M-26-14 Just Ended the Era of Tool-Stack Zero Trust

Mackenzie Wartenbeger
Principal Security Architect
Nina Sawyer
Director of Data Engineering

On May 22, the Office of Management and Budget (OMB) issued Memorandum M-26-14, “Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats,” and rescinded M-21-31, “Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” in the same breath. Framed as a security-based logging policy update, M-26-14 touches on some key elements of a mature zero trust security posture, and on how that maturity can help FedCiv agencies avoid catastrophic outcomes. Read the first paragraph: "Threat actors have increasingly used automation and artificial intelligence to accelerate attacks against critical systems."

Adversaries are moving at machine speed, and the old approach to logging can’t keep up. M-26-14 is a security memo with a logging label, and zero trust is the real security work behind it. The gap between agencies that did the foundational work and agencies that tried to fix their zero trust approach with tools is about to get visible.

There's also a real catch. M-26-14 pulls a lot of M-21-31's guardrails out before the new logging reference architecture is published. Whether this memo strengthens or weakens posture comes down to what the Cybersecurity and Infrastructure Security Agency (CISA) delivers in 90 days. Here's the quick frame:

Where M-21-31 Ended and M-26-14 Begins

📉 The Old Way (M-21-31)

  • Goal: Drastically raise the logging baseline across all agencies.

  • Problem: It forced agencies to retain massive quantities of data that, for most, became a financial drain and an operational nightmare with no clear security payoff.

🔄 The New Way (M-26-14)

  • Goal: A flexible, risk-based approach focused on cost containment instead of rigid red tape.

  • Focus: Two priorities. Continuous event monitoring (CEM) for real-time triage, and threat hunting, investigation, response, and forensics (THIRF) for post-incident clean-up.

⚠️ The Risks (The "Guardrail Removal" Part)

  • Blind Spots by Choice: Prioritized logging means agencies stop logging everything. Miscalculate your risk profile and critical attack data won't be captured.

  • The "Unmonitored" Gap: The maturity model has low bars at the bottom. At Level 1, agencies only need to track 70 percent of hardware/software assets, and logs only have to cover 50 percent of that already-incomplete inventory. Even at Advanced (Level 3), 10 percent of the environment can stay invisible. Not very zero-trusty.

  • The Classification Question: A risk-based approach assumes agencies actually know what they’re looking at. “Log what matters” requires rigorous, clear data classification and categorization—a key component of data management that is routinely overlooked. If you haven’t categorized your assets by criticality, your log prioritization is just guesswork.

  • Delayed Alerts: At the initial tiers, automated alerts cover less than 50 percent of baseline requirements, with ad hoc investigations. Hardly ideal for agencies and systems facing the kind of advanced threats that the memo suggests.

Bottom line: The government is trading a "log everything" blanket for a "log what matters" shield. It's cheaper and faster, but leaves a margin of error sophisticated attackers could exploit. And that’s a tough needle to thread: you have to help often-quagmired agencies do the hard work of holistically mapping their maturity and logging visibility, while also enabling CEM and THIRF capabilities that keep them ahead of advanced adversaries. That’s exactly the kind of work Aquia is doing in our support of the Centers for Medicare and Medicaid Services (CMS) as a part of the zero trust and incident response teams.

Four Things for FedCiv CISOs to Focus On

1. The CISA ZTMM Visibility and Analytics Capability Is Now a Federal Mandate

Buried in Appendix A is the line that reframes this:

"CISA's Zero Trust Maturity Model defines the Visibility and Analytics cross-cutting capability that supports and enables all five Zero Trust pillars. The LRA will align with the Zero Trust Maturity Model."

Visibility and analytics is no longer something agencies self-score once a year and file. It's the foundational layer agencies must align with. Your logging posture is your zero trust posture. Full stop.

If your SOC telemetry doesn't feed your zero trust pillars, you're behind. "We have a SIEM" isn't the answer when an AI-assisted threat actor is moving laterally faster than your detections fire. The right answer is a documented mapping of logs to zero trust controls across all five pillars, with evidence behind every claim. Most agencies don't have it.

Most agencies don't have it because the federal zero trust market has spent the last four years being sold the same handful of tools: identity platforms; SIEM upgrades; security orchestration, automation and response (SOAR) playbooks; a dashboard with five pillars colored in. Vendors can demo any of them in thirty minutes and turn them into a procurement vehicle. They close fast, they look like progress, and they leave the visibility and analytics capability entirely unaddressed because no one ever wired the rest of the agency into it. Agencies didn't end up here by accident. It was the path of least resistance and the easiest spend to justify.

Our team at CMS has spent years working on the harder side of that problem, building the visibility infrastructure an organization of that size actually needs. The work spans all six zero trust pillars (including cross-cutting, where visibility and analytics lives), grounded in evidence: control verification gets pulled automatically from the systems agencies already run, then reconciled against ISSO insights. Pillar dashboards overlay current performance against historical, so weak spots surface where leadership can act. That's the difference between knowing where you're soft on visibility and analytics and finding out the hard way, from an adversary or from CISA.

2. M-21-31 Died Because "Collect Everything" Was Never a Strategy

In killing M-21-31, OMB admitted what security operations center (SOC) engineers have been saying for years: agencies were drowning in log data they couldn't use, couldn't afford to store, and couldn't put to work. That's the dirty secret behind "we ingest 50 terabytes a day." Most of it never feeds a detection, and a lot of it can't be searched in time to matter.

That said, M-21-31's baseline was a (clumsy) guarantee that agencies kept enough data around to investigate something they hadn't yet recognized as an incident. Replacing it with a prioritized framework is the right call. Doing it before logging reference architecture (LRA) exists is the gamble.

The new framework is an acknowledgment that quality of detection beats quantity of data for this administration. CEM is real-time logs, alerting, and response. THIRF is the hot and cold storage you can retrieve from to map attack patterns after the fact. You can’t fake either with a bigger SIEM license. CEM lives or dies on whether the right logs feed detections inside sub-five-minute latency. THIRF lives or dies on whether you can retrieve what you stored and stitch it back together when CISA or the Federal Bureau of Investigation (FBI) shows up asking.

This is the work our team does at CMS every day across 200-plus FISMA-reportable systems and 50 data centers. It's where M-26-14 will draw the cleanest line between real CEM and THIRF capability and a vendor relationship.

Our team’s log ingestion side runs more than one terabyte of security event data per day with sub-five-minute alert latency. The platform sustains 99.9 percent uptime with sub-10-percent false-positive rates across ML-driven monitoring. CEM lives or dies on signal quality, and signal quality is a data engineering problem.

The engineering underneath the pipelines is where CEM and THIRF live. Those pipelines require the foundational data management work that gets skipped because it isn’t flashy or quick: clear data classification and structured categorization. We ran the first phase of Splunk index cataloging at CMS, the unsexy work of mapping every data source and tracing data lineage across the target environment. Without that step and a clear understanding of what data actually matters, a "centralized SIEM" is just a billing line. We integrated the CMS security data lake with Splunk so analysts can reach hot, warm, and cold data through one workflow, without waiting on a thaw three days after the incident closes. We stood up Alteryx Designer and Server on top of that stack, so hunting workflows aren't gated on someone remembering to run a script. We built two production ML pipelines in Python (a Cisco VPN anomaly detector and a KMeans DLP classifier for M365 SSN/MBI events) with retraining loops so they adapt as threat patterns shift. And we partnered with CMS Cyber Threat Intelligence on a data exfiltration use case in Splunk, because exfil detection lives or dies on cross-team engineering.

None of that is "buy a SIEM." All of it is engineering. When adversaries move at AI speed, the agencies that own that engineering foundation are the ones whose SOCs stand a chance.

3. The Maturity Model's "Lowest Watermark" Rule Will Expose Inventory as the Real Gap

Appendix C is the new logging maturity model: five levels, five elements (inventory visibility, collection coverage, collection operations, data retention, log management). The rule for overall maturity is in the footnote:

"Overall maturity is calculated based on the lowest watermark for each component in the maturity model."

In plain terms: you can’t buy your way to “Advanced” by stacking tools on top of broken fundamentals. If your HWAM/SWAM inventory only covers 60 percent of your IT/OT/IoT footprint, you're stuck at “Ineffective on Inventory Visibility,” which means you're “Ineffective” overall. The SIEM doesn't save you. The SOAR doesn't save you. The auditor reads the lowest score. So, more importantly, does the threat actor.

Every zero trust control downstream of asset coverage assumes you know what's in your environment. Without a centralized Hardware/Software Asset Management (HWAM/SWAM) inventory updated daily, your CEM coverage and THIRF gaps are unknowable. It's the unsexy work agencies skip because it's hard: months of cross-team coordination, asset enumeration, reconciling stale configuration management databases (CMDBs), integrating continuous diagnostics and mitigation (CDM) data, and refusing to accept "we think that's everything" as an answer. But knowing where the assets are is only half the battle; you also have to categorize what flows through them. Neglecting clear data classification means you are flying blind on data management, leaving your CEM coverage and THIRF capabilities based on assumptions rather than architectural reality.
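To make the coverage arithmetic in this item (and the Level 1 figures in the risk list above) concrete, here is an added Python illustration; it is not code from the post or from Aquia's CMS tooling. It scores only the two elements the memo text quotes numbers for, using only those thresholds (Level 1: 70 percent inventory, 50 percent collection; Level 3: 90 percent), and the element names and asset sets are constructed.

```python
# Added example, not from the post or Aquia: coverage scoring plus the
# lowest-watermark rule. Thresholds exist only at the levels the post cites;
# anything below Level 1 scores 0 ("Ineffective"). This is an assumption.
INVENTORY_LEVELS = [(1, 0.70), (3, 0.90)]   # (level, minimum share)
COLLECTION_LEVELS = [(1, 0.50), (3, 0.90)]  # (level, minimum share)

# Constructed sample: what the CMDB lists, what CDM discovered on the wire,
# and which assets actually ship logs to the SIEM today.
CMDB_ASSETS = {"web-01", "web-02", "db-01", "vpn-gw", "plc-07", "mri-03"}
CDM_DISCOVERED = CMDB_ASSETS | {"cam-12", "badge-svc", "dev-box-9", "printer-4"}
LOGGING_ASSETS = {"web-01", "web-02", "db-01", "vpn-gw"}


def inventory_visibility(cmdb, discovered):
    """Share of the real footprint (inventory plus discovered) the inventory tracks."""
    return len(cmdb) / len(cmdb | discovered)


def collection_coverage(cmdb, logging):
    """Share of *inventoried* assets that feed the SIEM (scored against inventory)."""
    return len(logging & cmdb) / len(cmdb)


def effective_logged_share(inv_share, coll_share):
    """True share of the estate logged: the two percentages multiply (0.7 * 0.5 = 0.35)."""
    return inv_share * coll_share


def element_level(share, thresholds):
    """Highest level whose floor is met; 0 means Ineffective."""
    return max((lvl for lvl, floor in thresholds if share >= floor), default=0)


def overall_maturity(levels):
    """Lowest-watermark rule: the weakest element sets the overall score."""
    return min(levels.values())


def score(cmdb, discovered, logging):
    inv = inventory_visibility(cmdb, discovered)
    coll = collection_coverage(cmdb, logging)
    levels = {"inventory_visibility": element_level(inv, INVENTORY_LEVELS),
              "collection_coverage": element_level(coll, COLLECTION_LEVELS)}
    return {"inventory": round(inv, 3), "collection": round(coll, 3),
            "effective": round(effective_logged_share(inv, coll), 3),
            "levels": levels, "overall": overall_maturity(levels),
            "untracked": sorted(discovered - cmdb)}  # blind spots a CDM feed exposes


if __name__ == "__main__":
    print(score(CMDB_ASSETS, CDM_DISCOVERED, LOGGING_ASSETS))
    # After reconciling the CMDB with CDM: inventory hits 100%, collection drops to 40%.
    print(score(CDM_DISCOVERED, CDM_DISCOVERED, LOGGING_ASSETS))
```

The second call shows the point of the section: fixing inventory does not raise the overall score, it only moves the lowest watermark to collection coverage, which is exactly the gap that was unknowable before the inventory was reconciled.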

4. The Catch: The Guardrails Are Gone, the LRA Is TBD

Those risks aren't theoretical. What makes this dangerous is the timing. M-21-31 is rescinded today. CISA has 90 days to publish the LRA, and they have to get it right. Agencies get 90 more days to plan, 120 to “Basic,” 320 total to “Advanced.” The gap between today and Advanced is a regulatory vacuum, and any attacker reading this now knows how long the soft window is.

So the LRA has to do an enormous amount of work. If CISA publishes a thoughtful, well-scoped architecture that closes the maturity-model gaps in practice, M-26-14 becomes a real upgrade. If it's thin or vendor-shaped, it weakens posture instead of strengthening it. Don't read this as a license to right-size down. “Prioritized” doesn't mean less data. An agency that uses M-26-14 as cover to retire telemetry before visibility and analytics is wired across its pillars will discover the cost the way agencies always do: in retrospect, from a CISA notification.

The Easy Button Is Going to Stop Working

The tools that got most agencies through the last four years don't survive contact with this memo. They don't move the needle on visibility and analytics. They don't fix a broken inventory. They don’t help you target the right logs to keep and the data to throw out, and they don't give you a defensible answer when an AI-assisted intrusion is already inside your environment and you have six hours to figure out where it came from. The easy button never built a zero trust program. It just made the slide deck prettier while attackers got faster.

M-26-14 makes that game harder because the threat OMB is responding to isn’t slowing down. FedCiv CISOs working the 320 days: start with inventory, wire visibility and analytics across your pillars, then design CEM and THIRF as two separate efforts with different cost models. That's the order threat actors exploit. Keep one eye on the LRA. The right one strengthens this memo. A weak one undoes it, and pivoting will be required.

For more information on how Aquia is helping federal agencies like HHS, CMS, and DOW navigate the zero trust landscape, contact us at federal@aquia.us.

Aquia

Securing The Digital Transformation ®

Aquia is a cloud and cybersecurity digital services firm and “2024 Service-Disabled, Veteran-Owned Small Business (SDVOSB) of the Year” awardee. We empower mission owners in the U.S. government and public sector to achieve secure, efficient, and compliant digital transformation.

As strategic advisors and engineers, we help our customers develop and deploy innovative cloud and cybersecurity technologies quickly, adopt and implement digital transformation initiatives effectively, and navigate complex regulatory landscapes expertly. We provide multi-cloud engineering and advisory expertise for secure software delivery; security automation; SaaS security; cloud-native architecture; and governance, risk, and compliance (GRC) innovation.

Founded in 2021 by United States veterans, we are passionate about making our country digitally capable and secure, and driving transformational change across the public and private sectors. Aquia is an Amazon Web Services (AWS) Advanced Tier partner and member of the Google Cloud Partner Advantage Program.
