April 30th Daily Policy Monitoring

APR 30 – CISA: CISA Adds One Known Exploited Vulnerability to Catalog

• The Cybersecurity and Infrastructure Security Agency (CISA) has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
• The Known Exploited Vulnerability is CVE-2025-31324 SAP NetWeaver Unrestricted File Upload.
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

APR 29 – GSA: GSA Unveils OneGov Strategy to Transform How the Government Buys Goods and Services

• The U.S. General Services Administration (GSA) has launched its OneGov Strategy, which is an initiative aimed at modernizing how the federal government purchases goods and services.
• In the first phase, agencies will gain access to IT tools with standardized terms and pricing.
• This strategy calls for deeper engagement with Original Equipment Manufacturers (OEM’s) to ensure more transparent pricing, streamlined acquisition, and improved cybersecurity protections.
• This initiative supports President Trump’s April 2025 Executive Order on ensuring commercial, cost-effective solutions in federal contracts.

APR 29 – DHS S&T: S&T Modernizing Threat Alerts Using Artificial Intelligence

• The Department of Homeland Security (DHS) Science and Technology (S&T) Directorate currently has several research and development efforts underway to modernize threat alerts using artificial intelligence.
• One of these projects is Kestrel, a cloud-based analytics system that augments existing systems by leveraging AI.
• Kestrel identifies and integrates sensor data and applies AI and existing machine learning analytics and predictive threat modeling to allow operators to evaluate all air and maritime tracks and make more timely predictions.
• Other research and development efforts have been able to identify and flag suspicious activity on land, air, and sea. Other projects have focused on augmenting human-based sensory abilities to enable DHS and other agencies and first responders to avert danger and respond to threats.

APR 29 – House: Mace Opens Hearing on Unlocking Government Efficiency Through IT Modernization

• Nancy Mace, the Chairwoman for the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation delivered opening remarks on a hearing on “Unlocking Government Efficiency Through IT Modernization.”
• In her remarks, she emphasized how the Trump administration and DOGE are taking action to modernize obsolete, legacy IT to ensure government efficiency and effectiveness.
• She also highlighted the Modernizing Government Technology Reform Act, which reforms and reauthorizes the Technology Modernization Fund so that it can continue to be used to assist with IT modernization initiatives moving forward.

APR 29 – FS-ISAC: New Cyberfraud Prevention Framework to Target Rising Financial Crime Threats

• Earlier this month, the FS-ISAC introduced the Cyberfraud Prevention Framework, which was designed to unify cybersecurity and fraud prevention teams to more effectively protect customers and secure the enterprise.
• The Cyberfraud Prevention Framework created a common structure and lexicon, which allows cyber fraud teams to better identify knowledge gaps and synchronize response gaps.
• The Cyberfraud Prevention Framework consists of five phases of a cyber-enabled attack, which include: 1) reconnaissance in which threat actors gather intelligence prepare infrastructure; 2) attackers establish a foothold through phishing, credential stuffing, or exploiting third-party vulnerabilities; 3) positioning, in which criminals manipulate account details or create unauthorized access; 4) execution and initiation of unauthorized transactions; and 5) monetization in which stolen funds are transferred.

APR 29 – Canada: Canadian Centre for Cybersecurity Welcomes Round 2 of NIST’s Digital Signature Scheme Standardization Process

• The first round of the National Institute of Standards and Technology (NIST), with the publication of 40 candidates. For this second round, NIST has reduced the number of candidates to 14 allowing researchers worldwide, including those from the Canadian Centre for Cyber Security, to dedicate more time to examining the remaining schemes.
• Following the release of NIST’s standards for 2 post-quantum digital schemes, the Canadian Centre for Cyber Security released an announcement on the new post-quantum standards.
• The Canadian Centre for Cyber Security also recommends that Canadian organizations review the following publications to make sure they are ready to transition to PQC, once the algorithms are available: Preparing your organization for the quantum threat to cryptography (ITSAP.00.017);  Guidance on becoming cryptographically agile (ITSAP.40.018); Guidance on securely configuring network protocols (ITSP.40.062); and Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)

APR 28 – NTIA: NTIA Comments in Response to FCC Notice of Inquiry on Promoting the Development of Positioning, Navigation, and Timing Technologies and Solutions

• The National Telecommunications and Information Administration (NTIA) has responded to a Notice of Inquiry (NOI) from the Federal Communications Commission (FCC) that sought input on the development of alternative Positioning, Navigation, and Timing (PNT) technologies to complement GPS.
• In the letter, the NTIA agrees with the FCC’s emphasis on incentivizing complements or augmentations to GPS and will work with Federal agencies on how to best accomplish this.
• The NTIA recommends that the FCC adopts a “system of systems” approach to this inquiry to ensure that the Commission can examine a diversity of technologies.

April 29th Daily Policy Monitoring

APR 29 – NSF: Request for Information on the Development of a 2025 National Artificial Intelligence (AI) Research and Development Strategic Plan

• The National Science Foundation (NSF) has published a Request for Information (RFI) on the development of a National Artificial Intelligence (AI) Research and Development (R&D) Strategic Plan.
• The RFI requests input on how the previous administration’s National AI R&D Strategic Plan can be revised so that the United States can secure its position as a leader in AI R&D over the next 3-5 years.
• Through the RFI, the Networking and Information Technology Research and Development (NITRD) National Coordination Office (NCO) encourages the contribution of ideas from the public, AI researchers, industry leaders, and other stakeholders directly engaged in or affected by AI R&D.
• Comments are due on or before 11:59 PM ET on May 29, 2025.

APR 29 – GAO: DHS Implemented a Grant Program to Enable State, Local, Tribal, and Territorial Governments to Improve Security

• The U.S. Government Accountability Office (GAO) released a report on a grant program from the Department of Homeland Security (DHS), which provides funding to state, local, tribal, and territorial (SLTT) governments to address cybersecurity risks.
• The GAO looked at how the SLTT governments plan to use portions of the $172 million in grant money, which included upgrading computer equipment, engaging in cybersecurity contractors, upgrading equipment, and implementing multi-factor authentication. 
• GAO also analyzed requirements for the Federal Emergency Management Agency (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA) in administering the grant program.

APR 29 – OCC: Acting Comptroller of the Currency Discusses Artificial Intelligence

• The Acting Comptroller of the Currency discussed the role of artificial intelligence in financial services at the National Fair Housing Alliance’s Responsible AI Symposium.
• In his remarks, he highlighted the Office of the Comptroller of the Currency’s (OCC) work to ensure AI and other technologies are used ethically and responsibly in the banking industry.

APR 29 – NERC: NERC’s ITCS Canadian Analysis Finds Grid Increasingly Vulnerable

• The North American Electric Reliability Council (NERC) has published its Interregional Transfer Capability Study (ITCS) Canadian Analysis of transfer capability between transmission planning regions and the reliability benefits of enhancing cross-provincial and cross-border transmission.
• The analysis reflects the crucial role that Canadian systems play in the interconnected North American bulk power system and is an unprecedented assessment conducted using a common approach and a consistent set of assumptions.
• The study, which complements NERC’s ITCS published last year, found that Canadian systems are increasingly vulnerable to extreme weather and transmission limitations.

APR 29 – BPI: Testimony on Regulatory Overreach

• Sarah Flowers, Senior Vice President and Senior Associate General Counsel of Regulatory Affairs at the Banking Policy Institute (BPI) testified before the U.S. House Subcommittee on Financial Institutions and Monetary Policy.
• In her testimony, she cautioned against one-size-fits-all regulations that treat all banks as equally risky, regardless of the size and complexity of their business models.
• Flowers also highlights the threat posed by cybersecurity, and highlights that cyber teams focus on compliance-related activities rather than implementing strategic program improvements in the financial sector.

APR 28 – EFF: Chris Krebs Support Letter

• The Electronic Frontier Foundation (EFF) has released a public statement signed by more than 30 prominent cybersecurity professionals and academics in which they condemn what they describe as political retaliation against Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) and his employer, SentinelOne.
• The letter, released Monday, comes following an executive order by President Donald Trump that revoked the security clearances for all SentinelOne employees and ordered a Department of Justice investigation into Krebs’ role during and after his government services.
• The open letter, addressed to the White House and copied to CISA Executive Director Bridget Bean, frames the executive order as retaliatory.
• The group calls for two actions: the reinstatement of security clearances for all SentinelOne employees and the withdrawal of the Justice Department investigation targeting Krebs.

APR 28 – DHS: President Trump Appoints New Members to the Federal Emergency Management Agency Review Council

• President Trump has appointed several new members to the Federal Emergency Management Agency (FEMA) Review Council.
• This FEMA Review Council is a bipartisan group tasked with reforming and streamlining the nation’s emergency management and disaster response system.
• The FEMA Review Council will be co-chaired by Secretary Kristi Noem and Secretary of Defense Pete Hegseth.

APR 28 – CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog

• The Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
• The vulnerabilities include: CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability, CVE-2025-24599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability, CVE-2025-3928 Commvault Web Server Unspecified Vulnerability.
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

April 28th Daily Policy Monitoring

APR 28 – GAO: Broadband Programs: Agencies Need to Further Improve Their Data Quality and Coordination Efforts

• The U.S. Government Accountability Office (GAO) has published a report on federal broadband efforts.
• The report examines agencies’ use of broadband availability information and the extent to which FCC ensures the quality of data in its National Broadband Map and the extent to which agencies’ coordination of broadband funding programs aligns with GAO’s leading practices for interagency collaboration.
• GAO reviewed documents and interviewed officials from FCC and other broadband funding agencies. GAO compared FCC’s practices for ensuring the quality of information in its National Broadband Map against relevant federal internal control standards and interagency coordination efforts with leading practices for interagency coordination.
• GAO made 14 recommendations, including that FCC document and evaluate the effectiveness of its processes for ensuring the quality of the National Broadband Map’s data, and that FCC, NTIA, USDA, and Treasury clearly define and document certain aspects of their coordination. FCC, NTIA, and Treasury agreed with GAO’s recommendations.

APR 28 – DARPA: DARPA, State of Maryland Sign Agreement to Propel Quantum Research

• The Defense Advanced Research Projects Agency (DARPA) and the State of Maryland have established a cooperative effort, the Capital Quantum Benchmarking Hub.
• The Capital Quantum Benchmarking Hub will test and evaluate quantum computing prototypes and systems for national security and commercial applications.
• The Capital Quantum Benchmarking Hub is part of DARPA’s Quantum Benchmarking Initiative (QBI), and will be based in the University of Maryland’s Applied Research Laboratory for Intelligence and Security (ARLIS), a university-affiliated research center.
• This effort will help inform DARPA’s benchmarking efforts by providing unbiased assessments of participating commercial companies.

APR 28 – FCC: FCC Begins Review of Decades-Old Spectrum Sharing Rules to Unleash the Power of Space Innovation

• The Federal Communications Commission (FCC) initiated a review of the decades-old spectrum sharing regime between different types of satellite systems.
• The Notice of Proposed Rulemaking adopted today begins a formal proceeding to enable greater and more intensive use of spectrum for space activities in the U.S.
• In this proceeding, the FCC will look to update power restrictions for the use of the workhorse satellite frequencies that support the next generation of satellite broadband constellations in Low-Earth Orbit.

APR 28 – SentinelOne: Report on What it Takes to Defend a Cybersecurity Company from Today’s Adversaries

• SentinelOne’s SentinelLabs has released a report which examines some of the biggest threats that cybersecurity companies are facing.
• According to the report, some of the biggest threats to cybersecurity companies include ransomware and Chinese government-sponsored hackers and North Korean IT workers posing as job applicants.
• SentinelOne reported to have observed and defended against a spectrum of attacks including North Korean IT workers posing as job applicants; ransomware operators probing for ways to access/abuse the SentinelOne platform; and Chinese state-sponsored actors targeting organizations aligned with our business and customer base.

APR 28 – NextGov: The Army has Rolled Out a Generative AI Workspace to Improve Daily Operations

• The Army has rolled out a new generative-AI workspace that enables users to apply large language models to daily tasks to boost productivity.
• The service takes a lot of compute power and storage, so the service has also been working to streamline how it handles cloud services and contracts.
• With the service, the Army was able to formulate about 300,000 personnel descriptions in a week using LLMs, which take a human about ten minutes to review each description. This would amount to about 50,000 hours or 5.7 years of working around the clock.
• The Army previewed plans for a generative AI pilot program last year.

APR 23 – Verizon: 2025 Data Breach Report

• Small and large organizations were the most commonly hacked using stolen credentials, according to Verizon’s annual data breach report, but ransomware is still impacting small businesses at a much higher rate.
• The latest iteration of Verizon’s annual data breach report capitalizes on the company’s significant visibility into the threat landscape, specifically analyzing incidents that took place between November 1, 2023, and October 31, 2024.
• The report dives into takeaways from over 22,000 security incidents, “of which 12,195 were confirmed data breaches that occurred inside organizations of all sizes and types,” compiled from the Verizon Threat Research Advisory Center’s file, contributing organizations from around the globe, and publicly disclosed events.

UPCOMING EVENTS

APR 28 – RSA: RSA Conference 2025

• The RSA Conference kicks off today, April 28 and runs through Thursday, May 1.
• The agenda includes keynotes from Homeland Security Secretary Noem and National Security Council senior director Alexei Bulazel to National Cyber Director to Chris Inglis, former acting NCD Kemba Walden and former CISA directors Jen Easterly and Chris Krebs.
• Noem speaks on Tuesday in a keynote session on “Making America Safe Again through Cyber Defense,” with Jose-Marie Griffiths, president of South Dakota State University.

APR 29 – House: Hearing on Shaping the Future of Cyber Diplomacy: Review for State Department Reauthorization

• The House Foreign Affairs Subcommittee on Europe is holding a hearing on Tuesday, April 29 at 2:00 PM.
• The meeting will cover the future of cyber diplomacy in the context of State Department reauthorization.
• Witnesses include Annie Fixlet of the Foundation for Defense of Democracies, Latesha Love-Grayer of the Government Accountability Office and Theodore Nemeroff, a former policy planning staffer at State.

APR 29 – House: Hearing on Unlocking Government Efficiency Through IT Modernization

• The House Oversight Cyber Subcommittee is holding a hearing on Tuesday, April 29 at 2:00 PM. 
• The hearing will cover federal IT modernization, following subcommittee Chairwoman Nacy Mace’s April 24 reintroduction of a bill to reauthorize and reform the Technology Modernization Fund.
• The witnesses are former federal Chief Information officer Suzette Kent and former deputy federal CIOs Margie Graves and Maria Roat.

APR 29 – House: Full Committee Markup of H.R. 2984, H.R. 2600, H.R. 2313, H.R. 2313, H.R. 2613, H.R. 1223

• The House Science Committee is meeting on Tuesday, April 29 at 10:00 AM for a markup on six bills.
• These bills include “Accelerating Networking, Cyberinfrastructure, and Hardware for Oceanic Research (ANCHOR) Act,” which would require the National Science Foundation to plan improvements for cybersecurity capabilities of the U.S. Academic Research Fleet of oceanographic vessels.

APR 30 – House: Hearing on The Need for an Authorized State Department Hearing

• The full House Foreign Affairs committee is convening for a hearing on Wednesday, April 30 at 10:00 AM.
• The hearing will cover broader considerations for State Department reauthorization.
• Lawmakers on the panel will hear from former State officials James Jeffrey and David Hale, as well as Uzra Zeya of Human Rights First.

APR 30 – House: Hearing on Global Networks at Risk and Securing the Future of Telecommunications Infrastructure

• The House Energy and Commerce Communications and Technology Subcommittee is holding a hearing on Wednesday, April 30 at 10:00 AM.
• The hearing will cover telecom cybersecurity and will include industry witnesses addressing national security in the context of network resilience.

APR 30 – Atlantic Council: Microsoft’s Brad Smith on Digital Resilience During Geopolitical Volatility

• The Atlantic Council is hosting an event on Wednesday, April 30.
• The event will cover the intersection of digital resilience and geopolitics with Microsoft vice chair and President Brad Smith.