July 3rd Daily Policy Monitoring

JUL 2 — CISA: Release of the Emergency Communications System Lifecycle Planning Guide 

• The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with SAFECOM and the National Council of Statewide Interoperability Coordinators (NCSWIC), has released the Emergency Communications System Lifecycle Planning Guide and Lifecycle Planning Tool.
• CISA works to ensure that emergency responders and government officials maintain interoperable communications during natural disasters, terrorism events, and other crises.
• The Lifecycle Guide offers comprehensive recommendations for agencies to build, operate, sustain, and eventually decommission (update) emergency communications systems, while the companion Planning Tool distills key checklists to support each lifecycle phase.
• The guidance outlines a phased planning model, starting pre-planning and ending at system disposition, outling roles, goals, and practical checklists for agency project teams to reference throughout each stage.
• This new guidance updates 2011 and 2018 materials and reflects real-world input from the public safety community, emphasizing stakeholder-driven development.

JUL 2 — Lawfare: Release of an Annotated Review on the Security by Design Project 

• Lawfare has published a review examining Security by Design (SbD) as a key cybersecurity approach and process.
• SbD integrates security throughout software development to address growing cyber threats to U.S. infrastructure.
• This review is categorized under four main issue areas: definitions, measurement, principles and standards, and incentives to promote effective SbD adoption.
• The review provides reccomendations like amending anti-hacking laws to support security research and empowering the Federal Trade Commission (FTC) to require vulnerability disclosures for large vendors, among others.
• The review also urges Congressional action to mandate transparency around vulnerabilities, modeled after safety reporting in other industries, to counter foreign threats like those from foreign adversaries.
• The document cites data from 90,000+ organizations that shows insecure configurations cause more cyber issues than software flaws, and asserts that SbD should prioritize securing default settings and multi-factor authentication, especially for small businesses in critical supply chains.

JUN 26 — GAO: Open Recommendations for the Nuclear Regulatory Commission's CIO

• The Government Accountability Office (GAO) identified six open recommendations for the Nuclear Regulatory Commission’s (NRC) Chief Information Officer (CIO) related to cybersecurity and IT management.
• GAO supports Congress by auditing and evaluating federal programs and has designated federal cybersecurity and IT acquisitions as High-Risk areas requiring urgent reform.
• GAO recommended that NRC fully implement federal event logging requirements, standardize cloud service level agreements, and conduct annual IT portfolio reviews to enhance security and accountability across NRC’s digital infrastructure.
• The report states that the NRC must align its cloud service level agreements with Office of Management and Budget (OMB) guidance, including provisions ensuring confidentiality, integrity, availability, performance metrics, and visibility into high-value digital assets.
• GAO’s recommendations stem from prior audits and statutory mandates like the Federal Information Technology Acquisition Reform Act and remain open due to NRC’s incomplete implementation.

July 2nd Daily Policy Monitoring

JUL 1 – House: Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chair Mace Announces Bipartisan Roundtable on Artificial Intelligence

• The Subcommittee on Cybersecurity, Information Technology, and Government Innovation announced a roundtable titled “Bipartisan Roundtable: Artificial Intelligence in the Real World” on Tuesday, July 8 at 2:00 PM ET.
• Members include representatives from Anthropic, Knightscope, and Fiddler AI.
• During the roundtable, members will view demonstrations from the three AI companies and discuss how these technologies will impact the use of AI across the industry.
• The roundtable is open to the press and will be livestreamed.

JUN 30 – OCC: Report Highlights Key Risks in the Federal Banking System

• The Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective for Spring 2025 in which it reported three key issues facing the federal banking system.
• The OCC reported that the strength of the federal banking system remains strong, though consumer sentiment, geopolitical risk, sustained higher interest rates, and downward movement in some macroeconomic indicators have increased economic uncertainty.
• The OCC also reported that the adoption of new technologies, products, and services and or engagement with financial technology companies to deliver banking products and services can offer benefits to banks and customers.
• The OCC highlighted credit, market, operational, and compliance risks as key risk themes in the report.
• The OCC highlighted that operational risk is elevated and that evolving cyber threats by malicious actos continue to pose a threat to banks and their key service provider, highlighting the importance of sound third-party risk management.

JUN 30 – NIST: Analyzing Collusion Threats in the Semiconductor Supply Chain

• The National Institute of Standards and Technology (NIST) has created a framework in a new white paper for organizations to address collusion threats in the supply chain.
• The paper proposes a “metric that quantifies the severity of different threats subjected to a collusion of adversaries from different stages of the supply chain.”
• The framework offers a five-stage approach to analyzing potential threats in the semiconductor supply chain: identifying the adversary, determining what hardware threats are associated with the adversary’s intent, analysis of the hardware development lifecycle to determine the exploitability of the threat, analyzing the effects of collusion among adversaries in different stages, and identifying security-critical stages for the respective threat.
• NIST also provides examples from two case studies using the frameworks that are focused on assessing the risk of a hardware infiltration cyber attack and intellectual property theft.
• For next steps, NIST plans to integrate different hardware vulnerabilities into the framework and extend the framework to analyze supply chain threats.

July 1st Daily Policy Monitoring

JUN 30 – FCC: FCC Opens Seventh Broadband Data Collection Filing Window

• The Federal Communications Commission (FCC) announced the seventh Broadband Data Collection (BDC) filing window for submitting broadband availability and other data on July 1, 2025.
• In addition, the June 2025 update of the Broadband Serviceable Location Fabric (Fabric) is being made available to existing Fabric licenses.
• The Fabric serves as the foundation for the collection of fixed broadband availability data in the BDC. The new version of the Fabric incorporates data from updated sources and other improvements conducted by the FCC and CostQuest, as well as results of Fabric challenges submitted by state, Tribal, and local governments, broadband service providers, and the public through the National Broadband Map.
• Beginning on July 1, facilities based broadband service providers may begin to submit data into the BDC system, specifying where they made mass-market broadband Internet access service available as of June 30, 2025.
• All availability and subscription data must be submitted no later than September 2, 2025.  

JUN 27 – NIST: NIST Finalizes Guidance for Application Programming Interfaces with Details on Vulnerabilities

• The National Institute of Standards and Technology (NIST) released guidance on security application programming interfaces (API) with details on vulnerabilities and controls to address them.
• NIST defines an API as “a collection of commands or endpoints that operate on data or objects via some protocol to define how two pieces of software communicate.”
• The document provides guidance on risk factors or vulnerabilities in various phases of the API life cycle and the development of controls or protection measures.
• The document outlines various elements to deploy security API’s, including: the identification and analysis of risk factors or vulnerabilities during various activities of API development and runtime, recommended basic and advanced controls and protection measures during the pre-runtime and runtime stages of API’s, an analysis of the advantages and disadvantages of various implementation options for those controls to enable security practitioners to adopt an incremental, risk-based approach to securing their API’s.

JUN 26 – FERC: FERC Approves Reliability Standard for Bulk Power Operators to Require Internal Network Security Monitoring

• The Federal Energy Regulatory Commission (FERC) finalized a new reliability standard for bulk power systems on internal network security monitoring and withdrew a proposal to put in place requirements addressing cyber risks in data security.
• The standard mandates that all high-impact Bulk Electronic System (BES) Cyber Systems and medium-impact systems with external roundtable connectivity must implement internal network security monitoring (INSM) to detect and respond to malicious activity within their networks.
• The final rule was approved at a June 26 meeting, along with a new directive for the North American Electric Reliability Corporation (NERC) to develop modifications to INSM standards “to include electronic access control or monitoring systems and physical access control systems outside of the electronic security perimeter.”
• The directive aims to enhance cybersecurity by increasing the chances of early detection of attacks and allowing for quicker mitigation and recovery.

June 30th Daily Policy Monitoring

JUN 30 – CISA: Joint Statement from CISA, FBI, DC3, and NSA on Potential Targeted Cyber Activity Against U.S. Critical Infrastructure by Iran

• The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory detailing observed cyber threats from Iran-affiliated threat actors and mitigation steps to help critical infrastructure owners beef up their defenses.
• The advisory comes from CISA, the FBI, the Department of Defense Cyber Crime Center and the National Security Agency and was released as a four-page fact sheet.
• Based on the current geopolitical environment, Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations. Defense Industrial Base (DIB) companies are at increased risk.
• The authoring agencies urge critical infrastructure asset owners and operators to implement mitigations like: identifying and disconnecting OT and ICS assets from public internet; implementing phishing-resistance MFA for accessing OT networks from any other network; and applying the manufacturers latest software patches for internet-facing systems to ensure protection against known vulnerabilities.
• Additional mitigations include prioritizing monitoring of user access logs for remote access to the OT network and for implementation of any firmware of configuration changes.

JUN 27 – FDA: Cybersecurity in Medical Devices

• The Food and Drug Administration (FDA) announced the availability of a final guidance entitled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.”
• The guidance updates the previous version of the guidance, of the same title, issued on September 27, 2023, and finalizes the draft guidance entitled “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” issued on March 13, 2024.
• The guidance also provides FDA’s recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for cybersecurity risk.
• The guidance also includes information that the FDA generally considers to be necessary for cyber devices to support obligations under the new amendments to the Federal Food, Drug, and Cosmetic Act for ensuring cybersecurity of devices.  

JUN 23 – FCC: Protecting Our Communications Networks by Promoting Transparency Regarding Foreign Adversary Control

• The Federal Communications Commission (FCC) released a proposed rule to codify certain foreign ownership requirements and streamline its review processes for broadcast, common carrier, and aeronautical radio licenses under the Communications Act.
• The FCC proposed rule formalizes existing policies on identifying the controlling U.S. parent of a licensee, treating deemed voting interests for minority foreign investors, clarifying trust and trustee disclosures, and extending self-reporting and remedial procedures to privately held entities. 
• The proposed rule defines a foreign adversary as, “any foreign government or foreign non-government person determined by the Secretary [of Commerce] to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.”
• Other key definitions in the proposed rule include “controlling U.S. parent” as the U.S.-organized entity that wields direct or indirect control over the licensee, and “deemed voting interest,” a metric for attributing certain voting rights to foreign minority investors. The proposed rule also includes a new interpretation to the term “dominant minority” to mean a minimum of 10% interest and to include both voting and equity interests.
• Comments are due on or before July 21, 2025, and reply comments are due on or before August 19, 2025.