March 28th Daily Policy Monitoring

MAR 27 - FCC: FCC Proposes Action to Improve Next Generation 911

• The Federal Communications Commission (FCC) proposed rules to help ensure that emerging Next Generation 911 (NG911) networks are reliable and interoperable, which will help first responders save lives.
• The nation is transitioning from legacy 911 technology to NG911, which will use Internet Protocol (IP)-based infrastructure to support new 911 capabilities, including text, video, and data.
• The Commission has proposed rule changes to both facilitate the NG911 transition and ensure that the transition does not inadvertently create vulnerabilities in critical public safety networks.
• The Further Notice of Proposed Rulemaking adopted seeks comment on proposals to update existing 911 reliability rules, update reliability standards for providers of critical NG911 functions, establish NG911 interoperability requirements for the interstate transfer of 911 traffic, and modify the certification and oversight mechanisms in the current 911 reliability rules.

MAR 25 - GAO: Improving the Federal Approach to Disaster Assistance

• The GAO released a report highlighting the increasing frequency and cost of natural disasters, with 27 billion-dollar events in 2024 compared to 14 in 2018, straining federal resources and revealing inefficiencies in disaster assistance delivery.
• The report identifies fragmentation across over 30 federal entities as a key challenge, complicating recovery efforts for survivors and communities, and recommends reforms like a unified application system and an independent commission to streamline processes.
• Proposals include establishing an independent commission to oversee coordination, improving workforce capacity, and reforming FEMA programs to address equity issues and reduce delays in assistance distribution.
• The GAO emphasizes proactive investments in pre-disaster mitigation, such as infrastructure upgrades, to curb long-term costs, urging Congress to prioritize funding for resilience measures alongside reactive recovery efforts.

March 27th Daily Policy Monitoring

MAR 27 - Solarium Commission: Release of Reports on Cybersecurity Recommendations in the Transportation Sector

• A new report from the current iteration of the Cyberspace Solarium Commission dives into the security of the transportation sector and the intersection with the Defense Department, offering recommendations for policy proposals to bolster cybersecurity for maritime, railroad and aviation stakeholders. The report, released by the Foundation for Defense of Democracies, addresses cybersecurity gaps in U.S. transportation sectors critical for military mobility (maritime, aviation, and rail), urging immediate action to improve resilience.
• The report calls for harmonizing cybersecurity regulations across federal, state, and industry levels to reduce redundancy, focusing on reducing compliance burdens for infrastructure operators. It recommends Congress fund grant programs for the maritime, aviation, and rail sectors to improve cybersecurity, with a focus on military mobility, strategic ports, hubs, and railroads.
• The report advocates for revising the U.S. GPS governance strategy, transitioning to more secure GPS III architecture, and exploring terrestrial positioning options to address vulnerabilities.

MAR 27 - SEC: Notice of Filing of Proposed Rule Change Relating to a Participant System Disruption

• On March 14, 2025, The Depository Trust Company (DTC) filed a proposed rule change with the Securities and Exchange Commission (SEC) to amend Rule 38(A) regarding systems disconnects and threats to DTC’s systems.
• The rule changes are part of a broader effort involving DTC’s affiliate clearing agencies—FICC and NSCC—which will each file similar proposals to amend their respective disruption rules.
• Proposed amendments include updating definitions, refining the process for declaring a "Major System Event," and clarifying the notification requirements for participants in case of system disruptions.
• The changes also introduce new provisions for the "reconnection" process for participants disconnected from DTC systems, along with legal and governance requirements.
• The rule change seeks to improve the overall framework for mitigating the impact of major events and disruptions on clearing agencies and their participants.

MAR 27 - CISA: Release of Advisory on Industrial Control Systems

• CISA has released one Industrial Control Systems (ICS) advisory on March 27, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
• CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

MAR 21 - FCC: Release of Report on New Investigation into CCP-Aligned Entities

• The FCC announced the establishment of a new Council on National Security and revealed its first major initiative: an investigation into CCP-aligned businesses whose equipment or services were placed on the FCC’s Covered List due to national security risks.
• The investigation aims to assess whether these entities are still operating in the U.S. despite being placed on the Covered List, using Letters of Inquiry and subpoenas to gather information.
• The FCC has already taken steps to address threats posed by companies like Huawei, ZTE, and China Telecom, including revoking their operating authorizations.
• The report emphasizes that some of these entities may still be attempting to bypass FCC restrictions and continue operating in the U.S., and the FCC is working to close any loopholes.
• The investigation will collect information about these entities' operations in the U.S. and other companies supporting their activities, with the FCC planning further actions to safeguard national security.

March 26th Daily Policy Monitoring

MAR 25 – DOT: U.S. Transportation Secretary Sean P. Duffy Advocates for Enhancing Pipeline Safety in New Advisory

• The Department of Transportation (DOT) announced that the Pipeline Hazardous Materials Safety Administration (PHMSA) will be encouraging all regulated pipeline owners and operators to voluntarily adopt new safety management systems (SMS).
• The utilization of SMS will enhance pipeline safety and is supported by the National Transportation Safety Board (NTSB).
• PHMSA published an Advisory Bulletin in the Federal Register that advocates for the voluntary adoption of pipeline SMS by all regulated pipeline owners and operators.

MAR 25 – Google: Gemini 2.5: Our Most Intelligence AI Model

• Google has released Gemini 2.5 Pro Experimental, a thinking model, capable of reasoning before responding, which results in enhanced performance and improved accuracy.
• The AI essentially fact-checks itself along the way to generating an output, called “Simulated Reasoning.”
• Gemini 2.5 Pro is available now in Google AI Studio and in the Gemini app for Gemini Advanced users, and will be coming to Vertex AI soon.

MAR 25 – ODNI: Trump Administration Intelligence Officials Detail Worldwide Cyber Threats in Annual Report

• The Office of the Director of National Intelligence (ODNI) released an annual report that goes into the most pressing international threats facing the U.S., including the national security impacts of cyber capabilities posed by China, Russia, Iran, North Korea, and other criminal groups.
• The 2025 Threat Assessment report highlights that a wide range of foreign actors are targeting U.S. health and safety, critical infrastructure, industries, wealth, and government. It emphasizes that state adversaries and their proxies are also trying to weaken and displace U.S. economic and military power in their regions and across the globe.
• The ODNI 2025 Threat Assessment report detailed that financially motivated cyber criminals continue to prey on inadequately defended U.S. targets, such as healthcare systems and municipal governments, that could have a broad impact on the U.S. populace and economy.

MAR 25 – NIST: NIST Seeks Input on Draft Guide for Secure Integration of Cloud Applications

• The National Institute of Standards and Technology (NIST) has released a draft guide for public comment focused on identifying and mitigating vulnerabilities when integrating applications in enterprise cloud environments, including zero trust principles.
• The publication, titled, “Guidelines for API Protection for Cloud Native Systems,” outlines how a “lack of due diligence” in cloud application integration can result in vulnerabilities and open the door to malicious cyber actors.
• NIST is accepting comments through May 12.

MAR 24 – NIST: Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations

• The National Institute of Standards and Technology (NIST) released a report that provides a taxonomy of concepts and defined terminology in the field of adversarial machine learning (AML).
• The taxonomy is arranged in a conceptual hierarchy that includes key types of ML methods, life cycle stages or attack, and attacker goals, objectives, capabilities, and knowledge.
• The report also identifies current challenges in the life cycle of AI systems and describes corresponding methods for mitigating and managing the consequences of those attacks.

March 25th Daily Policy Monitoring

MAR 24 – GSA: GSA Announces FedRAMP 20x

• The U.S. General Services Administration (GSA) announced that the Federal Risk and Authorization Management Program (FedRAMP) will focus on working with industry to develop a new, cloud-native approach to authorizations.
• FedRAMP 20x will focus on innovating alternative approaches to make automated authorization simpler, easier, and cheaper while continuously improving security. The FedRAMP team will also continue to support traditional agency authorizations.
• FedRAMP 20x is built on these core principles: GSA will set the foundation for private sector innovation; Cutting red tape through automation; Faster, more secure cloud automation; and More flexibility and better collaboration.

MAR 24 – NIST: NIST Updates Cybersecurity Taxonomy Guide for Adversarial Machine Learning

• The National Institute of Standards and Technology (NIST) has published an updated taxonomy guide to help cyber defenders protect themselves and fend off cyber attacks against their artificial intelligence systems.
• NIST says the publication is “primarily intended for those who design, develop, deploy, evaluate, and govern, AI systems.” It was first published in January 2024 and “has a number of revisions that may interest AI developers and users.”
• The guide identifies attack vendors explaining how those challenges “span different phases of ML operations such as the potential for adversarial manipulation of training data; the provision of adversarial inputs to adversely affect the performance of the AI system; and even malicious manipulations, modifications, or interactions with models to exfiltrate sensitive information from the model’s training data or to which the model has access.”

MAR 24 – CISA: CISA Adds One Known Exploited Vulnerability to Catalog

• The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30154 reviewdog action-setup GitHub Action Embedded Malicious Code Vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
• Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise.

MAR 18 – NVIDIA: NVIDIA to Build Accelerated Quantum Computing Research Center

• NVIDIA announced it is building a Boston-based research center to provide cutting-edge technologies to advance quantum computing.
• The NVIDIA Accelerated Quantum Research Center, or NVAQC, will integrate leading quantum hardware with AI supercomputers, enabling what is known as accelerated quantum supercomputing.
• The NVAQC will help solve quantum computing’s most challenging problems, ranging from qubit noise to transforming experimental quantum processors into practical devices.

MAR 14 – CRI: Cyber Risk Institute to Develop Tailored AI Risk Management Framework Profile for Financial Sector

• The Cyber Risk Institute (CRI) is working on a profile of the National Institute of Standards and Technology’s (NIST) artificial intelligence risk management framework to meet the needs of their financial sector members, according to a filing to NIST on the intersection of AI and cybersecurity.
• NIST has launched an effort to develop an AI profile of its cybersecurity framework and released a concept paper on February 14 to get feedback from stakeholders. The comment period closed on March 14.
• NIST will use the feedback to inform an April 3rd workshop on the Cyber AI profile at NIST’s National Cybersecurity Center of Excellence.

March 24th Daily Policy Monitoring

MAR 24 – GAO: Cloud Computing: Private Sector Leading Practices in Acquisition, Cybersecurity, and Workforce Development

• The U.S. Government Accountability Office (GAO) conducted a study to determine the adoption of cloud computing solutions across both the private and the public sectors.
• The report identifies leading practices in the private and public sectors for adopting cloud solutions, and approaches to address challenges in the private sector regarding the adoption of cloud solutions.
• Eighteen private sector companies surveyed by GAO reported using the majority of 19 leading practices across three management areas—acquisition, cybersecurity, and workforce development—when adopting and implementing cloud computing solutions. Subject matter experts from academia agreed these are leading practices for cloud adoption, and the majority of companies found them very or extremely important for an effective cloud adoption strategy.

MAR 24 – GSA: GSA to Rightsize Multiple Award Schedule Program

• The U.S. General Services Administration announced a new initiative to improve the effectiveness of the Multiple Award Schedule Program by allowing contracts that fail to meet sales thresholds to expire, addressing contractor noncompliance, reducing redundancies with other procurement channels and eliminating low-demand items that fail to deliver meaningful procurement benefits.
• The MAS Program is widely recognized as the largest government commercial acquisition program in the world, with sales exceeding $51.5 billion in FY 2024.
• The program plays a critical role in helping government customers purchase commercial products and services at pre-negotiated prices, with competition at the order level to secure additional savings.

MAR 20 – IST: Think Tank Offers Strategies for Mitigating Artificial Intelligence Risk Against ‘Future Failures’

• The Institute for Security and Technology (IST) published a new report in which it details artificial intelligence risk mitigation strategies to help organizations act against threats in both the technical and policy realms.
• The report presents 39 risk mitigations strategies for avoiding institutional, procedural, and performance failures of AI systems.
• The report is the second in a two-part series set on “Navigating AI Compliance,” following the release of “Tracing Failure Patterns in History” in December.

MAR 20 – ENISA: Cybersecurity Standardization Conference 2025: Paving the Way for a Safer Digital Europe

• The European Union Agency for Cybersecurity (ENISA) co-hosted the 9th Cybersecurity Stadardization Conference on March 20th in Brussels.
• The event brought together policymakers, industry leaders, researchers, and experts to discuss the evolving landscape of EU cybersecurity legislation and its implications for standardization.
• The conference addressed topics such as the state of play of European standardization, the interplay of cybersecurity legislation, and overarching cybersecurity standards.
• The event aimed to foster dialogue and collaboration among stakeholders to ensure effective implementation of EU cybersecurity legislation.

UPCOMING EVENTS

MAR 24 – ADI: FedRAMP 2025 Discussion With FedRAMP Director Pete Waterman to Be Hosted by ADI

• The Alliance for Digital Innovation (ADI) is hosting a discussion today at 3:30 PM with FedRAMP Director Pete Waterman.
• The discussion will be focused on the General Services Administration (GSA) overhaul of the cloud security program, known as FedRAMP.

MAR 24 – Zscaler: Public Sector Summit 2025

• Zscaler is hosting a Public Sector Summit on March 24 and March 25.
• Government IT leaders and industry experts will provide use cases and actionable insights for each stage of the transformation journey—from initial assessments and strategy building to implementation and ongoing optimization.

MAR 25 – IDGA: Homeland Security Week 2025

• The Institute for Defense and Government Advancement (IDGA) is hosting a two-day event from March 25-26.
• The event will bring together leading experts and key decision-makers from DHS, DOJ, local law enforcement, and industry to tackle the most pressing security challenges facing the U.S. Homeland.
• This year’s event will focus on advancing AI, cloud and cybersecurity efforts, adopting new biometric technologies, optimizing border security strategies, maximizing counter-UAS capabilities, enhancing infrastructure resilience, and supporting security strategies for local law enforcement.

MAR 25 – Senate: Hearing on Harnessing Artificial Intelligence Cyber Capabilities

• The Senate Armed Services cyber subcommittee is holding a hearing on Tuesday, March 25 at 3:30 PM.
• The hearing will focus on using AI to enhance cyber efforts.
• The witnesses are Scale AI’s Dan Tadross, Cohere’s David Ferris, and RAND Corporation’s Jim Mitre.

MAR 25 – Georgetown: What’s Next for AI Red-Teaming?

• Georgetown University’s Center for Security and Emerging Technology is hosting a virtual event on Tuesday March 25 at 12:00 on the limitations of AI red teaming and opportunities to improve AI security.
• Microsoft’s Tori Westerhoff, MITRE’s Christina Liaghati and Marius Hobbhahn of Apollo Research will discuss AI red-teaming and other security testing options with CSET’s Jessica Ji and Colin Shea-Blymer.