Level One by Christmas. Level Two by Valentine's Day. Level Three by Independence Day. That's the OMB M-26-14 logging mandate clock federal agencies are now racing against — and if you don't want to spend your holidays at the office, it's time to start planning now! In Episode 13 of The GIST of Govt IT, Brian and Sean dig into OMB M-26-14 on the eve of Sean's fireside chat with CISA Director Nick Andersen. Sean breaks down what actually changed: the shift from long-term log hoarding (30 months of cold retention) to an outcomes-driven model focused on defending the cyberspace effectively, and the dramatic expansion of scope to include IoT and operational technology — the unmanaged, line-of-business-owned, often third-party-managed devices that CISOs have never had eyes on. The conversation walks through the mechanics: the Logging Reference Architecture (LRA) dropping mid-August, the 90-day plan requirement, and the three maturity levels with their rising inventory-and-logging thresholds (70/50, 80/80, 90/90). Brian and Sean unpack why asset inventory is the real "creeper" that will blindside teams, why OT discovery requires drop-in kits and passive network detection rather than active scanning that can break physical systems, why centralized logging matters for coordinated FSEB-wide defense, and how to think about "three-for-one" investments that solve this mandate and other capability gaps at once.
RESOURCES MENTIONED IN THIS EPISODE
The Core Policy
- OMB M-26-14 (new logging mandate, issued May 22)
- OMB M-21-31 (the rescinded SolarWinds-era predecessor)
- OMB M-26-14 Signals a New Era for Cyber Visibility (BLOG)
Background: The SolarWinds / Sunburst Hack
- CISA on the SolarWinds supply chain compromise
- GAO review of federal M-21-31 log management adoption
The Maturity Milestones (per the memo)
- Level 1 (Basic) — ~120 days after LRA: 70% of assets inventoried, 50% logged centrally
- Level 2 (Intermediate) — ~Valentine's Day 2027: 80% inventoried, 80% logged
- Level 3 (Advanced) — ~320 days / Independence Day 2027: 90% inventoried, 90% logged
OT/IoT Discovery & Network Detection Solutions Referenced
- Zeek
- Corelight (commercial Zeek / "Sericana" reference
- Armis
- Dragos
- Nozomi Networks
SIEM, SOAR & SOC Modernization
- Continuous Threat Exposure Management (CTEM)
- CISA SIEM-as-a-service with Elastic
Related Episodes
- Episode 12: The Founding Father's Guide to Federal IT
- Episode 7: Iran Came for the US Dams and We Got Lucky: Frontline Insight from the OT Fight
- Episode 6: Cupcakes and OODA Loops: Inside(r)'s Insights Into the New Federal Cyber Playbook
Upcoming Events
- July 14 Breakfast Briefing at the National Press Club — "When the Perimeter Disappears: Securing the Converged Federal Enterprise Across IT, IoT, and OT":
- July 14 Mid-Year Federal IT Priority Setting Session with a fireside chat featuring CISA Director Nick Andersen
The Hosts & Show
- Swish Data
- GIST 360
