Memorandum M-26-14 from the Office of Management and Budget (OMB) marks a significant evolution in federal cybersecurity guidance, establishing a new risk-based framework for logging and network visibility across the United States federal government. The memo replaces the prescriptive requirements of Memorandum M-21-31 with an approach that emphasizes continuous monitoring, threat detection, investigation, and forensic readiness.
Agencies must meet a series of maturity milestones while implementing the required logging, retention, and investigation capabilities. In this post, we’ll explore the requirements of M-26-14, the timeline for implementation, the role of a unified observability and security platform, and how Datadog helps agencies prepare for advanced logging maturity.
M-26-14’s new logging framework
One of the most significant changes introduced by M-26-14 is its shift from prescriptive logging requirements to a maturity-based model. Rather than focusing solely on log collection and retention, the memo emphasizes operational outcomes: helping agencies detect threats earlier, investigate incidents faster, and strengthen cyber resilience over time.
M-26-14 establishes two primary objectives for logging programs: continuous event monitoring (CEM) and threat hunting, investigation, response, and forensics (THIRF). It also expands visibility requirements across federal environments.







