
Federal

FedRAMP, FISMA, CISA, FAR, and the federal compliance machinery beyond CMMC.


Federal cybersecurity policy moves through FedRAMP authorizations, FISMA reporting, CISA directives, OMB memos, and FAR rulemaking. This hub tracks federal compliance activity that isn't CMMC-specific — including FedRAMP 20x progress, KEV-driven Binding Operational Directives, and NIST publications that shape ATO decisions.

What changed in the last 30 days

  • nist-800-171/standards

    NIST NCCoE releases SP 1800-41 draft on ICS/OT incident response

    The NIST National Cybersecurity Center of Excellence (NCCoE) published an initial public draft of SP 1800-41, covering incident response and recovery for industrial control system (ICS) and operational technology (OT) environments in the manufacturing sector. Comments are due July 8, 2026. Defense industrial base suppliers and manufacturing contractors running ICS/OT systems should track this: if SP 1800-41 gets folded into CMMC or federal procurement mandates (still an open question) it will add operational resilience requirements on top of the existing NIST SP 800-171 preventive control baseline.

  • nist-800-171/standards

    NIST SP 800-70 Rev 5 mandates CSF 2.0 traceability in federal checklists

    NIST published SP 800-70 Revision 5 on May 8, 2026, requiring security configuration checklists to carry explicit traceability mappings to NIST CSF 2.0 outcomes, SP 800-53 controls, and Common Configuration Enumeration (CCE) identifiers. The revision also extends checklist scope to cloud, IoT, and AI systems and adds explicit support for automated checklist formats. Contractors, primes, C3PAOs, and assessors relying on National Checklist Program (NCP) checklists for audit evidence will need to verify that any checklist they cite maps to Rev 5 structure. NIST has not specified when non-compliant legacy checklists will be deprecated from the NCP repository.

  • nist-800-171/standards

    NIST releases BloSS@M draft, a blockchain supply chain framework for federal software

    NIST published IR 8500A initial public draft (BloSS@M) on May 19, 2026, proposing a blockchain-based framework for how federal agencies acquire, track, and retire software assets government-wide. The draft ties real-time vulnerability feeds from the National Vulnerability Database (NVD) and OSCAL-based compliance automation into a shared procurement infrastructure intended to consolidate purchasing and eliminate redundant spending. Comments are due June 26, 2026, to blossom@nist.gov. Whether BloSS@M will become mandatory for federal software procurement or remain advisory is not answered in the draft.

  • vuln-advisory/regulator

    CISA adds Langflow, Trend Micro Apex One CVEs to KEV Catalog

    CISA added CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One on-premise directory traversal) to the Known Exploited Vulnerabilities Catalog on May 21, 2026. Federal Civilian Executive Branch agencies must remediate both by CISA-set deadlines under Binding Operational Directive 22-01. Specific due dates were not published in the alert. Contractors and MSPs supporting FCEB systems should add both CVEs to their active vulnerability management queues; the Trend Micro entry's on-premise scope may exclude cloud or SaaS deployments.

  • nist-800-172/standards

    NIST opens comment period on SP 800-52 Rev. 2 TLS guidelines

    NIST's Crypto Publication Review Board opened a public comment period through July 10, 2026 on SP 800-52 Rev. 2 (2019), its TLS implementation guidance. The revision targets alignment with IETF TLS 1.3 drafts, but the consequential question is whether NIST will downgrade server-side TLS 1.2 support from "should" to "may." Contractors, primes, MSPs, and C3PAOs with federal TLS configurations should comment now; the outcome will shape compatibility windows across 800-172 and CMMC controls.

  • nist-800-171/standards

    NIST releases draft SP 800-228A on RESTful API security controls

    NIST published the initial public draft of SP 800-228A, Guidelines for the Secure Deployment of RESTful Web APIs, on May 18, 2026, with public comment open through July 2, 2026. The document analyzes threats across pre-runtime and runtime phases and provides controls specific to the RESTful architectural style, complementing the broader SP 800-228 control set. Contractors, C3PAOs, and assessors building or auditing systems that use RESTful APIs should review the draft now: once finalized, gaps against these controls are likely to surface in CMMC and related assessments.

  • vuln-advisory/regulator

    CISA adds CVE-2026-42897 Exchange Server XSS to KEV Catalog

    CISA added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server, to the Known Exploited Vulnerabilities Catalog on May 15, 2026, citing evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate by the BOD 22-01-assigned due date, which CISA has not yet published. Contractors supporting federal systems face audit exposure if affected Exchange deployments remain unpatched. Patch availability has not been confirmed in the advisory.

  • vuln-advisory/regulator

    CISA adds Cisco SD-WAN auth bypass CVE-2026-20182 to KEV catalog

    CISA added CVE-2026-20182, a Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies must remediate under Binding Operational Directive 22-01 or discontinue use; Emergency Directive 26-03 and its supplemental hunt-and-hardening guidance govern the specific mitigation path. Non-federal organizations with SD-WAN infrastructure in remote access or branch connectivity roles should treat this as a prioritized patch.

  • vuln-advisory/regulator

    CISA adds seven CVEs to KEV Catalog, two targeting Microsoft Defender

    CISA added seven CVEs to its Known Exploited Vulnerabilities Catalog on May 20, 2026, triggering mandatory remediation deadlines for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. Five entries are legacy Microsoft and Adobe vulnerabilities (2008-2010); two are 2026 Microsoft Defender flaws: CVE-2026-41091 (elevation of privilege) and CVE-2026-45498 (denial of service). The Defender inclusions are notable: KEV additions typically target OS or browser attack surface, not defensive tooling itself. CISA urges all organizations to prioritize remediation regardless of BOD 22-01 applicability.

  • nist-800-172/standards

    NIST releases SP 800-172r3, tightening enhanced CUI controls

    NIST published SP 800-172r3 and its companion assessment guide SP 800-172Ar3 on May 13, 2026, adding enhanced requirements across access control, network segmentation, asset management, and supply chain security for contractors handling controlled unclassified information (CUI) in nonfederal systems. Assessors must update evaluation procedures to match r3 or their assessments will be considered non-compliant. NIST has not announced a compliance deadline for contractors currently operating under r2, nor whether existing r2 assessments remain valid during any transition period.

  • vuln-advisory/regulator

    CISA adds Drupal Core SQL injection CVE-2026-9082 to KEV Catalog

    CISA added CVE-2026-9082, a Drupal Core SQL injection vulnerability, to the Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Federal Civilian Executive Branch agencies are bound by Binding Operational Directive 22-01 to remediate by the catalog-assigned due date. The source advisory does not specify that deadline or confirm patch availability from Drupal maintainers. Contractors supporting federal networks should patch or mitigate without waiting for agency direction.

  • SIGNAL/regulator

    CISA flags 35 CVEs in Siemens Ruggedcom Rox below v2.17.1

    CISA advisory ICSA-26-134-16 covers 35 third-party CVEs affecting all Ruggedcom Rox variants (MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, and others) running firmware below v2.17.1. The CVE range runs from 2019 through 2025, reflecting accumulated upstream dependency debt. Siemens has released v2.17.1 and recommends immediate upgrade. These devices deploy in critical infrastructure environments; update to v2.17.1 now.

  • SIGNAL/regulator

    CISA flags nine CVEs in ABB B&R industrial PCs; patch now

    CISA advisory ICSA-26-141-02 covers nine CVEs (CVE-2023-45229 through CVE-2023-45237), all rooted in EDK2's network stack, affecting ten ABB B&R PC product lines deployed in energy-sector critical infrastructure worldwide. CVSS v3 base score: 8.3. Exploitation enables remote code execution, DoS, DNS cache poisoning, and sensitive data extraction over the network. Patches are available for nine of the ten affected lines; APC910 will not receive a firmware fix, so operators running that model must apply ABB's mitigation measures instead. All others: update to the versions listed in the advisory.

  • SIGNAL/regulator

    ABB Gateway flaw exposes PLC networks to unauthenticated scanning

    CISA published ICSA-26-132-04 covering CVE-2024-41975 in ABB Automation Builder Gateway for Windows (all versions before 2.9.0). By default, the gateway listens on all network adapters on port 1217, allowing unauthenticated remote attackers to scan for and enumerate connected AC500 PLCs. Actual PLC control requires defeating PLC-level user management separately. ABB scores this CVSS 3.1 Medium (5.3). Fix: upgrade to Automation Builder 2.9.0, which defaults the gateway to local-only access, or manually set LocalAddress=127.0.0.1 in the gateway config file. Sectors affected include Chemical, Critical Manufacturing, Energy, and Water and Wastewater.

  • SIGNAL/regulator

    Siemens Ruggedcom Rox Scheduler flaw enables root-level RCE

    CISA advisory ICSA-26-134-12 covers a CVSS 9.1 OS command injection flaw (CVE-2025-40949) in the Web UI Scheduler of eleven Ruggedcom Rox product lines, all versions before 2.17.1. An authenticated remote attacker can inject arbitrary commands into the task scheduling backend and execute them with root privileges on the underlying OS. Operators running any Ruggedcom Rox MX5000, MX5000RE, or RX-series device in critical manufacturing environments should update to v2.17.1 now.

  • SIGNAL/regulator

    Siemens Ruggedcom Rox gets root-level RCE patch; update to v2.17.1

    CVE-2025-40947 (CVSS 7.5 HIGH) covers improper input sanitization in the Ruggedcom Rox feature key installation process. An authenticated remote attacker can inject arbitrary OS commands and gain root on the underlying system. All eleven Rox variants below v2.17.1 are affected, spanning MX5000, MX5000RE, RX1400 through RX1536, and RX5000. Siemens has released v2.17.1; update now.

  • SIGNAL/regulator

    CISA flags ten ABB B&R PC lines; APC910 gets no patch

    CISA advisory ICSA-26-141-02 covers nine CVEs (CVE-2023-45229 through CVE-2023-45237, CVSS 8.3) in ABB B&R industrial PCs deployed in energy-sector environments worldwide. Vulnerabilities span EDK2 network stack flaws: out-of-bounds reads, DHCPv6 processing errors, infinite loops, and weak PRNG use, all exploitable by a network-adjacent attacker for RCE, DoS, DNS cache poisoning, or data extraction. Patches are available for nine of the ten affected product lines. APC910 (firmware 1.25 and below) receives no patch; operators running that hardware should apply ABB's stated mitigations instead.

  • cui/regulator

    Siemens Opcenter RDnL carries high-severity ActiveMQ auth flaw; patch now

    CISA published ICS advisory ICSA-26-134-09 covering CVE-2026-27446, a CVSS 7.1 missing-authentication flaw (CWE-306) in Apache ActiveMQ Artemis as shipped with Siemens Opcenter RDnL. All versions are affected. An adjacent-network attacker can force the broker to open an outbound Core federation connection to an attacker-controlled host, enabling message injection or exfiltration on any queue. Siemens recommends updating to Apache Artemis 2.52.0 or later; three interim mitigations cover Core interceptors, acceptor protocol restriction, and two-way SSL. Opcenter RDnL sits in critical manufacturing environments worldwide.

  • SIGNAL/regulator

    CISA flags four critical ScadaBR flaws; vendor unresponsive

    Four CVEs in ScadaBR 1.2.0 (CVE-2026-8602 through -8605) are rated up to CVSS 9.1 Critical. The set covers unauthenticated sensor-reading injection, OS command injection to root, CSRF, and hard-coded admin credentials. Affected sectors include energy, water and wastewater, chemical, and critical manufacturing worldwide. ScadaBR has not responded to CISA's remediation requests; no vendor patch exists. Operators should contact ScadaBR support via GitHub and apply network-isolation and access controls in the interim.

  • far/independent

    Contractors must now verify which FAR version governs each contract

    The FAR Council has released model deviation text for all FAR parts under the RFO initiative, launched via EO 14275 and OMB M-25-26 (May 2, 2025). Agencies had 30 days to implement each tranche via class or individual deviations, and they are doing so at different speeds. The result: which clauses govern a given contract now depends on the agency, bureau, and buying activity. Covington flags a compounding problem: procurement systems often lag the policy, meaning contract documents may not yet reflect adopted deviations. Contractors cannot treat the codified FAR as a reliable proxy for what is actually in their contracts.

  • enforcement/regulator

    CISA adds Langflow, Trend Micro Apex One CVEs to KEV catalog

    CISA added two actively exploited CVEs to the Known Exploited Vulnerabilities catalog: CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One directory traversal). FCEB agencies must remediate by the posted due dates under BOD 22-01. Non-federal organizations are not bound but CISA urges prioritized patching for both.

  • enforcement/regulator

    CISA adds Cisco SD-WAN auth bypass to KEV Catalog

    CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Controller, is now in the KEV Catalog under active exploitation. FCEB agencies must remediate per BOD 22-01. CISA has also issued Emergency Directive 26-03 and supplemental hunt-and-hardening guidance specific to Cisco SD-WAN; follow both. If mitigations are unavailable, CISA says discontinue use.

  • enforcement/regulator

    CISA adds Microsoft Exchange XSS to KEV Catalog

    CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability with evidence of active exploitation, to the KEV Catalog on May 15. BOD 22-01 requires FCEB agencies to remediate by the posted due date. Non-federal operators are not bound but should treat KEV listing as a prioritization signal in their vulnerability management programs.

  • far/independent

    Trump EO makes fixed-price contracts the federal default

    An April 30 Executive Order directs agencies to treat fixed-price, performance-based contracts as the default procurement method and requires contracting officers to submit written justifications to use anything else. Above certain dollar thresholds, agency-head approval is required. The 90-day clock is the immediate pressure point: each agency must review its 10 largest non-fixed-price contracts by value and seek to modify, restructure, or renegotiate them. Two categories are exempt: emergency or contingency operations, and R&D or pre-production development for major systems. OMB guidance is due within 45 days; proposed FAR amendments within 120. Cost-reimbursement-heavy primes should expect renegotiation outreach before late July.

  • enforcement/regulator

    CISA adds seven CVEs to KEV Catalog, two from 2026

    CISA added seven CVEs to the Known Exploited Vulnerabilities Catalog on May 20, citing evidence of active exploitation. Five are legacy flaws dating to 2008-2010: a Microsoft Windows buffer overflow (CVE-2008-4250), a DirectX null-byte overwrite (CVE-2009-1537), an Adobe Acrobat heap buffer overflow (CVE-2009-3459), and two Internet Explorer use-after-free vulnerabilities (CVE-2010-0249, CVE-2010-0806). The two current entries are a Microsoft Defender elevation-of-privilege (CVE-2026-41091) and a Defender denial-of-service (CVE-2026-45498). BOD 22-01 requires FCEB agencies to remediate by the posted due dates. All others: check your KEV posture now.

  • far/trade-press

    GAO finds uneven search methods hide China-linked equipment on agency networks

    A May 19 GAO report on six federal agencies' compliance with the Section 889 NDAA prohibition on China-linked telecom and video surveillance equipment found that only DOD conducted physical searches, and only DOD and DOE found covered devices. DHS, DOJ, State, and Treasury all reported zero findings, but none ran physical searches. GAO identified procurement record gaps, supply-chain opacity, and rebranding as structural limits on every agency's search approach. The divergence in methods makes the zero-finding results hard to read as actual risk clearance.
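The ABB Automation Builder Gateway item above comes down to one observable fact: a service that should only be reachable locally is bound to every adapter on TCP 1217. The check below, an added example that is not code from the page, ABB, or CISA, parses `netstat -ano` output from the affected Windows host and reports any listener on the port that is bound beyond loopback, so the LocalAddress=127.0.0.1 fix (or the 2.9.0 upgrade) can be verified rather than assumed. The two netstat snapshots are constructed sample data, and the PIDs and addresses in them are invented; the gateway's config-file format itself is not assumed here, only the resulting socket table.

```python
"""Flag services listening beyond loopback, e.g. ABB Automation Builder Gateway on TCP 1217.

Added example (not vendor or page code). Parses Windows `netstat -ano` style output;
the snapshots below are constructed samples, not captures from a real host.
"""
import ipaddress

# Constructed sample: host before hardening, gateway (PID 4120, invented) on all IPv4/IPv6 adapters.
BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1217           0.0.0.0:0              LISTENING       4120
  TCP    192.168.10.5:1217      192.168.10.77:50210    ESTABLISHED     4120
  TCP    [::]:1217              [::]:0                 LISTENING       4120
  UDP    0.0.0.0:5353           *:*                                    1388
"""

# Constructed sample: same host after LocalAddress=127.0.0.1 (or the 2.9.0 default), loopback only.
AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1217         0.0.0.0:0              LISTENING       4120
  TCP    [::1]:1217             [::]:0                 LISTENING       4120
"""


def split_local(addr):
    """'0.0.0.0:1217' -> ('0.0.0.0', 1217); '[::]:1217' -> ('::', 1217); '*:1217' -> ('*', 1217)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def is_exposed(host):
    """True if a socket bound to this address accepts connections from other hosts.

    0.0.0.0 and :: are unspecified (wildcard) addresses, not loopback, so they count as exposed,
    as does any specific interface address; only 127.0.0.0/8 and ::1 are treated as local-only.
    """
    if host == "*":
        return True
    return not ipaddress.ip_address(host).is_loopback


def listeners_on(netstat_text, port):
    """Listening sockets on `port`, each tagged with whether it is reachable off-host."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or "Active Connections" lines
        proto, local, pid = parts[0], parts[1], parts[-1]
        if proto == "TCP" and parts[3] != "LISTENING":
            continue  # established/time-wait rows are peers, not listeners
        host, lport = split_local(local)
        if lport != port:
            continue
        found.append({"proto": proto, "local": local, "pid": pid, "exposed": is_exposed(host)})
    return found


def is_loopback_only(netstat_text, port):
    """The hardening check: True when the port is listening and nothing on it is reachable off-host.

    Returns False when nothing listens at all, so a stopped service is not mistaken for a hardened one.
    """
    rows = listeners_on(netstat_text, port)
    return bool(rows) and not any(r["exposed"] for r in rows)


if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: loopback-only={is_loopback_only(snapshot, 1217)}")
        for r in listeners_on(snapshot, 1217):
            print(f"  {r['proto']} {r['local']:22} pid {r['pid']:6} exposed={r['exposed']}")
```

On the real host, feed it `netstat -ano` output and the advisory's port. The check is a point-in-time snapshot of the socket table, so it belongs in a scheduled baseline rather than a one-off after the upgrade; a host firewall rule denying inbound 1217 is a reasonable second layer but is general practice, not something the advisory prescribes.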
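The KEV entries above (Langflow and Trend Micro Apex One, Cisco SD-WAN, Exchange, Drupal, and the seven-CVE batch) all reduce to the same operational task for anyone supporting FCEB systems under BOD 22-01: join the catalog feed against your own inventory and work the due dates in order. The script below is an added example, not code from the page, CISA, or any vendor. It reads the JSON feed shape CISA publishes (the field names cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, and requiredAction are the published schema), but the entries, the due dates, and the inventory are constructed sample data; no date in it is a real catalog value, which matters because the page notes CISA had not published due dates for several of these CVEs at the time of writing.

```python
"""Join a CISA KEV feed against an asset inventory and rank open items by BOD 22-01 due date.

Added example, not page or CISA code. Feed field names follow the published
known_exploited_vulnerabilities.json schema; every record, date and due date below is
a constructed sample, not a real catalog value.
"""
import json
from datetime import date

# Constructed sample feed (same shape as the real JSON feed; values invented for the example).
SAMPLE_KEV_JSON = json.dumps({
    "title": "KEV feed (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20182", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Controller",
         "vulnerabilityName": "Authentication bypass", "dateAdded": "2026-05-12",
         "dueDate": "2026-05-19", "requiredAction": "Apply mitigations or discontinue use."},
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Cross-site scripting", "dateAdded": "2026-05-15",
         "dueDate": "2026-06-05", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Buffer overflow", "dateAdded": "2026-05-20",
         "dueDate": "2026-06-10", "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: each asset lists the CVEs its scanner still reports as open.
# CVE-2026-9082 is deliberately absent from the sample feed to show non-KEV items are skipped.
SAMPLE_INVENTORY = [
    {"asset": "sdwan-ctl-01", "open_cves": ["CVE-2026-20182"]},
    {"asset": "exch-01", "open_cves": ["CVE-2026-42897", "CVE-2026-9082"]},
    {"asset": "legacy-ws-07", "open_cves": ["CVE-2008-4250"]},
]


def load_kev(feed_text):
    """Index a KEV feed (JSON text) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def added_since(kev, since_iso):
    """CVE IDs added to the catalog on or after since_iso, oldest first (the 'what changed' view)."""
    since = date.fromisoformat(since_iso)
    recent = [v for v in kev.values() if date.fromisoformat(v["dateAdded"]) >= since]
    recent.sort(key=lambda v: (v["dateAdded"], v["cveID"]))
    return [v["cveID"] for v in recent]


def kev_posture(kev, inventory, today_iso):
    """One finding per (asset, open CVE) present in the catalog, most urgent first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # open in the scanner but not in the catalog: no BOD 22-01 deadline applies
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "asset": asset["asset"],
                "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "due_date": entry["dueDate"],
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "open",
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["asset"], f["cve"]))
    return findings


def summarize(findings):
    """Count findings by status, for the one-line report an assessor asks for first."""
    counts = {"overdue": 0, "open": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("added since 2026-05-14:", added_since(kev, "2026-05-14"))
    for f in kev_posture(kev, SAMPLE_INVENTORY, "2026-05-22"):
        print(f"{f['status']:8} {f['asset']:14} {f['cve']:16} due {f['due_date']} ({f['days_left']:+d}d)")
    print(summarize(kev_posture(kev, SAMPLE_INVENTORY, "2026-05-22")))
```

In production, replace SAMPLE_KEV_JSON with the downloaded feed and the inventory with scanner export; the join is on CVE ID only, so an entry whose KEV scope is narrower than the CVE (the page's note that the Trend Micro Apex One listing may cover on-premise deployments only) still needs a human to confirm the affected product variant before the due date is treated as binding.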

Open questions

  • 01 How does FedRAMP 20x change the authorization path for cloud service providers?
  • 02 What's the trajectory of CISA directives binding civilian executive-branch agencies?
  • 03 How is OMB shaping cyber posture through M-series memoranda?
