June 27th Daily Policy Monitoring

JUN 27 - GAO: Priority Recommendations: Department of Transportation

• The Government Accountability Office (GAO) has released a letter containing 21 open priority recommendations for the Department of Transportation (DOT) Secretary, Sean Duffy.
• The report highlights four focus areas the GAO feels warrants timely response, including managing cybersecurity risks and IT, improving transparency and communication, developing plans to address safety risks, and reducing fraud and abuse risks.
• The letter suggests that DOT should develop a comprehensive cybersecurity risk management strategy that includes how it intends to assess, respond to, and monitor risks in order to complete its IT workforce planning activities.
• GAO found that the Federal Aviation Administration (FAA), which is housed under DOT, has been slow to modernize its most critical and at-risk systems. GAO is currently evaluating the FAA's Cybersecurity Strategy against key practices and the extent to which FAA has implemented its strategy to mitigate cybersecurity risks to its systems and networks.
• In addition to the 21 priority recommendations enclosed in the letter, GAO will continue to work with DOT to address 177 other open recommendations.

JUN 25 - DHS: DHS S&T Launches Next Phase of Industry Competition to Develop Revolutionary Identity Verification Tech

• The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has announced the second phase of the Remote Identity Validation Rally (RIVR), a series of challenges hosted by DHS S&T which invites private industry to test, refine, and improve its ID verification technology.
• The first phase of the RIVR established new benchmarks for remote identity verification technology and provided clear targets for improvements.
• The second phase challenges the private sector to deliver secure, accurate, and user-friendly technologies that can combat identity fraud when users apply for government services, open bank accounts, or verify social media accounts.
• The program was developed in partnership with the Transportation Security Administration (TSA), Homeland Security Investigations (HSI) Forensic Laboratory, and the National Institute of Standards and Technology (NIST).
• Applications for technology developers to participate in the program are due by July 18, 2025.

JUN 24 - DoD: DoD CIO RFI for Risk Management Framework (RMF) Revamp

• The Department of Defense (DoD) Chief Information Officer (CIO) issued a Request for Information (RFI) seeking input from industry to better understand current capabilities, innovative solutions, and business practices that can support revamping the Risk Management Framework (RMF) to streamline the approval process for operational capabilities.
• The DoD CIO oversees all matters related to information, IT, operational technology, Zero Trust, and the broader DoD information environment - encompassing command, control, and communications (C3), electromagnetic spectrum operations, network operations, IT portfolio management, cybersecurity, and positioning, navigation, and timing (PNT).
• The purpose of the industry input is to streamline the RMF while simultaneously enhancing the cybersecurity posture of DoD systems through a comprehensive RMF modernization effort.
• The RFI aims to identify emerging technologies, best practices, and operational methodologies that streamline cybersecurity risk assessment, reduce redundant compliance efforts, and improve reciprocity across DoD components.
• Industry responses will inform policy adjustments, optimize risk management strategies, and contribute to a more agile and resilient cybersecurity posture, ensuring the delivery of mission-critical capabilities to the warfighter.

June 26th Daily Policy Monitoring

JUN 26 — GAO: Report on Export Controls Information Sharing and BIS Workforce Planning

• The Government Accountability Office (GAO) published recommendations urging the Department of Commerce’s Bureau of Industry and Security (BIS) to enhance cybersecurity-related workforce planning and improve interagency information-sharing on export controls.
• BIS is responsible for controlling the export of sensitive dual-use technologies, including those in the information and communications technology (ICT) sector, to protect U.S. cyber and national security interests.
• BIS used recent funding increases to expand enforcement of export controls, and to establish a new office focused on securing the ICT and services supply chain. However, GAO has determined that BIS lacks a long-term cyber workforce plan and limits data access across classified and unclassified systems, impeding informed license decisions related to cybersecurity risks.
• The report states that BIS's failure to share full license application data with reviewing agencies like the Departments of Defense, Energy, and State reduces visibility into cyber-sensitive exports and the agencies' abilityto constult on license conditions. 
• BIS has not updated its agency-wide workforce strategy since 2016, leaving critical cybersecurity staffing and infrastructure planning reactive rather than strategic despite escalating digital threats.

JUN 20 — FDA: Release of White Paper on Medical Product Manufacturing Cybersecurity 

• The U.S. Food and Drug Administration (FDA) has published a white paper recommending the integration of cybersecurity into operational technologies (OT) used in medical product manufacturing.
• Modern manufacturing environments increasingly rely on internet-connected devices and smart technologies, which are vulnerable to cyber threats due to limited security features and legacy system designs.
• The FDA white paper outlines three cybersecurity focus areas: technical information exchange, compliance with recognized standards, and security by design. These areas catergorize the considerations of securing OT environments that manage production equipment, sensors, and industrial control systems (ICS). These systems often lack visibility and control, creating exploitable gaps in medical supply chains.
• From a regulatory perspective, the FDA recommends alignment with frameworks such as FIPS 140-2/3, NIST SP 800-82, and IEC 62443, and encourages using tools like security assessments, SBOMs, and the Authorization to Operate (ATO) process to identify and mitigate risks before systems become operational.
• By way of background, the FDA’s 2023 previous guidance on cyber devices set foundational cybersecurity expectations for premarket submissions, and the new OT-focused white paper builds on that effort by targeting manufacturing infrastructure to address growing cyber vulnerabilities in the medical product supply chain.

June 25th Daily Policy Monitoring

JUN 25 – GAO: Cybersecurity: NASA Needs to Fully Implement Risk Management

• The U.S. Government Accountability Office (GAO) published a report on cybersecurity risk management at the National Aeronautics and Space Administration (NASA) to assess the extent to which NASA implemented cybersecurity risk management for selected major projects.
• GAO reviewed NASA policies and guidance regarding cybersecurity risk management and selected a nongeneralizable sample of two major projects and two associated systems for each project.
• The National Institute of Standards and Technology (NIST) developed cybersecurity risk management guidelines for agencies such as the NASA, which include prepare, categorize systems, select controls, implement controls, assess control implementation, authorize the system, and continuously monitor security control effectiveness.
• The GAO found that NASA fully or partially implemented all steps for the cybersecurity risk management program for selected systems, but did not perform key activities within certain steps.
• In the prepare step, NASA did not have an approved organization-wide risk assessment. In the monitor step, NASA did not document system-level continuous monitoring strategies for selected systems due to the lack of guidance on how to do so.

JUN 25 – ENISA: EU Managed Security Services Certification to Drive the Cybersecurity Market

• The European Union Agency for Cybersecurity (ENISA) launched a call for expression of interest to participate in the relevant Ad Hoc Working Group (AHWG) in response to a request from the European Commission to prepare a candidate European cybersecurity certification scheme on Managed Security Services (MSS).
• The AHWG will include experts which knowledge and experience in areas of cybersecurity certification.
• The development will address the current diversity and fragmentation in the approach and requirements that apply to the delivery of MSS in EU Member States and support and align with provisions of the cybersecurity legislation.
• The EU MSS will address the delivery of MSS through a comprehensive and flexible model that wills et out service-oriented requirements. It will be comprised of two-dimension layers: on horizontal layer including minimum requirements for all MSS and various vertical layers that group specific technical requirements tailored for the different type of MSS.
• The call for expression of interest will remain open until July 20, 2025.

JUN 24 – CISA: Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development

• The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) published a joint guide, Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development, that identifies the main obstacles in adopting memory safe languages (MSLs), provides practical solutions to address these challenges, and emphasizes critical factors for organizations aiming to shift towards more secure software development methods. 
• The latest guide from CISA and the NSA explains memory vulnerabilities and provides examples of key features to address memory safety. CISA and NSA emphasize how memory safe languages have a “core strength” because they are proactively secure by design.
• The guide details strategic adoption options including the prioritization of new projects, incremental adoption for existing code and interlanguages integration and application programming interface considerations.
• CIS and NSA urge organizations to consider whether adopting MSLs is practical for their circumstances, and provides adoption approaches and engineering considerations to ensure effective implementation of MSLs into their software.

JUN 24 – DHS: President Trump Announces Appointments to the Homeland Security Advisory Council

• President Donald J. Trump and Secretary Noem appointed new members to the Homeland Security Council (HSAC) and announced the date of the council’s first meeting.
• The HSAC will hold its first meeting at DHS headquarters in Washington, DC on July 2, 2025.
• The HSAC was formed on March 19, 2002, and leverages the experience, expertise, and national and global connections of its membership to provide the Secretary of Homeland Security with real-time, real-world and independent advice on homeland security operations.
• The HSAC consists of leaders from state and local government, first responder communities, the private sector, and academia. The HSAC provides independent advice and recommendations to the Secretary of Homeland Security and supports decision-making across the spectrum of homeland security operations.

JUN 24 – House: Stakeholders Highlight Urgency to House Panel Moving Quickly with Implementing Post-Quantum Cryptography

• The House Committee on Oversight held a hearing on June 24 at which industry stakeholders provided details on the cyber threats from quantum computing and emphasized the need to move quickly on implementing post-quantum cryptography compared to the 2035 deadline set by former President Biden.
• Key witnesses included Dr. Scott Crowder, Vice President of IBM Quantum Adoption; Marisol Cruz Cain, Director of Information Technology and Cybersecurity at the Government Accountability Office (GAO); Denis Mandich, Chief Technology Officer of Qrypt; and Brenda Rubenstein, Associate Professor of Chemistry and Physics at Brown University.
• The hearing served as an opportunity for lawmakers to get an update on the current state of quantum computing, discuss progress at the federal level to implement PQC, and explore cyber threats that are posed by the looming advent of quantum computers that can break encryption quickly.
• Industry stakeholders testified that delaying the transition is “irrational because it assumes predictable progress in a field that has become very secretive in development and is prone to sudden breakthroughs.”

June 24th Daily Policy Monitoring

JUN 24 – GSA: GSA and Elastic Partner on IT Cost Savings Across the Federal Government

• The U.S. General Services Administration (GSA) and Elastic announced a new OneGov agreement offering up to a 60% discount on Elastic solutions through September 2027.
• Under the agreement, agencies purchasing Elastic’s self-managed solution can access discounts starting at 27.5%, increasing up to 60% based on governmentwide annual spend; for FedRAMP Moderate cloud deployments through GovCloud, discounts start at 15%, scaling to 32% at the highest volume tier; and the pricing is valid for orders executed on or before September 30, 2027.
• Elastic’s Search AI platform accelerates operational resilience, powers complex cyber threat detection, and delivers instantly searchable results, AI-driven relevance, and real-time analysis. The agreement leverages Elastic’s open source Search AI technology.
• As part of the agreement, Elastic will offer a Suite of Search AI solutions through GSA Advantage, including Elastic’s Security Incident Event Monitoring, Zero Trust Architecture, Observability, vector database for building GenAI applications, and search AI Lake.

JUN 23 – OSTP: Agency Guidance for Implementing Gold Standard Science in the Conduct and Management of Scientific Activities

• The Office of Science and Technology Policy (OSTP) released guidance to federal agencies on incorporating Gold Standard Science tenets into their research activities, as called for in President Trump’s recent Executive Order (EO) on Restoring Gold Standard Science.
• The EO directs federal research agencies to establish and strengthen practices related to nine key tenets.
• The key tenets require agencies to establish and strengthen practices related to reproducibility, transparency, falsifiability, interdisciplinary research, and merit-based peer review, as well as communicating uncertainties, recognizing negative or null results, and disclosing conflicts of interest.
• Within 60 days, agencies must submit a report outlining their implementation plans for Gold Standard Science to OSTP and post it to their agency’s website.  

JUN 18 – CRS: Congressional Research Service Weighs Policy Implications from Trump Cyber EO

• The Congressional Research Service (CRS) reviewed President Trump’s June 6 cyber Executive Order (EO) in a report detailing policy changes from the Biden administration and potential implications for the federal government and private sector.
• The report explains that the June 6 EO marks a shift from the previous administrations on cyber policy—and in particular, within the narrower area of cybersecurity policy. The EO seeks to redistribute responsibilities of cybersecurity requirements among industry participants or remove the responsibilities altogether.
• The report details how there are some initiatives from the Trump EO that are consistent with the January 16 EO, including an upcoming requirement for agencies to adopt the U.S. Cyber Trust Mark program for “attestations of security” directing agencies to continue to “manage cyber supply-chain risks pursuant to NIST guidance.”
• The report also explains that the confirmation of the National Cyber Director and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) could influence the new national cybersecurity strategy and provide greater detail on how agencies may implement administration priorities.

June 23rd Daily Policy Monitoring

JUN 23 – DHS: Federal Emergency Management Agency Review Council Meeting

• The Department of Homeland Security (DHS) Office of Partnership and Engagement published a notice of meeting for the Federal Emergency Management Agency (FEMA) Review Council for July 9, 2025.
• The meeting will include remarks and updates from council leadership and an open panel discussion.
• The FEMA Review Council advises the President on the existing ability of FEMA to capably and impartially address disasters occurring within the United States and shall advise the President on all recommended changes related to FEMA. 
• The meeting will be open virtually to the public, and registration to attend the meeting is required by Tuesday, July 8 at 5 PM.

JUN 18 – Canada: Cyber Centre Releases Advice on Security Operating Technology Systems

• The Canadian Centre for Cyber Security (Cyber Centre) released guidance for Canadian organizations to defend their operational technology (OT) and industrial control systems (ICS) from malicious cyber actors.
• The Cyber Centre identified ongoing attempts by non-state malicious cyber actors to discover and compromise poorly secured, internet-connected OT and ICS that provide critical services to Canadians.
• The motivations of malicious cyber actors vary, including geopolitical reasons, financial gain, notoriety, or a combination.
• The Cyber Centre recommends Canadian critical infrastructure providers follow recent guidance released by the Cybersecurity and Infrastructure Security Agency, including: remove OT connections to the internet, change default passwords immediately, secure remote access to OT networks, segment IT and OT networks, and practice and maintain the ability to operate OT systems manually.
• Canadia organizations who may have been targeted can contact the Cyber Centre by email at contact@cyber.gc.ca or by phone at 1-833-CYBER-88.