
Logging has entered the AI era. Here’s what federal cyber leaders should know

OMB’s M-26-14 is about speed, visibility and operational resilience, an Elastic executive and former NSA analyst writes.

Federal cyber leaders face an environment of increasingly sophisticated, high-speed threats. AI-enabled reconnaissance, automated vulnerability discovery, and lateral movement can reduce the time between initial access and operational impact.

At the same time, agency environments have become more distributed across cloud platforms, on-premises systems, IoT and OT devices, regional networks and mission-specific infrastructure. The government can’t defend what it can’t see, search, correlate and act on quickly.

President Trump’s Management Agenda and the Promoting Advanced AI Innovation and Security executive order highlight how federal agencies must work to successfully defend against and combat cyber enemies, especially as threat actors increasingly rely on automation and AI to speed up attacks.

The Office of Management and Budget’s Memorandum M-26-14 arrives at a critical moment, and updates federal logging expectations for this new operating reality.


Effective event logging is central to being able to detect, respond to, and analyze unusual network activity quickly: the timely, consistent recording of meaningful activities within an information system to safeguard sensitive data and keep operations running.

Previous logging data retention requirements turned out to be neither practical for storage nor cost-effective for agencies. To build efficiencies and keep pace with a shifting cyber threat landscape, M-26-14 instructs agencies to adopt a risk-based, prioritized approach to logging.

The directive moves away from a model that emphasized broad retention and prescriptive requirements, and toward one focused on measurable security outcomes.

Why M-26-14 matters now

In the five years since M-21-31 helped raise the federal logging baseline after major incident-response failures exposed gaps in visibility, M-26-14 is a step forward that acknowledges the practical realities of today’s AI-driven threat landscape. Agencies need to determine which data matters, make it available to security teams, and use it to detect and reconstruct activity across environments.


The memorandum acknowledges the practical realities that threat timelines are compressed, logs must be available fast enough to support active defense, and federal environments have become increasingly distributed. It also addresses the fact that centralized access is more important than centralized storage because access enables security outcomes, while storage just creates data sprawl.

Agencies can retain logs where they reside, while giving authorized SOC analysts centralized search access. This isn’t a new concept; this model has been running in CISA’s CDM Dashboard for years, spanning almost 100 federal agencies and their data. This approach means less forced data migration and more flexibility to adapt as policy and technology evolve.

M-26-14 reduces the minimum retention burden: logs must be actively searchable for at least six months and retrievable for at least one year. The change here is the emphasis on active searchability. Logs sitting in storage don’t help during a fast-moving investigation if analysts cannot query and analyze them quickly.

New requirements are more outcome-based. Rather than relying on a long catalog of specific log types and retention periods, the new rules center logging around operational outcomes. This gives agencies flexibility, but requires stronger planning, governance and measurement.

Treating the core pillars as one operational model


M-26-14 organizes logging around two priorities: Continuous Event Monitoring (CEM) and Threat Hunting, Investigation, Response, and Forensics (THIRF). Both are worth understanding as operational disciplines that work together, rather than two separate pathways to compliance.

  • CEM is the always-on capability to collect, normalize, index, analyze and review security event data. For agency leaders, CEM is the foundation for detecting anomalous activity before it becomes a larger incident.
  • THIRF covers the proactive and reactive activities that occur when something appears suspicious or when an incident is confirmed. It depends on being able to reconstruct activity across identities, endpoints, networks, applications, cloud services and mission systems.

CEM creates the visibility needed for early warning. THIRF depends on that visibility being complete, searchable and retained long enough to support investigation and response.

Using a unified logging and security platform across both CEM and THIRF reduces operational friction that costs time during high-pressure incidents. This is essential for aligning with these two OMB priorities, and operationalizing AI at scale across the full SOC lifecycle.


Agencies should treat CEM and THIRF as two halves of the same operational model.

What agencies should prioritize

While agencies wait for the official logging reference architecture (LRA), they shouldn’t discard the progress made under M-21-31. They can take preliminary steps to be ready when the LRA is released:

  • Build the logging plan around mission risk. Agencies should identify high-value assets, high-impact systems, mission-essential services and likely adversary paths. Logging priorities should map to the systems and activities most relevant to agency risk.
  • Treat search as a core security capability. Searchability should be designed into the architecture rather than bolted on later. Analysts need the ability to query across distributed data, correlate events and pivot quickly during investigations. Having federated search capabilities and the ability to bring the search to the data is critical for rapid response, especially as information continues to spread across environments.
  • Prepare for AI-enabled defense responsibly. M-26-14 points toward a future where AI can support analysts with everything from triage and anomaly detection to threat hunting and investigation. But AI is only as useful as the data foundation beneath it. Agencies should focus first on trusted, searchable and well-governed telemetry.
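As an added illustration (not code from the memorandum, the author or Elastic) of what “bring the search to the data” means in practice, the example below fans one identity query out to two constructed log stores with different native schemas, normalizes the hits into one timeline, and flags events that fall outside the six-month searchable window. The store names, schemas and sample events are assumptions made up for the demonstration.

```python
"""Federated search over logs that stay where they reside (constructed example)."""
from datetime import datetime, timedelta, timezone

SEARCHABLE_DAYS = 180  # M-26-14: logs actively searchable for at least six months
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample stores; each keeps its own native schema (not real agency data).
CLOUD_AUDIT = [
    {"ts": "2026-02-20T10:00:00Z", "principal": "jdoe@agency.example", "api": "AssumeRole", "src": "203.0.113.5"},
    {"ts": "2025-06-01T08:00:00Z", "principal": "jdoe@agency.example", "api": "ListBuckets", "src": "203.0.113.5"},
    {"ts": "2026-02-21T09:00:00Z", "principal": "asmith@agency.example", "api": "GetObject", "src": "198.51.100.9"},
]
ENDPOINT_EDR = [
    {"time": "2026-02-20T10:03:00Z", "user": "AGENCY\\jdoe", "host": "ws-0412", "process": "powershell.exe"},
]


def _parse(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_cloud(rec):
    # CEM normalization: map the cloud schema onto the common identity/time/action shape.
    return {"time": _parse(rec["ts"]), "user": rec["principal"].split("@")[0].lower(),
            "action": rec["api"], "where": rec["src"]}


def normalize_edr(rec):
    # Strip the domain prefix so the same person matches across stores.
    return {"time": _parse(rec["time"]), "user": rec["user"].split("\\")[-1].lower(),
            "action": rec["process"], "where": rec["host"]}


STORES = [("cloud-audit", CLOUD_AUDIT, normalize_cloud),
          ("endpoint-edr", ENDPOINT_EDR, normalize_edr)]


def federated_user_timeline(user, stores=STORES, now=NOW):
    """Query each store in place, normalize its hits, and return one ordered timeline
    for the identity; events older than SEARCHABLE_DAYS are marked archive-only."""
    hits = []
    for name, records, normalize in stores:
        for rec in records:
            event = normalize(rec)
            if event["user"] != user.lower():
                continue
            event["store"] = name
            event["in_searchable_window"] = (now - event["time"]) <= timedelta(days=SEARCHABLE_DAYS)
            hits.append(event)
    return sorted(hits, key=lambda ev: ev["time"])


if __name__ == "__main__":
    for ev in federated_user_timeline("jdoe"):
        print(ev["time"].isoformat(), ev["store"], ev["action"], ev["where"], ev["in_searchable_window"])
```

The same pattern extends to any number of stores: each store answers the query locally, and only the normalized hits travel to the analyst.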

OMB’s M-26-14 is a pragmatic update, but it also sends a larger signal. Federal cyber defense is moving from retention-heavy compliance toward operational visibility, outcomes, effective threat hunting and actionable response capabilities. In the age of AI-driven threats, the agencies that succeed will be those that can turn logs into timely security decisions.

This flexible, mission-focused framework allows agencies to strengthen cybersecurity while improving efficiency and reducing unnecessary costs. The challenge now is to use that flexibility to build logging architectures that are searchable, interoperable and ready for the next generation of cyber threats.

John Harmon is regional vice president of cyber solutions for Global Public Sector at Elastic. He previously served as a global network analyst at the National Security Agency.
