North Carolina will align its cloud product security requirements with the GovRAMP framework, standardizing expectations for providers and reducing duplicative security reviews. The updated requirements take effect April 1, 2026, and apply to all vendors selling cloud services to state agencies. GovRAMP and North Carolina plan educational webinars for providers ahead of the effective date.
A White House draft executive order would require federal agencies to migrate digital signatures for high-impact systems to post-quantum cryptography (PQC) by Dec. 31, 2031, and key establishment to PQC by Dec. 31, 2030, according to sections viewed by Nextgov/FCW. Covered contractors working with federal agencies face a 2030 deadline to comply with NIST-developed PQC standards. National security systems are excluded from the mandate. The order is expected to be released as soon as this week, a source told Nextgov/FCW.
Nevada announced it will adopt GovRAMP as the state's standard framework for cloud security verification across executive branch agencies. The new requirements take effect July 1, 2026, and apply to cloud service providers doing business with Nevada state agencies. Vendors will undergo independent assessment and continuous monitoring through GovRAMP rather than duplicative reviews by individual agencies. GovRAMP and Nevada plan to host webinars ahead of the effective date to walk vendors through the updated requirements.
The Government Accountability Office reviewed six federal agencies' compliance with Section 899 of the FY2019 NDAA, which prohibits procurement of telecommunications and video surveillance equipment from China-linked companies. The May 19 report found that the Departments of Defense and Energy each identified covered devices in recent searches, while DHS, DOJ, State, and Treasury reported none. GAO flagged that each search method (IT network scans, procurement record reviews, physical searches) has limitations, and agencies reported difficulties including limited supply-chain visibility and lack of authoritative subsidiary data.
NIST plans to publish a draft cybersecurity framework profile for AI systems this summer, according to Victoria Pillitteri, manager of NIST's Security Engineering and Risk Management Group. The guidance will include control overlays for predictive, agentic, and generative AI systems, with the predictive AI overlay arriving this summer and agentic guidance due in late summer to early fall. NIST aims to finalize all guidance by 2027. Organizations adopting AI should track the draft for baseline cybersecurity controls that may affect vendor and supply chain security requirements.
CIS published an advisory on multiple vulnerabilities in Fortinet products including FortiOS, FortiManager, FortiAnalyzer, and FortiClientEMS. The most severe could let an attacker execute arbitrary code in the context of the affected service account. Organizations covered under NIST SP 800-171 and 800-172 that use these products should apply patches and confirm that affected systems remain in compliance with security control requirements. CIS did not publish a specific CVE list or patch timeline in this advisory; further review of Fortinet security bulletins is advised.
GovRAMP released two publications on April 16 calling for harmonization of overlapping federal and state cybersecurity frameworks built on NIST SP 800-53. The policy white paper identifies OMB-led reciprocity anchored in shared baselines as the highest-impact near-term action. State, local, tribal, and territorial governments are most affected by duplicated compliance efforts and delayed procurement. No rulemaking is proposed; the publications are recommendations intended to support coordinated execution under existing authority.
NIST is developing two work streams on AI incident response following a July 2025 White House action plan directive. The first would update existing cybersecurity incident response guidelines to address attacks on AI systems. The second would create recommendations for responding to harms caused by AI systems, including misuse and malfunction. NIST sought feedback at a May 14 workshop and plans to scope the work to the most severe harms, affecting organizations that deploy AI systems and their users.
Arizona, Indiana, Massachusetts, Minnesota, Nevada, New Hampshire, North Carolina, North Dakota, Oregon, Texas, and Utah are using GovRAMP to streamline vendor security assessments and reduce duplicative reviews in cloud procurement, according to an April 22 GovRAMP roundup. Nevada will require GovRAMP-based vendor security evaluations beginning July 1, 2026. The program gives state CIOs and CISOs a single, nationally aligned framework for third-party risk management, replacing state-specific assessment programs such as Arizona's AZRAMP.