OMB M-26-14 Makes the Case for Packet-Level Visibility
Federal agencies can meet M-26-14 logging mandates while still missing key network activity. Packet capture closes critical visibility and forensic gaps across complex agency environments.
cPacket Networks
On May 22, the White House Office of Management and Budget (OMB) issued Memorandum M-26-14 – a federal directive that changes network-related cybersecurity requirements for U.S. civilian agencies. The memo’s title is deliberate: “Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats.” Two objectives, named together. The body of the memo delivers a rigorous framework for logging. Network visibility, the second named objective, depends on a data source the memo does not address: packet capture.
M-26-14 rescinds the policies outlined in M-21-31, which established the original federal logging baseline in 2021, and replaces its prescriptive tiering model with an outcome-based framework. That shift matters most in the memo’s two core operational goals: Continuous Event Monitoring (CEM), the real-time detection of anomalous activity, and Threat Hunting, Investigation, Response, and Forensics (THIRF), the forensic capability to reconstruct and remediate a compromise after it occurs. Logs are indispensable to both. For THIRF especially, they are not sufficient.
What the Memo Gets Right
M-26-14 frames the right operational objectives. CEM and THIRF together cover the full response lifecycle: detect early, investigate thoroughly. The emphasis on forensic retention, six months of searchable data and twelve months of retrievable data, reflects the reality that adversaries often maintain access for months before discovery. The direction toward AI-enhanced detection and the explicit requirement for consistent and accurate timestamps across all agency systems reflect a mature policy framework.
These are the right requirements. The question is whether logs alone satisfy them.
Where Logs Reach Their Limit
Logs record what a system reports about itself. Appendix B of M-26-14 requires agencies to determine “the attack vector(s) of a cybersecurity attack, including any associated with initial access as well as lateral movement.” Lateral movement through compromised credentials inside encrypted east-west traffic typically produces no log event on the systems involved. The adversary is authenticated, moving through valid channels, and generating no alerts. The record of that activity exists on the wire, not in any endpoint log.
Appendix A identifies a second gap and names it directly: the Logging Reference Architecture (LRA) must address “IoT devices and OT that do not have native logging capability.” Passive packet capture is the mechanism that provides coverage for devices that generate no logs. Without it, a meaningful portion of agency infrastructure remains dark regardless of what logging maturity level an agency achieves.
M-26-14’s maturity framework measures agencies across five elements, one of which is collection coverage. Collection coverage cannot reach its intended level if IoT and OT devices without native logging, and encrypted east-west traffic that produces no endpoint alerts, are outside the assessment boundary. An agency can score coverage across every managed endpoint and cloud log source and still have no visibility into the lateral movement paths that matter most to THIRF. The coverage element is only as complete as the data sources it accounts for.
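One way to measure the coverage gap described above, as an added example that is not cPacket's code or anything the memo specifies: compare connections summarised from packet capture against the endpoint events that should account for them, and treat anything unaccounted for as wire-only evidence. The flow records, log events, addresses and the OT inventory are constructed for illustration.

```python
# Added example (not from cPacket or the memo): flag east-west connections that
# appear in packet-derived flow records but have no matching endpoint log event.
# Addresses, ports, timestamps and the OT inventory below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:
    """One connection summarised from packet capture."""
    ts: datetime
    src: str
    dst: str
    dport: int

@dataclass
class LogEvent:
    """One event reported by an endpoint about itself."""
    ts: datetime
    host: str   # the endpoint that wrote the event
    peer: str   # remote address named in the event

# Constructed inventory of OT/IoT devices that cannot produce logs at all.
NO_NATIVE_LOGGING = {"10.0.3.50"}

def wire_only_flows(flows, events, window=timedelta(seconds=5)):
    """Return (flow, reason) pairs for flows no endpoint log accounts for.
    A flow is covered only if its destination logged an event naming the
    source within `window`; everything else exists only on the wire."""
    gaps = []
    for f in flows:
        if f.dst in NO_NATIVE_LOGGING:
            gaps.append((f, "destination has no native logging"))
            continue
        covered = any(e.host == f.dst and e.peer == f.src
                      and abs(e.ts - f.ts) <= window for e in events)
        if not covered:
            gaps.append((f, "no endpoint log event for this connection"))
    return gaps

T = datetime.fromisoformat
SAMPLE_FLOWS = [  # constructed: workstation -> server -> second server -> PLC
    Flow(T("2026-06-01T09:00:00.100"), "10.0.1.10", "10.0.2.20", 445),
    Flow(T("2026-06-01T09:00:07.000"), "10.0.2.20", "10.0.2.21", 5985),
    Flow(T("2026-06-01T09:00:12.000"), "10.0.2.21", "10.0.3.50", 502),
]
SAMPLE_EVENTS = [  # constructed: only the first hop produced a logon event
    LogEvent(T("2026-06-01T09:00:00.300"), "10.0.2.20", "10.0.1.10"),
    LogEvent(T("2026-06-01T09:01:00.000"), "10.0.2.21", "10.0.9.9"),
]
```

Running `wire_only_flows(SAMPLE_FLOWS, SAMPLE_EVENTS)` reports the second and third hops: one because the destination logged nothing about the connection, one because the destination cannot log at all.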
A third constraint runs through the memo’s references to security tooling: “intrusion detection systems, endpoint protection platforms, security gateways.” These systems appear as sources of log data. Network Detection and Response (NDR) platforms and intrusion detection systems do generate log output, but they require packet delivery as input. The packet delivery infrastructure feeding those tools is a prerequisite the memo assumes without specifying.
Packet Data Completes the Picture
Packet data is one of three parallel sources of observability truth – alongside component metrics and component logs. To know whether a system is working, or whether an adversary is operating within it, agencies need to examine both what the components report and what the signals between them reveal.
cPacket Packet Capture addresses the THIRF requirement directly. Full-fidelity packet capture at line rate, with indexed retrieval, maps to the memo’s forensic retention requirements. Wire-level evidence provides what log reconstruction cannot: an unalterable record of what passed between systems, not just what each system chose to report about itself. The exact sequence of connection attempts, the precise timing of lateral movement, and the content of data transfers are preserved at the packet level.
cPacket Packet Delivery feeds the security tools required to meet the new mandate. NDR platforms and intrusion detection systems receive high-fidelity packet streams with nanosecond-accurate timestamps. Those timestamps substantially exceed the NTP synchronization standard the memo establishes as a minimum. For forensic reconstruction of multi-hop attack sequences, nanosecond accuracy enables precise ordering of events across network segments.
cPacket’s AI-driven analytics apply to continuous packet telemetry rather than discrete log events. Behavioral baselining across a complete packet record detects anomalies that log-based AI cannot surface, because the underlying events produced no log.
The LRA Window
The Cybersecurity and Infrastructure Security Agency (CISA) has a 90-day window (closing August 20, 2026) to publish the Logging Reference Architecture (LRA). Agencies will then have 90 days to submit their Agency Logging Plans. That sequence is a concrete timeline to establish packet capture as a required component of agency network visibility programs, before agency plans are written and before the architecture is set.
The LRA will also be re-evaluated at least annually. After each update, agencies have 30 days to revise their logging plans and must demonstrate maturity levels within 60 to 120 days. An Agency Logging Plan that excludes packet capture at the start doesn’t just miss the first submission window. It encodes that gap into every subsequent annual cycle, and logging architectures built around the original design become progressively harder to revise. The right time to include packet capture is before the first plan is written.
Agencies that exclude packet data from their plans will satisfy the logging requirements of M-26-14 while leaving the network visibility objective the memo names only partially addressed. The IoT and OT coverage gap, the THIRF forensic reconstruction requirement, and the packet delivery infrastructure feeding NDR and IDS platforms all point to the same conclusion: packet capture belongs in the plan.
Leverage cPacket's Federal Expertise
For two decades, cPacket has been a trusted provider of network observability solutions for U.S. Defense, Intelligence, and Civilian agencies. We work with federal agencies and their systems integrators to build packet capture and delivery into M-26-14-aligned programs. To discuss how packet data fits your agency’s THIRF and CEM architecture, request a meeting with our Federal Sales team.