For federal civilian agencies, M-26-14, the new OMB logging mandate, and CISA BOD 26-04, a binding directive requiring risk-based vulnerability management, put OT and IoT firmly in scope for cybersecurity programs. Here's how to get ahead of approaching deadlines for both.
In the span of three weeks, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) rewrote and expanded the scope of two foundational cybersecurity pillars for federal civilian agencies: logging and vulnerability management. Why are these two mandates dropping now? Both OMB Memorandum M-26-14 and CISA BOD 26-04 explicitly call out AI-accelerated attacks as the driver: adversaries are using automation to compress the window between vulnerability disclosure and weaponization to mere hours. With frontier AI models, that may soon hold true for zero-days, too.
Treat M-26-14 and BOD 26-04 as Two Halves of One Strategy
Before reading further, take a look at the joint timeline for the two mandates. (Details about each milestone are provided further below.) Phase 1 of BOD 26-04 is already underway:

Agencies have about two months to focus solely on logging changes (July-August) before an intense five-month period of dual logging and vulnerability management changes (September-January) to achieve full BOD 26-04 compliance and Level 1 M-26-14 compliance. That’s quite a sprint.
Given the tight timelines, agencies should treat the two mandates as one, especially because the first — achieving 100% visibility of your attack surface, including operational technology (OT) and Internet of Things (IoT) assets — enables the second: taking a risk-based approach to patching vulnerabilities to close your most critical security gaps. Before you can assess and prioritize risk, you have to know what assets you have, their vulnerabilities and whether they’re exposed. Treating the two mandates as a single program will streamline implementation and compliance, especially for agencies evaluating OT/IoT-focused cybersecurity platforms for the first time.
Recognized for two straight years as a Leader in the Gartner® Magic Quadrant™ for CPS Protection Platforms, the AI-powered Nozomi Networks platform automates OT/IoT asset inventory, threat and anomaly detection, risk prioritization and analytics. Vantage for Government is the FedRAMP Moderate In Process version of the same platform, delivering the OT/IoT security capabilities federal agencies need with the compliance assurances they require.
Following are overviews of M-26-14 and BOD 26-04 and how Nozomi can help ensure compliance with these and other mandates that increasingly require you to secure your entire attack surface.
OT and IoT, the Fastest-growing Part of Your Attack Surface, Are Now in Scope
M-26-14 and BOD 26-04 are welcome updates that rescind outdated regulations and bring federal civilian agencies in line with cybersecurity best practices. The biggest challenge for many federal CISOs will be incorporating OT and IoT assets into their security programs. Until now, most agencies have focused exclusively on securing their IT assets. The new mandates require them to include OT and IoT in scope “wherever those devices are part of an agency information system.”
Just like in most modern organizations, these devices are now everywhere, often insecure, exposed and unpatchable. Ignoring them is no longer an option. That’s especially true of IoT, which is ubiquitous in building management systems, security cameras and physical access control systems. Often unmanaged and with default credentials intact, they’re easily exploited by threat actors to gain initial access and move laterally.
Even agencies that don’t think they have OT and IoT in their environment will need to explore security tools that can safely discover these assets, generate non-existent security telemetry, and read non-standard protocols to detect threats and behavioral anomalies.
M-26-14: Purpose-driven Logging and Data Retention
On May 22, 2026, OMB issued M-26-14, “Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats.” The memo rescinds M-21-31, which was issued in the wake of the SolarWinds compromise but became known for driving costly, sprawling data retention with little operational payoff. In its place, M-26-14 reframes logging around two objectives:
- Continuous Event Monitoring (CEM) — real-time visibility, alerting and detection of suspicious activity in the SOC. Retained logs must be actively searchable for at least six months.
- Threat Hunting, Investigation, Response and Forensics (THIRF) — the telemetry and infrastructure needed to investigate and forensically reconstruct a known or suspected compromise. Retained logs must be retrievable for at least 12 months.
The memo also relaxes rigid centralization requirements, providing logs remain readily available to the top-level agency security operations center (SOC).
Key Implementation Deadlines for M-26-14
The memo instructs CISA to publish a Logging Reference Architecture (LRA) with detailed implementation requirements at cisa.gov/Logging within 90 days, which sets the clock ticking for agencies to create a logging plan and reach three maturity levels by July 2027:
- Logging Plan (+90 days): Agencies must submit a first Agency Logging Plan within 90 days of the LRA's publication.
- Level 1 (+120 days): Agencies must reach Basic maturity as outlined in the memorandum.
- Level 2 (+180 days): Agencies must reach Intermediate maturity.
- Level 3: Agencies must reach Advanced maturity.
Challenges with Generating Security Telemetry from OT and IoT Devices
Among other things, the LRA will provide “guidance on implementing logging capabilities for agency IoT and OT, including IoT devices and OT that do not have native logging capability.”
That may come as a surprise to IT-focused cyber defenders. OT and IoT systems weren’t designed to generate security-ready telemetry. Instead of producing SIEM-ready logs that fit SOC workflows, they communicate via specialized protocols, generating telemetry related to physical processes. A field instrument may produce continuous readings about temperature, pressure, flow rates and other conditions rather than structured event logs about user logins, file modifications and privilege escalations.
Generating telemetry from OT and IoT systems demands a fundamentally different approach than traditional IT logging tools provide. It involves deriving security insights from network traffic using techniques like deep packet inspection (DPI) and passive monitoring to avoid disrupting critical processes. Because IT security tools can’t read OT and IoT protocols, they can’t understand asset behavior and can’t detect threats and anomalies.
DPI is used to interpret hundreds of industrial protocols and reconstruct device behavior from network communications. But DPI-derived telemetry has limits: it only captures what’s on the network. To fill those gaps, Nozomi sensors augment passive wired and wireless network monitoring with safe, protocol-aware techniques that can query devices non-disruptively and, where appropriate, host-based security sensors for OT endpoints. Together, these approaches create a complete and accurate picture of OT and IoT activity.
To summarize, the Nozomi Networks platform generates the OT and IoT visibility, security telemetry and detections required by M-26-14 that IT security tools cannot and feeds them into the agency's SOC, SIEM and/or CISA’s Continuous Diagnostics and Mitigation (CDM) dashboard.
BOD 26-04: Risk-based Vulnerability Management
On June 10, CISA published BOD 26-04, “Prioritizing Security Updates Based on Risk.” The directive supersedes and replaces both BOD 22-01 (the Known Exploited Vulnerabilities (KEV) catalog directive) and BOD 19-02 (which imposed static remediation deadlines), consolidating seven years of remediation policy into a single, risk-weighted framework. It ends flat, one-size-fits-all patch deadlines and drops the requirement to use the Common Vulnerability Scoring System (CVSS) as the prioritization mechanism.
In its place is a four-variable model, informed by CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) methodology, which scores every vulnerability on the following variables:
- Asset Exposure: Is the vulnerable asset publicly exposed?
- KEV Status: Is the vulnerability, as identified by a common vulnerabilities and exposures identifier (CVE ID), on CISA’s KEV catalog?
- Exploit Automation: Is an adversary able to automate all the steps necessary to exploit the vulnerability?
- Technical Impact: Does an adversary gain partial control or total control of the vulnerable asset after exploitation of the vulnerability?
Each agency determines the answer to the first variable using its asset inventory. CISA supplies the answers to the remaining three through its Vulnrichment project, a public repository on GitHub of CISA’s enrichment of public CVE records. The resulting risk score places the vulnerability in one of five tiers that determines the remediation schedule:

Note that Tier 1 vulnerabilities require the agency to determine whether the system has already been compromised. That’s exactly the post-compromise investigation and forensic reconstruction capability the M-26-14 THIRF objective calls for. Also, these scores are dynamic. When an asset moves from internal to publicly exposed, its remediation deadline shifts immediately; when CISA adds a CVE to the KEV, the clock accelerates.
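To make the dynamic behavior concrete, here is an added worked example (not CISA's, Nozomi's or any agency's code) that models the four variables for one CVE on one asset, assigns a tier, derives a remediation deadline and shows how the tier and deadline change the moment the asset becomes exposed or the CVE lands on the KEV. The tier rules, the deadline per tier, the CVE IDs and the asset names are all constructed assumptions for illustration; the directive's actual tier table is not reproduced here.

```python
"""Illustrative BOD 26-04-style risk tiering (constructed example, not the directive's real table)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class VulnContext:
    """The four BOD 26-04 variables for one CVE on one asset."""
    cve_id: str                # placeholder IDs below; not real CVEs
    asset_id: str
    asset_exposed: bool        # agency-supplied: from the asset inventory
    on_kev: bool               # CISA-supplied: listed in the KEV catalog
    exploit_automatable: bool  # CISA-supplied via Vulnrichment
    total_control: bool        # CISA-supplied: True = total control, False = partial


# ASSUMED illustrative deadlines per tier, in calendar days (tier 1 is most urgent).
TIER_DEADLINE_DAYS = {1: 3, 2: 14, 3: 30, 4: 90, 5: 180}


def score_tier(v: VulnContext) -> int:
    """Assumed rule set that maps the four variables to tiers 1..5."""
    # Exploited in the wild AND reachable from the outside: top priority.
    if v.on_kev and v.asset_exposed:
        return 1
    # Known exploited but internal, or exposed with a fully automatable total compromise.
    if v.on_kev or (v.asset_exposed and v.exploit_automatable and v.total_control):
        return 2
    # Exposed with weaker exploit characteristics, or internal but trivially fully compromised.
    if v.asset_exposed or (v.exploit_automatable and v.total_control):
        return 3
    # Internal with only one of the two exploit-severity signals present.
    if v.exploit_automatable or v.total_control:
        return 4
    return 5


def remediation_deadline(v: VulnContext, observed: date) -> date:
    """Deadline counted from the day the vulnerability was observed on the asset."""
    return observed + timedelta(days=TIER_DEADLINE_DAYS[score_tier(v)])


def requires_compromise_check(v: VulnContext) -> bool:
    """Tier 1 also triggers the 'has this system already been compromised?' investigation."""
    return score_tier(v) == 1


def rescore(v: VulnContext, **changes) -> VulnContext:
    """Return a new context after an inventory or KEV change; scores are never cached."""
    return replace(v, **changes)


def remediation_queue(contexts, observed: date):
    """Order work by tier, then by deadline, so the SOC patches the most urgent first."""
    return sorted(
        (score_tier(c), remediation_deadline(c, observed), c.cve_id, c.asset_id)
        for c in contexts
    )


if __name__ == "__main__":
    today = date(2026, 9, 1)  # constructed observation date
    # Constructed inventory: a PLC that starts internal, a camera that is already exposed.
    plc = VulnContext("CVE-0000-0001", "plc-01", False, False, False, False)
    cam = VulnContext("CVE-0000-0002", "cam-07", True, False, True, False)
    print("PLC starts at tier", score_tier(plc), "due", remediation_deadline(plc, today))
    # The PLC is later found to be reachable from the internet: the deadline shifts at once.
    plc = rescore(plc, asset_exposed=True)
    print("PLC exposed -> tier", score_tier(plc), "due", remediation_deadline(plc, today))
    # CISA adds the CVE to the KEV: the clock accelerates and a compromise check is required.
    plc = rescore(plc, on_kev=True)
    print("PLC on KEV  -> tier", score_tier(plc), "compromise check:", requires_compromise_check(plc))
    for row in remediation_queue([plc, cam], today):
        print(row)
```

Every call to score_tier re-evaluates from the current inputs, which is the design point: an agency that snapshots tiers once a quarter will miss the re-prioritization that the directive expects when exposure status or KEV membership changes.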
Key Implementation Deadlines for BOD 26-04
The shift to risk-based vulnerability management should already be underway, and full enforcement of tiered remediation timelines for all vulnerabilities is less than six months away. There are three milestones between now and December:
- Phase 1 (N=0): Agencies must update their vulnerability management policies to match the new requirements immediately.
- Phase 2 (+60 days): Agencies must align remediation processes to the tiered model. Within this same window CISA must publish machine-level asset tagging data schema and integrate tags with the CDM program to maintain an authoritative inventory list.
- Phase 3 (+180 days): Agencies must fully operationalize all requirements in the directive. That includes (1) continuously identifying and tagging exposed assets with required metadata and (2) actively remediating assets based on their risk, according to the new tiered schedule.
Especially for OT, Calculating Risk Is Different Than IT Risk
Just as logging, asset discovery and security monitoring in OT are different from IT methods and tools, assessing, calculating and prioritizing risk requires a different approach. Here’s why.
- Consequence-based. Especially in OT, where cyber assets control physical processes, risk assessment focuses on consequences such as physical safety, the environment and continuity of operations. That goes far beyond the IT cybersecurity triad (confidentiality, integrity and availability).
- Interconnected risk. Every component in an OT network is part of a larger process in a distributed environment, so everything is connected and consequential. In a data center you could probably reboot every other server with no impact. In OT, if a machine has a problem, immediately you need to learn what it depends on and what is depending on it.
- Vulnerabilities-only vs. multi-dimensional. In IT, device risk is based solely on vulnerabilities, and you can practically eliminate risk with patching. In OT, it’s multilayered, and patches must often be delayed until the next maintenance window — assuming they exist at all.
The Nozomi platform identifies, assesses, mitigates and monitors both OT and IoT risk in your environment, helping SOC teams prioritize efforts and take the most impactful actions to reduce risk and increase resilience. It continuously calculates asset risk based on the following factors: vulnerability risk, alert risk, communication risk, device risk, asset criticality and compensating controls. You can use our scores out of the box, or you can fully customize the weight of each variable until the calculation accurately reflects how your organization assigns risk — or for BOD 26-04 compliance, matches how CISA requires you to.
Mapping Nozomi Networks Platform Capabilities to M-26-14 and BOD 26-04 Requirements
While we won’t have the detailed implementation requirements for M-26-14 until CISA publishes the LRA around late August, here’s how the Nozomi Networks platform and Vantage for Government capabilities map to known requirements for both mandates.
The Global, Commercial Reach of OMB and CISA Regulations
As with many cybersecurity mandates aimed at federal civilian agencies, both M-26-14 and BOD 26-04 apply to all agency-owned or agency-operated information systems, including systems run by third parties on an agency's behalf. Moreover, they set the direction for the broader market: Within two years of BOD 22-01 establishing the KEV catalog, it became the global commercial standard. BOD 26-04 rescinds that directive, and its risk-based vulnerability management model is likely to quickly replace the flat model commercially as well. Indeed, Gartner's First Take on BOD 26-04 projects that by 2027, board-level reporting will shift from patching metrics to risk-exposure metrics in more than 60% of large enterprises.
Get Ahead of Both Mandates with Vantage for Government
Looking to map these mandates to your own environment? Request a platform demo or talk to our federal team about Vantage for Government.