May 16th Daily Policy Monitoring

MAY 16 - State: Notice of Shipping Coordinating Committee Meeting

• The Department of State will conduct a public meeting at 9:00 a.m. on Wednesday, June 11, both in person and via teleconference to prepare for the 110th session of the International Maritime Organization's (IMO) Maritime Safety Committee (MSC 11).
• The agenda items to be considered at the meeting include a range of topics including amendments to mandatory instruments, goal-based new ship construction standards, and revision of the Guidelines on Maritime Cyber Risk Management and identification of next steps to enhance maritime cybersecurity.
• Additional topics for consideration include development of a safety regulatory framework to support the reduction of emissions using new technologies, measures to enhance maritime security, and pollution prevention and response. 
• The meeting location will be the United States Coast Guard Headquarters, 5PS Conference Room and the teleconference line will be provided to those who RSVP.
• Additional information regarding this and other IMO public meetings may be found here.

MAY 15 - Commerce: UAE and US Presidents Attend the Unveiling of AI Campus in Abu Dhabi

• The Deparment of Commerce reported that a new 5GW United Arab Emirate and United States AI Campus in Abu Dhabi was unveiled at Qasr Al Watan in the presence of UAE President Nahyan and US President Trump.
• The new AI campus is the largest outside the US and will be home to hyperscalers and large enterprises that can leverage the capacity for regional compute with the ability to serve the Global South.
• The campus will include 5GW of capacity for AI data centers in Abu Dhabi, providing a regional platform from which US hyperscalers will be able to offer latency-friendly services to nearly half the population living within 2,000 miles of the UAE.
• The campus will be built by G42 and operated in partnership with several US companies, building on the "US-UAE AI Acceleration Partnership" to deepend coorperation and collaboration on AI and advanced technologies.
• The UAE and US will work together to enhance Know-Your-Customer protocols to regulate access to the compute resources, which are reserved for US hyperscalers and approved cloud service providers.

MAY 15 - CISA: CISA Releases Twenty-Two Industrial Control Systems Advisories

• CISA released twenty-two Industrial Control Systems (ICS) Advisories on May 15, 2025.
• These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
• Vendors for the advisories include Siemens, Schneider Electric, and Mitsubishi Electric.
• CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

MAY 15 - CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog

• CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
• The vulnerabilities include DrayTek Vigor Routers OS Command Injection Vulnerability, Google Chromium Loader Insufficient Policy Enforcement Vulnerability, and SAP NetWeaver Deserialization Vulnerability.
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
• Binding Operational Directive (BOD) 22-01 established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise.
• Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

May 15th Daily Policy Monitoring

MAY 15 — CISA: RFI on Service Now and Vendor Engagement Extention

• The Cybersecurity and Infrastructure Security Agency (CISA), under the Department of Homeland Security (DHS), proposed a new information collection request titled "CISA Industry Engagement Registration & Account in ServiceNow."
• This proposal aims to streamline and automate the process through which private sector vendors register and create accounts to engage with CISA, enabling more efficient collaboration in support of CISA's operational needs.
• The collection instrument will gather information from vendors via ServiceNow to build an internal database of vendor capabilities. This database will help CISA identify and engage with companies offering innovative solutions aligned with its operational objectives. 
• Future comments are encouraged to remain within scope of the RFI, focusing on the process of vendor engagement and registration, and are due on June 16th. 
• CISA previously published this Information Collection Request (ICR) on June 24, 2024, for a 60-day public comment period.

MAY 15 — GAO: Report on Pay-as-you-go (PAYGO) Requirements and Federal Rulemaking

• The U.S. Government Accountability Office (GAO) published a report analyzing the effects of the administrative PAYGO provisions reinstated by the Fiscal Responsibility Act of 2023.
• Administrative PAYGO rules require federal agencies to identify offsets for regulatory actions that increase direct (mandatory) spending, and were reintroduced in June 2023 after being revoked in January of 2021.
• GAO examined rules published between January 2021 and June 2023 to look at how many would have been subject to PAYGO, analyzed estimated costs of 28 major rules issued in the first five months after the act’s enactment, and reviewed how the Office of Management and Budget (OMB) monitored agency compliance. GAO found that although some rules could have been subject to PAYGO, none triggered requirements due to exemptions or waivers.
• GAO reported that federal cost estimates for the 28 reviewed rules ranged from $0 to $156 billion, with half of them estimating no federal cost and none exceeding thresholds that would mandate offsets.
• GAO's evaluation included analysis of agency documentation, economic impact assessments, and interviews with OMB staff to understand how compliance determinations and exemptions were managed under the reinstated PAYGO framework.

MAY 14 — NIST: Workshop Summary Report for "Workshop on Foundational Cybersecurity Activities for IoT Device Manufacturers"

• The National Institute of Standards and Technology (NIST), through its Cybersecurity for the Internet of Things (IoT) program, organized a workshop to discuss planned updates to NIST Interagency Report (IR) 8259.
• NIST IR 8259 provides foundational cybersecurity guidance for IoT device manufacturers, and the agency seeks to update this guidance to better reflect evolving industry needs and cybersecurity practices across the IoT product lifecycle.
• The March 5, 2025 workshop focused on incorporating a product-centric approach into the guidance, with expanded content on risk analysis, application to industrial environments, and data management strategies that support privacy goals. These updates aim to improve IoT cybersecurity outcomes by aligning with real-world product development and operational challenges.
• From a technical perspective, the discussions highlighted the need for guidance that addresses diverse IoT use cases, ranging from consumer devices to industrial systems, and ensures cybersecurity practices are integrated throughout the product lifecycle.
• This workshop built on a previous NIST event held in December 2024, which first identified key areas for updating NIST IR 8259. 

MAY 13 — ENISA: Press Release on European Vulnerability Database

• The European Union Agency for Cybersecurity (ENISA) launched the European Vulnerability Database (EUVD) to centralize and enhance access to cybersecurity vulnerability information across the EU.
• ENISA developed the EUVD under the NIS2 Directive to improve situational awareness, support vulnerability coordination efforts, and strengthen cybersecurity risk management for both public and private stakeholders in the EU.
• The EUVD aggregates data from CSIRTs, vendors, and global databases like MITRE’s CVE and CISA’s Known Exploited Vulnerability Catalogue. It features dashboards on critical, exploited, and EU-coordinated vulnerabilities, offering actionable information such as severity, affected products, mitigation guidance, and patch availability.
• ENISA became a CVE Numbering Authority (CNA) in January 2024, enabling it to assign CVE IDs for vulnerabilities discovered by or reported to EU CSIRTs. This bolsters Europe's capacity to manage and disclose vulnerabilities within a coordinated framework.
• The EUVD is distinct from the forthcoming Cyber Resilience Act (CRA) Single Reporting Platform, which will be used by manufacturers to report actively exploited vulnerabilities starting in September 2026. The EUVD focuses on transparency, coordination, and public access rather than regulatory compliance.

May 14th Daily Policy Monitoring

MAY 13 – GAO: 2025 Annual Report

• The U.S. Government Accountability Office (GAO) released its annual report on federal programs that have fragmented, overlapping, or duplicative goals or actions.
• The GAO identified 148 new matters and recommendations in 43 new topic areas for Congress or federal agencies to improve efficiency and effectiveness of government.
• The report specifically focuses on the overlap, duplication, and fragmentation of IT project reviews, and estimates that implementing statutory requirements for those types of reviews could save the government more than $100 million.
• Other tech-related recommendations in this year’s report include the GAO’s estimate that the Space Development Agency could save “hundreds of millions of dollars over ten years” if it would “fully demonstrate its space-based laser communications technology in each iterative development phase before progressing.”
• The report also recommends that the White House’s Office of the National Cyber Director (ONCD) lead “the quantum computing cybersecurity strategy to better manage fragmentation and potential overlap of other agency efforts.

MAY 9 – DOJ: U.S. and Netherlands Seize Network Provides that Helped Hackers Mask Activities

• The U.S. Department of Justice (DOJ) and the Dutch National Police published a press release indicating that they have seized the website infrastructure of 5socks and Anyproxy, a pair of providers that for years offered location and identity-masking tools to cybercriminals.
• Three Russian nationals—Alexy Chertkov. Krill Morozov, and Aleksandr Shishkin—and Kazakhstani national Dmitriy Rubstov were charged for operating the proxy services, which were built on hijacked, older-model wireless routers around the world.
• The compromised routers formed a botnet that served as the backbone for the proxies, which were designed to hide the users’ locations.
• 5socks, which claimed to have been operation since 2004, said that users can purchase “elite anonymous proxies at an affordable price,” and access some 7,000 proxy service offerings with cryptocurrency payments, according to an archived version of the group’s homepage.

MAY 9 – FedRAMP: FedRAMP Continuous Reporting Standard

• The Federal Risk and Authorization Management Program (FedRAMP) issued a call for public comments on a proposed update to its continuous monitoring reporting rules that cloud service providers must follow to maintain FedRAMP authorization.
• The call for comment is part of the General Services Administration’s (GSA) larger FedRAMP “20x” re vamp that was unveiled in March that aims to speed the approval process for secure cloud services authorized by the program.
• The standard includes guidance on application, including requirements for how frequently Key Security Metrics should be reported.
• FedRAMP is particularly interested in comments regarding: whether the reporting requirements strike the balance between security oversight and operational efficiency; if the Continuous Monitoring reporting rules are a change in the right direction; what additional information agencies will need to maintain risk awareness; and the materials that should be prioritized to support this new standard.
• Comments are due by June 9.

MAY 1 – GAO: GAO Calls on ODNI to Address Personnel Vetting Data Shortfalls

• The U.S. Government Accountability Office (GAO) released a letter calling on Director of National Intelligence Tulsi Gabbard urging her office to confront critical data shortfalls undermining the Federal personnel security clearance process.
• The GAO also pointed to ongoing problems within the Office of the Director of National Intelligence’s (ODNI) oversight, especially in managing reciprocity and using performance metrics.
• In a 2024 survey, 22 of 31 federal agencies identified poor-quality and incomplete IT system data as the top challenge in processing reciprocal clearances. To address this, GAO recommended the ODNI adopt best practices for validating agency-submitted data and implement a clear plan to ensure IT systems can fully support clearance reciprocity.
• Improving the government-wide personnel security clearance process remains a priority, as the system has been on GAO’s High-Risk List for over six years due to persistent delays and inefficiencies.

APR 30 – DOD: Software Modernization Implementation Plan FY 25-26

• The Defense Department’s (DoD) chief information office (CIO) has released the Software Modernization Implementation Plan for Fiscal 2025-2026, which marks a call for the entire department to improve delivery of software-based capabilities.
• The document lists three goals for the next two years—focusing on software factories, enterprise cloud, and transforming processes—as well as specific tasks for each goal that aims to improve overall software modernization.
• The goals and tasks in the document build on the DoD CIO’s software modernization implementation plan for fiscal 2023 and 2024. According to the new roadmap, the Pentagon has completed 27 out of 41 tasks outlined in the previous plan, carried 12 tasks over to FY25 and FY26 and combined two tasks with others in the updated document.
• The updated DoD Software Modernization Implementation Plan outlines a path forward by building on progress achieved during FY23-24 and adding new focus areas to maintain a competitive edge in an increasingly software-defined battlespace.
• The DoD Software Modernization Strategy was first published in 2022, and the Software Modernization Implementation Plan was published in March 2023.

May 13th Daily Policy Monitoring

MAY 13 – DHS: Federal Emergency Management Agency Review Council Meeting

• The Federal Emergency Management Agency (FEMA) Review Council is holding an in-person meeting on Tuesday, May 20.
• The council will meet in an open session from 3:00 to 4:00 PM ET. The meeting will include the swearing in of new members, remarks from leadership, and a review of the council and its structure.
• The FEMA Review Council was established in January 2025 to advise the President, through the Assistant to the President for National Security Affairs, the Assistant to the President for Homeland Security, and the Director of the Office of Management and Budget on the existing ability of FEMA to capably and impartially address disasters occurring within the United States and will advise the President on all recommended changes related to FEMA.

MAY 12 – CISA: Update to How CISA Shares Cyber-Related Alerts and Notifications

• The Cybersecurity and Infrastructure Security Agency (CISA) has announced that it is changing how they announce cybersecurity updates.
• The announcements will only be shared through CISA social media platforms and emails and will no longer be listed on the Cybersecurity Alerts & Advisories webpage.
• The focus of the Cybersecurity Alerts & Advisories webpage will now be on urgent information tied to emerging threats or major cyber activity.
• CISA wants this critical information to be easier to find. And will continue to communicate releases and updates to stakeholders.
• To stay informed of alerts and advisories, stakeholders can subscribe to receive the email notifications at notifications on CISA.gov or stakeholders can follow CISA on X @CISACyber.

MAY 9 – OPM: OPM Cancels Solicitation for HR System Overhaul

• The Office of Personnel Management (OPM) has canceled its solicitation for a new cloud-based human capital system.
• According to the agency’s posting in the System for Award Management (SAM), OPM canceled the solicitation after disclosing that it had entered into a one-year contract on May 2 with Workday, Inc., for the new HR system.
• The OPM disclosed that the “sole-source award to Workday is necessary due to an urgent confluence of operational failures and binding federal mandates that require immediate action.”
• The OPM requires an integrated, cloud-based Human Capital Management (HCM) solution that can be rapidly deployed to meet urgent operational and regulatory needs and must provide end-to-end HR lifecycle support within OPM.
• The requirement stems from a need to replace OPM’s fragmented HR infrastructure, which is expected to lead to over 2,000 manual labor hours to develop RIF registers and must be in place as close as possible to July 15, 2025, the day the federal hiring freeze is expected to end to ensure OPM’s compliance with the Presidential Hiring Freeze Memorandum and Executive Order on Federal Hiring Reform.

MAY 1 – DOD: Pilot Program for Anything-as-a-Service Contracts or Agreements

• The Department of Defense (DoD) Defense Pricing, Contracting, and Acquisition Policy (DCPAP) directorate announced plans to launch the “Anything-as-a-Service” pilot program which will establish an initial set of product and service codes (PSCs) for Software-as-a-Service (SaaS), Data-as-a-Service (DaaS), and Space-as-a-Service.
• The program seeks to establish a flexible service delivery model in which DoD can obtain technology-enabled capabilities using a mix of software, hardware, data, and services. These offerings are intended to be scalable, on-demand, and more cost-effective than traditional procurement methods by shifting to fixed-price, usage-based billing.
• The “Anything-as-a-Service” pilot program was mandated by Congress in the fiscal year 2024 National Defense Authorization Act and is intended to test the viability of consumption-based solutions to meet a broad range of defense requirements like enabling real-time access to capabilities and rapid integration of new technologies.
• The memo details that the initial SaaS PSCs include areas such as business applications, compute services, help desk support, and cybersecurity. DaaS offerings include mobile device services, satellite communications, and scientific data analysis. Space-as-a-Service codes cover rentals of office buildings, conference spaces, and other administrative facilities.
• The memo further explains that accepted contracts may qualify for exemptions from certain certified cost or pricing data and full and open competition rules. Contracting officers must seek DCPAP approval, and if approved, are expected to enter into an agreement within 100 days’ notice.

May 12th Daily Policy Monitoring

MAY 12 – OMB: Federal Acquisition Regulation Introduction

• The Office of Management and Budget’s (OMB) Office of Federal Procurement Policy (OFPP), Department of Defense; General Services Administration (GSA); and the National Aeronautics and Space Administration (NASA) published a summary presentation of the final rules for the updated Federal Acquisition Regulation (FAR).
• The final rule amends the FAR to revise the list of domestically non available articles under the Buy American statute. Administrative changes and technical amendments are also made at FAR 1.401, 17.703, 33.105, 52.101, 52.102, 52.300, and 52.301.
• A companion document, the Small Entity Compliance Guide, which consists of a summary of rules appearing in the Federal Acquisition Circular (FAC) (2025-04) and amends the FAR was also released.
• The list of domestically non available articles and the technical amendments are effective by June 11, 2025

MAY 9 – White House: Executive Order Increasing Efficiency at the Office of the Federal Register

• The White House released an executive order directing the Office of the Federal Register to speed up its publishing time and decrease costs.
• The Federal Register plays a crucial role in the regulatory process by publishing proposed and final agency actions, including any actions that eliminate regulations.
• The order specifically directs the Archivist of the United States and Office of the Federal Register to review current practices and to modernize and streamline processes to reduce delays and ensure that costs at the Federal Register are limited to actual costs.
• This EO is part of several initiatives this administration has taken to improve and modernize how the federal government functions. 
• The EO aims to reduce red tape and increase efficiency to enable the Office of the Federal Register to catch up to the rest of the Administration and facilitate the President’s deregulatory agenda.

MAY 8 – NTIA: More Than 90 Applications Requesting Nearly $3 Billion Submitted for the Wireless Innovation Fund’s Third Round

• The National Telecommunications and Information Administration (NTIA) announced that it received 94 applications requesting nearly $3 billion in federal funding and proposing more than $1.3 billion in private investment to support innovation in wireless equipment.
• The third Notice of Funding Opportunity (NOFO) in the Public Supply Chain Innovation Fund makes up to $450 million available to invest in industry-specific use cases and integration of automated solutions for open and interoperable radio access network (Open RAN) equipment, aimed at accelerating the adoption of Open RAN technology.
• The $1.5 billion Public Wireless Supply Chain Innovation Fund is funded by the CHIPS and Science Act of 2022 and invests in American technology leadership in mobile communications networks aiming to drive wireless innovation, foster competition, and strengthen supply chain resilience.
• The third round of funding will invest in: software solutions that utilize data from Open RAN interfaces and/or leverage Open RAN-specific innovations; and software solutions that reduce the cost and complexity of multi-vendor integration through automation. 
• Applications for this round of funding were due by April 19, and the NTIA is evaluating applications to make awards later this year.