Novaprospect

Blog

Perspectives on AI governance, FedRAMP compliance, and building regulated-grade engineering infrastructure.

50 posts

FedRAMPConMonCISAGRC

The Light Switch Is on the KEV List: CVE-2023-4346 and Whether Your Building Is in the Boundary

On July 15 CISA added CVE-2023-4346 โ€” an overly restrictive account-lockout flaw in the KNX building-automation protocol โ€” to the KEV catalog, with a federal remediation deadline of July 29. An attacker can lock legitimate operators out of KNX devices by setting a BCU key. It's not a server, it's not an app: it's the protocol that runs the lights, HVAC, and door controllers. Which makes it the cleanest test yet of the question a KEV clock asks first โ€” is this even inside your authorization boundary?

Read post โ†’
FedRAMPConMonCISACompliance

The Security Appliance Nobody Drew on the Diagram: FortiSandbox CVE-2026-39808

CISA added CVE-2026-39808 โ€” an unauthenticated OS command injection in Fortinet FortiSandbox โ€” to the KEV catalog on July 16, with a federal remediation deadline of July 19. Three days. And the awkward question it forces isn't 'can we patch it,' it's 'is this box even inside the authorization boundary we drew?' Security appliances have a way of living just off the edge of the diagram.

Read post โ†’
FedRAMPConMonCISAVulnerability Management

No Login Required: CVE-2026-56164 and Whether That SharePoint Farm Is Even Inside Your Boundary

Two weeks after the last SharePoint KEV item, CISA added another one โ€” CVE-2026-56164, a missing-authentication flaw in on-premises SharePoint Server that lets an unauthenticated attacker elevate privileges over the network. The federal deadline is today. Two things make this one worth a post: it drops the authentication requirement the July 2 bug still needed, and its severity graders can't agree โ€” NVD calls it 9.8, Microsoft calls it 5.3. Both of those roads lead to the same first question: is that farm even inside your authorization boundary, and can you answer before the clock runs out?

Read post โ†’
AI SecurityFedRAMPConMonCISA

Langflow Is Back on the KEV โ€” and This Time It's the Wall Between Tenants: CVE-2026-55255

CISA added CVE-2026-55255 โ€” an authorization-bypass flaw in Langflow, the open-source AI agent builder โ€” to the KEV catalog on July 7, with a federal remediation deadline of July 10. Six weeks after the last Langflow KEV item, the actively-exploited thing is Langflow again. But this one isn't remote code execution. It's an authenticated user reaching into another user's flows, which means the thing that broke is the wall between tenants.

Read post โ†’
FedRAMPComplianceGRC

The Doors Open Today: 20x Marketplace Listings, and Three Weeks to Say Goodbye to FedRAMP Ready

On June 25 FedRAMP launched the Consolidated Rules for 2026, and with them a transition calendar that stops being a projection today: July 6 is the day Marketplace listings open for the 20x initial implementation stage. FedRAMP Ready goes Legacy on July 28, the Class A pipeline opens August 3, Classes B and C on August 31 โ€” and every existing Rev5 system is on the clock to adopt the new rules by January 1, 2027. Here's the whole ladder, and what each rung actually asks of you.

Read post โ†’
FedRAMPConMonCISAVulnerability Management

"Exploitation Less Likely": CVE-2026-45659 and the Advisory Field That Isn't a Promise

On July 1 CISA added CVE-2026-45659 โ€” a deserialization RCE in on-premises SharePoint Server โ€” to the KEV catalog with a federal deadline of July 4. Microsoft patched it back in late May and rated it 'Exploitation Less Likely.' Five weeks later it's being exploited in the wild, with a three-day clock attached. That gap between the advisory's probability field and the catalog's certainty is the whole post: it's the empirical case for FedRAMP's 'assume it's automatable' rule, playing out in real time.

Read post โ†’
CryptographyFedRAMPCISACompliance

A Deadline in 2030 That Starts in 2026: The Post-Quantum EO and the Crypto Nobody Inventoried

On June 22 the White House signed an executive order putting hard federal dates on the move to post-quantum cryptography โ€” encryption by 2030, authentication by 2031 โ€” and pulling contractors onto the same clock through the FAR. The deadline reads like it's years away. It isn't, for two reasons: adversaries are collecting encrypted data now to decrypt later, and you can't migrate cryptography you've never inventoried. The order's quietest provision โ€” a cryptographic bill of materials โ€” is the part we want to dwell on.

Read post โ†’
AI GovernanceFedRAMPComplianceGRC

When the AI Itself Is the Thing That Isn't on the List: M-25-21 and High-Impact AI

We've written a lot about securing the agent โ€” its identity, its blast radius, its egress. There's a governance layer sitting above all of that, and for federal AI it now has teeth: OMB's M-25-21 requires every agency to name a Chief AI Officer, publish a use-case inventory, and apply minimum risk-management practices to any system it designates high-impact. As of April, 56 agencies had reported 3,611 AI use cases โ€” 445 of them high-impact. The hard part isn't the practices. It's having an honest list in the first place.

Read post โ†’
FedRAMPConMonCISAVulnerability Management

From "What's the Score?" to "Assume It's Automatable": BOD 26-04 and FedRAMP's Answer

CISA's BOD 26-04 retires the CVSS-sort-and-march approach to patching in favor of four risk questions โ€” is it exposed, is it automatable, does it grant control, is it being exploited โ€” and a set of urgency tiers from three days to fix-on-upgrade. FedRAMP's NTC-0014 aligns to it and then goes one step further with a rule we keep thinking about: assume every exploit is automatable unless you can prove otherwise.

Read post โ†’
AI SecurityFedRAMPConMonCISA

Three Bugs That Want to Be One: The UniFi OS KEV Chain and the Gear Nobody Scoped

On June 23 CISA added three Ubiquiti UniFi OS flaws to the KEV catalog โ€” an access-control bypass that's already being exploited, a path traversal, and a command injection. Read separately they're a mixed bag. Read the way an attacker reads them, they're a staircase from network access to running commands on the box. And the box is usually the network fabric nobody put inside the boundary.

Read post โ†’
AI SecurityFedRAMPConMonCISA

When the KEV Item Is the Gateway In Front of Your Models: CVE-2026-42271 and LiteLLM

CISA added CVE-2026-42271 โ€” a command-injection bug in LiteLLM, the open-source AI gateway teams put in front of their models โ€” to the KEV catalog on June 8, with a federal remediation deadline of June 22. The injection point is a pair of MCP preview endpoints, and chained with a Starlette host-header bypass it becomes unauthenticated RCE. Two weeks after Langflow, the actively-exploited thing is the proxy layer itself.

Read post โ†’
FedRAMPComplianceGRC

From Authorized to Certified: Reading the CR26 Relabel for What It Is

With the Consolidated Rules for 2026 landing at the end of this month, FedRAMP is retiring a phrase it's used for a decade. 'FedRAMP Authorized' becomes 'FedRAMP Certified,' and the Low/Moderate/High baselines pick up new names: Certification Classes A, B, C, and D. It's the same controls and the same boundary โ€” but a relabel this public is worth reading carefully, because some of it is cosmetic and some of it isn't.

Read post โ†’
FedRAMPConMonCISAGRC

Is It Even in Your Boundary? CVE-2026-0257 and the Question a KEV Clock Asks First

CISA added CVE-2026-0257 โ€” an actively-exploited authentication bypass in Palo Alto PAN-OS GlobalProtect โ€” to the KEV catalog on May 29 with a federal remediation deadline of June 1. But Cloud NGFW and Panorama aren't affected, only on-prem GlobalProtect is, which makes this a good week to talk about the question that actually comes first under a KEV clock: is this even inside your authorization boundary?

Read post โ†’
FedRAMPComplianceGRC

20x Is Permanent Now: The Rehearsal's Over, the Rules Land in June

FedRAMP 20x has moved out of pilot and into Phase 3 โ€” GSA has confirmed it as the permanent authorization model. The Consolidated Rules for 2026 finalize by the end of June, take effect July 1, and run through 2028, with the real submission pipeline opening in Q4. Here's what changes when the experiment becomes the standard.

Read post โ†’
AI SecurityFedRAMPConMonCISA

When the KEV Item Is Your Agent Platform: CVE-2025-34291 and Langflow

CISA added CVE-2025-34291 โ€” a CVSS 9.4 account-takeover-to-RCE chain in Langflow, the open-source AI agent and workflow builder โ€” to the KEV catalog on May 21, with a federal remediation deadline of June 4. It's the first time the actively-exploited thing on the clock is the orchestration layer itself, and that changes the conversation about where AI risk actually lives.

Read post โ†’
FedRAMPConMonCISAGRC

A 10.0 on Thursday: CVE-2026-20182, the KEV Clock, and ConMon Inside a FedRAMP Boundary

CISA added CVE-2026-20182 โ€” an authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, CVSS 10.0, actively exploited โ€” to the KEV catalog on May 14 with a federal remediation deadline of May 17. For FedRAMP CSPs, this is the shape of ConMon working under load: a 72-hour clock, a control-plane device, and an obligation that the Consolidated Rules will soon make explicit.

Read post โ†’
FedRAMP20x-changelog

20x Changelog โ€” Week of May 11, 2026

Week 1 of a recurring brief on FedRAMP 20x: RFC movements, cohort status, schema changes, and the program-level dates worth tracking. This week is the kickoff snapshot โ€” what is currently open, where the program is, and what to watch.

Read post โ†’
FedRAMPComplianceGRC

The FedRAMP Consolidated Rules: Reading the May 2026 Public Preview

FedRAMP published the public preview of its Consolidated Rules for 2026 on May 4. Templates are being retired in favor of machine-readable artifacts, Balance Improvement Releases become mandatory, and Rev 5 and 20x will run as parallel paths through 2028. Here's what that actually looks like from inside an authorization.

Read post โ†’
EngineeringAIQuality

Evals Belong in CI

Evaluation suites for AI features are usually run by data scientists in notebooks, on demand, before launches. That is the wrong place for them. Evals belong on the same merge gate as the unit tests.

Read post โ†’
AI SecurityIdentityGovernance

Who Is the Agent Logged In As?

Agents need identities, and 'the engineer who started the session' is not one. The non-human identity problem has been quietly waiting for AI to make it urgent.

Read post โ†’
AI GovernanceComplianceGateway

AI Gateway as a Compliance Control Point

The AI gateway shipped by Vercel and the equivalents emerging elsewhere are marketed as developer convenience โ€” one API across providers. The more interesting read is compliance. A gateway is the only chokepoint a regulated org has for AI traffic, and most teams are not yet treating it as one.

Read post โ†’
AI SecurityAgentsAir Gap

Computer Use and the Evaporating Air Gap

Anthropic's Computer Use API and the equivalents now shipping from other frontier labs let a model drive a real desktop โ€” screen, keyboard, mouse. Air gaps that worked against network-layer exfiltration do not work against a model that can type.

Read post โ†’
AI SecurityData MinimizationModels

The Compliance Cost of a Million-Token Context

Anthropic's 1M-token context window is a genuine capability leap. It is also an unannounced change to your data-minimization story, your audit log volume, and your exfiltration surface. The engineering teams pulling it in have not yet reconciled any of those.

Read post โ†’
AI SecurityMCPSupply Chain

The MCP Threat Surface Nobody Is Modeling

Model Context Protocol servers are the new universal connector between agents and the rest of the enterprise. They are also a threat surface with properties no prior connector had, and the industry has not caught up.

Read post โ†’
EngineeringAISDLC

The Session Log Is an SDLC Artifact

Every AI-assisted session produces a log. Most organizations treat it as a chat transcript. We treat it as a first-class SDLC artifact, and it has changed how we do nearly everything downstream.

Read post โ†’
AI SecurityNetworkAgents

The Egress Problem You Did Not Know You Had

Network egress policy is a control most security teams consider mature. It usually is โ€” for the workloads it was designed against. Agents are a different workload, and most egress policies treat them as if they were not.

Read post โ†’
AI ComplianceFedRAMPConMon

Evidence Collection at Machine Scale

Continuous monitoring was never going to be satisfied by quarterly screenshots. Now that automation is doing the work of collection, the gap between the compliance artifact and the control it represents is visible in a way it was not before.

Read post โ†’
EngineeringAI GovernanceCompliance

Separation of Duties Applies to AI, Too

The engineer who dispatched the agent should not be the engineer who approves the agent's output. This is a rule the rest of the industry has quietly forgotten in the rush to ship AI features.

Read post โ†’
FedRAMPAI ComplianceBoundary

FedRAMP and AI Workloads: The Boundary Problem

A FedRAMP authorization boundary is a specific, drawn thing. An AI workload that reaches an external model provider crosses the boundary every time it runs. That is the problem the industry has not fully reckoned with.

Read post โ†’
AI SecurityData ExfiltrationAgents

Data Exfiltration Through the Helpful Agent

The fastest path out of a well-defended network is now a chatbot with a tool that fetches URLs. The attack does not require a model compromise. It requires only the behavior the agent was designed to exhibit.

Read post โ†’
EngineeringAIGovernance

Branch Discipline for AI Agents

An agent that can commit to main is an agent you cannot recover from. We enforce branch discipline on agents more strictly than we enforce it on human engineers, for exactly that reason.

Read post โ†’
AI SecuritySupply ChainGovernance

Your Model Is a Dependency

The foundation model your product depends on is a piece of third-party software. Everything your security program says about third-party software applies to it. Most programs have not caught up.

Read post โ†’
EngineeringAIGovernance

The Prompt File Is a Contract

We put our agent prompts in version control, next to the code. That single decision turned out to be load-bearing for nearly everything else we built around AI.

Read post โ†’
AI ComplianceAuditNOVAICOM

Audit Trails at Machine Scale

An audit trail designed for human engineers does not survive contact with an agentic workflow. The log volume alone breaks it. What replaces it is not more logs, but better structure.

Read post โ†’
AI SecurityAgentsProduction Safety

The Blast Radius of an Agent

When an agentic system makes a wrong decision โ€” and it will โ€” the damage is bounded by the authority you gave it. Most teams do not think about that envelope until after the incident.

Read post โ†’