
M-26-14 revokes federal logging mandate before CISA replacement is ready

Rescinding M-21-31 now while giving CISA 90 days to publish a reference architecture leaves agencies with no enforceable logging standard for at least six months.


TL;DR

OMB memorandum M-26-14, released Friday, replaces Biden-era M-21-31 with a risk-based logging framework and directs CISA to produce a reference architecture within 90 days; agencies then get another 90 days to file implementation plans. The problem: M-21-31 was rescinded immediately, not upon delivery of the replacement. Federal agencies have no binding logging requirements for what the Institute for Security and Technology's Nick Leiserson estimates as six months or more, covering any breaches that occur while the architecture is still being written.


M-21-31 was not a perfect memo. Multiple agency watchdogs concluded that agencies were already failing to meet its benchmarks, and the new OMB memo itself acknowledges that requirements to retain "vast quantities of logging data without clear utility" proved neither operationally feasible nor cost-effective. A shift toward risk-based, prioritized logging is a defensible policy direction.

The sequencing is the problem. M-26-14 revokes M-21-31 immediately. CISA has 90 days to publish a logging reference architecture. Agencies then have another 90 days from that publication to submit a conforming implementation plan. That is, at a minimum, six months during which no binding federal logging standard exists. If CISA's deadline slips (and federal 90-day deadlines slip), the gap extends further. Any breach that occurs in that window lands in an environment where the forensic record-keeping baseline is, in Nick Leiserson's word to CyberScoop, "nothing."

What the reference architecture will actually say

The memo describes what the architecture should prioritize: continuous event monitoring and forensic investigation capability after a known or suspected compromise. What it does not specify is whether CISA's output will include minimum retention periods, enumerate required log types, define storage infrastructure standards, or remain a principles document that agencies must interpret independently. That distinction matters. If the architecture is principles-only, agencies face a second round of interpretation after the 90-day deadline, and the compliance vacuum effectively extends until agency-specific plans are reviewed and approved.

The new memo also introduces a revised maturity model to measure agency progress. The prior maturity model under M-21-31 produced documented gaps across agencies, per multiple inspector general reports. Whether the new model is more achievable or simply less demanding will depend on what CISA puts in the architecture.

What agencies should do Monday

Federal information security officers have three near-term decisions to make. First, existing logging investments built to M-21-31 standards should not be dismantled pending the new architecture: M-26-14 directs risk-based prioritization, not reduction, and over-logging is the less dangerous error during the gap. Second, budget and procurement actions tied to M-21-31 retention tiers are now in limbo; agency CISOs should flag those to acquisition officials rather than let them lapse quietly. Third, the 90-day CISA deadline is the date to watch, not the 90-day agency implementation window that follows it. If CISA's architecture is thin on specifics when it publishes, the second window gives agencies cover to delay meaningful action further.

The efficiency rationale in M-26-14 is real. But sequencing a rescission before its replacement is operational does not produce efficiency. It produces a compliance gap that will show up in the next round of IG logging audits, which will now measure against a standard that did not fully exist when the audit period opened.


Published ·Updated ·Deep Fathom