
Enforcement

Civil Cyber-Fraud Initiative settlements, qui tam unsealings, and the turn from voluntary to mandatory.


Cyber-compliance enforcement has accelerated through the Department of Justice's Civil Cyber-Fraud Initiative. This hub tracks settled and pending False Claims Act actions, GAO bid-protest decisions touching cyber clauses, and DCMA/DIBCAC findings as they become public — cross-cutting CMMC, FedRAMP, and state programs.

What changed in the last 30 days

  • enforcement/trade-press

    CISA compresses CIRCIA town halls into four June sessions

    CISA consolidated its CIRCIA rulemaking town hall series from eight sessions spread across multiple months into four concentrated sessions June 15-18, after the original February schedule was cancelled during the DHS shutdown. Critical infrastructure operators and their contractors have until those sessions to weigh in on the four-day incident reporting window and 24-hour ransom payment notification requirements before the final rule publishes in May 2026. The compression from eight sessions to four, all in a single week, suggests CISA has narrowed its remaining decision surface rather than reopened the file.

  • enforcement/trade-press

    Contractor GitHub repo exposed privileged CISA credentials

    GitGuardian discovered a public GitHub repository last week, apparently maintained by a Nightwing contractor, containing privileged AWS GovCloud credentials and internal CISA system credentials dating back to November. The repository was named "Private-CISA." CISA says no sensitive data was confirmed compromised; the researcher who found it rated it among the worst leaks he has seen and cited state-actor persistence as the primary risk. House Homeland Security ranking members Thompson and Ramirez, plus Sen. Hassan, sent separate letters Tuesday demanding briefings on affected systems, forensic findings, and contractor accountability. Both Hill letters named CISA staffing and budget cuts as a potential contributing factor.

  • enforcement/trade-press

    Contractor-linked GitHub leak exposes CISA, DHS credentials

    Researcher Brian Krebs reported Monday that a GitHub repository labeled "Private CISA," linked to government contractor Nightwing, publicly exposed authentication credentials, AWS GovCloud data, and internal CISA/DHS build-and-deploy documentation. The repository has since been removed. House Homeland Security ranking member Rep. Bennie Thompson and cyber subcommittee ranking member Rep. Delia Ramirez sent a Tuesday letter to acting CISA Director Nick Andersen demanding a briefing on the breach's scope, remediation steps, and corrective actions against contractor personnel. A separate letter came from Sen. Maggie Hassan. Nightwing referred questions to CISA; CISA declined to comment on congressional correspondence. Thompson and Ramirez also flagged CISA's recent workforce reductions as a potential contributing factor. Government Executive and Nextgov/FCW have not independently verified the repository's contents.

  • enforcement/trade-press

    Contractor exposed CISA credentials on public GitHub repo

    Researcher Brian Krebs reported Monday that a GitHub repository linked to government contractor Nightwing exposed CISA and DHS authentication credentials, AWS GovCloud access data, and internal build-and-deploy documentation, stored in a repo labeled "Private CISA" that was later removed. Reps. Bennie Thompson and Delia Ramirez, the top Democrats on the House Homeland Security Committee and its cyber subcommittee, sent CISA acting Director Nick Andersen a letter Tuesday demanding a briefing on how the exposure occurred, what was accessed, and what corrective action is planned for the contractor personnel involved. Sen. Maggie Hassan sent a separate letter the same day. Nextgov has not independently verified the repository's contents; Nightwing referred inquiries to CISA, which declined to comment publicly.

  • nist-800-171/trade-press

    USDA OIG finds AI systems deployed without required ATOs or governance

    A USDA OIG report released last week found the Agriculture Department has deployed AI across supply chain risk, crop yield estimation, and permitting without completing required cybersecurity and governance controls. Almost none of the AI use cases in the FY2024 inventory carried an authority to operate. USDA has no generative AI policy, hasn't updated agency-level AI policies, and hasn't implemented minimum risk management practices for high-risk AI systems, as required by OMB guidance. The OIG also flagged shadow AI risk, noting the department relies solely on an annual employee self-report to track AI use. USDA agreed with all recommendations.

  • far/independent

    Contractors must now verify which FAR version governs each contract

    The FAR Council has released model deviation text for all FAR parts under the RFO initiative, launched via EO 14275 and OMB M-25-26 (May 2, 2025). Agencies had 30 days to implement each tranche via class or individual deviations, and they are doing so at different speeds. The result: which clauses govern a given contract now depends on the agency, bureau, and buying activity. Covington flags a compounding problem: procurement systems often lag the policy, meaning contract documents may not yet reflect adopted deviations. Contractors cannot treat the codified FAR as a reliable proxy for what is actually in their contracts.

  • enforcement/regulator

    CISA adds Langflow, Trend Micro Apex One CVEs to KEV catalog

    CISA added two actively exploited CVEs to the Known Exploited Vulnerabilities catalog: CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One directory traversal). FCEB agencies must remediate by the posted due dates under BOD 22-01. Non-federal organizations are not bound, but CISA urges prioritized patching for both.

  • enforcement/regulator

    CISA adds Cisco SD-WAN auth bypass to KEV Catalog

    CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Controller, is now in the KEV Catalog under active exploitation. FCEB agencies must remediate per BOD 22-01. CISA has also issued Emergency Directive 26-03 and supplemental hunt-and-hardening guidance specific to Cisco SD-WAN; follow both. If mitigations are unavailable, CISA says discontinue use.

  • enforcement/regulator

    CISA adds Microsoft Exchange XSS to KEV Catalog

    CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability with evidence of active exploitation, to the KEV Catalog on May 15. BOD 22-01 requires FCEB agencies to remediate by the posted due date. Non-federal operators are not bound, but should treat a KEV listing as a prioritization signal in their vulnerability management programs.

  • far/independent

    Trump EO makes fixed-price contracts the federal default

    An April 30 Executive Order directs agencies to treat fixed-price, performance-based contracts as the default procurement method and requires contracting officers to submit written justifications to use anything else. Above certain dollar thresholds, agency-head approval is required. The 90-day clock is the immediate pressure point: each agency must review its 10 largest non-fixed-price contracts by value and seek to modify, restructure, or renegotiate them. Two categories are exempt: emergency or contingency operations, and R&D or pre-production development for major systems. OMB guidance is due within 45 days; proposed FAR amendments within 120. Cost-reimbursement-heavy primes should expect renegotiation outreach before late July.

  • enforcement/regulator

    CISA adds seven CVEs to KEV Catalog, two from 2026

    CISA added seven CVEs to the Known Exploited Vulnerabilities Catalog on May 20, citing evidence of active exploitation. Five are legacy flaws dating to 2008-2010: a Microsoft Windows buffer overflow (CVE-2008-4250), a DirectX null-byte overwrite (CVE-2009-1537), an Adobe Acrobat heap buffer overflow (CVE-2009-3459), and two Internet Explorer use-after-free vulnerabilities (CVE-2010-0249, CVE-2010-0806). The two current entries are a Microsoft Defender elevation-of-privilege (CVE-2026-41091) and a Defender denial-of-service (CVE-2026-45498). BOD 22-01 requires FCEB agencies to remediate by the posted due dates. All others: check your KEV posture now.
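    The four KEV items above all come down to the same operational question: which of your assets carry a catalog CVE, and how far you are from the posted BOD 22-01 due date. The script below is an added example of that posture check, not tooling from this hub or from CISA. It assumes the real catalog's JSON shape (a `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `requiredAction`), but the feed excerpt and asset inventory embedded in it are constructed: the CVE IDs are the ones reported above, while every date and asset name is a placeholder, not a posted catalog value.

```python
"""KEV posture check (added example, not the hub's own tooling).

Cross-references a scanner-style asset inventory against an excerpt of the
CISA Known Exploited Vulnerabilities feed and reports, per asset and CVE,
how many days remain before the BOD 22-01 due date (negative = overdue).
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. CVE IDs match the
# hub's reporting; dateAdded/dueDate values are placeholders, NOT posted dates.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-05-15", "dueDate": "2026-06-05",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2025-34291", "vendorProject": "Langflow", "product": "Langflow",
         "dateAdded": "2026-04-28", "dueDate": "2026-05-19",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed asset inventory: asset name -> CVE IDs a scanner reported on it.
# "CVE-2024-00000" is a made-up, non-KEV identifier to show the filtering.
SAMPLE_INVENTORY = {
    "mail-01": ["CVE-2026-42897", "CVE-2024-00000"],
    "app-01": ["CVE-2025-34291"],
    "legacy-01": ["CVE-2008-4250", "CVE-2010-0806"],
    "web-01": [],
}


def load_kev(feed_text):
    """Index the KEV feed by CVE ID so lookups are O(1) per scanner finding."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def check_posture(kev, inventory, today):
    """Return one finding per (asset, CVE) pair present in KEV.

    Findings are sorted overdue-first, then by soonest due date, so the top
    of the list is what a remediation lead should act on today.
    """
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                # Not in KEV: still patch on your normal cadence, but it is
                # outside the BOD 22-01 deadline regime.
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            findings.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"], f["asset"], f["cve"]))
    return findings


def demo(as_of="2026-05-25"):
    """Run the check over the constructed feed and inventory for a fixed date."""
    return check_posture(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date.fromisoformat(as_of))


if __name__ == "__main__":
    for f in demo():
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['asset']:<10} {f['cve']:<16} {f['product']:<30} due {f['due']}  {status}")
```

To run it against the live catalog, replace `SAMPLE_KEV_JSON` with the body fetched from CISA's published JSON feed and `SAMPLE_INVENTORY` with your scanner export; the sort order means non-federal teams that adopt KEV as a prioritization signal get the same overdue-first queue that BOD 22-01 imposes on FCEB agencies.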

  • nist-800-171/trade-press

    NIST splits AI incident response into two separate guidance tracks

    NIST announced two parallel work streams on AI incident response at a May 14 workshop in Gaithersburg: one updating existing cybersecurity guidelines to cover attacks on AI systems, a second establishing new recommendations for AI-induced incidents including misuse, malfunction, and unintentional harms. Federal contractors and defense industrial base organizations deploying AI will eventually face more granular playbook requirements than traditional NIST 800-171 incident response controls demand. Who bears liability across the developer-deployer-user stack remains an open question NIST has not yet answered.

  • far/trade-press

    GAO finds uneven search methods hide China-linked equipment on agency networks

    A May 19 GAO report on six federal agencies' compliance with the Section 899 NDAA prohibition on China-linked telecom and video surveillance equipment found that only DOD conducted physical searches, and only DOD and DOE found covered devices. DHS, DOJ, State, and Treasury all reported zero findings, but none ran physical searches. GAO identified procurement record gaps, supply-chain opacity, and rebranding as structural limits on every agency's search approach. The divergence in methods makes the zero-finding results hard to read as actual risk clearance.

  • nist-800-171/trade-press

    Draft EO sets 2030-2031 federal PQC migration deadlines for agencies and contractors

    A White House draft executive order would require federal agencies to migrate key establishment systems to post-quantum cryptography (PQC) by Dec. 31, 2030, and digital signatures on high-impact systems by Dec. 31, 2031. "Covered contractors" face the same 2030 key establishment deadline under NIST PQC standards. The order tasks OMB with issuing implementation guidance. Critical open questions remain: whether "covered contractors" sweeps in all subcontractors or only primes above a threshold, and what enforcement mechanism OMB will specify, the same gap that made NSA's 2022 quantum-resistant guidance effectively optional for four years.

Open questions

  1. How many CCFI cases reference NIST 800-171 compliance representations as the predicate?
  2. Are settlements moving toward higher dollar figures over time?
  3. When does the first criminal referral connected to CMMC or FedRAMP misrepresentation appear?

Sources we watch