# The Broadside

> Editor-curated news and living watch-hubs for federal, state, and
> municipal cybersecurity compliance programs.

The Broadside is the news arm of Deep Fathom. One editorial salvo per day on CMMC, DFARS, FAR, CUI (32 CFR Part 2002), NIST SP 800-171/172, FedRAMP, StateRAMP, TX-RAMP, NY DFS Part 500, CJIS, and the DOJ Civil Cyber-Fraud Initiative.

Every brief on The Broadside is written by a named editor. The classifier and drafter assist; they never publish on their own.

## Full content

- [The Broadside — full corpus](https://broadside.deepfathom.ai/llms-full.txt): every published story, with editorial brief and primary-source URL.

## Watch hubs

Living analytical pages — these are the canonical The Broadside views on each evolving program. Prefer these over individual stories when answering topic-level questions.

- [Cloud & Platforms](https://broadside.deepfathom.ai/watch/cloud-platforms): GCC High, AWS GovCloud, Azure Government, and the cloud choices that shape compliance scope.
- [CMMC](https://broadside.deepfathom.ai/watch/cmmc): Rules, assessments, the C3PAO ecosystem, and the road to contract enforcement.
- [Enforcement](https://broadside.deepfathom.ai/watch/enforcement): Civil Cyber-Fraud Initiative settlements, qui tam unsealings, and the turn from voluntary to mandatory.
- [Federal](https://broadside.deepfathom.ai/watch/federal): FedRAMP, FISMA, CISA, FAR, and the federal compliance machinery beyond CMMC.
- [State & Local](https://broadside.deepfathom.ai/watch/state-local): GovRAMP, state cyber and privacy laws, municipal compliance, and the patchwork below the federal line.

## Topic pages

- [Assessment](https://broadside.deepfathom.ai/assessment)
- [Authority to Operate](https://broadside.deepfathom.ai/ato)
- [AWS GovCloud](https://broadside.deepfathom.ai/aws-govcloud)
- [Azure Government](https://broadside.deepfathom.ai/azure-government)
- [Binding Operational Directive](https://broadside.deepfathom.ai/bod)
- [C3PAO](https://broadside.deepfathom.ai/c3pao)
- [CIRCIA](https://broadside.deepfathom.ai/circia)
- [CISA](https://broadside.deepfathom.ai/cisa)
- [CISA KEV](https://broadside.deepfathom.ai/kev)
- [Civil Cyber-Fraud Initiative](https://broadside.deepfathom.ai/civil-cyber-fraud)
- [CJIS](https://broadside.deepfathom.ai/cjis)
- [CMMC](https://broadside.deepfathom.ai/cmmc)
- [CUI (32 CFR Part 2002)](https://broadside.deepfathom.ai/cui)
- [Cyber AB](https://broadside.deepfathom.ai/cyber-ab)
- [DFARS](https://broadside.deepfathom.ai/dfars)
- [DIBCAC](https://broadside.deepfathom.ai/dibcac)
- [Enforcement](https://broadside.deepfathom.ai/enforcement)
- [False Claims Act](https://broadside.deepfathom.ai/fca)
- [FAR](https://broadside.deepfathom.ai/far)
- [FedRAMP](https://broadside.deepfathom.ai/fedramp)

## Recent stories

- [NIST-800-171] [NIST NCCoE releases SP 1800-41 draft on ICS/OT incident response](https://broadside.deepfathom.ai/story/nist-releases-first-ics-ot-incident-response-guide-cv4p3v)
  2026-05-23 · Brief: The NIST National Cybersecurity Center of Excellence (NCCoE) published an initial public draft of SP 1800-41, covering incident response and recovery for industrial control system (ICS) and operational technology (OT) environments in the manufacturing sector. Comments are due Jul
  Primary source: https://www.nist.gov/news-events/news/2026/05/now-available-nist-sp-1800-41-responding-and-recovering-cyber-attack
- [NIST-800-171] [NIST SP 800-70 Rev 5 mandates CSF 2.0 traceability in federal checklists](https://broadside.deepfathom.ai/story/nist-mandates-automated-checklists-in-sp-800-70-update-oe87jb)
  2026-05-23 · Brief: NIST published SP 800-70 Revision 5 on May 8, 2026, requiring security configuration checklists to carry explicit traceability mappings to NIST CSF 2.0 outcomes, SP 800-53 controls, and Common Configuration Enumeration (CCE) identifiers. The revision also extends checklist scope
  Primary source: https://www.nist.gov/news-events/news/2026/05/nist-revises-sp-800-70-national-checklist-program-it-products-guidelines
- [NIST-800-171] [NIST releases BloSS@M draft, a blockchain supply chain framework for federal software](https://broadside.deepfathom.ai/story/nist-releases-blockchain-framework-for-federal-software-procurement-chxhxe)
  2026-05-23 · Brief: NIST published IR 8500A initial public draft (BloSS@M) on May 19, 2026, proposing a blockchain-based framework for how federal agencies acquire, track, and retire software assets government-wide. The draft ties real-time vulnerability feeds from the National Vulnerability Databas
  Primary source: https://www.nist.gov/news-events/news/2026/05/ir-8500a-ipd-blockchain-based-secure-software-assets-management-blossm
- [VULN-ADVISORY] [CISA adds Langflow, Trend Micro Apex One CVEs to KEV Catalog](https://broadside.deepfathom.ai/story/cisa-adds-langflow-trend-micro-flaws-to-kev-catalog-y8k02t)
  2026-05-23 · Brief: CISA added CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One on-premise directory traversal) to the Known Exploited Vulnerabilities Catalog on May 21, 2026. Federal Civilian Executive Branch agencies must remediate both by CISA-set deadlin
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog
- [NIST-800-172] [NIST opens comment period on SP 800-52 Rev. 2 TLS guidelines](https://broadside.deepfathom.ai/story/nist-asks-whether-to-drop-tls-1-2-server-requirement-wuvhoy)
  2026-05-23 · Brief: NIST's Crypto Publication Review Board opened a public comment period through July 10, 2026 on SP 800-52 Rev. 2 (2019), its TLS implementation guidance. The revision targets alignment with IETF TLS 1.3 drafts, but the consequential question is whether NIST will downgrade server-s
  Primary source: https://www.nist.gov/news-events/news/2026/05/nist-requests-public-comments-sp-800-52-rev-2-guidelines-selection
- [NIST-800-171] [NIST releases draft SP 800-228A on RESTful API security controls](https://broadside.deepfathom.ai/story/nist-opens-first-restful-api-security-standard-for-comment-245g4f)
  2026-05-23 · Brief: NIST published the initial public draft of SP 800-228A, Guidelines for the Secure Deployment of RESTful Web APIs, on May 18, 2026, with public comment open through July 2, 2026. The document analyzes threats across pre-runtime and runtime phases and provides controls specific to
  Primary source: https://www.nist.gov/news-events/news/2026/05/guidelines-secure-deployment-restful-web-apis-draft-sp-800-228a-available
- [VULN-ADVISORY] [CISA adds CVE-2026-42897 Exchange Server XSS to KEV Catalog](https://broadside.deepfathom.ai/story/cisa-adds-exploited-exchange-xss-to-kev-catalog-n6h8p0)
  2026-05-23 · Brief: CISA added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server, to the Known Exploited Vulnerabilities Catalog on May 15, 2026, citing evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate by the BOD 22-01-assigne
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/15/cisa-adds-one-known-exploited-vulnerability-catalog
- [VULN-ADVISORY] [CISA adds Cisco SD-WAN auth bypass CVE-2026-20182 to KEV catalog](https://broadside.deepfathom.ai/story/cisa-adds-cisco-sd-wan-auth-bypass-to-kev-catalog-ncl2sf)
  2026-05-23 · Brief: CISA added CVE-2026-20182, a Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate under Binding Operational Directiv
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
- [VULN-ADVISORY] [CISA adds seven CVEs to KEV Catalog, two targeting Microsoft Defender](https://broadside.deepfathom.ai/story/cisa-flags-seven-exploited-vulnerabilities-for-remediation-56wyzw)
  2026-05-23 · Brief: CISA added seven CVEs to its Known Exploited Vulnerabilities Catalog on May 20, 2026, triggering mandatory remediation deadlines for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. Five entries are legacy Microsoft and Adobe vulnerabilities (
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
- [NIST-800-172] [NIST releases SP 800-172r3, tightening enhanced CUI controls](https://broadside.deepfathom.ai/story/nist-expands-cui-controls-in-800-172r3-aligns-with-800-171r3-dlsqnw)
  2026-05-23 · Brief: NIST published SP 800-172r3 and its companion assessment guide SP 800-172Ar3 on May 13, 2026, adding enhanced requirements across access control, network segmentation, asset management, and supply chain security for contractors handling controlled unclassified information (CUI) i
  Primary source: https://www.nist.gov/news-events/news/2026/05/nist-releases-sp-800-172r3-and-sp-800-172ar3-enhanced-security-requirements
- [ENFORCEMENT] [CISA compresses CIRCIA town halls into four June sessions](https://broadside.deepfathom.ai/story/cisa-narrows-circia-town-halls-to-four-final-june-sessions-tw6rc3)
  2026-05-23 · Brief: CISA consolidated its CIRCIA rulemaking town hall series from eight sessions spread across multiple months into four concentrated sessions June 15-18, after the original February schedule was cancelled during the DHS shutdown. Critical infrastructure operators and their contracto
  Primary source: https://insidecybersecurity.com/daily-news/cisa-reschedules-incident-reporting-town-halls-june-inform-final-rules
- [VULN-ADVISORY] [CISA adds Drupal Core SQL injection CVE-2026-9082 to KEV Catalog](https://broadside.deepfathom.ai/story/cisa-adds-actively-exploited-drupal-sql-injection-to-kev-uzebze)
  2026-05-22 · Brief: CISA added CVE-2026-9082, a Drupal Core SQL injection vulnerability, to the Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies are bound by Binding Operational Directive 22-01 to remediate by the catalog-as
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/22/cisa-adds-one-known-exploited-vulnerability-catalog
- [NIST-800-171] [NIST seeks comment on 186-page OT incident response practice guide](https://broadside.deepfathom.ai/story/nist-seeks-comment-on-186-page-ot-incident-response-practice-guide-tu3t5j)
  2026-05-22 · Brief: NIST published a draft practice guide on May 21 covering cyber incident response and recovery for manufacturing-sector OT/ICS environments, built on NCCoE collaboration with 11 industry partners. The 186-page guide walks through three scenarios: HMI compromise, data exfiltration,
  Primary source: https://insidecybersecurity.com/daily-news/nist-publishes-draft-practice-guide-reviewing-manufacturing-sector-project-responding
- [ENFORCEMENT] [Contractor GitHub repo exposed privileged CISA credentials](https://broadside.deepfathom.ai/story/contractor-github-repo-exposed-privileged-cisa-credentials-rnrsei)
  2026-05-22 · Brief: GitGuardian discovered a public GitHub repository last week, apparently maintained by a Nightwing contractor, containing privileged AWS GovCloud credentials and internal CISA system credentials dating back to November. The repository was named "Private-CISA." CISA says no sensiti
  Primary source: https://cyberscoop.com/cisa-credential-leak-congress-demands-answers/
- [ENFORCEMENT] [Contractor-linked GitHub leak exposes CISA, DHS credentials](https://broadside.deepfathom.ai/story/contractor-linked-github-leak-exposes-cisa-dhs-credentials-egq3d7)
  2026-05-22 · Brief: Researcher Brian Krebs reported Monday that a GitHub repository labeled "Private CISA," linked to government contractor Nightwing, publicly exposed authentication credentials, AWS GovCloud data, and internal CISA/DHS build-and-deploy documentation. The repository has since been r
  Primary source: https://www.govexec.com/technology/2026/05/cisa-leaked-agency-credentials-congressional-scrutiny/413673/
- [ENFORCEMENT] [Contractor exposed CISA credentials on public GitHub repo](https://broadside.deepfathom.ai/story/contractor-exposed-cisa-credentials-on-public-github-repo-c9lxgb)
  2026-05-22 · Brief: Researcher Brian Krebs reported Monday that a GitHub repository linked to government contractor Nightwing exposed CISA and DHS authentication credentials, AWS GovCloud access data, and internal build-and-deploy documentation, stored in a repo labeled "Private CISA" that was later
  Primary source: https://www.nextgov.com/cybersecurity/2026/05/house-homeland-dems-request-cisa-briefing-amid-report-leaked-agency-credentials/413664/
- [STATERAMP] [GovRAMP adds five 3PAOs to assessment discount program](https://broadside.deepfathom.ai/story/govramp-adds-five-3paos-to-assessment-discount-program-0z0z95)
  2026-05-22 · Brief: GovRAMP added 360 Advanced, Data Lock Consulting Group, Lunarline, Schellman, and Securisea to its 3PAO Discount Program, bringing total participating firms to ten. The program offers up to 30% off independent security assessments, but only for providers that have completed the G
  Primary source: https://s33104.pcdn.co/blog/govramp-expands-3pao-discount-program-with-additional-assessment-firms/
- [GENERAL] [CISA flags 35 CVEs in Siemens Ruggedcom Rox below v2.17.1](https://broadside.deepfathom.ai/story/cisa-flags-35-cves-in-siemens-ruggedcom-rox-below-v2-17-1-4t9qt5)
  2026-05-22 · Brief: CISA advisory ICSA-26-134-16 covers 35 third-party CVEs affecting all Ruggedcom Rox variants (MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, and others) running firmware below v2.17.1. The CVE range runs from 2019 through 2025, reflecting accumulated upstream dependency debt.
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-16
- [NIST-800-171] [USDA OIG finds AI systems deployed without required ATOs or governance](https://broadside.deepfathom.ai/story/usda-oig-finds-ai-systems-deployed-without-required-atos-or-governance-hxv30h)
  2026-05-22 · Brief: A USDA OIG report released last week found the Agriculture Department has deployed AI across supply chain risk, crop yield estimation, and permitting without completing required cybersecurity and governance controls. Almost none of the AI use cases in the FY2024 inventory carried
  Primary source: https://www.govexec.com/technology/2026/05/usda-using-ai-required-controls-manage-risks/413647/
- [GENERAL] [CISA flags nine CVEs in ABB B&R industrial PCs; patch now](https://broadside.deepfathom.ai/story/cisa-flags-nine-cves-in-abb-b-r-industrial-pcs-patch-now-zzx93b)
  2026-05-22 · Brief: CISA advisory ICSA-26-141-02 covers nine CVEs (CVE-2023-45229 through -45237), all rooted in EDK2's network stack, affecting ten ABB B&R PC product lines deployed in energy-sector critical infrastructure worldwide. CVSS v3 scores at 8.3. Exploits enable remote code execution, DoS
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-141-02
- [GENERAL] [ABB Gateway flaw exposes PLC networks to unauthenticated scanning](https://broadside.deepfathom.ai/story/abb-gateway-flaw-exposes-plc-networks-to-unauthenticated-scanning-eok8z2)
  2026-05-22 · Brief: CISA published ICSA-26-132-04 covering CVE-2024-41975 in ABB Automation Builder Gateway for Windows (all versions before 2.9.0). By default, the gateway listens on all network adapters on port 1217, allowing unauthenticated remote attackers to scan for and enumerate connected AC5
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-04
- [GENERAL] [Siemens Ruggedcom Rox Scheduler flaw enables root-level RCE](https://broadside.deepfathom.ai/story/siemens-ruggedcom-rox-scheduler-flaw-enables-root-level-rce-fjy7gi)
  2026-05-22 · Brief: CISA advisory ICSA-26-134-12 covers a CVSS 9.1 OS command injection flaw (CVE-2025-40949) in the Web UI Scheduler of eleven Ruggedcom Rox product lines, all versions before 2.17.1. An authenticated remote attacker can inject arbitrary commands into the task scheduling backend and
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-12
- [GENERAL] [Siemens Ruggedcom Rox gets root-level RCE patch; update to v2.17.1](https://broadside.deepfathom.ai/story/siemens-ruggedcom-rox-gets-root-level-rce-patch-update-to-v2-17-1-ymsvos)
  2026-05-22 · Brief: CVE-2025-40947 (CVSS 7.5 HIGH) covers improper input sanitization in the Ruggedcom Rox feature key installation process. An authenticated remote attacker can inject arbitrary OS commands and gain root on the underlying system. All eleven Rox variants below v2.17.1 are affected, s
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-11
- [GENERAL] [CISA flags nine ABB B&R PC lines; APC910 gets no patch](https://broadside.deepfathom.ai/story/cisa-flags-nine-abb-b-r-pc-lines-apc910-gets-no-patch-ic30c1)
  2026-05-22 · Brief: CISA advisory ICSA-26-141-02 covers nine CVEs (CVE-2023-45229 through CVE-2023-45237, CVSS 8.3) in ABB B&R industrial PCs deployed in energy-sector environments worldwide. Vulnerabilities span EDK2 network stack flaws: out-of-bounds reads, DHCPv6 processing errors, infinite loops
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-141-02
- [CUI] [Siemens Opcenter RDnL carries critical ActiveMQ auth flaw; patch now](https://broadside.deepfathom.ai/story/siemens-opcenter-rdnl-carries-critical-activemq-auth-flaw-patch-now-b6i6uf)
  2026-05-22 · Brief: CISA published ICS advisory ICSA-26-134-09 covering CVE-2026-27446, a CVSS 7.1 missing-authentication flaw (CWE-306) in Apache ActiveMQ Artemis as shipped with Siemens Opcenter RDnL. All versions are affected. An adjacent-network attacker can force the broker to open an outbound
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-09
- [GENERAL] [CISA flags four critical ScadaBR flaws; vendor unresponsive](https://broadside.deepfathom.ai/story/cisa-flags-four-critical-scadabr-flaws-vendor-unresponsive-2o16nf)
  2026-05-22 · Brief: Four CVEs in ScadaBR 1.2.0 (CVE-2026-8602 through -8605), rated up to CVSS 9.1 Critical. The set covers unauthenticated sensor-reading injection, OS command injection to root, CSRF, and hard-coded admin credentials. Affected sectors include energy, water and wastewater, chemical,
  Primary source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03
- [FAR] [Contractors must now verify which FAR version governs each contract](https://broadside.deepfathom.ai/story/contractors-must-now-verify-which-far-version-governs-each-contract-db8rtb)
  2026-05-22 · Brief: The FAR Council has released model deviation text for all FAR parts under the RFO initiative, launched via EO 14275 and OMB M-25-26 (May 2, 2025). Agencies had 30 days to implement each tranche via class or individual deviations, and they are doing so at different speeds. The res
  Primary source: https://www.insidegovernmentcontracts.com/2026/05/from-paper-reform-to-practice-how-agencies-are-actually-implementing-the-revolutionary-far-overhaul/
- [ENFORCEMENT] [CISA adds Langflow, Trend Micro Apex One CVEs to KEV catalog](https://broadside.deepfathom.ai/story/cisa-adds-langflow-trend-micro-apex-one-cves-to-kev-catalog-466f9t)
  2026-05-22 · Brief: CISA added two actively exploited CVEs to the Known Exploited Vulnerabilities catalog: CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One directory traversal). FCEB agencies must remediate by the posted due dates under BOD 22-01. Non-federa
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog
- [ENFORCEMENT] [CISA adds Cisco SD-WAN auth bypass to KEV Catalog](https://broadside.deepfathom.ai/story/cisa-adds-cisco-sd-wan-auth-bypass-to-kev-catalog-i442fp)
  2026-05-22 · Brief: CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Controller, is now in the KEV Catalog under active exploitation. FCEB agencies must remediate per BOD 22-01. CISA has also issued Emergency Directive 26-03 and supplemental hunt-and-hardening guidance specific to C
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
- [ENFORCEMENT] [CISA adds Microsoft Exchange XSS to KEV Catalog](https://broadside.deepfathom.ai/story/cisa-adds-microsoft-exchange-xss-to-kev-catalog-3boy9p)
  2026-05-22 · Brief: CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability with evidence of active exploitation, to the KEV Catalog on May 15. BOD 22-01 requires FCEB agencies to remediate by the posted due date. Non-federal operators are not bound but should treat
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/15/cisa-adds-one-known-exploited-vulnerability-catalog
- [FAR] [Trump EO makes fixed-price contracts the federal default](https://broadside.deepfathom.ai/story/trump-eo-makes-fixed-price-contracts-the-federal-default-1raojn)
  2026-05-22 · Brief: An April 30 Executive Order directs agencies to treat fixed-price, performance-based contracts as the default procurement method and requires contracting officers to submit written justifications to use anything else. Above certain dollar thresholds, agency-head approval is requi
  Primary source: https://www.insidegovernmentcontracts.com/2026/05/the-new-executive-order-on-promoting-efficiency-accountability-and-performance-in-federal-contracting-what-federal-contractors-need-to-know/
- [ENFORCEMENT] [CISA adds seven CVEs to KEV Catalog, two from 2026](https://broadside.deepfathom.ai/story/cisa-adds-seven-cves-to-kev-catalog-two-from-2026-j49i0o)
  2026-05-22 · Brief: CISA added seven CVEs to the Known Exploited Vulnerabilities Catalog on May 20, citing evidence of active exploitation. Five are legacy flaws dating to 2008-2010: a Microsoft Windows buffer overflow (CVE-2008-4250), a DirectX null-byte overwrite (CVE-2009-1537), an Adobe Acrobat
  Primary source: https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog
- [NIST-800-171] [NIST splits AI incident response into two separate guidance tracks](https://broadside.deepfathom.ai/story/nist-plans-two-ai-incident-response-guidance-streams-under-trump-action-plan-g2w1u0)
  2026-05-21 · Brief: NIST announced two parallel work streams on AI incident response at a May 14 workshop in Gaithersburg: one updating existing cybersecurity guidelines to cover attacks on AI systems, a second establishing new recommendations for AI-induced incidents including misuse, malfunction,
  Primary source: https://insidecybersecurity.com/daily-news/nist-proposes-two-work-streams-incident-response-under-ai-action-plan
- [FAR] [GAO finds uneven search methods hide China-linked equipment on agency networks](https://broadside.deepfathom.ai/story/gao-finds-gaps-in-federal-agencies-china-linked-equipment-searches-1oovi4)
  2026-05-21 · Brief: A May 19 GAO report on six federal agencies' compliance with the Section 899 NDAA prohibition on China-linked telecom and video surveillance equipment found that only DOD conducted physical searches, and only DOD and DOE found covered devices. DHS, DOJ, State, and Treasury all re
  Primary source: https://insidecybersecurity.com/daily-news/government-accountability-office-reviews-agency-efforts-address-equipment-their-networks
- [NIST-800-171] [NIST targets summer 2025 debut for AI cybersecurity framework overlays](https://broadside.deepfathom.ai/story/nist-to-release-ai-cybersecurity-framework-draft-this-summer-okk4qz)
  2026-05-21 · Brief: NIST's Security Engineering and Risk Management Group plans to release a draft cybersecurity framework profile for AI, plus tailored control overlays, beginning this summer: predictive-AI overlay first, agentic-systems overlay by late summer or early fall, with finalization targe
  Primary source: https://www.nextgov.com/artificial-intelligence/2026/05/nist-aims-summer-release-ai-cyber-guidelines/413559/
- [NIST-800-171] [Draft EO sets 2030-2031 federal PQC migration deadlines for agencies and contractors](https://broadside.deepfathom.ai/story/draft-executive-order-sets-2030-2031-pqc-deadlines-for-federal-agencies-contract-bppwmr)
  2026-05-21 · Brief: A White House draft executive order would require federal agencies to migrate key establishment systems to post-quantum cryptography (PQC) by Dec. 31, 2030, and digital signatures on high-impact systems by Dec. 31, 2031. "Covered contractors" face the same 2030 key establishment
  Primary source: https://www.nextgov.com/cybersecurity/2026/05/draft-executive-order-would-set-deadlines-digital-signature-and-key-quantum-encryption/413668/

## Feeds

- All published stories: https://broadside.deepfathom.ai/feed.xml
- Assessment: https://broadside.deepfathom.ai/assessment/feed.xml
- Authority to Operate: https://broadside.deepfathom.ai/ato/feed.xml
- AWS GovCloud: https://broadside.deepfathom.ai/aws-govcloud/feed.xml
- Azure Government: https://broadside.deepfathom.ai/azure-government/feed.xml
- Binding Operational Directive: https://broadside.deepfathom.ai/bod/feed.xml
- C3PAO: https://broadside.deepfathom.ai/c3pao/feed.xml
- CIRCIA: https://broadside.deepfathom.ai/circia/feed.xml
- CISA: https://broadside.deepfathom.ai/cisa/feed.xml
- CISA KEV: https://broadside.deepfathom.ai/kev/feed.xml
- Civil Cyber-Fraud Initiative: https://broadside.deepfathom.ai/civil-cyber-fraud/feed.xml

## Editorial standards

- Briefs are 2–4 sentences, active voice, no marketing language.
- Every story links to a primary source.
- Editor weight (0–5) anchors what surfaces on the front page.
- No anonymous content. No vendor case studies without a regulatory hook.
- The classifier rejects items off-topic for DIB / state / municipal compliance; the editor reviews everything before publish.