July 30th Daily Policy Monitoring

JUL 30 — GAO: GAO Publishes Report Detailing Industry Perspectives on Cybersecurity Regulations

• The Government Accountability Office (GAO) published a report detailing industry perspectives on federal efforts to utilize more consistent cybersecurity regulations.
• The industry participants identified three main sources of negative impacts on their industries: (1) several agencies regulating a sector's cybersecurity causes overlapping and duplicative cybersecurity regulations; (2) cybersecurity definitions and requirements can be vague or fail to account for sector differences; and (3) duplicative audits requesting and assessing the same information.
• Harmonizing various cybersecurity regulations is critical for achieving more consistent standards that don't contradict each other, drain security resources, and fail to drive the behavioral changes needed for the safety of the nation's critical infrastructure.
• Industry participants noted the Cybersecurity Information Sharing Act of 2015 has successfully bolstered the Cybersecurity and Infrastructure Security Agency's (CISA)  efforts to collaborate and build trust across sectors.
• GAO convened two panel discussions to gather the perspectives of 12 industry experts.

JUL 29 — CISA: CISA and Partners Issue Joint Cybersecurity Advisory Regarding Scattered Spider Threat Actors

• The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint advisory warning against recent malicious activity by Scattered Spider threat actors.
• The U.S. and international federal organizations identified new tactics, techniques, and procedures (TTPs) connected with the Scattered Spider cybercriminal group, including more complex social engineering techniques and new malware and ransomware variants used for data exfiltration and encryption.
• The Scattered Spider cybercriminal group engages in data theft for extortion by targeting companies and their information technology (IT) help desks.
• The authoring agencies recommend critical infrastructure organizations and commercial facilities implement mitigations such as application controls, remote access tool audits, remote access software execution log reviews, and inbound and outbound connection blocks. 
• These mitigations are in line with the Cross-Sector Cybersecurity Performance Goals developed by CISA in coordination with the National Institute of Standards and Technology (NIST).

JUL 29 — CISA: CISA Releases Publication on Part One of Microsegmentation in Zero Trust

• The Cybersecurity and Infrastructure Security Agency (CISA) released a new publication outlining the concepts, challenges and benefits of moving to microsegmentation and
  recommending high-level actions for its successful adoption.
• The publication stipulates that microsegmentation is a critical design philosophy for minimizing the size of network segments, thereby increasing the opportunities for discovering and limiting lateral movement from a compromised endpoint. 
• Perimeter-based security models are no longer sufficient for safeguarding enterprise assets against cyber intrusions and breaches. Microsegmentation enhances protection by securing smaller sets of resources, which minimizes the attack surface, restricts lateral movement, and improves visibility for more effective monitoring within the microsegmented environment.
• CISA updated its Trusted Internet Connections (TIC) program to support modern network architectures and defined microsegmentation as a TIC security capability in the network security group.
• The publication denotes four distinct phases in the transition to a microsegmentation approach, including identifying candidate resources for segmentation, identifying dependencies for selected candidate resources, determining appropriate segmentation policies, and deploying updated segmentation policies.

JUL 29 — NIST: NIST Proposes Changes to Special Publications on Key-Establishment Schemes

• The National Institute of Standards and Technology (NIST) proposed updating Special Publication (SP) 800-56Ar3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, and revising SP 800-56Cr2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes.
• The main objectives for updating SP 800-56Ar3 are to improve its editorial quality, align it with the curve requirements in SP 800-186, and approve x-coordinate-only implementations of some Elliptic Curve Cryptography (ECC) key-agreement schemes.
• The revisions to SP 800-56Cr2 center around allowing greater flexibility in the formatting of hybrid shared secrets and allowing KECCAK Message Authentication Code (KMAC) as an option for the randomness extraction step in the two-step key derivation method.
• The NIST Crypto Publication Review Board first initiated a review of these two SPs in December 2024.
• The public comment period for this decision is open through September 15.

July 29th Daily Policy Monitoring

JUL 29 – GAO: GAO Publishes Report on Generative AI Use and Management at Federal Agencies

• The Government Accountability Office (GAO) published a report describing federal agencies' efforts to pursue generative AI, including their ongoing and planned uses of generative AI and the resulting benefits and challenges.
• The GAO found that of the 11 selected agencies it reviewed with AI inventories, the total number of reported AI use cases nearly doubled from 571 in 2023 to 1,110 in 2024.
• Generative AI offers benefits to federal agencies across a range of mission-support areas, such as written communications, efficient access of information, and program status tracking. 
• The GAO discovered that agencies face several challenges to using generative AI, including complying with existing federal policies and guidance, lacking adequate technical resources and budget, and maintaining up-to-date use requirements.
• Officials from 10 of the 12 selected agencies said existing federal policy could present obstacles to adoption.

JUL 28 – NIST: NIST Releases Second Draft of Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile

• The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) is seeking additional comments and feedback on its draft Interagency Report on Ransomware Risk Management, which was first released in January 2025. 
• The Cybersecurity Framework (CSF) 2.0 Community Profile identifies the security objectives from NIST CSF 2.0 that support the governance, identification, protection, detection, response, and recovery functions related to ransomware events, and can serve as a guide for managing ransomware risk.
• This Ransomware Community Profile is intended for any organization, including those in industry, government, or the nonprofit sector, regardless of size or sector, that may be vulnerable to ransomware attacks. By helping to prioritize security efforts, the Profile can be especially valuable to smaller or less resourced organizations.
• The public comment period for this publication is open through September 11.

JUL 28 – FTC: FTC Awarded Grant to Upgrade its Data Processing Capabilities Needed to Analyze Data Used in Investigations

• The Federal Trade Commission (FTC) received a $14.6 million Technology Modernization Fund (TMF) grant for enhancing its in-house data processing capabilities. 
• The FTC will use the grant to create a comprehensive cloud-based analytics platform that utilizes AI tools, as well as to train personnel to manage complex data analysis in-house.
• The grant's purpose is to reduce the amount of time and money it takes to sift through data by improving the way the FTC analyzes data used in its investigations.
• The TMF provides grants to federal agencies to modernize IT platforms that have a high likelihood of generating savings and other benefits for taxpayers.
• These new tools will enable the FTC to reduce the amount of time it takes to sift through data from weeks to hours.

JUL 22 – NY: New York Proposes Cyber Rules for Public Water Systems and Establishes Grant Program

• New York Governor Kathy Hochul (D) is proposing new cybersecurity policies and regulations for water and wastewater systems, including a grant program to help covered entities reach compliance.
• This proposed regulation establishes risk-based baseline cybersecurity requirements to address sector-specific concerns, mandating that community water systems serving more than 3,300 people conduct annual cybersecurity vulnerability analyses, implement a cybersecurity program, develop an incident response plan, and report certain vulnerabilities within 48 hours. Water systems serving over 50,000 people will also need to designate a qualified executive to oversee the cybersecurity program.
• The NY Department of State estimates that cybersecurity will cost $0-$150,000 per year for systems that serve populations from 3,300 to 50,000 people and $0-$5,000,000 per year for systems that serve more than 50,000 people.
• New York State has funding available for the water and wastewater sectors, including hundreds of millions of dollars in infrastructure grants for public health priorities and a new cybersecurity $2.5 million grant program that the Environmental Facilities Corporation will implement to support covered entities’ compliance with this regulation.
• There are 318 water systems serving more than 3,300 people that are owned and operated by local governments, with 37 of those water systems serving a combined population of greater than 50,000.

July 28th Daily Policy Monitoring

JUL 26 — GAO: GAO Releases Report Recommending Social Security Administration Better Oversee Its IT Investment Management

• The Government Accountability Office (GAO) released a report outlining the Social Security Administration's (SSA) failure to establish a process to oversee investments in IT operations, including those in operations and maintenance, infrastructure, and cybersecurity. 
• Without a process for the IT investment review board (IRB) to oversee these investments, SSA lacks an agency-wide perspective to make the most strategic IT investment decisions and is hindered in its ability to effectively manage the entire IT portfolio.
• SSA relies extensively on IT to deliver retirement, disability, survivor, and family benefits programs to millions of Americans.
• SSA's IT investments accounted for $2 billion, or about 90 percent, of SSA's IT budget in fiscal year 2024.

JUL 25 — FCC: FCC Updates Pole Attachment Rules to Accelerate Deployment of Broadband Facilities on Utility Poles

• The Federal Communications Commission (FCC) adopted updated rules regarding pole attachment regulations for accelerated broadband deployment. 
• Specifically, the FCC is adopting rules that foster stronger collaboration between utilities and attachers, establish clear timelines for large pole attachment requests, streamline the overall pole attachment process, and expedite the approval of contractors.
• The FCC is promoting fast and efficient deployment of broadband facilities on utility poles as part of its goal to accelerate the buildout of next generation infrastructure.
• Section 224(b)(1) of the Communications Act of 1934 requires the Commission to set the rates, terms, and conditions for pole attachments to ensure that rates, terms, and conditions are just and reasonable.
• Comments on the proposed rulemaking are due 30 days after Federal Register publication.

JUL 25 — FCC: FCC Proposes New Rule Eliminating Regulatory Filing Requirement to Encourage Broadband Deployment

• The Federal Communications Commission (FCC) launched a proposed rulemaking eliminating filing requirements to reduce regulatory barriers that prevent much-needed investment in and deployment of broadband.
• The FCC aims to eliminate all filing obligations under the FCC's network change disclosure rules, which would codify temporary filing relief recently granted by the Wireline Competition Bureau.
• The proposed rulemaking stems from the FCC's efforts to reduce regulatory burdens that tie up providers' resources, preventing them from deploying next-generation networks and advanced communications services.
• The FCC's proposed rulemaking also seeks comment on this and other deregulatory options that encourage providers to build, maintain, and upgrade their networks so all consumers and businesses can benefit from technological strides in broadband communications.
• Comments on the proposed rulemaking are due 30 days after publication in the Federal Register.

JUL 24 — DOE: DOE Announces the Site Selection for AI Data Center and Energy Infrastructure Development on Federal Lands

• The Department of Energy (DOE) announced its selection of four sites for AI data centers and energy infrastructure as a next step in the Trump administration's plan to accelerate the development of AI infrastructure.
• The four sites DOE selected include Idaho National Laboratory, Oak Ridge Reservation, Paducah Gaseous Diffusion Plant and Savannah River Site; they were selected based on how well-situated they are for large-scale data centers, new power generation, and other necessary infrastructure. 
• DOE will now invite private sector partners, such as data center developers and energy companies, to develop advanced AI data center and energy generation projects.
• DOE site selection decision aligns with the Trump administration’s goal of utilizing federal land to lower energy costs and help power the global AI race.