
Chris Leffler

Sophie Wang
Memorandum M-26-14 from the Office of Management and Budget (OMB) marks a significant evolution in federal cybersecurity guidance, establishing a new risk-based framework for logging and network visibility across the United States federal government. The memo replaces the prescriptive requirements of Memorandum M-21-31 with an approach that emphasizes continuous monitoring, threat detection, investigation, and forensic readiness.
Agencies must meet a series of maturity milestones while implementing the required logging, retention, and investigation capabilities. In this post, we’ll explore the requirements of M-26-14, the timeline for implementation, the role of a unified observability and security platform, and how Datadog helps agencies prepare for advanced logging maturity.
M-26-14’s new logging framework
One of the most significant changes introduced by M-26-14 is its shift from prescriptive logging requirements to a maturity-based model. Rather than focusing solely on log collection and retention, the memo emphasizes operational outcomes: helping agencies detect threats earlier, investigate incidents faster, and strengthen cyber resilience over time.
M-26-14 establishes two primary objectives for logging programs: continuous event monitoring (CEM) and threat hunting, investigation, response, and forensics (THIRF). It also expands visibility requirements across federal environments.
Continuous event monitoring (CEM)
Agencies must establish centralized visibility into security-relevant events across their environments. This effort includes:
Providing security operations center (SOC) teams with centralized access to security telemetry data
Monitoring activity across IT, operational technology (OT), and IoT environments
Detecting anomalous or suspicious behavior
Generating actionable alerts for security teams
Supporting rapid response to incidents and threats
Threat hunting, investigation, response, and forensics (THIRF)
In addition to monitoring, agencies must ensure that they can investigate and reconstruct security events when needed. Requirements include:
6 months of immediately searchable log data
12 months of retrievable historical data
Correlation across multiple log sources
Support for threat hunting, incident response, and forensic analysis
Together, these objectives reflect M-26-14’s shift toward operational resilience and security observability, requiring agencies to unify visibility across increasingly distributed systems.
Expanded visibility requirements
To support CEM and THIRF, agencies must collect and analyze logging data across a broad set of security-relevant activities. M-26-14 highlights the importance of visibility into identity activity, network traffic, object access, privilege changes, infrastructure events, security tooling telemetry, indicators of compromise (IoCs), anomaly detection, incident scope, attack vectors, and automated alerts.
These requirements reinforce a growing reality for federal security teams: meaningful investigations require context from across the entire technology stack, not just from individual systems or security tools.
Timeline for M-26-14 compliance
After publication of the forthcoming Logging Reference Architecture (LRA) by the Cybersecurity and Infrastructure Security Agency (CISA), agencies will have 320 days to achieve advanced logging maturity.
The timeline includes the following key milestones:
90 days after LRA publication: Submit agency logging plans to OMB and CISA.
120 days: Achieve Basic (Level 1) maturity.
180 days: Achieve Intermediate (Level 2) maturity.
320 days: Achieve Advanced (Level 3) maturity.
To achieve these milestones, agencies need to demonstrate centralized visibility, effective detection capabilities, retention controls, automated response workflows, and governance mechanisms that support secure access to log data.
How unified observability and security support M-26-14
Historically, agencies have relied on fragmented toolsets for infrastructure monitoring, application observability, SIEM operations, and incident response. As environments become more distributed and threats get more sophisticated, this fragmentation leads to silos that can slow down investigations and make correlation difficult. For example, an investigation of an anomalous login may require analysts to examine identity data, cloud activity, application telemetry data, infrastructure logs, and security findings to determine scope and impact.
A unified platform enables security and operations teams to investigate incidents by using a shared source of truth. Instead of manually correlating logs, metrics, traces, cloud activity, and security findings across multiple tools, teams can analyze that telemetry data together and move more quickly from detection to investigation. This approach becomes particularly important under M-26-14, which emphasizes correlation across diverse data sources and faster response to anomalous activity.
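The anomalous-login investigation described above, worked through as an added example that is not from the original post and is not Datadog's code: three constructed sample sources (an identity-provider sign-in feed, a cloud control-plane audit feed, and a host syslog) are normalized into one schema and joined on the principal inside a time window, so a single finding shows which sources and which M-26-14 visibility categories the activity touched. The JSON field names, the syslog year, the 30-minute window, the expected-country list, and the set of privilege-changing API calls are all assumptions made for the example.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample records for this example (not real agency telemetry).
# Field names imitate common IdP, cloud-audit and syslog shapes; they are assumptions.
IDP_EVENTS = [
    '{"ts": "2025-03-04T02:14:05Z", "actor": "jdoe", "event": "user.session.start", '
    '"src_ip": "203.0.113.7", "country": "RO", "mfa": false}',
    '{"ts": "2025-03-04T09:00:10Z", "actor": "asmith", "event": "user.session.start", '
    '"src_ip": "198.51.100.2", "country": "US", "mfa": true}',
]
CLOUD_EVENTS = [
    '{"eventTime": "2025-03-04T02:16:40Z", "userIdentity": {"userName": "jdoe"}, '
    '"eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7", '
    '"requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}',
    '{"eventTime": "2025-03-04T09:05:00Z", "userIdentity": {"userName": "asmith"}, '
    '"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.2"}',
]
HOST_LINES = [
    "Mar  4 02:20:01 bastion sshd[4211]: Accepted publickey for jdoe from 203.0.113.7 port 51234 ssh2",
    "Mar  4 02:20:30 bastion sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash",
]

SYSLOG_YEAR = 2025            # assumption: classic syslog timestamps carry no year
EXPECTED_COUNTRIES = {"US"}   # assumption: where this agency's users normally sign in from
PRIVILEGE_APIS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "CreateAccessKey"}


@dataclass(order=True)
class Event:
    """One record normalized into the shared schema the correlation step joins on."""
    ts: datetime
    source: str        # idp | cloud | host
    principal: str     # the identity every source is joined on
    category: str      # M-26-14 visibility category: identity, privilege_change, object_access
    action: str
    src_ip: str
    detail: dict = field(default_factory=dict, compare=False)


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_idp(line: str) -> Event:
    r = json.loads(line)
    return Event(_iso(r["ts"]), "idp", r["actor"], "identity", r["event"], r["src_ip"],
                 {"mfa": r["mfa"], "country": r["country"]})


def parse_cloud(line: str) -> Event:
    r = json.loads(line)
    name = r["eventName"]
    category = "privilege_change" if name in PRIVILEGE_APIS else "object_access"
    return Event(_iso(r["eventTime"]), "cloud", r["userIdentity"]["userName"], category,
                 name, r["sourceIPAddress"], r.get("requestParameters", {}))


SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
SSHD_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"^\s*(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def parse_host(line: str):
    """Parse sshd logins and sudo invocations from syslog; other programs return None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, host, prog, msg = m.groups()
    ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    if prog == "sshd" and (s := SSHD_RE.search(msg)):
        method, user, ip = s.groups()
        return Event(ts, "host", user, "identity", "ssh_login", ip, {"host": host, "method": method})
    if prog == "sudo" and (s := SUDO_RE.match(msg)):
        user, target, cmd = s.groups()
        return Event(ts, "host", user, "privilege_change", "sudo", "", {"host": host, "as": target, "cmd": cmd})
    return None


def load_all() -> list:
    events = [parse_idp(l) for l in IDP_EVENTS] + [parse_cloud(l) for l in CLOUD_EVENTS]
    events += [e for e in map(parse_host, HOST_LINES) if e]
    return sorted(events)


def is_anomalous_login(e: Event) -> bool:
    """Trigger condition: an IdP sign-in without MFA or from an unexpected country."""
    return (e.source == "idp" and e.action == "user.session.start"
            and (not e.detail["mfa"] or e.detail["country"] not in EXPECTED_COUNTRIES))


def correlate(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """For each anomalous login, gather every event for the same principal inside the
    window from all sources, so scope (which systems) and impact (privilege change)
    appear in one finding instead of three separate tool queries."""
    findings = []
    for trigger in filter(is_anomalous_login, events):
        related = [e for e in events
                   if e.principal == trigger.principal and trigger.ts <= e.ts <= trigger.ts + window]
        escalated = any(e.category == "privilege_change" for e in related)
        findings.append({
            "principal": trigger.principal,
            "trigger": f"{trigger.action} from {trigger.src_ip} "
                       f"(country={trigger.detail['country']}, mfa={trigger.detail['mfa']})",
            "severity": "high" if escalated else "medium",
            "sources": sorted({e.source for e in related}),
            "categories": sorted({e.category for e in related}),
            "timeline": [(e.ts.isoformat(), e.source, e.action) for e in related],
        })
    return findings
```

Running `correlate(load_all())` yields one finding for `jdoe`: the non-MFA sign-in from an unexpected country is followed within minutes by an IAM policy attachment, an SSH login to the bastion, and a sudo to root, so the finding is rated high and cites all three sources. The `asmith` activity produces nothing because its trigger condition is never met. The point of the shape is that the join key (the principal) and the time window are the same regardless of source, which is what lets identity, cloud and host telemetry be examined together rather than tool by tool.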
How Datadog can help accelerate M-26-14 readiness
Datadog helps agencies advance logging maturity by bringing observability and security capabilities together on a unified platform. Datadog has more than 1,000 integrations, along with support for agent-based, agentless, and OpenTelemetry collection methods, enabling agencies to centralize telemetry data across cloud, hybrid, on-premises, OT, and IoT environments. With Datadog, agencies can take the following actions to support their CEM and THIRF objectives.
Maintain searchable and long-term retention
Datadog Flex Logs provides scalable and searchable retention for active investigations and monitoring workflows, while Archive Search enables teams to query historical log data directly from cloud storage without permanent rehydration. These features help agencies meet the 6-month searchable retention requirement and the 12-month retrievable retention requirement outlined in M-26-14.

Detect threats faster
Datadog Cloud SIEM provides hundreds of out-of-the-box detection rules mapped to the MITRE ATT&CK® framework, enabling agencies to quickly establish coverage across required logging categories. With built-in threat intelligence capabilities, agencies can compare telemetry data against IoCs without introducing additional tooling or complex integrations.

Reduce analyst toil with AI
Security teams face growing alert volumes, increasingly complex environments, and limited analyst resources. Bits Security Analyst helps teams reduce manual effort and accelerate response times by automatically triaging alerts, identifying likely root causes, and investigating threats across Datadog’s unified observability and security data. By correlating signals from infrastructure, applications, logs, cloud services, and security telemetry, Bits Security Analyst helps analysts quickly understand scope, assess impact, and focus on the threats that matter most.

Automate response actions
As agencies progress toward advanced maturity, automation becomes critical. Datadog Workflow Automation enables SOC teams to enrich alerts, create tickets, escalate incidents, and execute response actions through no-code blueprints. These capabilities help agencies improve consistency in their response to security events while reducing manual effort during high-pressure investigations.

Strengthen Zero Trust visibility and analytics
Datadog helps agencies advance their Zero Trust initiatives by covering the Visibility and Analytics capability of CISA’s Zero Trust Maturity Model. Through integrations with existing identity, endpoint, network, cloud, and security controls, Datadog centralizes telemetry across the environment to provide visibility into user activity, system behavior, and security events. By correlating signals across infrastructure, applications, networks, and identities, agencies can improve threat detection, accelerate investigations, and gain the insights needed to continuously validate and strengthen their Zero Trust architecture.

Build toward advanced logging maturity with Datadog
M-26-14 represents a transformation in how federal agencies must approach visibility, detection, and cyber resilience. Agencies that treat logging as a strategic capability, not simply a retention requirement, will be better positioned to identify threats earlier, investigate incidents faster, and operate more securely across increasingly complex environments.
As agencies prepare for CISA’s LRA and the subsequent compliance deadlines, now is the time to evaluate logging coverage, identify visibility gaps, and build a roadmap toward advanced maturity. Datadog helps agencies meet these challenges by unifying observability and security on a single platform to help teams centralize telemetry, accelerate investigations, and automate response workflows at scale. This work is reinforced by Datadog’s FedRAMP® High authorization, which enables agencies to deploy Datadog for Government in environments that support sensitive and mission-critical workloads while meeting one of the government’s most rigorous cloud security standards.
FedRAMP High builds on the foundation established with FedRAMP Moderate. As a result, agencies can extend the same observability and security workflows across higher-impact systems without introducing new tools or rearchitecting their monitoring strategy. Datadog continues to invest in supporting evolving federal requirements, including ongoing work toward Impact Level 5 (IL5) authorization.
Learn more about Datadog for Government
Whether you’re assessing your current logging maturity, preparing for M-26-14 compliance, or modernizing operations for high-impact systems, Datadog can help you build the visibility, security, and operational resilience you need to support mission-critical systems.
If you’re attending AWS Summit Washington, D.C., stop by the Datadog booth to discuss practical approaches for achieving M-26-14 readiness, from centralized logging and security analytics to AI-assisted investigations and automated response. You can also request a demo to learn how Datadog for Government supports federal workloads, or start a 14-day free trial in our FedRAMP High-authorized GovCloud region.
Please note that this post does not constitute legal advice or a warranty of any kind. While Datadog offers powerful tools to assist in achieving compliance with government and industry standards, it is incumbent upon users to establish and confirm their own compliance.
