March 14th Daily Policy Monitoring

March 13th Daily Policy Monitoring

MAR 13 - DHS: Notice of Termination of Discretionary Federal Advisory Committees

• DHS is ending the Critical Infrastructure Partnership Advisory Council (CIPAC) as part of Executive Order 14217, which aims to reduce federal bureaucracy.

• Along with CIPAC, several other advisory councils managed by DHS are also being discontinued, including the Homeland Security Academic Partnership Council and the Artificial Intelligence Safety and Security Board.

• A CISA official is quoted to have said that the discontinuation of CIPAC does not prohibit Sector Coordinating Councils from continuing to collaborate and coordinate amongst themselves. CISA, in coordination with the Department, is taking this opportunity to review ways to improve information sharing and collaboration between the USG and critical infrastructure owners and operators for better efficiency and effectiveness.

MAR 13 - FCC: Proposed Rule Reviewing of Submarine Cable Landing License Rules and Procedures 

• The FCC is conducting its first comprehensive review of submarine cable rules since 2001 to enhance national security, law enforcement protections, and facilitate cable deployment.

• The review includes proposals for a three-year periodic reporting requirement for submarine cable landing licenses, as well as potential changes to license terms or reporting schedules.

• The Commission proposes requiring applicants and licensees to include security controls in their risk management plans, aligning with cybersecurity best practices like CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) or CIS Controls.

• The Commission also seeks input on whether applicants should submit submarine cable applications to CISA, noting that CISA offers free vulnerability scanning and CPG Assessment Training for critical infrastructure sectors, including communications providers.

• Comments are due May 12th. 

MAR 13 - DHS: Release on Disaster Response Powered by Data

• DHS S&T has developed a Community Lifeline Status System (CLSS) with G&H International to provide real-time data to emergency managers on critical services like water and power, using a color-coded system to track lifeline status.

• S&T, Maryland, and Virginia Departments of Emergency Management tested CLSS in a simulated disaster exercise, focusing on real-time impact assessments between states and agencies.

• The exercise confirmed CLSS improves situational awareness and response coordination, helping restore essential services and save lives during crises.

• CLSS will be launched nationwide in Spring 2025 and made available at no cost to federal, state, local, and tribal agencies for improved emergency response.

MAR 12 - CISA: Release of Cybersecurity Advisory on Medusa Ransomware

• CISA, in partnership with the Multi-State Information Sharing and Analysis Center and the FBI, issued an advisory on the "Medusa" ransomware variant, which has been targeting critical infrastructure since 2021, with over 300 victims as of December 2024.

• Medusa operates as a ransomware-as-a-service model, with affiliates conducting attacks while ransom negotiations remain controlled by the original developers.

• The ransomware uses common tactics like phishing and exploiting unpatched software vulnerabilities, and employs a double extortion model, threatening to release stolen data if the ransom is not paid.

• The advisory outlines how Medusa actors gain network access through cybercriminal forums and use "living off the land" techniques to evade detection and exfiltrate data.

• CISA recommends mitigations, including implementing a recovery plan, following password best practices, requiring multifactor authentication, updating systems, and using network monitoring tools.

March 12th Daily Policy Monitoring

MAR 11 – CISA: CISA Releases Two Industrial Control Systems Advisories

• The Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control Systems (ICS) advisories on March 11, 2025.
• These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
• The advisories include ICSA-25070-01 Schneider Electric Uni-Telway Driver and ICSA-25-070-02 Optigo Networks Visual BACnet Capture Tool/Optigo Visual Networks Capture Tool.

MAR 11 – FCC: FCC Seeks Comment on Auction of AWS-3 Licenses

• The Federal Communications Commission (FCC) announced an auction of 200 licenses of 1695-1710 MHz, 1755-1780 MHz, and 2155-2180 MHz bands (collectively, the “AWS-3” bands), and seeks comment on the procedures to be used for the auction.
• The Commission is offering the licenses in Auction 113 pursuant to the Spectrum and Secure Technology Innovations Act of 2024. The Spectrum and Secure Technology and Innovation Act directs the FCC to initiate a system of competitive bidding to grant licenses for spectrum in its inventory as of December 23, 2024, in the AWS-3 spectrum bands.
• Auction proceeds will support the FCC’s Supply Chain Reimbursement Program, which implements the Secure and Trusted Communication Networks Act of 2019 by reimbursing eligible advanced communications service providers for their costs to remove, replace, and dispose of Huawei Technologies Company or ZTE Corporation equipment and services obtained on or before June 30, 2020.

MAR 11 – House: House Panel Weighs Options for Cyber Regulatory Harmonization Amid CISA Efforts to Finalize Incident Reporting Rule

• Lawmakers on the House Homeland Security Committee agreed on the need for cyber regulatory harmonization at a hearing focused on the Cybersecurity and Infrastructure Security Agency’s (CISA) incident reporting rulemaking and changes to meet stakeholder concerns.
• The hearing offered an opportunity to hear perspectives from different sectors on what changes should be made to CISA’s notice of proposed rulemaking published in April 2024.
• The witnesses were Robert Mayer of USTelecom, Cybersecurity Coalition coordinator Ari Schwartz, the Bank Policy Institute’s Heather Hogsett and Scott Aaronson of the Edison Electric Institute.
• CISA is required under CIRCIA to publish the final rule 18 months after the release of the NPRM, putting the publication date in early October.

MAR 11 – Senate: Commerce Committee Leaders Introduce Bipartisan Bill to Reinforce U.S. Space Leadership

• The U.S. Senate Commerce Committee introduced the National Aeronautics and Space Administration (NASA) Transition Act of 2025, which sets clear near-term priorities for NASA programs, advances American leadership and capability, and upholds scientific ingenuity.
• The bipartisan bill also equips NASA with support it needs to continue critical science and exploration missions that will lead to breakthrough discoveries across our solar system.
• The NASA Transition Authorization Act of 2025 would support NASA’s human spaceflight and exploration to return American astronauts to the Moon, prepare for future journeys to Mars, and develop the next generation of spacesuits.
• The Act would also harmonize research and development of hypersonic technology, unmanned aircraft systems, and advanced air mobility across the Federal Aviation Administration (FAA) and Department of Defense (DOD).

MAR 10 – House: Committee Legislation to Combat the CCP’s Malign Influence, Supply Chain Dominance Sent to the Senate

• The U.S. House of Representatives passed two pieces of legislation to counter the influence and supply chain dominance of the Chinese Communist Party (CCP) in the homeland, the “Decoupling from Foreign Adversarial Battery Dependence Act,” and the “SHIELD Against the CCP Act.”
• The Decoupling from Foreign Adversarial Battery Dependence Act prohibits the Department of Homeland Security (DHS) from using appropriated funds to procure a battery produced by certain Chinese entities starting on October 7, 2027.
• The SHIELD Against the CCP Act establishes a working group within DHS related to countering terrorist, cybersecurity, border and port security, and transportation security threats posed to the United States by the CCP.

MAR 6 – BSA: Business Software Alliance Urges Homeland Security Secretary Noem to refocus CISA’s Mission with Move Away from Developing Guidance

• The Business Software Alliance (BSA) is raising concerns to the Homeland Security Secretary Kristi Noem over guidance developed by the Cybersecurity and Infrastructure Security Agency (CISA), arguing that the agency should refocus its mission on “operational cybersecurity.”
• The BSA recommends that CISA should have “meaningfully engaged with industry cybersecurity experts or focused on its operational cybersecurity mission.”

March 11th Daily Policy Monitoring

MAR 11 – InsideCybersecurity: Trump Picks Forder DOE, NSC Official Plankey for CISA Director

• Sean Plankey is President Trump’s pick to become the next director of the Cybersecurity and Infrastructure Security Agency (CISA), according to a formal list of nominees sent to the Senate today to start the confirmation process.
• Plankey was Principal Deputy Assistant Secretary for the Office of Cybersecurity, Energy Security, and Emergency Response in Trump’s first term.
• If confirmed, Plankey will become CISA’s third Senate-confirmed director, building on the work of Jen Easterly, who served in the role under former President Biden, and Chris Krebs, who Trump selected to lead the agency when it was created in 2018.

MAR 11 – NIST: NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption

• The National Institute of Standards and Technology (NIST) has selected a new algorithm for post-quantum encryption called HQC, which will serve as a backup for ML-KEM, the main algorithm for general encryption.
• HQC is based on a different math than ML-KEM, which could be important if a weakness were discovered in ML-KEM.
• NIST plans to issue a draft standard incorporating the HQC algorithm in about a year, with a finalized standard expected in 2027.

MAR 11 – GAO: Mission Critical Information Technology: Agencies Are Monitoring Selected Acqusitions for Cybersecurity and Provacy Risks

• The U.S. Government Accountability Office (GAO) conducted a study on the acquisition of IT systems and the challenges presented to federal agencies.
• IT acquisitions and management has been identified as a high-risk area since 2015.
• GAO identified 16 IT acquisitions programs critical to agency missions—including national security, public health, and the economy—that are expected to cost at least $50 billion. Seven of the programs identified significant risks associated with cybersecurity and information privacy.

MAR 11 – ISA: Internet Security Alliance, Corporate Directors Release AI Supplement to Cyber Handbook

• The Interent Security Alliance (ISA) and the National Association of Corporate Directors (NACD) have issued a special artificial intelligence risk management supplement to their cyber handbook.
• The ISA and NACD handbook was last updated in 2023 and included a foreward from the former Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.
• The 27-page AI Risk Management supplement includes two sections written by ISA president Larry Clinton and US Bank vice president Murray Kenyon, and a section with 20 questions on AI for board members to ask. Chapters are also written by leaders from the financial, health, and other sectors.

MAR 11 – Coalition: Cyber Insurance Provider Data Shows Compromised Credentials, Software Exploits Drove 2024 Ransomware Attacks

• According to a report from cyber insurance provider Coalition, compromised credentials and software exploits were the top two drivers of ransomware attacks in 2024, accounting for over 75 percent of successful breaches.
• The report highlights the challenges organizations, especially small businesses, face in identifying priorities among the thousands of vulnerabilities published in the MITRE-led Coordinated Vulnerabilities and Exposures library each month.

MAR 10 – NIST: NIST Finalizes Cyber Workforce Framework Update to Include Guidance on Operational Technology Roles

• The National Institute of Standards and Technology (NIST) is incorporating workforce needs for operational technology cybersecurity, as part of a companion resource to the agency’s widely used NICE Workforce Framework for Cybersecurity (NICE Framework).
• The NICE Framework establishes a standard approach and common language for describing cybersecurity work and learner capabilities.
• The NICE Framework was first published in March 2024, and serves as an online companion to the workforce framework that allows NIST to make changes to the work roles, competencies, and associated skills without needing to update the framework.

MAR 10 – DARPA: DARPA Seeks Innovators to Create Revolutionary Tech for National Security

• The Defense Advanced Research Projects Agency (DARPA) Defense Sciences Office (DSO) is hosting a Discover DSO Day (D3) in Chicago, April 23-24.
• The objective of the event is to connect DSO with the science and technology community in the Midwest to help generate world-leading technologies and capabilities for U.S. national security.
• DSO focuses on nascent and emergent technologies that could result in breakthrough capabilities for national security and seeks to demonstrate beyond-state-of-the-art technologies through targeted, high-risk/high-reward development efforts.

MAR 10 – Commerce: Advancing American AI Leadership

• Several organizations have signed a letter to the Secretary of Commerce regarding the shared interest in ensuring that the National Institute of Standards and Technology (NIST) continues to play a vital role in advancing American leadership in artificial intelligence (AI) innovation.
• The coalition has highlighted and encouraged a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.

MAR 10 – House: House Republicans Unveil CR Bill with Tech Wins, Losses

• House Republicans unveiled a spending bill on Saturday that would fund Federal agencies through September 30, setting up a vote on a bill to avoid a government shutdown.
• The six-month funding bill largely tracks with fiscal 2024 spending levels, with some notable exceptions that impact technology and cybersecurity.
• The continuing resolution legislation would increase defense spending by about $6 billlion above fiscal year 2024 levels while cutting non-defense spending by nearly $13 billion. Some of those cuts are related to technology and cybersecurity provisions.

MAR 10 – Fortinet: Fortinet Identified Malicious Packages in the Wild: Insights and Trends from November 2024 Onward

• FortiGuard Labs has analyzed malicious software packages detected from November 2024 to the present, identifying various techniques used to exploit system vulnerabilities.
• The analysis provides insights into the evolving threat landscape and emerging attack methods.
• Fortinet’s automated threat detection platform has identified multiple malicious software packages, revealing various attack techniques used to exploit system vulnerabilities. These analyses show that attackers are employing methods such as obfuscation and install scripts to bypass traditional security measures.

MAR 10 – NCSC: Swiss Critical Sector Faces New 24-Hour Cyberattack Reporting Rule

• Switzerland’s National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery.
• This new requirement was introduced as a response to the increasing number of cybersecurity incidents and their impact on the country.
• The mandate was introduced via an amendment to the Information Security Act (ISA), which will go into effect on April 1, 2025. The law applies to critical service providers such as utilities, local government, and transportation organizations.

MAR 6 – Anthropic: Request for Infromation (RFI) on the Development of an Artifical Intelligence (AI) Action Plan

• Anthropic provided a response to the February 2025 Request for Information (RFI) on the Development of an Artificial Intelligence Action Plan.
• The recommendations encompass two categories: national security imperatives to strengthen U.S. security by safeguarding vital technological infrastructure and intellectual assets from foreign threats; and investments the U.S. government should make to cultivate a robust AI development and deployment ecosystem that fosters American prosperity and ensures that AI-driven economic benefits are widely shared across society.

March 10th Daily Policy Monitoring

MAR 7 – DOJ: New DOJ Proposal Still Calls for Google to Divest Chrome, but Allows for AI Investments

• The US Department of Justice (DOJ) is calling for Google to sell its web browser Chrome, according to a court filing.
• The DOJ first proposed that Google should sell Chrome last year, however, it is no longer calling for the company to divest all its investments in artificial intelligence.
• The proposal follows antitrust suits filed by the DOJ and 38 attorneys general to a rile that Google acted illegally to maintain a monopoly in online search.

MAR 6 – NIST: Guidelines for Evaluating ‘Differential Privacy’ Guarantees to De-Identify Data

• The National Institute of Standards and Technology (NIST) has finalized a publication aimed at helping organizations working with datasets containing personal information to protect the privacy of individuals using an advanced mathematical framework implemented through software.
• The finalized publication expands upon draft guidelines that NIST released last year.

MAR 6 – Center for Cybersecurity Policy and Law: Crosswalk Analysis for Artificial Intelligence Frameworks

• The Center for Cybersecurity Policy and Law has produced a crosswalk comparing artificial intelligence frameworks issued by governments and standards bodies, including the National Institute of Standards and Technology’s (NIST) AI risk management framework.
• The report compares macro-level governance frameworks and micro-level operational frameworks to provide an analysis and recommendations for additional or revised frameworks.

MAR 6 – DOD: Memorandum for Senior Pentagon Leadership Directing Modern Software Acquisition to Maximize Lethality

• All Defense Department components are directed to adopt the Software Acquisition Pathway (SWP) as the preferred pathway for all software development components of business and weapon system programs in the department.
• The SWP was set up during the first Trump administration as part of a broader push for an Adaptive Acquisition Framework that enables the department to procure software differently than it buys hardware.
• The instruction also requires government and contractor software teams to use modern iterative software development methods such as DevSecOps.

UPCOMING EVENTS

MAR 10 – Institute for Critical Infrastructure Technology: Strengthening U.S. Energy Infrastructure Cybersecurity

• The Institute for Critical Infrastructure Technology is hosting a webinar today at 11:00 AM to 12:00 PM.
• The webinar will focus on strengthening the energy sector against cyber risks.

MAR 10 – Billington: 2nd Annual State and Local Cybersecurity Summit

• Billington CyberSecurity is hosting a three-day summit from March 10-12 in Washington, DC.
• The summit will kick off with a cyber harmonization symposium. There are also sessions on the role of public-private partnerships and future harmonization efforts.

MAR 11 – House: Regulatory Harm of Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime

• The House Homeland Security Cyber Subcommittee will hold a hearing on Tuesday, March 11 at 10:00 AM.
• The hearing will cover cyber regulatory harmonization this week featuring stakeholders from telecom, tech, financial, and electric sectors.

MAR 11 – GovExec: Zero Trust, AI Adoption, and Security of Critical Infrastructure Summit

• GovExec and the Merlin Group are hosting a summit on Tuesday, March 11.
• The event will cover zero trust the adoption of AI, and security of critical infrastructure.

MAR 13 – NIST: Cybersecurity Framework Profile for Semiconductor Manufacturing Public Workshop

• The National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence is hosting a workshop on Thursday, March 13 from 8:30 AM – 5:00 PM.
• The workshop will review a draft of a community profile for the NIST cybersecurity framework focused on the semiconductor manufacturing industry.
• The workshop will also gather feedback on the profile and discuss next steps.