OMB’s New Logging Memo Is a Cybersecurity Performance Management Moment

Cybersecurity has spent too many years confusing activity with progress.

We count tools. We count tickets. We count findings. We count controls. Then we package those counts into dashboards and hope they say something useful about security. Too often, they do not.

OMB Memorandum M-26-14, Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats, is important because it moves in a better direction. It does not simply tell agencies to “do more logging.” It establishes a performance-oriented model for one of the most critical areas of cybersecurity: logging, auditability, and network visibility.

That matters.

Logging is not a back-office compliance exercise. It is the evidentiary foundation for detecting malicious activity, investigating incidents, supporting threat hunting, validating Zero Trust assumptions, and proving whether security operations are actually working. When logging fails, visibility fails. When visibility fails, risk decisions become opinion-based. And when cyber risk decisions are opinion-based, executives are managing blind.

The memo recognizes this directly. It prioritizes two operational outcomes: Continuous Event Monitoring and Threat Hunting, Investigation, Response, and Forensics. In practical terms, agencies must be able to monitor activity in near real time, flag anomalous behavior, support timely response, retain the right data, and retrieve it when an incident demands deeper analysis.

That is not just compliance. That is operational performance.

The most notable part of the memo is the maturity model. Agencies are directed to measure logging maturity across specific components: inventory visibility, collection coverage, collection operations, data retention, and log management. They must progress from Basic to Intermediate to Advanced maturity on defined timelines, with Advanced required within 320 days of the Logging Reference Architecture release.

That structure is a textbook example of what TDI has long called Cybersecurity Performance Management.

CPM is broader than logging. It is an enterprise operating model for measuring cybersecurity performance across risk, maturity, compliance, business value, and operational effectiveness. TDI defined CPM in 2017 to move cyber leadership beyond static checklists and toward evidence-backed, decision-grade performance indicators. M-26-14 is a strong example of how CPM principles can be applied to a specific security domain.

This is what good cyber performance looks like in the real world.

The memo does not ask agencies to report abstract intent. It asks them to measure actual operating conditions. What percentage of assets are visible in inventory? What percentage of required logs are searchable and retrievable? Are alerts actionable? Are detections being evaluated and tuned? How long is data searchable? How long is it retrievable? Are logs protected in transit and at rest? Is integrity being preserved?

Those are Cybersecurity Performance Indicators in practice.

A CPI is not a vanity count. “We collected ten billion events” is not a CPI. “Ninety percent of mission-relevant assets are producing required logs that are searchable, retrievable, and supporting tuned detection logic” is much closer to a CPI. It has a denominator. It has operational meaning. It can be tracked over time. It can be assigned to an owner. It can be weighted by mission criticality. It can drive investment decisions.

That is the difference between cyber reporting and cyber management.

For operators, this approach creates a daily improvement loop. Teams can identify which systems are missing required log sources, where retention gaps exist, which detections are not producing actionable alerts, and which assets lack sufficient inventory fidelity. The work becomes concrete. The next action is visible.
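The indicator described above (a percentage with a real denominator, weighted by mission criticality, that yields a gap list an owner can act on) is easier to see in code. The following is an added example, not code from the memo, from TDI, or from any agency: it joins a constructed asset inventory against constructed log-platform status records and computes a logging-coverage CPI. The criticality weights, the retention thresholds, and the field names are assumptions, not anything the memo specifies.

```python
"""Compute a logging-coverage Cybersecurity Performance Indicator (CPI).

Added example, not from the memo or from TDI. The inventory, the
required-source lists and the collection status below are constructed
sample data; the criticality weights and retention thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Assumed weighting: a mission-critical asset counts three times a low one.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    """One row of the authoritative asset inventory (constructed)."""
    asset_id: str
    owner: str
    criticality: str
    required_sources: frozenset  # log sources policy requires for this asset


@dataclass
class LogStatus:
    """What the log platform reports for an asset (constructed)."""
    asset_id: str
    searchable: frozenset   # sources queryable in the hot tier
    retrievable: frozenset  # sources restorable from cold storage
    searchable_days: int
    retrievable_days: int


@dataclass
class Gap:
    asset_id: str
    owner: str
    criticality: str
    reasons: list = field(default_factory=list)


def asset_gaps(asset, status, min_searchable_days, min_retrievable_days):
    """Return the reasons an asset fails the indicator, or [] if it passes."""
    if status is None:
        # In inventory but never seen by the log platform: a visibility gap,
        # which is a different fix than a missing source on a reporting host.
        return ["not reporting to the log platform (inventory visibility gap)"]
    reasons = []
    missing_search = asset.required_sources - status.searchable
    missing_retr = asset.required_sources - status.retrievable
    if missing_search:
        reasons.append("not searchable: " + ", ".join(sorted(missing_search)))
    if missing_retr:
        reasons.append("not retrievable: " + ", ".join(sorted(missing_retr)))
    if status.searchable_days < min_searchable_days:
        reasons.append(f"searchable retention {status.searchable_days}d "
                       f"< {min_searchable_days}d")
    if status.retrievable_days < min_retrievable_days:
        reasons.append(f"retrievable retention {status.retrievable_days}d "
                       f"< {min_retrievable_days}d")
    return reasons


def coverage_cpi(assets, statuses, min_searchable_days=365, min_retrievable_days=730):
    """Share of inventory assets whose required logs meet policy.

    Returns the numerator and denominator (so the figure is auditable), the
    unweighted and criticality-weighted ratios, and a gap list ordered by
    criticality so owners know what to fix first.
    """
    by_id = {s.asset_id: s for s in statuses}
    passing_n = passing_w = total_w = 0
    gaps = []
    for a in assets:
        w = CRITICALITY_WEIGHT[a.criticality]
        total_w += w
        reasons = asset_gaps(a, by_id.get(a.asset_id),
                             min_searchable_days, min_retrievable_days)
        if reasons:
            gaps.append(Gap(a.asset_id, a.owner, a.criticality, reasons))
        else:
            passing_n += 1
            passing_w += w
    gaps.sort(key=lambda g: -CRITICALITY_WEIGHT[g.criticality])
    return {
        "numerator": passing_n,
        "denominator": len(assets),
        "unweighted": passing_n / len(assets) if assets else 0.0,
        "weighted": passing_w / total_w if total_w else 0.0,
        "gaps": gaps,
    }


# Constructed sample inventory and log-platform status.
ASSETS = [
    Asset("dc-01", "ad-team", "high", frozenset({"auth", "dns", "edr"})),
    Asset("web-01", "app-team", "high", frozenset({"auth", "http", "edr"})),
    Asset("file-02", "infra", "medium", frozenset({"auth", "edr"})),
    Asset("kiosk-07", "facilities", "low", frozenset({"auth"})),
]
STATUSES = [
    LogStatus("dc-01", frozenset({"auth", "edr"}),
              frozenset({"auth", "dns", "edr"}), 400, 800),   # dns not searchable
    # web-01 has no status record at all: inventory visibility gap
    LogStatus("file-02", frozenset({"auth", "edr"}),
              frozenset({"auth", "edr"}), 400, 800),
    LogStatus("kiosk-07", frozenset({"auth"}), frozenset({"auth"}), 400, 800),
]

if __name__ == "__main__":
    result = coverage_cpi(ASSETS, STATUSES)
    print(f"{result['numerator']}/{result['denominator']} assets compliant "
          f"(unweighted {result['unweighted']:.0%}, weighted {result['weighted']:.0%})")
    for g in result["gaps"]:
        print(f"  {g.asset_id} [{g.criticality}] owner={g.owner}: {'; '.join(g.reasons)}")
```

On the constructed data the unweighted figure is 50% but the criticality-weighted figure is 33%, because the two assets that pass are the medium- and low-criticality ones. That divergence is the point of the weighting: the same denominator, read two ways, tells an executive that the gap sits on the assets that matter most, and the ordered gap list tells the operator which owner to call first.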

For executives, it creates a governance loop. Leaders can see whether maturity is improving, whether risk is being reduced in the right places, whether investment is producing measurable outcomes, and whether the organization is ready to support detection, response, forensics, and authorization decisions with evidence.

That is the promise of CPM: operators get something to improve every day; executives get something to decide with every week.

This also aligns directly with where federal cyber policy has been heading. Zero Trust depends on visibility and analytics. DevSecOps depends on feedback loops. Supply chain risk management depends on traceability and evidence. AI-readiness depends on governed data. Continuous authorization depends on current, trustworthy signals. None of these priorities work if the underlying telemetry is incomplete, stale, unprotected, or disconnected from operational decision-making.

M-26-14 makes logging measurable in a way that supports all of those priorities. It is not the whole CPM story, but it is a meaningful execution example.

The important lesson for agencies, and for commercial enterprises, is that maturity models only become useful when they are operationalized through CPIs. A maturity model by itself, whether it has three levels or five, can become another compliance artifact. A performance model tied to authoritative data sources, system ownership, mission criticality, and trend analysis becomes something different. It becomes a management system.

That is where cybersecurity needs to go.

The security community should be honest about this: many organizations still lack a disciplined way to prove whether cyber investments are working. They can show that tools were purchased, policies were published, assessments were completed, and dashboards were generated. But they struggle to show whether performance improved, whether risk was reduced, whether maturity increased, whether compliance became more continuous, or whether mission resilience got stronger.

That is the gap CPM was designed to close.

TDI created Cybersecurity Performance Management because cybersecurity needed a common performance language. Boards, agency heads, CISOs, operators, auditors, and mission owners cannot continue speaking in disconnected metrics. They need governed indicators that connect technical execution to business and mission outcomes.

M-26-14 is a timely reminder that the future of cyber is not more reporting for reporting’s sake. It is evidence-backed performance management.

For logging and audit, that means knowing what assets exist, what logs are required, what is actually being collected, what is searchable, what is retrievable, what generates actionable alerts, what is tuned, what is protected, and how those measures are improving over time.

For the enterprise, it means applying the same discipline across the full cyber program.

Performance. Risk. Maturity. Compliance. Business value.

One coherent operating picture.

The organizations that get this right will not be the ones with the most dashboards. They will be the ones with the most defensible signals. They will know where they are exposed, where they are improving, where they are falling behind, and where investment is producing measurable security outcomes.

That is the shift underway.

And frankly, it is time for the market to catch up.

Cybersecurity is no longer just a control implementation problem. It is a performance management problem. Logging and audit are simply one of the clearest places to see it. M-26-14 gives agencies a concrete mandate. CPM gives organizations the broader operating model to make that mandate sustainable, repeatable, and useful.

Because at the end of the day, cybersecurity performance is not what we say we are doing.

It is what the evidence proves.