June 13th Daily Policy Monitoring

JUN 12 - Commerce: President Trump Secures $200B Investment from Micron Technology for Memory Chip Manufacturing in the United States

• The Department of Commerce announced that Micron Technology, Inc., the leading American semiconductor memory company, plans to invest $200 billion in semiconductor manufacturing and R&D to dramatically expand American memory chip production.
• Micron's Dynamic Random Access Memory (DRAM) technology powers artificial intelligence, high-performance computing, automotive, and next-generation wireless devices.
• Currently all DRAM production occurs overseas, primarily in East Asia, and Micron is planning to build new chip fabrication facilities in the U.S. to improve supply chain resiliency for automotive markets, industrial markets, and the defense industrial base.
• The Department of Commerce previously awarded up to $6.165 billion in CHIPS Act direct funding on December 10, 2024, as part of Micron's commitment to build three fabrication facilities in Idaho and New York.
• The expanded investment of $200 billion is accompanied by up to $275 million in incremental CHIPS Act direct funding and is projected to create 90,000 jobs.

JUN 12 - House Homeland Security Cyber Subcommittee: Hearing on Securing AI to Strengthen Cybersecurity

• The House Homeland Security Cyber Subcommittee heard testimony on June 12 regarding the importance of securing AI models in order to protect America's national and economic security.
• Subcommittee leaders highlighted chained legacy and AI-powered systems which present a vulnerability that allows threat actors to achieve persistent, stealthy access to systems.
• Research on critical weaknesses has shown that as AI models become more capable, their attack surface grows and they become more exploitable.
• Leaders note that securing AI models is foundational to national cybersecurity and that urgent, enforceable guardrails are needed now.
• Leaders reported on the fourfold increase in DDoS attacks from 2023 to 2024 with Microsoft mitigating 1.25 million DDoS attacks in 2024.

JUN 11 - NIST: NIST and Partners Use Quantum Mechanics to Make a Factory for Random Numbers

• The National Institute of Standards and Technology (NIST) and its partners at the University of Colorado Boulder built the first random number generator that uses quantum entanglement to produce verifiable random numbers.
• The work has applications in deploying truly random numbers to produce secure keys in cryptographic systems.
• Classical computer algorithms can only create pseudo-random numbers and it is possible for someone to predict the next number with enough knowledge of the algorithm or system.
• The new technology utilizes pairs of "entangled" photons whose properties are correlated even when separated by vast distances, allowing researchers to measure the random outcomes of individual particles and use their correlation to verify the randomness.
• In the first 40 days of operating the system, the protocol produced random numbers 7,434 times out of 7,454 attempts, a 99.7% success rate.

June 12th Daily Policy Monitoring

JUN 12 - GAO: IT Systems Annual Assessment: DOD Needs to Improve Performance Reporting and Cybersecurity Planning

• The Government Accountability Office (GAO) assessed the Department of Defense (DOD) plans to spend $10.9 billion to maintain its IT business programs in FYs 2023-2025.
• GAO reviewed 24 of the DOD IT business plans, finding that DOD didn't report required performance measures on all of them, 2 programs didn't have a strategy in place to reduce cybersecurity threats, and that 4 programs hadn't developed plans to implement a more rigorous cybersecurity approach (zero trust architecture) by the 2027 deadline.
• GAO found that of the 19 programs that identified metrics, one program met all performance targets, 17 programs met at least one target, and one program met no targets.
• GAO is recommending that DOD address the five recommendations previously made that have not yet been implemented from prior annual assessment reviews and is making one new recommendation to ensure IT business programs identify and report results data on the minimum required number of categories of performance metrics.
• DOD officials reported cost and schedule changes to 14 IT business programs, including 12 programs that reported cost increases of $6.1 million to $815.5 million and 7 programs that reported a schedule delay ranging from 3 months to 48 months.

JUN 12 - SEC: Notice of No Objection to Advance Notices To Host Certain Core Clearance and Settlement Systems in a Public Cloud

• The Securities and Exchange Commission (SEC) is announcing that there are no objections to hosting a specified set of core clearance, settlement, and risk applications on an on-demand network of configurable IT resources running on a public cloud infrastructure hosted by a single, third-party service provider.
• The SEC published notice of the Advance Notices in the Federal Register on September 4, 2024 to solicit public comment and received no comments regarding the Advanced Notices.
• The SEC requested on December 5, 2024 that the Clearing Agencies provide it with additional information regarding the Advance Notices, which tolled the Commission's period of review of the Advance Notices until 120 days from the date the requested information was received from the Commission.
• The Clearing Agencies, which are the only entities providing central counterparty or central securities depository services in the U.S. equity and government security markets, currently operate their core systems within private, on-premises data centers.
• The Clearing Agencies now propose to host a specified set of systems on an on-demand network of configurable information technology resources running on the Cloud hosted by a single, third-party Cloud Service Provider.

JUN 11 - NIST: NIST Offers 19 Ways to Build Zero Trust Architectures

• The National Institute of Standards and Technology (NIST) published guidance on implementing Zero Trust Architecture (ZTA), describing 19 example implementations of ZTAs built using commercial, off-the-shelf technologies.
• The traditional approach to cybersecurity, built around the idea of soley securing a perimeter, has given way to the zero trust approach of continously evaluating and verifying requests for access.
• This guidance provides organizations with examples of how to deploy ZTAs and emphasizes the different technologies needed to implement them, serving as a foundational starting point for any organization constructing its own ZTA.
• The publication is a comprehensive document that details the problem and solutions to it, referencing how the documented solutions map to various cybersecurity frameworks, chiefly those in the NIST Cybersecurity Framework and NIST SP 800-53.
• The NIST National Cybersecurity Center of Excellence (NCCoE) partnered with 24 industry collaborators, including several major tech companies, and spent 4 years installing, configuring, and troubleshooting the example implementations.

JUN 10 - FCC: FCC Announces Hurricane Season Resiliency Roundtable

• The Federal Communications Commission (FCC) announced that it will host a Hurricane Season Resiliency Roundtable, led by the Public Safety and Homeland Security Bureau, on Monday, July 7 from 9:30 a.m. to 12:30 p.m. ET.
• The roundtable will include three panel sessions and will focus on collaboration between communications providers, electric utilities, and emergency management officials.
• Panel 1, Challenges to Response and Recover of Power and Communications Outages in the Aftermath of a Hurricane, will discuss the most common and pressing on-the-ground challenges for communications providers and electric utilities in coordinating and restoring service after a hurricane.
• Panel 2, Current Government, Intra-Industry, and Cross-Industry Partnerships, will focus on existing collaboration between power and communications stakeholders to respond to threats to power and communications infrastructure posed by hurricanes and what opportunities may exist for further collaboration.
• Panel 3, The Advance Preparation Frameworks for Power and Communications Outages, will examine best practices and established preparatory frameworks that have demonstrated effectiveness in speeding up recovery or minimizing damage to power and communications infrastructure after a hurricane.

MAY 30 - OMB: Technical Supplement to the 2026 Budget

• The Office of Management and Budget (OMB) released the Technical Supplement to the 2026 Budget, which serves as an appendix to the May 2 release of the President's recommendations on discretionary funding levels for the Fiscal Year 2026 Budget ("Skinny Budget").
• The Technical Supplement to the 2026 Budget includes various tables and schedules that support the budget, detailing the work to be performed and the financial resources required for each program and agency, and includes cybersecurity as a major cross-cut issue.
• The Technical Supplement to the 2026 Budget detailed a projected workforce decrease for the Cybersecurity and Infrastructure Security Agency (CISA) from 3,292 employees to 2,324 for the 2026 fiscal year, and a budget decrease from $2.38 billion to $1.96 billion as reflected in the CISA budget justification document.
• Beyond CISA, the Department of Energy's Office of Cybersecurity, Energy Security and Emergency Response, will have a budget decrease from $222 million to $179 million; the General Services Administration (GSA) funding for Information Technology will decline from $225 million to $217 million; and the White House's Office of the National Cyber Director (ONCD) will lose $2 million in funding.
• The Administration's FY2026 Budget puts civilian cybersecurity spending $400 million above FY2023 and in line with the original FY2024 budget. 

June 11th Daily Policy Monitoring

JUN 11 – GAO: Cybersecurity: Network Monitoring Program Needs Further Guidance and Actions

• The U.S. Government Accountability Office (GAO) released a report analyzing the effectiveness of the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program, which gives agencies cybersecurity tools to strengthen the networks and systems they use to meet their missions.
• The CDM program aims to reduce exposure to insecure configurations or known vulnerabilities, improve federal cybersecurity response capabilities, increase visibility into the federal cybersecurity posture, and streamline the Federal Security Modernization Act of 2014 (FISMA) reporting.
• The GAO highlighted that the CDM program has met two of its goals by reducing exposure to insecure configurations and known vulnerabilities and providing incident response capabilities, but the program currently lacks plans for how agencies can fully implement CDM tools for network security management.
• The GAO recommends that DHS and CISA issue guidance on implementing network security and data protection capabilities, address data quality issues, implement an endpoint solution, and issue updated guidance on cloud asset management.
• The GAO identified that nearly 22 of 23 agencies reported that the CDM program was helpful in reducing exposure to insecure configurations and known vulnerabilities, and 21 of 23 agencies reported that they had not fully implemented network security and data protection capabilities citing lack of guidance as contributing to the slow implementation.

JUN 10 – FS-ISAC: DDOS Attackers Increase Targeting of Global Financial Sector, According to FS-ISAC and Akamai Report

• The FS-ISAC and Akamai Technologies Inc released a joint annual report analyzing the strategic threat posed by the escalating number and sophistication of distributed denial-of-service (DDoS) attacks and their impact on customer trust, operations, and profitability in financial services.
• The report identified that DDoS attacks in the financial sector are increasingly attributed to more sophisticated, precise attackers that are focused on financial firms' infrastructure. 
• The report identified the widespread use of DDoS-for-Hire services targeting the financial sector disguises attackers, making it difficult to identify cyber criminals’ motivation and develop mitigation plans.
• The FS-ISAC and Akamai developed a five-level DDoS Maturity Model detailing DDoS-relevant characteristics, defensive capabilities, and risks to help financial institutions assess their ability to withstand DDoS attacks.
• DDoS attacks against the financial sector increased 23% between 2023 and 2024, with DDoS attacks on the financial services sector increasing significantly in the Asia Pacific region, accounting for 38% of all volumetric attacks, up from 11% in 2023.

JUN 6 – NTIA: Broadband Equity, Access, and Deployment Program Policy Notice

• The National Telecommunications and Information Administration (NTIA) released a Policy Notice regarding the Broadband Equity, Access, and Deployment (BEAD) Program, a program providing $42.45 billion of funding to achieve high-speed broadband access throughout the United States.
• The Policy Notice modifies and replaces certain requirements outlined in the BEAD Notice of Funding Opportunity (NOFO), which NTIA originally released under the previous administration in May 2022.
• The Policy Notice specifically eliminates non-statutory requirements related to affordability, labor and workforce, and climate resiliency; but maintains cybersecurity requirements as well as efforts to improve investments in broadband technologies.
• The Policy Notice adopts a technology-neutral approach, eliminating the NOFO’s three-tier structure for prioritizing technology.
• Congress adopted the Infrastructure Investment and Jobs Act (IIJA), which provides funding for robust investment in American infrastructure projects and establishes the BEAD program, allocating $42.45 billion to the program. 

June 10th Daily Policy Monitoring

JUN 9 – GSA: GSA Expands Transactional Data Reporting for Smarter Purchasing

• The U.S. General Services Administration (GSA) announced the expansion of Transactional Data Reporting (TDR), which increases transparency around what the government is buying and how much its paying for goods and services.
• TDR is how GSA gathers data on prices paid for products and services sold through the Multiple Award Schedule. It also removes the burden of traditional sales reporting and tracking prices while enhancing data capabilities to improve service and reduce costs to the government.
• The expansion begins with 62 new product and cloud services Special Item Numbers at the end of June 2025.
• The expansion will expand to all Special Item Numbers beginning in FY 2026.

JUN 4 – House: Systemic Risk Authority Transparency Act

• The Systemic Risk Authority Transparency Act, introduced in the House on June 14, 2023, requires banking regulators to report to Congress after the failure of an insured depository institution that triggers a systemic risk determination.
• The bill requires banking regulators to submit a report to Congress in the event of the failure of an insured depository institution that leads to a systemic risk determination by the Department of the Treasury.
• Regulators must report confidential supervisory information relating to the institution, any institutional mismanagement by executives and the board, any shortcomings by the regulator, and recommendations to improve the safety and soundness of similarly situated institutions.
• The bill also requires the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, Government Accountability Office (GAO), and the Office of the Comptroller of the Currency (OCC) to submit information about bank supervision regulation, management, and recommendations to improve the safety and soundness of the industry.
• This bill aims to ensure transparency by requiring detailed reports to Congress within 60 days and again at 180 days after a systemic risk determination, outlining mismanagement, regulatory failures, and recommended improvements.

June 9th Daily Policy Monitoring

JUN 9 – NIST: Information Security and Privacy Advisory Board Meeting

• The National Institute of Standards and Technology (NIST) announced an open meeting of the Information Security and Privacy Advisory Board (ISPAB) on Wednesday, July 16 from 10:00 AM until 4:30 PM, and Thursday, July 17 from 10:00 AM until 4:30 PM.
• The ISPAB reports directly to the Director of NIST and reports annually to the Secretary of Commerce, the Secretary of Homeland Security, the Director of the Office of Management and Budget, the Director of the National Security Agency, and committees of Congress.
• The ISPAB identifies emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy.
• The final agenda, posted on the NIST website, includes the following items: an update from NIST’s Information Technology Laboratory (ITL) Director on ITL activities, a briefing on NIST’s Work in Digital Ledger Technologies, an update on NSIT post quantum cryptographic guidance, a briefing on the Department of Defense’s Software Fast Track Initiative (SWFT), and an update from NIST’s Computer Security Division.

JUN 6 – White House: Executive Order on Strengthening the National Cybersecurity and Amending Executive Orders

• The White House released an Executive Order (EO) titled; Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144.
• The EO eliminates proposed contract requirements from the Biden Administration for self-attestation and developing contract language but leaves in requirements for NIST to develop guidance.
• The EO will establish a consortium to develop guidance on the implementation of secure software development, security, and operations practices based on NIST Special Publication 800-218 Secure Software Development Framework (SSDF).
• The EO also requires NIST to publish a preliminary update to the SSDF by December 1.
• The EO also eliminates a section from the Biden Administration’s directive on “Promoting Security with Artificial Intelligence,” that had directed agencies to explore using AI to enhance the cyber defense of critical infrastructure and establish a program for using advanced models for cyber defense, while also researching secure AI systems.

JUN 4 – NIST: Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

• The National Institute of Standards and Technology (NIST) published a draft update to supply chain guidance on developing security plans for systems using common elements to promote consistency across an organization or mission set.
• The system security plan, system privacy plan, and cybersecurity supply chain risk management plan—collectively referred to as the system plans—consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems.
• The revision includes insights into the development of a consolidated system plan that encompasses security, privacy, and cybersecurity supply chain risk management plan elements; considerations for automating the development and maintenance of systems plans using information management tools.
• The public comment period is open through July 30, 2025.