: instead of manually sifting through disparate logs to figure out what changed, Wiz stores historical revisions to build a complete, versioned timeline of your cloud infrastructure. When a security event occurs, security and DevOps teams can use visual diffs to compare a broken resource against its last known good state.
Administrators can configure default data retention periods and override rules to align exactly with federal timelines. Additionally, proving compliance to external auditors is simplified. Agencies can export comprehensive, custom Audit History reports detailing historical configuration changes, vulnerability findings, and resolutions directly to their own data storage.
Replacing M-21-31 has been discussed for years. M-26-14 represents a significant change in how the federal government thinks about logging, pushing agencies to move toward prioritized, context-aware threat response.
Wiz is positioned to help federal agencies rapidly mature their cloud logging practices and bridge the gap between logging compliance and actual security outcomes.
By leveraging Wiz’s continuous monitoring, AI-assisted forensics, and comprehensive asset visibility, agencies can confidently secure their environments, meet OMB's aggressive new deadlines, and maintain the operational resilience needed to defend against modern cyber threats.
1. Achieving Continuous Event Monitoring (CEM)
M-26-14 mandates real-time network monitoring, rapid anomaly detection, and automated alerting to supply Security Operations Centers (SOCs) with usable telemetry.
Real-Time Log Ingestion & Analytics: The Wiz Detection Engine ingests and processes multi-layered logs in near real time across your cloud, SaaS, identity provider (IdP), and version control system (VCS) infrastructure.
Behavior-Based Anomaly Detection: Rather than relying purely on static indicators, Wiz establishes daily behavioral baselines for users, workloads, and data objects using a 30- to 90-day lookback window. Hundreds of out-of-the-box Threat Detection Rules (TDRs) use these baselines to immediately flag anomalous, malicious, or atypical activity.
Lightweight Workload Visibility: The eBPF-based Wiz Runtime Sensor provides real-time container- and process-level application visibility (such as tracking process executions, command inputs, and connections).
Alert Noise Reduction: To prevent SOC analyst burnout (a primary concern highlighted in the directive), Wiz uses context-aware grouping to synthesize millions of isolated events occurring within a 24-hour window into a single, high-fidelity Threat alert that tells a coherent attack story.
Centralized SOC/SIEM Ecosystem Support: Wiz natively streams these prioritized Threats and context-rich cloud security alerts directly to existing SIEM and SOAR platforms (like Splunk, Microsoft Sentinel, and Google SecOps) to drive automated response workflows.
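As an added example (not Wiz code, and not from the memorandum), the Python below shows the two mechanics described in this section, baseline-driven anomaly detection and 24-hour alert grouping, over constructed CloudTrail-style audit lines. A per-principal baseline of normal actions, source /24 networks and regions is built from a 30-day lookback (the lower end of the window mentioned above; the choice is an assumption), events outside that baseline are flagged with a reason, and flagged events for the same principal are collapsed into one alert per 24-hour window. The line format, principals, addresses and timestamps are all constructed for illustration.

```python
"""Added example: per-principal behavioral baselines over cloud audit events,
anomaly flagging against those baselines, and 24-hour grouping of the results.
Not Wiz code; all data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOOKBACK_DAYS = 30                  # assumption: lower end of the 30- to 90-day window
GROUP_WINDOW = timedelta(hours=24)  # one alert per principal per 24-hour window
NOW = datetime(2026, 5, 1, 12, 0)   # fixed "current time" so the run is deterministic

# Constructed history used to build baselines:
# "<iso-time> <principal> <action> <source-ip> <region>"
HISTORY_LINES = """
2026-04-05T09:00:00 alice ConsoleLogin 10.20.30.4 us-east-1
2026-04-12T10:15:00 alice ListBuckets 10.20.30.4 us-east-1
2026-04-20T14:30:00 alice GetObject 10.20.30.12 us-east-1
2026-02-01T08:00:00 alice CreateAccessKey 10.20.30.4 us-east-1
""".strip().splitlines()

# Constructed new events to evaluate against the baselines.
NEW_LINES = """
2026-05-01T08:00:00 alice ListBuckets 10.20.30.7 us-east-1
2026-05-01T08:20:00 alice GetObject 203.0.113.5 us-east-1
2026-05-01T08:25:00 alice CreateAccessKey 203.0.113.5 us-east-1
2026-05-01T10:00:00 alice PutBucketPolicy 203.0.113.5 eu-west-1
2026-05-03T09:00:00 alice GetObject 203.0.113.5 us-east-1
2026-05-01T09:00:00 bob ListBuckets 10.20.30.9 us-east-1
""".strip().splitlines()


def parse(line):
    """Parse one constructed audit line into a dict with typed time and address."""
    ts, principal, action, src_ip, region = line.split()
    return {"time": datetime.fromisoformat(ts), "principal": principal,
            "action": action, "src": ip_address(src_ip), "region": region}


def net_of(ip):
    """Collapse a source address to its /24 so a whole office or NAT pool counts as one origin."""
    return ip_network(f"{ip}/24", strict=False)


def build_baselines(history, now=NOW):
    """Per-principal sets of normal actions, source /24s and regions seen inside the lookback."""
    cutoff = now - timedelta(days=LOOKBACK_DAYS)
    base = defaultdict(lambda: {"actions": set(), "nets": set(), "regions": set()})
    for ev in history:
        if ev["time"] < cutoff:      # too old: the Feb CreateAccessKey drops out of the baseline
            continue
        b = base[ev["principal"]]
        b["actions"].add(ev["action"])
        b["nets"].add(net_of(ev["src"]))
        b["regions"].add(ev["region"])
    return base


def detect(events, baselines):
    """Return (event, reasons) for events outside the principal's baseline."""
    findings = []
    for ev in events:
        b = baselines.get(ev["principal"])
        if b is None:
            findings.append((ev, ["first-seen principal"]))
            continue
        reasons = []
        if ev["action"] not in b["actions"]:
            reasons.append(f"new action {ev['action']}")
        if net_of(ev["src"]) not in b["nets"]:
            reasons.append(f"new source network {net_of(ev['src'])}")
        if ev["region"] not in b["regions"]:
            reasons.append(f"new region {ev['region']}")
        if reasons:
            findings.append((ev, reasons))
    return findings


def group_alerts(findings, window=GROUP_WINDOW):
    """Collapse flagged events per principal into one alert per rolling window."""
    by_principal = defaultdict(list)
    for ev, reasons in sorted(findings, key=lambda f: f[0]["time"]):
        by_principal[ev["principal"]].append((ev, reasons))
    alerts = []
    for principal, items in by_principal.items():
        current = None
        for ev, reasons in items:
            if current is None or ev["time"] - current["start"] > window:
                current = {"principal": principal, "start": ev["time"], "events": [], "reasons": []}
                alerts.append(current)
            current["events"].append(ev)
            current["reasons"].extend(reasons)
    return alerts


def run(history=HISTORY_LINES, new=NEW_LINES, now=NOW):
    """Build baselines, flag anomalies in the new events, and group them into alerts."""
    baselines = build_baselines([parse(l) for l in history], now)
    findings = detect([parse(l) for l in new], baselines)
    return findings, group_alerts(findings)


if __name__ == "__main__":
    _, alerts = run()
    for a in alerts:
        print(a["principal"], a["start"], len(a["events"]), "events:", "; ".join(a["reasons"]))
```

Two details matter in practice. The lookback cutoff is what keeps a rarely used privileged action (here CreateAccessKey, last seen outside the window) out of the baseline, so the 30- versus 90-day choice directly changes what counts as anomalous. And the window grouping collapses the three alice findings on May 1 into one alert while the May 3 recurrence from the same external network opens a new one, which is the behaviour an analyst wants when the same story resumes after a gap.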
2. Driving Threat Hunting, Investigation, Response, and Forensics (THIRF)
The memo requires agencies to establish deep post-compromise capabilities to map attack patterns, mitigate intrusions, and preserve an unbroken chain of forensic evidence.
Automated & On-Demand Forensics: Wiz facilitates rapid triage with hybrid forensic collection. When a critical threat is detected, the Wiz Runtime Sensor automatically captures a localized forensic package (including scripts, system logs, binaries, and live execution context) from the affected workload.
Agentless Evidence Preservation: For broader infrastructure isolation, Wiz's Agentless Forensics can copy and securely transmit snapshots of suspicious virtual machine volumes to an isolated forensics account without disrupting ongoing agency operations. Additionally, the platform allows on-demand downloading of scrubbed Machine Log ZIP archives containing comprehensive host artifacts.
Mapping Attack Patterns and Lateral Movement: Leveraging the Wiz Security Graph, investigators can visualize complex chains of exposures and trace exactly how an attacker could move laterally to high-value assets or administrative control planes. Analysts can inspect step-by-step interactive attack timelines to quickly discern root causes.
Proactive Threat Hunting: Security teams can proactively hunt for dormant threats, independent of the primary detection engine, by running advanced cross-domain queries over raw telemetry and Runtime Execution Data (RED).
3. Operationalizing "Log What Matters" via Cost Optimization & Pre-Filtering
A cornerstone of M-26-14 is mitigating the financial drain of storing vast quantities of data by promoting optimized log management.
Network Log Pre-Filtering: Wiz includes predefined, cost-optimized log pre-filtering controls directly configurable from the portal dashboard.
Volume and Cost Reduction: For high-volume data streams such as VPC Flow Logs, Wiz can filter out internal-to-internal traffic based on custom internal IP ranges. For DNS logs, it can exclude custom internal domains and cloud provider endpoints. Filters like these let agencies discard service-initiated cloud storage events before they travel to Wiz, drastically reducing ingestion overhead.
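As an added example (not Wiz code), the Python below implements the two pre-filters just described against constructed input: AWS VPC Flow Log lines in the default v2 field order, where a record is dropped only when both endpoints fall inside the agency's internal ranges, and resolver-style DNS query lines, where names under an internal zone or a cloud provider endpoint are dropped on a label boundary. The internal ranges, the excluded suffixes, the DNS line layout and every sample line are assumptions made for the illustration.

```python
"""Added example: log-source pre-filters of the kind described above, written
against constructed AWS VPC Flow Log (default v2 format) and resolver-style DNS
query lines. Not Wiz code; ranges, suffixes and sample lines are assumptions."""
from ipaddress import ip_address, ip_network

# Assumed agency-internal ranges (RFC 1918) and suffixes to exclude from DNS ingestion.
INTERNAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED_DNS_SUFFIXES = ("corp.example", "amazonaws.com")  # assumed internal zone + provider endpoint

# Default VPC Flow Log v2 field order.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed flow records: internal<->internal, egress, inbound scan, NODATA, internal<->internal.
FLOW_LINES = """
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 10 840 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.20 49153 443 6 25 3100 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.5 51000 22 6 3 180 1714550400 1714550460 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1714550400 1714550460 - NODATA
2 123456789012 eni-0a1b2c3d 172.16.5.5 192.168.1.1 53000 3389 6 8 640 1714550400 1714550460 ACCEPT OK
""".strip().splitlines()

# Constructed DNS query lines: "<time> <client-ip> <qname> <qtype>".
DNS_LINES = """
2026-05-01T08:00:00Z 10.0.1.5 db01.corp.example. A
2026-05-01T08:00:01Z 10.0.1.5 s3.us-east-1.amazonaws.com. A
2026-05-01T08:00:02Z 10.0.1.5 update.example-evil.net. TXT
2026-05-01T08:00:03Z 10.0.1.5 notcorp.example. A
""".strip().splitlines()


def is_internal(addr):
    """True when addr parses and lies inside an internal range."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # '-' in NODATA/SKIPDATA records is not an address and is never "internal"
    return any(ip in net for net in INTERNAL_RANGES)


def parse_flow(line):
    """Map one default-format flow log line onto its field names."""
    return dict(zip(FLOW_FIELDS, line.split()))


def keep_flow(rec):
    """Drop only when both endpoints are internal; anything touching the outside stays.
    NODATA/SKIPDATA records stay too, since they signal gaps in the evidence."""
    return not (is_internal(rec["srcaddr"]) and is_internal(rec["dstaddr"]))


def filter_flows(lines):
    """Return (kept records, dropped count)."""
    kept, dropped = [], 0
    for line in lines:
        rec = parse_flow(line)
        if keep_flow(rec):
            kept.append(rec)
        else:
            dropped += 1
    return kept, dropped


def is_excluded_name(qname):
    """Suffix match on a label boundary: 'notcorp.example' must not match 'corp.example'."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in EXCLUDED_DNS_SUFFIXES)


def filter_dns(lines):
    """Return (kept (time, client, qname, qtype) tuples, dropped count)."""
    kept, dropped = [], 0
    for line in lines:
        ts, client, qname, qtype = line.split()
        if is_excluded_name(qname):
            dropped += 1
        else:
            kept.append((ts, client, qname, qtype))
    return kept, dropped


if __name__ == "__main__":
    flows, fdrop = filter_flows(FLOW_LINES)
    print(f"flow: kept {len(flows)}, dropped {fdrop}")
    dns, ddrop = filter_dns(DNS_LINES)
    print(f"dns: kept {len(dns)}, dropped {ddrop}:", [q for _, _, q, _ in dns])
```

Two practitioner caveats apply. Dropping internal-to-internal flows removes exactly the records that show lateral movement between hosts, so a filter that is right for CEM cost control can undermine the THIRF investigations described in the previous section; routing those records to cheap cold storage rather than discarding them is the usual compromise. And the DNS exclusion must match on a label boundary, as above, otherwise a lookalike such as notcorp.example or a provider-endpoint impersonation is silently filtered along with the legitimate traffic.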
4. Categorizing Assets via Rigorous Data Classification
The directive highlights that a risk-based approach to logging fails if an organization cannot properly differentiate between critical components and background resources. It will also require agencies to ensure that logs do not capture or expose data in contravention of law.
AI-Driven Data Discovery: Wiz uses AI-driven classification and Data Classification Rules to scan files, disks, and databases to automatically discover and map sensitive data patterns (such as PII, PHI, or regulated financial documents).
Strategic Log Placement: By using Wiz Data Security Posture Management (DSPM), agencies gain the contextual insight needed to proactively verify that continuous data access logging is enabled specifically on data stores containing high-risk or sensitive information, replacing guesswork with data-driven prioritization.
5. Managing Compliance via the Incident Readiness Framework
M-26-14 mandates that agencies progressively track and report their progress across basic, intermediate, and advanced levels of logging maturity.
Incident Readiness Board: Wiz provides a dedicated Incident Readiness Board specifically designed to measure how well an environment is prepared to detect and investigate breaches based on active log coverage footprints. It monitors boundaries across control, data, network, compute, containers, and secret domains.
Weighted Maturity Scores: The platform calculates a unified Readiness Score using a weighted formula aligned with federal priorities. For example, foundational management logs (such as AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs) are marked as Critical-level requirements, so that administrators can easily identify configuration drift and address gaps via auto-generated remediation commands.
Eliminating Blind Spots: Wiz's agentless-first architecture maps the complete cloud estate to continuously discover newly deployed workloads, building an active inventory of Cloud Resources and Hosted Technologies so that no part of the enterprise remains untracked or invisible.
Conclusion
M-26-14 represents a shift from logging for compliance to logging for action. Rather than prescribing broad data retention requirements, the memorandum emphasizes real-time detection, effective investigations, and risk-based prioritization.
As agencies work toward new maturity milestones, they will need the visibility, context, and operational capabilities to turn telemetry into security outcomes. By combining continuous monitoring, threat hunting and forensics, and cloud-native visibility, Wiz helps agencies strengthen cyber resilience while meeting the intent of M-26-14.