April 18th Daily Policy Monitoring

APR 17 - Space Force: Release of the Space Force's First Warfighting Framework

• The U.S. Space Force released its first Space Warfighting framework on April 17, 2025, outlining its strategy for achieving and maintaining space superiority.
• General Chance Saltzman emphasized the Space Force's role in ensuring freedom of movement in space while denying adversaries the same, through both offensive and defensive capabilities.
• The framework introduces a standardized approach to counterspace operations, which include orbital warfare, electromagnetic warfare, and cyberspace warfare.
• Guardians, under combatant commander direction, may carry out actions like orbital and terrestrial strikes, space link interdiction, and space defense.
• This framework reinforces the Space Force's position as a core military service, supporting joint operations and enhancing national security through space control.

APR 17 - White House: Extension of Hiring Freeze

• The President extended the federal civilian hiring freeze through July 15, 2025, continuing restrictions originally set on January 20, 2025.
• The freeze applies to all executive agencies, regardless of funding sources, but excludes military personnel, national security, immigration enforcement, public safety roles, and the Executive Office of the President.
• Hiring may resume only in accordance with a merit hiring plan established under Executive Order 14170 and is subject to exemptions granted or maintained by the Office of Personnel Management.
• Agencies are directed to use existing staff and resources efficiently and are allowed to reassign personnel to meet critical needs without violating the freeze.
• The freeze does not apply to certain political appointments or hiring actions required by law and remains in effect for the IRS until the Secretary of the Treasury determines otherwise.

APR 17 - NASCEM: Proposed Cybercrime Classification Framework to Improve DOJ Reporting Metrics

• The National Academies of Sciences, Engineering, and Medicine (NASEM) released a report proposing a cybercrime classification framework to help the Justice Department improve cyber incident reporting metrics.
• The report was developed in response to the 2022 Better Cybercrime Metrics Act and the reauthorization of the Violence Against Women Act, both of which require better tracking of cyber and cyber-enabled crimes.
• Sponsored by the FBI, the National Academies convened a panel to develop a taxonomy for categorizing cybercrimes for inclusion in the National Incident-Based Reporting System (NIBRS).
• The proposed taxonomy divides cybercrimes into six categories based on targets and the role of technology, including attacks on machines, fraud, group-targeted acts, and incidental tech-related offenses. 
• The framework is designed to be compatible with current crime classification systems and aims to improve the accuracy and consistency of cybercrime data collection.

APR 16 - NIST: Release of Draft White Paper on Incorporating Automation into Security of Internet of Things Devices

• The National Institute of Standards and Technology (NIST) released a draft white paper on automating the secure onboarding of Internet of Things (IoT) devices to enterprise networks.
• The paper, developed by NIST’s National Cybersecurity Center of Excellence, outlines trusted network-layer onboarding to provide per-device credentials and reduce security risks.
• It supports secure, scalable alternatives to manual or shared credential provisioning, highlighting two protocols: Wi-Fi Easy Connect and Bootstrapping Remote Secure Key Infrastructure (BRSKI). The draft emphasizes the need for manufacturer and user cooperation—devices must support a protocol, and networks must be equipped with compatible components.
• Public comments are open through May 29, ahead of a related workshop focused on feedback and next steps, including an upcoming application-layer onboarding resource.

April 17th Daily Policy Monitoring

APR 17 – IBM: IBM Report Finds Increased Risk of Operational Disruption from Cyber Attacks

• A new report from IB’s X-Force threat intelligence team identified a shift in cyber attacks over the past two years to focus on disrupting the operations of victim organizations, while seeing a decrease in the volume of ransomware attacks.
• The report analyzes data and observations collected in 2024 by IBM X-Force through managed security services, incident response and partnerships.
• Malicious cyber actors are “becoming more proficient at hiding illicit activity,” according to the report, and “massively increasing their use of compromised credentials to log in to networks, precluding the need to hack in.”
• IBM X-Force points to the high-profile Salt Typhoon campaign as an example of recent sophisticated activity. The report explains, “In 2024, this threat actor group compromised virtually every major US telecommunications provider – in addition to targets in dozens of other countries – impacting supply chains, energy infrastructure, transportation, healthcare, and other critical services, including breaches of highly sensitive government systems.  
   

APR 16 – House: House Investigation into DeepSeek Teases Out Funding, Security Realities Around Chinese AI Tool

• The House Select Committee on the Chinese Communist Party has released a report in which it details the financial and technological resources that went into building DeepSeek’s R1 reasoning model, as well as its potential risks to U.S. economic and national security.
• The report indicates that the U.S. government should double down on export controls and other tools to slow down the progress of Chinese AI companies like DeepSeek, while also preparing for a future where those efforts fail.
• The report also endorses several other claims that have surfaced around DeepSeek’s cyber and data security in recent months, namely that the app illegally distilled data from U.S. models, circumvented export controls around computer chips and funnels detailed user data to China.
   

APR 16 – GSA: GSA, OMB Launch Deregulation Recommendations Initiative

• The General Services Administration (GSA) and the White House Office of Management and Budget (OMB) announced a first of its kind initiative to allow the public to submit ideas for ending existing rules and regulations through an online form on regulations.gov.
• A submission should focus on explaining the rule’s original purpose, and context and reasons why the rule should be rescinded.
• The objective of this effort is to provide clear, constructive feedback about why existing rules or regulations should be rescinded.
   

APR 16 – Microsoft: Azure OpenAI Service Now Authorized for all U.S. Government Data Classification Levels

• Microsoft announced that its OpenAI-enabled Azure offerings will be available to more of the federal workforce through a new Defense Information Systems Agency (DISA) authorization that marks the service as approved across all government classification levels.
• The DISA cleared Azure Open AI Service for workloads at the Impact Level 6, bringing its capabilities to all U.S. government data classification levels.
• Some of the tools now available for that high-security work include Open AI’s large language models, as well as Microsoft’s speech recognition, translation, text classification, entity extraction capabilities and more.
• The complete government cloud permissions granted to Microsoft Azure’s products now include FedRAMP High, DOD IL2-6, and top-secret work at the ICD503. These authorizations allow federal workers and their partners to deploy Microsoft’s AI tools for a diverse range of mission needs.

April 16th Daily Policy Monitoring

APR 16 – White House: Ensuring Commercial Cost-Effective Solutions in Federal Contracts

• The Trump Administration has signed an Executive Order to enforce an existing law requiring the Federal Government to utilize the competitive marketplace and the innovations of private enterprise to provide better, more cost-effective services to the taxpayer.
• The Order directs the administration to prioritize the procurement of commercially available products and services, as required by the Federal Acquisition Streamlining Act of 1994 (FASA), rather than non-commercial, custom products or services.
• It also calls for agency contracting officers to review all pending contracts for non-commercial products or services within 60 days and submit proposed waivers justifying their necessity. The waivers must include market research and price analysis to demonstrate why commercial solutions cannot meet the government needs.
• It directs agencies to submit reports to the Office of Management and Budget (OMB) within 120 days and annually thereafter detailing compliance with FASA and progress on implementing the Order’s policies.
• The Order establishes that waivers for non-commercial procurements must be reviewed and approved or denied in writing.

APR 16 – NextGov: CISA Extends CVE Program Contract

• The Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract for the agency’s Common Vulnerabilities and Exposures (CVE) Program.
• MITRE, the organization that operates the program, alerted stakeholders to a looming cutoff of the Federal Funding for the program.
• The CVE Program provides a standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier, designed to help security researchers, vendors, and officials communicate consistently about the same issue.

APR 15 – White House: Restoring Common Sense to Federal Procurement

• The Trump Administration has signed an Executive Order that aims to simplify and streamline the Federal Acquisition Regulation (FAR), which governs Federal procurement, to ensure it contains only provisions required by statute or essential to efficient, secure, and cost-effective procurement.
• Agencies exercising procurement authority must ensure agency-specific regulations align with the streamlined FAR.
• The Order mandates the issuance of interim guidance, as needed, to support reform until the final rules reforming the FAR are published.
• A regulatory sunset provision will be considered that would result in non-statutory FAR provisions expiring after four years unless renewed.

APR 11 – DOJ: Justice Department Provides Implementation Guidance for Final Rule on Sharing Sensitive U.S. Bulk Data

• The Trump administration is doubling down on a Biden-era final rule to create a Justice Department national security program on the sharing of sensitive U.S. bulk data, with new guidance on compliance and an enforcement policy.
• The Data Security Program under DOJ’s National Security Division “comprehensively and proactively addresses the continued efforts of foreign adversaries to use commercial activities to access, exploit, and weaponize U.S. Government-related data and Americans’ bulk sensitive personal data,” according to an April 11 FAQ on the initiative.
• As part of the suite of resources, DOH on April 11 published an implementation and enforcement policy for the program which delays full enforcement for an additional 90 days to July 8.

APR 9 – White House: Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base

• The Trump Administration has signed an Executive Order aimed to modernize defense acquisitions and spur innovation in the defense industrial base.
• The Order directs the Secretary of Defense to submit a plan to reform our acquisition process by: (1) using existing authorities to expedite acquisitions, such as a first preference for commercial solutions; (2) cutting unnecessary tasks, reducing duplicative approvals, and centralizing decision-making; and (3) managing risk while encouraging innovation.
• The Secretary of Defense will review internal Department of Defense (DoD) regulations with the intent to eliminate any unnecessary supplemental regulations and promote expedited and streamlined acquisitions.
• The Secretary of Defense will also submit a plan to reform, right-size, and train the acquisition workforce by focusing performance evaluations on how well the employee uses efficient procurement methods and takes calculated risks in order to innovate.
• All Major Defense Acquisitions Programs (MDAPs) will be reviewed to determine consistency with this new policy based on speed, flexibility, and execution.

APR 8 – NSCEB: National Security Commission Sees Opportunity to Address Cyber Needs for Biotech Through CISA Efforts

• According to a congressionally mandated report from the National Security Commission on Emerging Biotechnology (NSCEB), the Cybersecurity and Infrastructure Security Agency (CISA) should expand its critical infrastructure work to protect the biotechnology sector against cyber-attacks.
• The report says that threat actors have already “carried out numerous attempted and successful cyberattacks on critical infrastructure in biotechnology, including against hospitals and agricultural facilities,” and argues CISA has a role to play in protecting biotech as a cross-cutting priority across critical infrastructure domains.
• The report highlights a need for the Department of Homeland Security (DHS) and CISA to scale up their cyber risk management efforts for biotechnology sector as part of their mandate to protect critical infrastructure.
• The report proposes passing legislation to require DHS to “submit a work plan within 45 days” for ensuring “biotechnology is covered under the existing sectors, rather than adding a new one.”

MAR 27 – R Street: R Street Encourages House Group to Prioritize Data Security as Part of Comprehensive Privacy Legislation

• The R Street Institute is calling on GOP-led house privacy working group to incorporate data security as a core component of its approach to enacting a comprehensive federal privacy law, in response to a request for information.
• The think tank offers seven data security proposals for the House working group to consider as they craft an approach to standing up a national data privacy framework.
• First, the think tank calls on lawmakers to protect “the use of data for security-enhancing and security-related purposes.”
• R Street also asks lawmakers to explore ways to incentivize improvements in data security stating that, “Entities should be encouraged to act on data security and cybersecurity practices, even those that might exceed those required by a data privacy law.”
• Another recommendation focuses on building “flexible security requirements” for data protections to account for differences in data sensitivity and resources. R Street emphasizes the importance of taking a “non-prescriptive approach” to provide options for a wide range of entities that would be required to comply.

April 15th Daily Policy Monitoring

APR 15 – CISA: CISA Releases Nine Industrial Control System Advisories

• The Cybersecurity and Infrastructure Security Agency (CISA) has released nine Industrial Control Systems (ICS) advisories.
• These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
• These ICS advisories include: ICSA-25-105-01 Siemens Mendix Reuntime; ICSA-25-105-02 Siemens Industrial Edge Device Kit; ICSA-25-105-03 Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX; ICSA-25-105-04 Growatt Cloud Applications; ICSA-25-105-05 Lantronix Xport; ICSA-25-105-06 National Instruments LabVIEW; ICSA-25-105-07 Delta Electronics COMMGR; ICSA-25-105-08 ABB M2M Gateway; and ICSA-25-105-09 Mitsubishi Electric Europe B.V. smartRTU.

APR 11 – ISA: Industry Groups Urge OMB to Launch Deregulation Initiative for Cutting Duplicative Cyber Regulations

• A coalition of industry groups led by the Industry Security Alliance (ISA) is calling for the Office of Management and Budget (OMB) to start an initiative directing agencies to identify duplicative cyber regulations, amid the Trump administration’s plan to push for deregulation.
• The letter comes as a follow-up to an April 7 request from House Homeland Security Chairman Mark Green and Oversight Chairman James Comer asking OMB to conduct a review of current and upcoming federal cyber regulations and determine areas for harmonization.
• The coalition wants OMB to “use OMB’s authority to eliminate the waste generated by duplicative cybersecurity regulations.” The letter also notes that “Doing so will immediately strengthen our national defense against nation-state and criminal cyber-attacks.”
• The letter is signed by the ISA, the Information Technology Industry Council, the Business Software Alliance, ACT- The App Association, and the Global Resilience Federation Business Resilience Council.

APR 11 – FCC: Telecom Groups Push Against FCC Cyber Declaratory Ruling in Response to Salt Typhoon

• Two major telecom groups identified a January declaratory ruling directing carriers to secure their networks as a broad interpretation of the Federal Regulatory Commission’s (FCC) regulatory authorities, in response to a request from Chairman Brendan Carr to get input on identifying regulations imposing “unnecessary burdens” that could be eliminated.
• In comments from April 11, the CTIA wrote that “The Declaratory Ruling adopts an ‘uncoordinated and counterproductive’ policy based on an expansive reading of the Communications Assistance for Law Enforcement Act (CALEA) that imposes onerous network-wide duties on covered entities. This interpretation is wholly inconsistent with CALEA’s text, structure, and purpose.”
• CTIA also opposes a notice of proposed rulemaking issued along with the declaratory ruling to put in place an annual requirement for telecom carriers to provide an annual attestation of their cyber risk management plans.

April 14th Daily Policy Monitoring

APR 14 – NIST: NIST Updates Privacy Framework, Tying it to recent Cybersecurity Guidelines

• The National Institute of Standards and Technology (NIST) has published a draft update to the NIST Privacy Framework (PFW), which is intended to help organizations manage the privacy risks that arise from personal data flowing through complex information technology systems.
• Targeted changes to content and structure respond to stakeholder needs and make the document easier to use. NIST is soliciting feedback on the draft until June 13, 2025.
• Changes to the PFW are needed in part because of its relationship to the widely used NIST Cybersecurity Framework, which was updated in February 2024
• The PFW contains a new section on AI and privacy risk management, which briefly outlines ways that AI and privacy risks relate to one another and how PFW 1.1 can be used to manage AI privacy risks.

APR 14 – ITI: ITI Publishes Guide to Help Governments and Companies Advance Quantum Technologies

• The Information Technology Industry Council (ITI) has published a new Quantum Technology Policy guide, outlining strategic principles and recommendations that address the opportunities and risks posed by quantum computing, quantum communications, and quantum sensing.
• The report recommends policy principles that support coordinated and innovation-friendly approaches.
• ITI’s guide highlights use cases which include accelerated drug discovery, financial modeling, supply chain optimization, and secure communications.
• The guide also explores the convergence of quantum computing, artificial intelligence (AI), and high-performance computing (HPC).

APR 14 – White House: NVIDIA to Manufacture American-Made AI Supercomputers for the First Time

• NVIDIA announced that it will begin manufacturing its AI supercomputers entirely in the US as part of its pledge to produce $500 billion of AI infrastructure in the US over the next four years.
• The company will build and test its advanced chips in Arizona and its AI supercomputers in Texas and has commissioned more than a million square feed of manufacturing space to build and test the chips.
• Within the next four years, NCIDIA plans to produce up to half a trillion dollars of AI infrastructure in the US through partnerships with TSMC, Foxconn, Wistron, Amkor, and SPIL.

APR 14 – BPI: Blog Post on the Model Risk Management Guidance

• The Bank Policy Institute (BPI) is calling for the rescission and revision of the Model Risk Management Guidance (MRMG) to reduce outdated, burdensome, and inconsistently enforced regulations that stifle innovation, especially in areas like AI and cybersecurity, and to align oversight with legal requirements and modern banking practices.
• The MRMG is being enforced as binding regulation despite a 2019 Government Accountability Office ruling that it qualifies as a rule under the Congressional Review Act and is thus invalid due to lack of proper submission to Congress.
• The guidance is outdated, issued in 2011 and not revised to reflect modern developments like generative AI; its rigidity delays or deters innovation and tool adoption in banks, often causing operational and competitive disadvantages.
• Immediate rescission and re-proposal of the MRMG are recommended under Executive Order 14219 to ensure legality, limit scope to materially impactful models, and foster more agile, risk-based, and innovation-friendly regulatory practices.

APR 14 – GSA: Blog Post on the Model Risk Management Guidance

• The General Services Administration (GSA) reached a landmark agreement with Google to lower the costs of Google products and services for the federal government.
• Through this strategic partnership, Google will offer the Workspace to every federal agency at a temporary price reduction of 71% off the current Multiple Award Schedules Program (MAS IT) pricing, regardless of transaction size.
• The agreement establishes pricing based on the volume of the entire government rather than the lower discounts previously available through separate agreements on an agency-by-agency or transactional basis.
• Google is introducing these enhanced federal acquisition options through its authorized distribution partners, ensuring agencies can access secure, innovative solutions with a focus on cybersecurity, compliance, and cost efficiency. These offerings include integrated, advanced AI-powered capabilities such as Gemini, NotebookLM, and Advanced Gemini 2.0 designed to elevate productivity, collaboration, and data security beyond traditional office tools and productivity solutions.

APR 10 — NIST: NIST Releases Draft Update to Domain Name System Guide with New Cyber Functionalities

• The National Institute of Standards and Technology (NIST) has released a draft update to guidance on implementing secure solutions for directing network and internet traffic, with new details on security functions that can be achieved through the Domain Name System (DNS).
• The draft guide describes DNS as a standardized way of translating machine-readable IP addresses to human-readable ones.
• The guide describes the different roles of DNS and gives recommendations for protecting the integrity, availability, and confidentiality of DNS services, including the role DNS plays in supporting zero trust architecture.
• The guide also covers the role of hosting DNS information, including guidance on protecting the integrity and authenticity of DNS information using DNSSEC.

APR 7 — DOJ: Memorandum on Cryptocurrency Regulation

• The Department of Justice (DOJ) will end the practice of "regulation by prosecution" in the digital assets space, shifting its focus to prosecuting individuals who commit fraud, theft, or use digital assets to further criminal activities like terrorism, narcotics, and human trafficking.
• Prosecutors are directed by DOJ to not pursue regulatory violations (e.g., unlicensed money transmitting, securities violations) unless there is clear evidence of willful misconduct, in light of uncertainty created under the previous administration, the memo states.
• The DOJ will no longer assess digital asset platforms (exchanges, mixers, wallets) for their users' actions unless those actions align with priority areas such as scams or criminal misuse.
• To better support victims of digital asset fraud, the DOJ will propose legislative and regulatory reforms to improve compensation efforts, especially where asset values have changed post-fraud.
• The DOJ is disbanding the National Cryptocurrency Enforcement Team and reallocating resources to other priorities; it will also participate in the Administration's Working Group on Digital Asset Markets to help shape future regulatory policy.

DPM Spotlight on Incident Reporting: This edition tracks the latest developments in federal cybersecurity regulations, highlighting the OCC's recent breach and the challenges of meeting FISMA requirements, the SEC's controversial cyber incident disclosure rule, and the growing calls to streamline the federal regulatory landscape. As agencies and industry leaders navigate these complexities, there is increasing concern over the balance between transparency and security, with experts urging a more coordinated and effective approach to incident reporting and compliance.

APR 8 - OCC: OCC Notifies Congress of Incident Involving Email System

• On April 8th, the Office of the Comptroller of the Currency (OCC) disclosed a significant cybersecurity breach to congress involving unauthorized access to sensitive emails, potentially compromising confidential data on federally regulated financial institutions.
• In response to the breach, OCC activated its incident response protocols, disabled the compromised administrative accounts, and promptly reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) as required by federal law.
• An independent third-party investigation is ongoing to assess the full scope of the breach, with efforts focusing on analyzing the contents of the compromised emails to determine the potential exposure of highly sensitive information.

APR 8 — BPI: Editorial on the SEC’s Cyber Incident Disclosure Rule

• The Baking Policy Institute (BPI) states that SEC’s requirement for public companies to disclose material cybersecurity incidents within four days of discovery has sparked significant debate, with critics arguing that the rule could increase the vulnerability of affected organizations by forcing premature public disclosure.
• The short timeframe for disclosure could hinder companies’ ability to resolve cyber incidents before they are made public, potentially providing malicious actors with additional opportunities to exploit the situation.
• Commissioners Hester Peirce and Mark Uyeda voiced concerns over the rule, suggesting it might prioritize investor transparency over cybersecurity, potentially putting companies at greater risk by exposing them to further attacks.
• A real-world example of ransomware groups leveraging the SEC’s rule highlights how cybercriminals can use the disclosure requirement to escalate their attacks, further demonstrating the rule's unintended consequences.

APR 8 — House: Congressional Letter to OMB on Cybersecurity Reporting Regulations

• On April 7th, members of the House Committee on Homeland Security and House Committee on Oversight and Government Reform sent a letter to Office of Management and Budget (OMB) Director Russell Vought, urging OMB to streamline unnecessarily duplicative and resource-intensive cybersecurity regulations, which force critical infrastructure owners and operators to devote resources to complying with burdensome compliance standards instead of defending their networks. 
• The letter paints the U.S. cybersecurity regulatory environment as burdensome and conflicting , citing over three dozen federal mandates for cyber incident reporting alone, adding significant compliance costs and operational challenges for businesses.
• In the letter, members ask OMB to reduce compliance burdens by reviewing existing and future cyber regulations, identifying opportunities for harmonization within and across agencies, and thoroughly examining the existing cyber regulatory landscape for redundancy in coordination with the Office of the National Cyber Director (ONCD) and CISA. The letter also requests a briefing on OMB’s plans to streamline cyber regulations by April 28, 2025. 

UPCOMING EVENTS

APR 16 – Atlantic Council: Navigating the US-PRC Tech Competition in the Global South

• The Atlantic Council is hosting a report launch event on Wednesday at 2:00 PM to discuss the launch of a new report on “Navigating the US-PRC tech competition in the Global South."
• The report outlines the current dynamics of competition in emerging technology between the US and China and explores the implications for the Global South.
• Using artificial intelligence as a case study, the report examines China’s strategic approach to AI expansion in the Global South, highlighting its competitive advantages and challenges.
• The panel will provide recommendations to enhance the United states’ technological engagement and competitiveness in the Global South.  

APR 17 – FDD: Persistent Access, Persistent Threat: Ensuring Military Mobility Against Malicious Cyber Actors

• The Foundation for the Defense of Democracies (FDD) is hosting an event on Thursday, April 17.
• The event is tied to a March 27 report form the Cyberspace Solarium Commission on the intersection of the transportation sector cybersecurity and Defense Department operations.
• The event features a discussion with retired Gen. Mike Minihan, former chief of Air Mobility Command, and FDD’s retired Rear Adm. Mark Montgomery and Annie Fixler.

APR 17 – NIST: IoT Open House: Implementing SP 1800-36 and the Road Ahead

• The National Institute of Standards and Technology (NIST) is hosting an open house on Thursday, April 17 at the National Cybersecurity Center of Excellence (NCCoE) on trusted IoT device onboarding.
• The agenda includes sessions on example builds developed by NIST and industry partners through a trusted IoT onboarding project at NCCoE.

APR 17 – NIST: Two-Day Cryptographic Agility Workshop

• The National Institute of Standards and Technology (NIST) is holding a two-day cryptographic agility workshop on Thursday and Friday.
• The agenda is focused on building encryption tools with flexibility for using different encryption schemes in hardware and software.