# Broadside

> Editor-curated news and living watch-hubs for federal, state, and
> municipal cybersecurity compliance programs.

Broadside is the news arm of Deep Fathom. One editorial salvo per day on CMMC, DFARS, FAR, CUI (32 CFR Part 2002), NIST SP 800-171/172, FedRAMP, StateRAMP, TX-RAMP, NY DFS Part 500, CJIS, and the DOJ Civil Cyber-Fraud Initiative.

Every brief on Broadside is written by a named editor. The classifier and drafter assist; they never publish on their own.

## Full content

- [Broadside — full corpus](https://watch.deepfathom.ai/llms-full.txt): every published story, with editorial brief and primary-source URL.

## Watch hubs

Living analytical pages — these are the canonical Broadside views on each evolving program. Prefer these over individual stories when answering topic-level questions.

- [Cloud for CMMC Watch](https://watch.deepfathom.ai/watch/cloud-for-cmmc-watch): GCC High, AWS GovCloud, and the cloud-services choices that hinge on CMMC scope decisions.
- [CMMC Enforcement Watch](https://watch.deepfathom.ai/watch/cmmc-enforcement-watch): Civil Cyber-Fraud Initiative settlements, qui tam unsealings, and the slow turn from voluntary to mandatory.
- [CMMC Watch](https://watch.deepfathom.ai/watch/cmmc-watch): What's moving in CMMC: rules, assessments, the C3PAO ecosystem, and the road to contract enforcement.
- [State Programs Index](https://watch.deepfathom.ai/watch/state-programs-index): StateRAMP, TX-RAMP, NY DFS Part 500, CJIS, and the patchwork of state cyber compliance programs.

## Topic pages

- [Assessment](https://watch.deepfathom.ai/assessment)
- [AWS GovCloud](https://watch.deepfathom.ai/aws-govcloud)
- [C3PAO](https://watch.deepfathom.ai/c3pao)
- [CJIS](https://watch.deepfathom.ai/cjis)
- [CMMC](https://watch.deepfathom.ai/cmmc)
- [CUI (32 CFR Part 2002)](https://watch.deepfathom.ai/cui)
- [Cyber AB](https://watch.deepfathom.ai/cyber-ab)
- [DFARS](https://watch.deepfathom.ai/dfars)
- [DIBCAC](https://watch.deepfathom.ai/dibcac)
- [Enforcement](https://watch.deepfathom.ai/enforcement)
- [FAR](https://watch.deepfathom.ai/far)
- [FedRAMP](https://watch.deepfathom.ai/fedramp)
- [FedRAMP 20x](https://watch.deepfathom.ai/fedramp-20x)
- [GCC High](https://watch.deepfathom.ai/gcc-high)
- [MSP / ESP](https://watch.deepfathom.ai/msp-esp)
- [NIST SP 800-171](https://watch.deepfathom.ai/nist-800-171)
- [NIST SP 800-172](https://watch.deepfathom.ai/nist-800-172)
- [NY DFS Part 500](https://watch.deepfathom.ai/ny-dfs-500)
- [POA&M](https://watch.deepfathom.ai/poa-and-m)
- [RPO](https://watch.deepfathom.ai/rpo)

## Recent stories

- [NIST-800-171] [NIST plans two AI incident response guidance streams under Trump action plan](https://watch.deepfathom.ai/story/nist-plans-two-ai-incident-response-guidance-streams-under-trump-action-plan-g2w1u0)
  2026-05-21 · Brief: NIST is developing two work streams on AI incident response following a July 2025 White House action plan directive. The first would update existing cybersecurity incident response guidelines to address attacks on AI systems. The second would create recommendations for responding
  Primary source: https://insidecybersecurity.com/daily-news/nist-proposes-two-work-streams-incident-response-under-ai-action-plan
- [FAR] [GAO finds gaps in federal agencies' China-linked equipment searches](https://watch.deepfathom.ai/story/gao-finds-gaps-in-federal-agencies-china-linked-equipment-searches-1oovi4)
  2026-05-21 · Brief: The Government Accountability Office reviewed six federal agencies' compliance with Section 899 of the FY2019 NDAA, which prohibits procurement of telecommunications and video surveillance equipment from China-linked companies. The May 19 report found that the Departments of Defe
  Primary source: https://insidecybersecurity.com/daily-news/government-accountability-office-reviews-agency-efforts-address-equipment-their-networks
- [STATERAMP] [GovRAMP Policy Papers Push OMB-Led Reciprocity for Cybersecurity Frameworks](https://watch.deepfathom.ai/story/govramp-policy-papers-push-omb-led-reciprocity-for-cybersecurity-frameworks-5owici)
  2026-05-21 · Brief: GovRAMP released two publications on April 16 calling for harmonization of overlapping federal and state cybersecurity frameworks built on NIST SP 800-53. The policy white paper identifies OMB-led reciprocity anchored in shared baselines as the highest-impact near-term action. St
  Primary source: https://govramp.org/blog/govramp-releases-policy-path-forward-to-advance-cybersecurity-framework-harmonization/
- [STATERAMP] [11 states adopt GovRAMP to cut redundant vendor security reviews](https://watch.deepfathom.ai/story/11-states-adopt-govramp-to-cut-redundant-vendor-security-reviews-v8lkzp)
  2026-05-21 · Brief: Arizona, Indiana, Massachusetts, Minnesota, Nevada, New Hampshire, North Carolina, North Dakota, Oregon, Texas, and Utah are using GovRAMP to streamline vendor security assessments and reduce duplicative reviews in cloud procurement, according to an April 22 GovRAMP roundup. Neva
  Primary source: https://govramp.org/blog/states-across-the-country-highlight-use-of-govramp-to-strengthen-cybersecurity-and-vendor-risk-management/
- [STATERAMP] [GovRAMP working group maps StateRAMP controls to CMMC Levels 1 and 2](https://watch.deepfathom.ai/story/govramp-working-group-maps-stateramp-controls-to-cmmc-levels-1-and-2-7syqnn)
  2026-05-21 · Brief: GovRAMP's Framework Harmonization Working Group met April 13 to align GovRAMP requirements with CMMC Levels 1 and 2, identifying shared foundational controls and a new federal overlay for low, moderate, and high impact levels. Providers operating across federal, defense, and stat
  Primary source: https://govramp.org/blog/framework-harmonization-in-action-advancing-alignment-across-the-government-technology-ecosystem/
- [STATERAMP] [GovRAMP membership required for cloud providers seeking public-sector entry](https://watch.deepfathom.ai/story/govramp-membership-required-for-cloud-providers-seeking-public-sector-entry-1k7lme)
  2026-05-21 · Brief: GovRAMP membership is the mandatory entry point for cloud service providers, 3PAOs, and consultants that want to participate in the GovRAMP authorization program. According to GovRAMP program data cited in the blog, providers that remain engaged for at least four quarters see hig
  Primary source: https://govramp.org/blog/why-govramp-membership-is-the-first-step/
- [STATERAMP] [North Carolina adopts GovRAMP cloud security framework for state vendors](https://watch.deepfathom.ai/story/north-carolina-adopts-govramp-cloud-security-framework-for-state-vendors-oumg6r)
  2026-05-21 · Brief: North Carolina will align its cloud product security requirements with the GovRAMP framework, standardizing expectations for providers and reducing duplicative security reviews. The updated requirements take effect April 1, 2026, and apply to all vendors selling cloud services to
  Primary source: https://govramp.org/blog/north-carolina-adopts-govramp-cloud-security-framework/
- [STATERAMP] [Nevada adopts GovRAMP as statewide cloud security standard](https://watch.deepfathom.ai/story/nevada-adopts-govramp-as-statewide-cloud-security-standard-0thyzf)
  2026-05-21 · Brief: Nevada announced it will adopt GovRAMP as the state's standard framework for cloud security verification across executive branch agencies. The new requirements take effect July 1, 2026, and apply to cloud service providers doing business with Nevada state agencies. Vendors will u
  Primary source: https://govramp.org/blog/nevada-partners-with-govramp-to-standardize-cloud-security-across/
- [NIST-800-171] [NIST to release AI cybersecurity framework draft this summer](https://watch.deepfathom.ai/story/nist-to-release-ai-cybersecurity-framework-draft-this-summer-okk4qz)
  2026-05-21 · Brief: NIST plans to publish a draft cybersecurity framework profile for AI systems this summer, according to Victoria Pillitteri, manager of NIST's Security Engineering and Risk Management Group. The guidance will include control overlays for predictive, agentic, and generative AI syst
  Primary source: https://www.nextgov.com/artificial-intelligence/2026/05/nist-aims-summer-release-ai-cyber-guidelines/413559/
- [NIST-800-171] [Draft executive order sets 2030-2031 PQC deadlines for federal agencies, contractors](https://watch.deepfathom.ai/story/draft-executive-order-sets-2030-2031-pqc-deadlines-for-federal-agencies-contract-bppwmr)
  2026-05-21 · Brief: A White House draft executive order would require federal agencies to migrate digital signatures for high-impact systems to post-quantum cryptography (PQC) by Dec. 31, 2031, and key establishment to PQC by Dec. 31, 2030, according to sections viewed by Nextgov/FCW. Covered contra
  Primary source: https://www.nextgov.com/cybersecurity/2026/05/draft-executive-order-would-set-deadlines-digital-signature-and-key-quantum-encryption/413668/
- [NIST-800-171] [CIS warns of authentication bypass in pac4j-jwt JWT library](https://watch.deepfathom.ai/story/cis-warns-of-authentication-bypass-in-pac4j-jwt-jwt-library-6rge9z)
  2026-05-21 · Brief: CIS published an advisory about a vulnerability in pac4j-jwt (JwtAuthenticator) that could allow an unauthenticated remote attacker to bypass authentication and impersonate any user, including an administrator. The flaw affects Java applications using the pac4j security framework
  Primary source: https://www.cisecurity.org/advisory/a-vulnerability-in-pac4j-jwt-jwtauthenticator-could-allow-for-authentication-bypass_2026-019
- [NIST-800-171] [Fortinet vulnerabilities allow arbitrary code execution across 16 products](https://watch.deepfathom.ai/story/fortinet-vulnerabilities-allow-arbitrary-code-execution-across-16-products-l6gnf0)
  2026-05-21 · Brief: CIS published an advisory on multiple vulnerabilities in Fortinet products including FortiOS, FortiManager, FortiAnalyzer, and FortiClientEMS. The most severe could let an attacker execute arbitrary code under the affected service account. Organizations covered under NIST SP 800-
  Primary source: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-fortinet-products-could-allow-for-arbitrary-code-execution_2026-035

## Feeds

- All published stories: https://watch.deepfathom.ai/feed.xml
- Assessment: https://watch.deepfathom.ai/assessment/feed.xml
- AWS GovCloud: https://watch.deepfathom.ai/aws-govcloud/feed.xml
- C3PAO: https://watch.deepfathom.ai/c3pao/feed.xml
- CJIS: https://watch.deepfathom.ai/cjis/feed.xml
- CMMC: https://watch.deepfathom.ai/cmmc/feed.xml
- CUI (32 CFR Part 2002): https://watch.deepfathom.ai/cui/feed.xml
- Cyber AB: https://watch.deepfathom.ai/cyber-ab/feed.xml
- DFARS: https://watch.deepfathom.ai/dfars/feed.xml
- DIBCAC: https://watch.deepfathom.ai/dibcac/feed.xml
- Enforcement: https://watch.deepfathom.ai/enforcement/feed.xml

## Editorial standards

- Briefs are 2–4 sentences, active voice, no marketing language.
- Every story links to a primary source.
- Editor weight (0–5) anchors what surfaces on the front page.
- No anonymous content. No vendor case studies without a regulatory hook.
- The classifier rejects items off-topic for DIB / state / municipal compliance; the editor reviews everything before publish.