• The Exchange Daily – Friday, January 9, 2026
    Jan 9 2026
    NIST Opens Public Input Window on AI Agent Security

    The National Institute of Standards and Technology’s Center for AI Standards and Innovation (CAISI) has issued a request for information (RFI) seeking public input on securing artificial intelligence agents. The sixty-day comment window allows stakeholders—developers, deployers, security researchers, and federal agencies—to shape NIST’s guidance on agentic AI security, evaluation methods, and best practices.

    AI agents are autonomous systems capable of taking independent actions to complete tasks without constant human intervention. Unlike chatbots designed for interactive dialogue, agents can access systems, make decisions, and execute workflows autonomously. NIST is specifically seeking input on security threats and vulnerabilities unique to agents, security best practices for agent development and deployment, methods for assessing agent security, and approaches to monitoring or constraining agent environments to mitigate risk.

    This RFI represents an early opportunity to influence federal procurement standards, compliance requirements, and validation methodologies for agentic AI. Federal CIOs and system integrators planning agent deployments should review the RFI and submit comments aligned with their operational and security requirements.

    2026-01-07: https://fedscoop.com/nist-input-agentic-ai-security-best-practices-caisi/

    Google Vertex AI Agent Engine Billing Changes Effective January 28

    Google Cloud announced pricing changes to its Vertex AI Agent Engine, effective January 28, 2026. Three core agent capabilities—Sessions, Memory Bank, and Code Execution—will transition from free to metered billing. Runtime pricing will be lowered to offset some cost increases, but organizations piloting agents in production will experience cost changes as they scale.

    Agent memory is a critical capability for maintaining context across multi-turn interactions. As this capability moves to metered billing, organizations should review their pilot architectures, cost projections, and production scaling plans. FinOps teams should assess whether agent memory is essential to their use cases or whether alternative architectures can reduce costs.

    This change signals Google’s transition of agent capabilities from experimental to production-grade services. Organizations should validate their cost models and architecture decisions before January 28 to avoid surprises in production billing.

    2026-01: https://docs.cloud.google.com/agent-builder/release-notes

    NIST Updates Cryptographic Key-Establishment Standards for Hybrid Secrets

    The National Institute of Standards and Technology is revising its foundational cryptographic standards for key establishment (SP 800-56A and SP 800-56C) to support hybrid secrets and new key-encapsulation mechanisms. These updates modernize federal cryptographic guidance to address emerging threats, including quantum computing risks.

    The revisions allow shared secrets to incorporate approved key-encapsulation mechanisms and expand hybrid formatting options. This guidance will cascade into product roadmaps, cryptographic library updates, and long-term security compliance planning for federal agencies and contractors.

    Organizations managing cryptographic infrastructure, evaluating cryptographic vendors, or planning multi-year security roadmaps should align their choices with NIST’s updated direction. This is particularly important for agencies subject to FIPS 140-3, CMMC, or other federal cryptographic compliance requirements.

    2026-01: https://csrc.nist.gov/News/2026/nist-to-revise-key-establishment-recommendations

    GAO Report Identifies Gaps in DOD Telework and Remote Work Evaluation

    The Government Accountability Office (GAO) released a report identifying significant gaps in how the Department of Defense evaluates its telework and remote work programs. GAO found that DOD has not formally evaluated telework and remote work against agency goals, lacks consistent data quality, and has not established clear evaluation requirements.

    The report calls for DOD to improve data collection, establish clearer evaluation metrics, and align telework policies with workforce and IT objectives. From an IT perspective, telework policies directly impact collaboration tooling, endpoint security, identity and access management, and information-sharing workflows. Organizations rethinking telework or remote work should establish solid IT and security baselines before finalizing policy decisions.

    This GAO finding signals that federal agencies will face increased scrutiny on telework governance, data quality, and alignment with IT and security objectives.

    2026-01-08: https://www.gao.gov/products/gao-26-107601

    Federal AI Initiatives Ramping for 2026

    Multiple federal AI initiatives are launching or expanding in 2026, signaling increased investment and adoption across agencies. Key initiatives include the Genesis Mission, new OMB guidance on AI governance, HHS AI strategy updates, and ...
    5 min
  • The Exchange Daily - January 8, 2026
    Jan 8 2026
    Build data analytics agents faster with BigQuery’s fully managed, remote MCP server

    Google is pushing a practical pattern for agentic analytics by standardizing how AI applications connect to BigQuery through a managed remote MCP server. The value for enterprises is faster build cycles plus clearer governance controls, because the model-to-data connection becomes a managed interface instead of bespoke glue code. For IT leaders, the decision point is whether to treat MCP connectivity as a platform standard with consistent identity, logging, and guardrails. If you’re already building agents, this is a good moment to formalize an internal reference architecture before experimentation becomes production sprawl.

    Sources:
    https://cloud.google.com/blog/products/data-analytics/using-the-fully-managed-remote-bigquery-mcp-server-to-build-data-ai-agents/
    https://docs.cloud.google.com/bigquery/docs/use-bigquery-mcp

    FedRAMP 20x Phase 2 Pilot milestones and Cohort 2 application window

    FedRAMP 20x Phase 2 is still a pilot, but the milestones are real and the dates are explicit. That matters to agencies and cloud providers because it turns modernization and authorization planning into a calendar exercise with competitive constraints. The Cohort 2 window is narrow, so organizations that want to participate or align internal requirements need to be ready before the window closes. The practical takeaway is to treat FedRAMP 20x as a pipeline event and to tighten internal documentation, evidence collection, and partner coordination.

    Sources:
    https://www.fedramp.gov/20x/phase-two/

    OpenAI API deprecation: Realtime API Beta removal date

    If you have anything in production tied to OpenAI’s realtime beta capabilities, the critical point is the removal date. Deprecations are rarely just a developer inconvenience, because they touch contracts, SLAs, incident response plans, and customer commitments when an interface changes. The practical move is to inventory dependencies now and schedule a managed migration rather than a late-stage scramble. This is also a reminder to make deprecation review a routine part of AI platform governance.

    Sources:
    https://platform.openai.com/docs/deprecations

    NIST SP 800-57 Part 1 Revision 6 initial public draft open for comment

    Key management guidance is foundational, and NIST’s draft update is a signal that crypto agility requirements are continuing to evolve. For CISOs and compliance leaders, this is an opportunity to review what the updated guidance implies for PKI, certificate lifecycles, and policy language. For engineering teams, it’s a prompt to map where key material lives and where modernization will be expensive. The comment window is also a practical moment to raise real-world constraints back to NIST.

    Sources:
    https://csrc.nist.gov/News/2025/comment-on-sp-800-57pt1r6-initial-public-draft
    https://csrc.nist.gov/pubs/sp/800/57/pt1/r6/ipd

    GitHub Actions hosted runner price reductions

    GitHub Actions pricing changes are a rare chance to revisit CI strategy with real budget impact. If you have teams running fragmented pipelines, a lower hosted runner price point can support consolidation and standardization. The risk is that lower unit costs can mask growing consumption, so visibility and guardrails still matter. This is a good time to re-benchmark expensive workflows and update chargeback or budgeting assumptions.

    Sources:
    https://github.blog/changelog/2026-01-01-github-actions-hosted-runner-price-reductions/

    CISA Known Exploited Vulnerabilities Catalog adds PowerPoint and HPE OneView issues

    CISA’s KEV catalog is designed to keep patch priorities grounded in real exploitation, and new additions should move quickly to the top of the queue. The dataset shows fresh entries that span both end-user software and infrastructure management, reinforcing that exploitation targets whatever provides leverage. For IT operations, the key is rapid confirmation of exposure, fast remediation where possible, and clear leadership reporting when patching is constrained. KEV is also a reminder that asset inventory is the prerequisite for speed.

    Sources:
    https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv

    Topics We’re Tracking (But Didn’t Make the Cut)

    Dropped Topic: Additional NIST draft publications beyond SP 800-57
    * Why It Didn’t Make the Cut: Useful, but we prioritized one high-impact crypto governance draft to avoid overloading the show with standards updates.
    * Why It Caught Our Eye: Several comment windows are open and can influence long-term compliance and architecture decisions.

    Quick Disclaimer and Sources Note: The author used AI in part to create this newscast. Our goal is to be transparent and show you how we sourced the info we used. This newscast was developed using only public sources of information.

    The Exchange Daily is a production of Metora Solutions. For more information about how to participate in this daily newscast, contact us at podcasts@...
    7 min
  • The Exchange Daily - January 6, 2026
    Jan 6 2026
    Microsoft’s Fabric move signals autonomous data engineering as the new default

    Microsoft’s acquisition of Osmos is a clear signal that AI-driven automation is becoming a default feature in enterprise data platforms. The upside is speed and scale, especially for teams drowning in pipeline operations and repetitive engineering work. The risk is governance drift, because autonomous behavior without tight guardrails can create integrity and lineage issues fast. Leaders should define approval points and audit expectations now, before autonomy becomes the normal way the platform runs.

    Sources:
    https://blogs.microsoft.com/blog/2026/01/05/microsoft-announces-acquisition-of-osmos-to-accelerate-autonomous-data-engineering-in-fabric/

    AWS is turning agentic AI into an enablement pipeline with deadlines

    AWS is treating agentic AI like a pipeline, with a cohort program and a competition that pushes teams to build and ship quickly. That matters because vendor-led reference patterns often become the templates buyers adopt. Organizations should standardize agent governance, including tool scope limits, identity controls, and audit logging before pilots touch sensitive systems. The goal is to move fast without creating invisible security debt.

    Sources:
    https://aws.amazon.com/blogs/aws/happy-new-year-aws-weekly-roundup-10000-aideas-competition-amazon-ec2-amazon-ecs-managed-instances-and-more-january-5-2026/

    FedRAMP Security Inbox enforcement becomes an operational readiness test

    FedRAMP’s Security Inbox expectations are moving into enforcement, which shifts this from policy talk to day-to-day readiness. Providers need clear ownership, monitoring, and response workflows so they can meet communication expectations under stress. Agencies should ask providers for proof of readiness and escalation processes, not just documentation. This is a change that can surface quickly during an incident.

    Sources:
    https://fedramp.gov/docs/rev5/balance/fedramp-security-inbox/

    FedRAMP Minimum Assessment Scope widens, but it is still a change-managed move

    The Minimum Assessment Scope optional wide release can reduce friction over time, but it isn’t a shortcut. Providers must follow significant change processes and align with assessors to avoid schedule slips. For teams already stretched thin, the best approach is to model the boundary early and validate the story with stakeholders before committing. Done well, it can help focus assessment effort on what truly impacts risk.

    Sources:
    https://fedramp.gov/docs/rev5/balance/minimum-assessment-scope/

    OpenAI changes Voice behavior on macOS desktops

    The Voice experience retiring in the ChatGPT macOS app is a small change that can still create confusion and help-desk load. Organizations should communicate where Voice still works and what the approved alternatives are for voice-enabled workflows. This is also a reminder that endpoint behavior can differ across platforms, and policy guidance needs to match reality. A short internal note can prevent a lot of friction.

    Sources:
    https://help.openai.com/en/articles/6825453-chatgpt-release-notes

    OpenAI Realtime API Beta deprecation creates a hard migration deadline

    Realtime AI experiences tend to become business-critical quickly, especially for voice, call handling, and interactive apps. OpenAI’s deprecation notice means teams using the beta interface need a firm migration plan to the generally available Realtime API. This should be treated as a calendar risk with testing, rollback, and cost planning. Leaders should require an inventory and a migration owner, not a vague “we’ll get to it.”

    Sources:
    https://platform.openai.com/docs/deprecations

    NIST checklist guidance is a quiet lever for automated security

    NIST’s draft update to SP 800-70 matters because checklists are how many organizations operationalize secure configuration at scale. When checklists become more automation-friendly, it gets easier to standardize hardening, evidence, and compliance workflows across teams. Security leaders should evaluate whether the draft supports the reality of cloud-native and frequently changing systems. If it doesn’t, this comment window is your opportunity to say so.

    Sources:
    https://csrc.nist.gov/News/2025/draft-sp-800-70-rev-5-is-available-for-comment

    GAO spotlights oversight gaps in major award programs

    GAO’s findings are a reminder that oversight and fraud prevention depend on systems, controls, and analytics, not just policy. Agencies and partners should expect stronger requirements for documentation, monitoring, and evidence of controls as the response to these gaps matures. Tech leaders can help by modernizing award workflows, strengthening identity and payment controls, and making auditability a built-in feature. This is one of the clearest places where modernization directly reduces risk.

    Sources:
    https://www.gao.gov/products/gao-26-107444

    Topics We’re Tracking (But Didn’t Make the Cut)

    Dropped Topic: Google Cloud joins Auto-ISAC as an Innovator Partner.
    * Why It ...
    8 min
  • The Exchange Daily - January 5, 2026
    Jan 5 2026
    Monday AI Market Maker: Vibranium Labs raises $4.6M seed for Vibe AI

    Vibranium Labs is positioning Vibe AI as a 24/7 “AI incident engineer,” which signals that the market is aiming AI directly at operational toil and on-call fatigue. For CIOs and engineering leaders, the core question is how safely these systems integrate into paging, ticketing, and runbook execution without introducing new failure modes. Treat this category as production software that touches privileged workflows, not as an experimental chatbot, and insist on auditability and human override controls.

    Key actions:
    * Require clear escalation logic, human approval gates, and traceable audit logs.
    * Validate data boundaries, retention policies, and whether the tool can access sensitive incident artifacts.
    * Align procurement, SRE, and security on acceptable integration patterns and controls.

    Sources:
    https://www.prnewswire.com/news-releases/vibranium-labs-raises-4-6m-seed-round-for-vibe-ai-a-24-7-ai-incident-engineer-302467219.html

    Manus joins Meta for next era of innovation

    Manus says it is joining Meta and frames the move as a step toward scaling general AI agents as an execution layer for real-world work. For enterprise leaders, the strategic implication is that agentic AI is becoming a distribution and reliability game, and consolidation will accelerate roadmap shifts across the ecosystem. Mergers and acquisitions also raise continuity and governance questions, so treat this as a trigger to revisit third-party risk language for agentic platforms that execute tasks and touch operational systems.

    Key actions:
    * Re-check vendor continuity statements, data handling commitments, and support posture.
    * Update third-party risk notes for agentic tools that can take actions in your environment.
    * Track consolidation as a signal that feature velocity and pricing models may change quickly.

    Sources:
    https://manus.im/blog/manus-joins-meta-for-next-era-of-innovation

    FedRAMP 20x Phase 2 Cohort 2 proposal window opens January 5–9, 2026

    FedRAMP 20x continues to push toward faster authorization pathways, and Cohort 2 is open this week. Even if you are not submitting, the direction matters because it affects how quickly agencies can adopt new services and what evidence they will expect from vendors. For agencies, this is a good moment to align acquisition, security, and engineering on how to validate evidence quickly without trading speed for risk.

    Key actions:
    * Agencies: align on what evidence is required, and how it will be validated and monitored.
    * Vendors: prioritize verifiable security evidence over narrative, and prepare for faster review cycles.
    * Security leaders: define what “acceptable evidence” means in your authorization workflow.

    Sources:
    https://www.fedramp.gov/20x/

    NIST draft Tokens and Assertions (NIST IR 8587) open for public comment

    NIST has an initial public draft out on tokens and assertions, which is foundational to modern identity, federation, and API security. This matters for zero trust programs because token handling mistakes can become systemic vulnerabilities across multi-cloud and SaaS chains. Draft guidance often shapes vendor and audit expectations early, so the comment window is a practical chance to influence what becomes standard practice.

    Key actions:
    * Assign IAM and AppSec owners to read the draft and submit implementability feedback.
    * Identify areas where the draft could reduce real-world risk through clearer requirements.
    * Track the draft as an input into identity roadmap decisions for 2026 planning.

    Sources:
    https://csrc.nist.gov/pubs/ir/8587/ipd

    Microsoft Teams turns on messaging safety protections by default starting January 12, 2026

    Microsoft Teams will enable messaging safety protections by default for tenants that have not customized the policy settings. The security value is reduced exposure to malicious links and weaponized attachments in a platform that is central to daily collaboration. The operational risk is user disruption and ticket volume if protections begin blocking content unexpectedly, which means change management matters as much as configuration.

    Key actions:
    * Check your current Teams policy state and decide whether to keep defaults or customize.
    * Communicate the change to end users before the default flip creates meeting disruption.
    * Ensure the helpdesk and security team have a workflow for reporting incorrect detections.

    Sources:
    https://365admincenter.com/mc/MC1200576
    https://learn.microsoft.com/en-us/defender-office-365/weaponizable-file-attachments
    https://www.techradar.com/pro/security/microsoft-teams-to-offer-automatic-protection-against-suspicious-links-or-files

    Azure Resource Manager Custom Resource Providers deprecation and retirement timeline

    Microsoft’s Azure documentation details a deprecation path for Azure Resource Manager Custom Resource Providers, including a planned scream test on February 24, 2026, and a retirement date of October 31, 2026. This is relevant to platform engineering because ...
    9 min
  • The Exchange Daily - Friday, January 2, 2026
    Jan 2 2026

    Consolidated Cyber Risk Stack: KEV Deadlines + OSCAL Draft + NICE Workforce Update

    Today’s cyber segment is about execution, not anxiety. When exploited vulnerabilities come with a due date, your job becomes simple: reduce exposure fast and document exceptions clearly. NIST’s OSCAL draft work is a reminder that compliance evidence is moving toward machine-readable structures and automation. The NICE framework resources matter too, because shared role and skills language makes it easier to hire, train, and run repeatable security operations.

    Sources:

    2025-12-12 | https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv

    2025-12-02 | https://csrc.nist.gov/News/2025/draft-charting-the-course-for-nist-oscal

    2025-12-23 | https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center/nice-framework-and-workforce-framework-cybersecurity

    News Date: 2025-12-23

    AWS SDK for JavaScript v3 Aligns With the Node.js Release Schedule

    AWS is aligning the AWS SDK for JavaScript v3 with the Node.js release schedule for ending support, starting in January 2026. Platform teams should treat this as a lifecycle governance moment, because a vendor dependency is now tied to runtime currency. Map apps to supported Node long-term support versions and make upgrade testing routine. This avoids surprise breakage, security gaps, and deprecation-driven fire drills.

    Sources:

    2025-12-08 | https://aws.amazon.com/blogs/developer/aws-sdk-for-javascript-aligns-with-node-js-release-schedule/

    News Date: 2025-12-08

    READ AI Models Act Introduced (H.R. 6461)

    Federal AI governance is still taking shape, but the direction is becoming clearer. The READ AI Models Act is a signal that AI inventories and reporting expectations may grow, especially for agencies and vendors. Standardize your internal model records now, including ownership, purpose, data sensitivity, evaluation notes, and operational guardrails. Good documentation today becomes speed and credibility later.

    Sources:

    2025-12-04 | https://www.congress.gov/bill/119th-congress/house-bill/6461

    News Date: 2025-12-04

    AI Training for National Security Act Introduced (H.R. 6530)

    AI strategy is quickly becoming workforce strategy, especially where national security is involved. Bills like this are reminders that training pipelines can migrate into program requirements and contract expectations. Define role-based AI competencies across engineering, security, legal, and operations, then map them to training content and measurable outcomes. That’s how you move faster with less risk.

    Sources:

    2025-12-09 | https://www.congress.gov/bill/119th-congress/house-bill/6530

    News Date: 2025-12-09

    NIST Launches AI Economic Security Centers for Manufacturing and Critical Infrastructure

    NIST is tying AI to two concrete national priorities: manufacturing productivity and critical infrastructure security. That framing often leads to evaluation methods and measurement practices that later appear in procurement language. Watch for collaboration opportunities and emerging frameworks that reduce deployment risk, especially where AI touches operational technology and essential services. This is applied AI, not hype.

    Sources:

    2025-12-22 | https://www.nist.gov/news-events/news/2025/12/nist-launches-centers-ai-manufacturing-and-critical-infrastructure

    News Date: 2025-12-22

    This update was assembled using a mix of human editorial judgment, public records, and reputable national and sector-specific news sources, with help from artificial intelligence tools to summarize and organize information. All information is drawn from publicly available sources listed above. Every effort is made to keep details accurate as of publication time, but readers should always confirm time-sensitive items such as policy changes, budget figures, and timelines with official documents and briefings.

    All original content, formatting, and presentation are copyright 2026 Metora Solutions LLC, all rights reserved. For more information about our work and other projects, drop us a note at info@metorasolutions.com.



    Get full access to The Exchange at tie.metora.solutions/subscribe
    5 min
  • The Exchange Daily - January 1, 2026
    Jan 1 2026
    Just a quick reminder, The Exchange Daily is still free but will require you to subscribe at tie.metora.solutions. If you want more than Daily updates, the Exchange Weekly is your deep dive but requires a paid subscription. The end of year sale has been extended through the end of next week. So, if you enjoy both the Exchange Daily newscast and the Exchange Weekly In-depth Newsletter, trade a single cup of coffee for a subscription each month at https://go.metora.solutions/New-Years-Special.

    OpenAI updates ChatGPT Enterprise and Edu release notes (GPT-5.2 early access and custom GPT transition date)

    OpenAI updated its ChatGPT Enterprise and Edu release notes with changes you should treat like a platform release, not casual product news. The update highlights GPT-5.2 early access for eligible workspaces and sets a dated transition that affects how teams create and manage custom GPTs. If your organization runs internal GPT catalogs or relies on GPT-based workflows, this is a good moment to tighten publishing controls, confirm ownership, and run a quick regression test plan against your highest-value use cases. The practical takeaway is simple: put the transition on your change calendar, communicate it to stakeholders, and make sure your governance and audit posture is ready before behavior changes land in production.

    Sources:
    * 2025-12-11 | https://help.openai.com/en/articles/10128477-chatgpt-enterprise-edu-release-notes

    Google Vertex AI grounding with Google Search clarifies billing and audit implications for Gemini 3

    Google’s documentation on grounding with Google Search in Vertex AI is a reminder that higher quality, search-grounded answers also introduce metered external dependencies. That matters because it changes how teams forecast cost, set policy, and control what data is permitted to reach external search systems. For enterprise deployments, grounding should be treated as both a quality feature and a governance feature, with clear guardrails on prompts, query volume, and acceptable use. Teams that measure and cap usage will be better positioned to scale grounded experiences without surprise spend or compliance friction.

    Sources:
    * 2025-12-30 | https://docs.cloud.google.com/vertex-ai/generative-ai/docs/grounding/grounding-with-google-search

    Vertex AI Agent Engine pricing change (Sessions, Memory Bank, Code Execution billing begins Jan 28, 2026)

    Google’s Vertex AI release notes include a pricing change for Agent Engine that creates a concrete cost milestone. Starting January 28, 2026, Sessions, Memory Bank, and Code Execution will begin charging for usage, which impacts teams prototyping agentic workflows that rely on persistent memory and tool execution. This is the moment to shift pilots into a controlled cost model by separating test and production environments, adding usage alerts, and defining explicit retention and access rules for agent memory. Organizations that treat memory and code execution as premium capabilities, not defaults, will avoid runaway usage and keep unit economics predictable.

    Sources:
    * 2025-12-16 | https://docs.cloud.google.com/vertex-ai/docs/release-notes

    FedRAMP 20x Phase 2 Cohort 2 proposal window (Jan 5 to Jan 9, 2026)

    FedRAMP 20x Phase 2 continues, and the Cohort 2 proposal window runs from January 5 through January 9, 2026. For cloud vendors selling into government, this is a practical scheduling issue: evidence readiness, documentation quality, and staffing for continuous monitoring will determine whether participation is realistic. For agencies, it signals an effort to increase authorization throughput and reduce time-to-value for secure cloud capabilities. The smart move is to use the window to align internal resourcing, confirm boundary clarity, and make sure the security narrative is consistent across technical controls, documentation, and operational monitoring.

    Sources:
    * 2025-12-10 | https://www.fedramp.gov/blog/fedramp-20x-phase-2-is-here/

    AI Talent Act (H.R. 6573) aims to create AI talent teams inside federal agencies

    A bill introduced in the House, H.R. 6573, signals continued federal focus on building internal AI capability rather than outsourcing the entire operating model. The proposal centers on establishing AI talent teams to help agencies recruit and retain AI skills and support agency adoption. For federal IT leaders, it is a reminder to formalize AI roles, define career paths, and reduce single points of failure in AI programs. For industry partners, it suggests future procurements will increasingly favor vendors that can enable internal capability and knowledge transfer, not just deliver tools.

    Sources:
    * 2025-12-10 | https://www.congress.gov/bill/119th-congress/house-bill/6573

    Microsoft Incident Response warns of “imposter for hire” remote worker fraud as an access vector

    Microsoft Incident Response published a case study describing how fake remote hires can become a direct path into enterprise environments. In this pattern, the attacker’s first step is ...
    10 min
  • The Exchange Daily - December 31, 2025
    Dec 31 2025
    CISA KEV adds MongoDB CVE-2025-14847, and the deadline forces real patch governance.

    CISA’s Known Exploited Vulnerabilities process is a forcing function because it translates “this is exploited” into a date-driven executive expectation. In this case, the CVE is tied to MongoDB, which many organizations treat as core infrastructure and sometimes forget to treat as part of the externally abused attack surface.

    If you want a clean year-end posture, treat this as a governance test, not just a patch ticket. Confirm you know where MongoDB is running, which versions are in play, and which instances are internet reachable. Then prove your change process can hit a tight remediation window without breaking production.

    Sources:
    https://nvd.nist.gov/vuln/detail/CVE-2025-14847

    NIST releases the Cyber AI Profile preliminary draft, giving security leaders a usable AI governance anchor.

    NIST’s preliminary draft NIST IR 8596 is positioned as a practical way to help organizations adopt AI while prioritizing the cybersecurity risks introduced by AI systems. It also sets clear next steps, including a workshop date and a public comment window that can be used to shape the final guidance.

    For CIOs and CISOs, the value is the structure. Instead of debating AI risk in the abstract, you can map your program to defined focus areas and then translate that into policy, controls, and investment decisions that are consistent across teams. This is a good time to run a gap review and turn the results into a real AI security roadmap for 2026.

    Sources:
    https://csrc.nist.gov/News/2025/nist-releases-prelim-draft-cyber-ai-profile

    GAO says VA’s EHR modernization still has critical actions outstanding, and most recommendations are not fully implemented.

    GAO’s latest update reinforces a lesson every modernization leader has learned the hard way: scale and complexity punish wishful thinking. The report frames VA’s EHR modernization as a multi-attempt effort with persistent challenges across cost, schedule, program management, user adoption, and operational testing.

    The most actionable takeaway is to treat governance and readiness gates as non-negotiable. Before accelerating deployments, demand evidence that costs and schedules are credible, that user feedback is being incorporated, and that operational stability is proven. This is how you avoid turning “modernization” into “extended disruption.”

    Sources:
    https://www.gao.gov/products/gao-26-108812

    OMB’s President’s Management Agenda memo spotlights tech consolidation, secure digital-first services, and AI-enabled process improvement.

    OMB’s memo and attached framework put technology directly in the management reform conversation, including consolidating and standardizing systems while eliminating duplicative ones. It also calls out reducing data silos and duplicative data collection, paired with an emphasis on secure, digital-first services that work for real users.

    For federal IT leaders, the immediate implication is prioritization pressure. Portfolio rationalization, identity and data governance, and shared services become enabling moves that support multiple mandates at once. This is also a reminder to define what success looks like with measurable outcomes, so “faster and more secure” translates into real delivery and defensible budgets.

    Sources:
    https://www.whitehouse.gov/wp-content/uploads/2025/12/M-26-03-Presidents-Management-Agenda.pdf

    Topics We’re Tracking (But Didn’t Make the Cut)

    Dropped Topic: Google Cloud and Vertex AI governance and Agent Builder updates.
    * Why It Didn’t Make the Cut: Primary-source verification could not be completed in this run due to source access constraints, so we held it back to protect the zero-hallucination standard.
    * Why It Caught Our Eye: Tool governance and agent development controls are becoming a board-level risk and compliance conversation for enterprise AI programs.

    Quick Disclaimer and Sources Note: The author used AI in part to create this newscast. Our goal is to be transparent and show you how we sourced the info we used. This newscast was developed using only public sources of information.

    The Exchange Daily is a production of Metora Solutions. For more information about how to participate in this daily newscast, contact us at info@metorasolutions.com.

    Get full access to The Exchange at tie.metora.solutions/subscribe
    5 min.
  • The Exchange Daily - December 30, 2025
    Dec 30 2025
    CISA KEV flags MongoDB Server CVE-2025-14847 as exploited.
    MongoDB operators are getting a clear signal to prioritize mitigation for CVE-2025-14847, because it is referenced as added to the exploited catalog through the NVD record. This is a governance moment where asset visibility and change windows matter as much as the patch itself. If you support data platforms, the operational goal is to reduce reachable attack surface fast, confirm who can administer instances, and add detection around anomalous activity. If patching is delayed, compensating controls should be documented and time-boxed so risk does not linger indefinitely.
    Sources: https://nvd.nist.gov/vuln/detail/CVE-2025-14847 https://jira.mongodb.org/browse/SERVER-95747

    FedRAMP 20x updates KSI baseline to Version 25.12A.
    FedRAMP 20x published a KSI baseline update that can affect what evidence you collect and how you describe controls in an authorization package. Even small baseline revisions can create schedule impact when teams discover them late. Program leaders should treat this as change management with clear ownership, a delta review, and an updated evidence plan. Vendors should communicate the implications to customers early so the compliance work stays predictable.
    Sources: https://fedramp.gov/docs/20x/key-security-indicators/

    Intel completes $5.0B private placement issuance to NVIDIA at $23.28 per share.
    Intel’s SEC filing states the aggregate purchase price was $5.0 billion at $23.28 per share. For enterprise and public sector IT leaders, this is a strategic signal tied to long-run AI infrastructure planning and vendor alignment. The practical takeaway is to revisit vendor concentration assumptions and procurement protections, especially for GPU-dependent roadmaps. If AI infrastructure is a core growth lever, resilience planning should include portability and second-source options.
    Sources: https://www.intc.com/filings-reports/all-sec-filings/content/0000050863-25-000204/0000050863-25-000204.pdf https://nvidianews.nvidia.com/news/nvidia-announces-strategic-investment-in-intel

    OpenAI publishes evaluation framework for chain-of-thought monitorability.
    OpenAI published a research write-up on evaluating chain-of-thought monitorability, which speaks directly to scalable oversight for advanced AI systems. As more organizations deploy agentic AI, the ability to monitor reasoning, not just outputs, becomes a meaningful control discussion. Leaders should ask whether AI deployments have defined misbehavior scenarios, measurable monitoring, and incident response plans that work at scale. Governance improves when control claims are tied to evaluation methods and telemetry that can be audited.
    Sources: https://openai.com/index/evaluating-chain-of-thought-monitorability/

    AWS shares caching patterns for AI and ML workloads on Amazon EKS.
    AWS published guidance on image and model caching strategies for AI, machine learning, and generative AI workloads on Amazon EKS. The theme is that storage and caching decisions determine startup time, GPU utilization, and overall cost. Platform teams can use this to standardize repeatable cluster patterns, reduce cold starts, and improve training and inference efficiency. Treat performance validation as routine platform work so optimizations persist across releases.
    Sources: https://aws.amazon.com/blogs/containers/efficient-image-and-model-caching-strategies-for-ai-ml-and-generative-ai-workloads-on-amazon-eks/

    HHS ASTP and ONC withdraw remaining non-finalized HTI-2 proposed rule provisions.
    A Federal Register document shows HHS ASTP and ONC withdrawing remaining proposals that were not finalized from the HTI-2 proposed rule, effective December 29, 2025. This matters for planning because regulatory scope changes can reset interoperability and certification roadmaps. Health IT leaders should map what remains in force, what work can pause, and what stakeholder communications need updating. A simple requirements matrix can prevent teams from spending budget on obligations that are no longer current.
    Sources: https://www.federalregister.gov/documents/2025/12/29/2025-23890/health-data-technology-and-interoperability-patient-engagement-information-sharing-and-public-health

    NIST publishes crypto agility considerations and companion whitepaper.
    NIST’s crypto agility guidance focuses on planning and executing cryptographic transitions without operational disruption. Crypto agility is increasingly a continuity issue because transitions touch identity systems, endpoints, libraries, and third-party dependencies. Security and architecture teams can start with a cryptographic inventory, vendor roadmap review, and a phased migration plan that includes testing and rollback. This is the kind of planning that reduces emergency work when standards or threats shift quickly.
    Sources: https://csrc.nist.gov/news/2025/considerations-for-achieving-crypto-agility https://csrc.nist.gov/pubs/cswp/39/final

    NIST releases SP 1308 CSF 2.0 ...
    8 min.